Security checks — sorted by severity
DNS CAA Records
Strengths: CAA records configured (11 record(s)); Authorized CAs: comodoca.com, digicert.com; cansignhttpexchanges=yes, letsencrypt.org, pki.goog; cansignhttpexchanges=yes, sectigo.com, ssl.com. Issues: No iodef record — CA violations won't be reported to the domain owner.
Strengths: CAA records configured (11 record(s)); Authorized CAs: comodoca.com, digicert.com; cansignhttpexchanges=yes, letsencrypt.org, pki.goog; cansignhttpexchanges=yes, sectigo.com, ssl.com. Issues: No iodef record — CA violations won't be reported to the domain owner.
Certificate Hygiene
Strengths: Certificate valid, 76 days remaining; Issued by Google Trust Services; 266 certificates logged in CT. Issues: Certificates issued by 6 different CAs (threshold: 5 for 266 logged certs) — possible misconfiguration or shadow IT. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.
Strengths: Certificate valid, 76 days remaining; Issued by Google Trust Services; 266 certificates logged in CT. Issues: Certificates issued by 6 different CAs (threshold: 5 for 266 logged certs) — possible misconfiguration or shadow IT. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.
MX Records & Mail Provider
Strengths: Mail handled by mail.nonkyc.io; 2 MX record(s) configured; Multiple MX records provide redundancy.
Strengths: Mail handled by mail.nonkyc.io; 2 MX record(s) configured; Multiple MX records provide redundancy.
DNS Configuration
Strengths: 2 nameservers configured (cash.ns.cloudflare.com., piper.ns.cloudflare.com.); 2 MX records present; DNSSEC enabled; Zone transfers properly restricted.
Strengths: 2 nameservers configured (cash.ns.cloudflare.com., piper.ns.cloudflare.com.); 2 MX records present; DNSSEC enabled; Zone transfers properly restricted.
TLS Protocol Support
Strengths: TLS 1.3 supported; TLS 1.2 supported; TLS 1.3 supported (strongest). Protocol support: TLS 1.3: Yes, TLS 1.2: Yes, TLS 1.1: No, TLS 1.0: No.
Strengths: TLS 1.3 supported; TLS 1.2 supported; TLS 1.3 supported (strongest). Protocol support: TLS 1.3: Yes, TLS 1.2: Yes, TLS 1.1: No, TLS 1.0: No.
TLS Configuration
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
security.txt (RFC 9116)
Strengths: security.txt found with 6 field(s); Contact: mailto:[email protected]; Expires in 19624 days (2080-01-01T12:01:00Z); Disclosure policy: https://nonkyc.io/legal/terms; Canonical URL specified; Preferred languages: EN; Acknowledgments/hall-of-fame link included. Issues: Not PGP signed (recommended for authenticity).
Strengths: security.txt found with 6 field(s); Contact: mailto:[email protected]; Expires in 19624 days (2080-01-01T12:01:00Z); Disclosure policy: https://nonkyc.io/legal/terms; Canonical URL specified; Preferred languages: EN; Acknowledgments/hall-of-fame link included. Issues: Not PGP signed (recommended for authenticity).
DMARC / Email Security
Strengths: DMARC policy set to reject (strongest); SPF record present with hard-fail (-all); DKIM configured (selectors: default, s1, s2, mail).
Strengths: DMARC policy set to reject (strongest); SPF record present with hard-fail (-all); DKIM configured (selectors: default, s1, s2, mail).
Known Breaches
No known breaches found in public disclosure databases.
No known breaches found in public disclosure databases.
MTA-STS & TLS Reporting
Strengths: MTA-STS enabled with enforce mode (strongest); MX patterns specified: mail.nonkyc.io, mail2.nonkyc.io; SMTP TLS Reporting (TLSRPT) configured — delivery failures will be reported. Issues: MTA-STS max_age is only 1 day(s) — should be at least 7 days.
Strengths: MTA-STS enabled with enforce mode (strongest); MX patterns specified: mail.nonkyc.io, mail2.nonkyc.io; SMTP TLS Reporting (TLSRPT) configured — delivery failures will be reported. Issues: MTA-STS max_age is only 1 day(s) — should be at least 7 days.
HSTS Header
HSTS enabled: max-age=15552000s (180 days). includeSubDomains present. preload present.
HSTS enabled: max-age=15552000s (180 days). includeSubDomains present. preload present.
Security Headers
4/5 security headers present. Missing: Permissions-Policy.
4/5 security headers present. Missing: Permissions-Policy.
Cookie Security
Strengths: 2 cookie(s) analyzed; All cookies have Secure flag; All cookies have HttpOnly flag; All cookies have SameSite attribute.
Strengths: 2 cookie(s) analyzed; All cookies have Secure flag; All cookies have HttpOnly flag; All cookies have SameSite attribute.
CVE Exposure
Detected technologies: cloudflare. (cloudflare detected but excluded from CVE matching — upstream infrastructure). All detected technologies are upstream CDN/proxy infrastructure. No application-level software versions exposed.
Detected technologies: cloudflare. (cloudflare detected but excluded from CVE matching — upstream infrastructure). All detected technologies are upstream CDN/proxy infrastructure. No application-level software versions exposed.
Recommended actions
1 items
Steps to improve nonkyc.io's security grade, ranked by impact.
1
Review certificate configuration
Certificate issues found for nonkyc.io: wildcard certificate in use. Wildcard certificates have a broader blast radius if compromised. These are operational hygiene items, not immediate security risks.
How to fix this
1
Consider replacing wildcard cert with individual certs for critical subdomains
2
Consolidate certificate issuance to 1–2 trusted CAs
AI Summary
What this means
nonkyc.io scored 95/100, demonstrating a strong security posture. Minor improvements are noted below.
Positive signals: MX Records & Mail Provider, DNS Configuration, TLS Protocol Support all passed.
1 action item identified, including 0 critical. The issues are configuration gaps, not architectural problems. A focused remediation effort of 2–5 days could address all findings.
How nonkyc.io compares
Grade distribution across 2678 companies we've scanned. nonkyc.io scores better than 96% of them.
88
A+
28
A
194
A-
200
B+
75
B
376
B-
137
C+
117
C
347
C-
123
D+
96
D
265
D-
632
F
nonkyc.io — Grade A (95/100)
2678 companies scanned
At a glance
Key data points from the scan.
TLS Version
TLSv1.3
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
DMARC Policy
p=reject
Strengths: DMARC policy set to reject (strongest); SPF record present with hard-fail (-all); DKIM configured (selectors: default, s1, s2, mail).
SPF Record
Present
v=spf1 a mx include:_spf.elasticemail.com include:amazonses.com -all
Security Headers
4/5 present
Missing: Permissions-Policy
HSTS
Enabled
HSTS enabled: max-age=15552000s (180 days). includeSubDomains present. preload present.
SSL Certificate
Issues
Strengths: Certificate valid, 76 days remaining; Issued by Google Trust Services; 266 certificates logged in CT. Issues: Certificates issued by 6 different CAs (threshold: 5 for 266 logged certs) — possible misconfiguration or shadow IT. Note: Wildcard certificate in use (*.domain) — covers all subdomains. Common practice; worth noting that compromise would affect all subdomains.
DNSSEC
Enabled
Strengths: 2 nameservers configured (cash.ns.cloudflare.com., piper.ns.cloudflare.com.); 2 MX records present; DNSSEC enabled; Zone transfers properly restricted.
Similar companies
Other domains with comparable security profiles.
