Scan history
Security checks — sorted by severity
MX Records & Mail Provider
Strengths: Mail handled by Microsoft 365; 1 MX record(s) configured. Issues: Only 1 MX record — no failover if primary mail server is unavailable.
Strengths: Mail handled by Microsoft 365; 1 MX record(s) configured. Issues: Only 1 MX record — no failover if primary mail server is unavailable.
MTA-STS & TLS Reporting
Issues: No MTA-STS configured — email in transit is vulnerable to TLS downgrade attacks; sending servers cannot verify your mail server requires TLS; No TLSRPT record (_smtp._tls) — TLS delivery failures won't be reported to the domain owner.
Issues: No MTA-STS configured — email in transit is vulnerable to TLS downgrade attacks; sending servers cannot verify your mail server requires TLS; No TLSRPT record (_smtp._tls) — TLS delivery failures won't be reported to the domain owner.
DNS Configuration
Strengths: 6 nameservers configured (a13-65.akam.net, a1-109.akam.net, a11-65.akam.net, a6-64.akam.net...); SOA record present and MNAME consistent with NS set; 1 MX record(s) present; Zone transfers properly restricted on all nameservers; Address records present: 1 A record(s). Issues: All nameservers are from a single provider (akam.net) — a provider outage takes down the domain; DNSSEC not configured — DNS responses can be spoofed or tampered with in transit (DNS cache poisoning).
Strengths: 6 nameservers configured (a13-65.akam.net, a1-109.akam.net, a11-65.akam.net, a6-64.akam.net...); SOA record present and MNAME consistent with NS set; 1 MX record(s) present; Zone transfers properly restricted on all nameservers; Address records present: 1 A record(s). Issues: All nameservers are from a single provider (akam.net) — a provider outage takes down the domain; DNSSEC not configured — DNS responses can be spoofed or tampered with in transit (DNS cache poisoning).
DMARC / Email Security
Strengths: DMARC policy set to quarantine; DMARC pct=100 — policy applies to all mail; Aggregate reports (rua) configured; Forensic reports (ruf) configured; SPF soft-fail (~all) configured; SPF DNS lookup count: 2/10 (within limit); DKIM configured (selectors: selector2, s1, s2, cm). Issues: DMARC policy is 'quarantine', not 'reject' — spoofed mail is moved to spam rather than blocked outright; DMARC sp=none — subdomains are unprotected even though apex has p=quarantine. Attackers can spoof sub.subway.com.
Strengths: DMARC policy set to quarantine; DMARC pct=100 — policy applies to all mail; Aggregate reports (rua) configured; Forensic reports (ruf) configured; SPF soft-fail (~all) configured; SPF DNS lookup count: 2/10 (within limit); DKIM configured (selectors: selector2, s1, s2, cm). Issues: DMARC policy is 'quarantine', not 'reject' — spoofed mail is moved to spam rather than blocked outright; DMARC sp=none — subdomains are unprotected even though apex has p=quarantine. Attackers can spoof sub.subway.com.
security.txt (RFC 9116)
No security.txt found. Publishing a security.txt at /.well-known/security.txt is the industry standard (RFC 9116) for vulnerability disclosure policies. Its absence may indicate a less mature security program.
No security.txt found. Publishing a security.txt at /.well-known/security.txt is the industry standard (RFC 9116) for vulnerability disclosure policies. Its absence may indicate a less mature security program.
Cookie Security
Could not fetch subway.com to analyze cookies: HTTPSConnectionPool(host='www.subway.com', port=443): Max retries exceeded with url: / (Caused by ReadTimeoutError("HTTPSConnectionPool(host='www.subway.com', port=443): Read timed out. (read timeout=10)"))
Could not fetch subway.com to analyze cookies: HTTPSConnectionPool(host='www.subway.com', port=443): Max retries exceeded with url: / (Caused by ReadTimeoutError("HTTPSConnectionPool(host='www.subway.com', port=443): Read timed out. (read timeout=10)"))
HSTS Header
Could not fetch https://subway.com — connection failed or timed out.
Could not fetch https://subway.com — connection failed or timed out.
Security Headers
Could not fetch https://subway.com — connection failed or timed out.
Could not fetch https://subway.com — connection failed or timed out.
DNS CAA Records
Strengths: CAA records configured at subway.com (10 record(s)); Authorised CAs: amazontrust.com, pki.goog, digicert.com, sectigo.com, amazonaws.com, awstrust.com, amazon.com, letsencrypt.org, godaddy.com; Violation reporting (iodef) configured.
