Is manulife.ca safe to use as a vendor?

manulife.ca scored 85/100 on LynxRadar's security posture assessment. The domain meets baseline security requirements. 7 checks passed, 7 warnings, 0 critical issues across 14 passive checks including TLS, DMARC, security headers, breaches, and CVEs.

Does manulife.ca have SPF configured?

Yes. SPF record found: v=spf1 include:manulife.ca._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._sp...

Does manulife.ca have security headers configured?

manulife.ca has 3 of 5 recommended security headers. Present: CSP, X-Content-Type-Options, X-Frame-Options. Missing: Referrer-Policy, Permissions-Policy.

manulife.ca Security Report — Grade B (85/100)

Q: What TLS version does manulife.ca use?

manulife.ca uses TLSv1.3 with TLS_AES_256_GCM_SHA384. TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.

Q: Does manulife.ca have DMARC configured?

Yes. manulife.ca's DMARC policy is set to 'quarantine'. SPF record: yes. Strengths: DMARC policy set to quarantine; DMARC pct=100 — policy applies to all mail; Aggregate reports (rua) configured; SPF soft-fail (~all) configured; SPF DNS lookup count: 2/10 (within limit); DKIM configured (selectors: selector2, s1, s2, k1). Issues: DMARC policy is 'quarantine', not 'reject' — spoofed mail is moved to spam rather than blocked outright.

Q: Does manulife.ca use HSTS?

Yes. HSTS enabled: max-age=63072000s (730 days) with includeSubDomains and preload. Meets best-practice configuration.

Q: Is manulife.ca's SSL certificate valid?

Yes. Strengths: Certificate valid, 196 days remaining; Issued by Sectigo Limited.

Q: Does manulife.ca have DNSSEC enabled?

No. Strengths: 6 nameservers configured (a8-64.akam.net, a7-67.akam.net, a22-66.akam.net, a10-64.akam.net...); SOA record present and MNAME consistent with NS set; 1 MX record(s) present; Zone transfers properly restricted on all nameservers; Address records present: 2 A record(s). Issues: All nameservers are from a single provider (akam.net) — a provider outage takes down the domain; DNSSEC not configured — DNS responses can be spoofed or tampered with in transit (DNS cache poisoning).

85/100

manulife.ca

June 09, 2026 ·

1+ Warnings 7 Passed

Better than 78% of 2676 companies scanned.

078th pct100

A+

A-

B+

B-

C+

C-

D+

D-

MX Records & Mail Provider

MTA-STS & TLS Reporting

DNS CAA Records

DNS Configuration

DMARC / Email Security

Security Headers

security.txt (RFC 9116)

TLS Configuration

TLS Protocol Support

Known Breaches

HSTS Header

Cookie Security

CVE Exposure

Certificate Hygiene

manulife.ca

85/100

No critical issues — great work!

Strengthen email authentication configuration

DMARC / Email Security

2–4 hours High

Email authentication is partially configured for manulife.ca but has gaps. Actions needed: . Until DMARC enforcement is active, spoofed emails may still reach recipients.

NIST CSFPR.AC-7

Email authentication is a required access control

How to fix this

1Verify with: nslookup -type=txt _dmarc.manulife.ca

2 items locked

Unlock the full action plan

Report unlocked.

At a glance

Full data from this scan

TLS Version

TLSv1.3

TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.

DMARC Policy

p=quarantine

Strengths: DMARC policy set to quarantine; DMARC pct=100 — policy applies to all mail; Aggregate reports (rua) configured; SPF soft-fail (~all) configured; SPF DNS lookup count: 2/10 (within limit); DKIM configured (selectors: selector2, s1, s2, k1). Issues: DMARC policy is 'quarantine', not 'reject' — spoofed mail is moved to spam rather than blocked outright.

SPF Record

Present

v=spf1 include:manulife.ca._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all

Security Headers

3/5 present

Missing: Referrer-Policy, Permissions-Policy

HSTS

Enabled

HSTS enabled: max-age=63072000s (730 days) with includeSubDomains and preload. Meets best-practice configuration.

SSL Certificate

Valid

Strengths: Certificate valid, 196 days remaining; Issued by Sectigo Limited.

DNSSEC

Not enabled

Strengths: 6 nameservers configured (a8-64.akam.net, a7-67.akam.net, a22-66.akam.net, a10-64.akam.net...); SOA record present and MNAME consistent with NS set; 1 MX record(s) present; Zone transfers properly restricted on all nameservers; Address records present: 2 A record(s). Issues: All nameservers are from a single provider (akam.net) — a provider outage takes down the domain; DNSSEC not configured — DNS responses can be spoofed or tampered with in transit (DNS cache poisoning).

Similar companies

Other domains with comparable security profiles.