Is mxtoolbox.com safe to use as a vendor?

mxtoolbox.com scored 78/100 on LynxRadar's security posture assessment. The domain partially meets security requirements with some gaps to address. 7 checks passed, 5 warnings, 2 critical issues across 14 passive checks including TLS, DMARC, security headers, breaches, and CVEs.

Does mxtoolbox.com have SPF configured?

Yes. SPF record: v=spf1 redirect=mxtoolbox.com.hosted.spf-report.com

Does mxtoolbox.com have security headers configured?

mxtoolbox.com has 0 of 5 recommended security headers. Missing: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy.

mxtoolbox.com Security Report — Grade C+ (78/100)

Q: What TLS version does mxtoolbox.com use?

mxtoolbox.com uses TLSv1.3 with TLS_AES_128_GCM_SHA256. TLSv1.3 negotiated with TLS_AES_128_GCM_SHA256 (128-bit). Strong configuration with no deprecated protocols or weak ciphers detected.

Q: Does mxtoolbox.com have DMARC configured?

Yes. mxtoolbox.com's DMARC policy is set to 'reject'. SPF record: yes. Strengths: DMARC policy set to reject (strongest); DMARC pct=100 — policy applies to all mail; Aggregate reports (rua) configured; Forensic reports (ruf) configured; SPF DNS lookup count: 0/10 (within limit); DKIM configured (selectors: google, selector1, selector2, smtpapi).

Q: Does mxtoolbox.com use HSTS?

No. Strict-Transport-Security header is missing. Connections can be downgraded to HTTP via man-in-the-middle attacks. If this domain is in the browser HSTS preload list, browsers may still enforce HTTPS — but the header should be present for full coverage.

Q: Is mxtoolbox.com's SSL certificate valid?

Yes. Strengths: Certificate valid, 138 days remaining; Issued by Amazon. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.

Q: Does mxtoolbox.com have DNSSEC enabled?

No. Strengths: 4 nameservers configured (ns-495.awsdns-61.com, ns-984.awsdns-59.net, ns-1320.awsdns-37.org, ns-1736.awsdns-25.co.uk); NS records span 4 providers (awsdns-61.com, awsdns-59.net, awsdns-37.org, co.uk) — genuine redundancy; SOA record present and MNAME consistent with NS set; 5 MX record(s) present; Zone transfers properly restricted on all nameservers; Address records present: 4 A record(s). Issues: DNSSEC not configured — DNS responses can be spoofed or tampered with in transit (DNS cache poisoning).

C+ 78/100

mxtoolbox.com

June 13, 2026 ·

1+ Warnings 7 Passed

Better than 59% of 2689 companies scanned.

059th pct100

A+

A-

B+

B-

C+

C-

D+

D-

HSTS Header

Security Headers

DNS CAA Records

DNS Configuration

MTA-STS & TLS Reporting

Cookie Security

security.txt (RFC 9116)

C+

mxtoolbox.com

78/100

Enable HSTS (HTTP Strict Transport Security)

HSTS Header

< 1 hour

The HSTS header is missing on mxtoolbox.com. Without it, connections can be downgraded from HTTPS to HTTP via man-in-the-middle attacks. This is a straightforward server configuration change.

PCI-DSS 4.0Req 6.4.1

Required application security controls

NIST 800-53SC-8

Transmission confidentiality and integrity

How to fix this

1Add header: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

2Verify all subdomains support HTTPS before adding includeSubDomains

3Test with: curl -sI https://mxtoolbox.com | grep -i strict

4Submit to hstspreload.org after confirming the header is correct

At a glance

Full data from this scan

TLS Version

TLSv1.3

TLSv1.3 negotiated with TLS_AES_128_GCM_SHA256 (128-bit). Strong configuration with no deprecated protocols or weak ciphers detected.

DMARC Policy

p=reject

Strengths: DMARC policy set to reject (strongest); DMARC pct=100 — policy applies to all mail; Aggregate reports (rua) configured; Forensic reports (ruf) configured; SPF DNS lookup count: 0/10 (within limit); DKIM configured (selectors: google, selector1, selector2, smtpapi).

SPF Record

Present

v=spf1 redirect=mxtoolbox.com.hosted.spf-report.com

Security Headers

0/5 present

Missing: CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy

HSTS

Not enabled

Strict-Transport-Security header is missing. Connections can be downgraded to HTTP via man-in-the-middle attacks. If this domain is in the browser HSTS preload list, browsers may still enforce HTTPS — but the header should be present for full coverage.

SSL Certificate

Valid

Strengths: Certificate valid, 138 days remaining; Issued by Amazon. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.

DNSSEC

Not enabled

Strengths: 4 nameservers configured (ns-495.awsdns-61.com, ns-984.awsdns-59.net, ns-1320.awsdns-37.org, ns-1736.awsdns-25.co.uk); NS records span 4 providers (awsdns-61.com, awsdns-59.net, awsdns-37.org, co.uk) — genuine redundancy; SOA record present and MNAME consistent with NS set; 5 MX record(s) present; Zone transfers properly restricted on all nameservers; Address records present: 4 A record(s). Issues: DNSSEC not configured — DNS responses can be spoofed or tampered with in transit (DNS cache poisoning).

Similar companies