A-
92/100
1
Enable DNSSEC on your domain
DNS Configuration
Without DNSSEC, DNS responses for html.duckduckgo.com can be spoofed, potentially redirecting users to malicious sites. Enabling DNSSEC requires coordination with your domain registrar to publish DS records.
NIST 800-53 SC-20
Secure name/address resolution service
How to fix this
1. Check if your DNS provider supports DNSSEC (Cloudflare, Route53, etc.)
2. Enable DNSSEC signing in your DNS provider dashboard
3. Add the DS record to your registrar for .com TLD
4. Verify: dig +dnssec html.duckduckgo.com
At a glance
Full data from this scan
TLS Version
TLSv1.3
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
DMARC Policy
p=reject
Strengths: DMARC policy set to reject (strongest); DMARC pct=100 — policy applies to all mail; Aggregate reports (rua) configured; SPF hard-fail (-all) configured; SPF DNS lookup count: 4/10 (within limit); DKIM configured (selectors: selector1, s1, zendesk1, zendesk2).
SPF Record
Present
v=spf1 include:mailer.duckduckgo.com include:spf.protection.outlook.com include:duck.com include:mai
Security Headers
5/5 present
All headers configured.
HSTS
Enabled
HSTS enabled: max-age=31536000s (365 days). Missing includeSubDomains — subdomains not covered. Missing preload directive.
SSL Certificate
Valid
Strengths: Certificate valid, 148 days remaining; Issued by DigiCert Inc. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.
DNSSEC
Not enabled
Strengths: 8 nameservers configured (ns01.quack-dns.com, ns02.quack-dns.com, ns03.quack-dns.com, ns04.quack-dns.com...); NS records span 2 providers (quack-dns.com, nsone.net) — genuine redundancy; SOA record present and MNAME consistent with NS set; 1 MX record(s) present; Zone transfers properly restricted on all nameservers; Address records present: 1 A record(s). Issues: DNSSEC not configured — DNS responses can be spoofed or tampered with in transit (DNS cache poisoning).