Strengths: CAA records configured at subway.com (10 record(s)); Authorised CAs: amazontrust.com, pki.goog, digicert.com, sectigo.com, amazonaws.com, awstrust.com, amazon.com, letsencrypt.org, godaddy.com; Violation reporting (iodef) configured.
TLS Configuration
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
TLS Protocol Support
Strengths: TLS 1.3 supported; TLS 1.2 supported; TLS 1.3 supported (strongest). Protocol support: TLS 1.3: Yes, TLS 1.2: Yes, TLS 1.1: No, TLS 1.0: No.
Strengths: TLS 1.3 supported; TLS 1.2 supported; TLS 1.3 supported (strongest). Protocol support: TLS 1.3: Yes, TLS 1.2: Yes, TLS 1.1: No, TLS 1.0: No.
Known Breaches
No known breaches found in public disclosure databases.
No known breaches found in public disclosure databases.
CVE Exposure
No server software versions detected in HTTP response headers. This is good practice (version hiding) but means CVE exposure cannot be assessed from external signals alone.
No server software versions detected in HTTP response headers. This is good practice (version hiding) but means CVE exposure cannot be assessed from external signals alone.
Certificate Hygiene
Strengths: Certificate valid, 142 days remaining; Issued by DigiCert Inc.
Strengths: Certificate valid, 142 days remaining; Issued by DigiCert Inc.
Recommended actions
1+ items
Steps to improve subway.com's security grade, ranked by impact.
1
Strengthen email authentication configuration
DMARC / Email Security
Email authentication is partially configured for subway.com but has gaps. Actions needed: . Until DMARC enforcement is active, spoofed emails may still reach recipients.
NIST CSFPR.AC-7
Email authentication is a required access control
How to fix this
1
Verify with: nslookup -type=txt _dmarc.subway.com
See all 1 remaining recommendation
Enter your work email to unlock the full action plan.
No spam. We only send security-related updates.
Report unlocked.
AI Summary
What this means
subway.com scored 70/100, meeting baseline requirements but with 5 findings that require attention. The vendor can proceed with a remediation timeline agreement.
Positive signals: DNS CAA Records, TLS Configuration, TLS Protocol Support all passed.
2 action items identified, including 0 critical. The issues are configuration gaps, not architectural problems. A focused remediation effort of 2–5 days could address all findings.
How subway.com compares
Grade distribution across 2685 companies we've scanned. subway.com scores better than 42% of them.
88
A+
28
A
196
A-
202
B+
76
B
376
B-
138
C+
117
C
347
C-
123
D+
96
D
266
D-
632
F
subway.com — Grade C- (70/100)
2685 companies scanned
At a glance
Key data points from the scan.
TLS Version
TLSv1.3
TLSv1.3 negotiated with TLS_AES_256_GCM_SHA384 (256-bit). Strong configuration with no deprecated protocols or weak ciphers detected.
DMARC Policy
p=quarantine
Strengths: DMARC policy set to quarantine; DMARC pct=100 — policy applies to all mail; Aggregate reports (rua) configured; Forensic reports (ruf) configured; SPF soft-fail (~all) configured; SPF DNS lookup count: 2/10 (within limit); DKIM configured (selectors: selector2, s1, s2, cm). Issues: DMARC policy is 'quarantine', not 'reject' — spoofed mail is moved to spam rather than blocked outright; DMARC sp=none — subdomains are unprotected even though apex has p=quarantine. Attackers can spoof sub.subway.com.
SPF Record
Present
v=spf1 mx ip4:67.20.173.128/26 include:spf.protection.outlook.com ~all
Security Headers
0/0 present
All headers configured.
HSTS
Not enabled
Could not fetch https://subway.com — connection failed or timed out.
SSL Certificate
Valid
Strengths: Certificate valid, 142 days remaining; Issued by DigiCert Inc.
DNSSEC
Not enabled
Strengths: 6 nameservers configured (a13-65.akam.net, a1-109.akam.net, a11-65.akam.net, a6-64.akam.net...); SOA record present and MNAME consistent with NS set; 1 MX record(s) present; Zone transfers properly restricted on all nameservers; Address records present: 1 A record(s). Issues: All nameservers are from a single provider (akam.net) — a provider outage takes down the domain; DNSSEC not configured — DNS responses can be spoofed or tampered with in transit (DNS cache poisoning).
Similar companies
Other domains with comparable security profiles.
