C-
licensetom.com
70/100
1
Strengthen email authentication configuration
DMARC / Email Security
2–4 hours

Email authentication is partially configured for licensetom.com but has gaps. Actions needed: upgrade DMARC policy from 'none' to 'quarantine' or 'reject'. Until DMARC enforcement is active, spoofed emails may still reach recipients.

NIST CSF PR.AC-7
Email authentication is a required access control
How to fix this
1. Upgrade DMARC policy to p=quarantine (then p=reject after monitoring)
2. Verify with: nslookup -type=txt _dmarc.licensetom.com
TLS Version
TLSv1.3
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
DMARC Policy
p=none
Strengths: DMARC pct=100 — policy applies to all mail; SPF soft-fail (~all) configured; SPF DNS lookup count: 3/10 (within limit); DKIM configured (selectors: default). Issues: DMARC policy is 'none' (monitoring only, no enforcement); DMARC has no aggregate report URI (rua) — policy violations won't be reported.
SPF Record
Present
v=spf1 +a +mx include:licensetom.com.spf.auto.dnssmarthost.net ~all
Security Headers
0/5 present
Missing: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
HSTS
Not enabled
Strict-Transport-Security header is missing. Connections can be downgraded to HTTP via man-in-the-middle attacks. If this domain is in the browser HSTS preload list, browsers may still enforce HTTPS — but the header should be present for full coverage.
SSL Certificate
Valid
Strengths: Certificate valid, 86 days remaining; Issued by Let's Encrypt. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.
DNSSEC
Not enabled
Strengths: 2 nameservers configured (ns2.siteground.net, ns1.siteground.net); SOA record present and MNAME consistent with NS set; 3 MX record(s) present; Zone transfers properly restricted on all nameservers; Address records present: 1 A record(s). Issues: All nameservers are from a single provider (siteground.net) — a provider outage takes down the domain; DNSSEC not configured — DNS responses can be spoofed or tampered with in transit (DNS cache poisoning).