B-
80/100
1
Strengthen email authentication configuration
DMARC / Email Security
Email authentication is partially configured for lichtbild-manufaktur.shop but has gaps. Actions needed: upgrade DMARC policy from 'none' to 'quarantine' or 'reject'. Until DMARC enforcement is active, spoofed emails may still reach recipients.
NIST CSFPR.AC-7
Email authentication is a required access control
How to fix this
1Upgrade DMARC policy to p=quarantine (then p=reject after monitoring)
2Verify with: nslookup -type=txt _dmarc.lichtbild-manufaktur.shop
At a glance
Full data from this scan
TLS Version
TLSv1.3
TLSv1.3 negotiated with TLS_AES_128_GCM_SHA256 (128-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
DMARC Policy
p=none
Strengths: DMARC pct=100 — policy applies to all mail; Aggregate reports (rua) configured; SPF hard-fail (-all) configured; SPF DNS lookup count: 1/10 (within limit); DKIM configured (selectors: mail). Issues: DMARC policy is 'none' (monitoring only, no enforcement).
SPF Record
Present
v=spf1 include:_spf.google.com -all
Security Headers
0/5 present
Missing: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
HSTS
Enabled
HSTS enabled: max-age=63072000s (730 days). Missing includeSubDomains — subdomains not covered. Missing preload directive.
SSL Certificate
Valid
Strengths: Certificate valid, 49 days remaining; Issued by Let's Encrypt; 62 certificates logged in CT; Certificates from 3 CAs: DigiCert Inc, Google Trust Services, Let's Encrypt.
DNSSEC
Not enabled
Strengths: 2 nameservers configured (sky.ns.cloudflare.com, alexis.ns.cloudflare.com); SOA record present and MNAME consistent with NS set; 5 MX record(s) present; Zone transfers properly restricted on all nameservers; Address records present: 1 A record(s). Issues: All nameservers are from a single provider (cloudflare.com) — a provider outage takes down the domain; DNSSEC not configured — DNS responses can be spoofed or tampered with in transit (DNS cache poisoning).
Similar companies