Free Domain Security Check
How exposed is your domain? Run a free external scan of your SPF, DKIM and DMARC records, TLS configuration, and attacker-visible services in around 15 seconds. No install, no sign-up, no access to your systems.
Email security
SPF, DKIM, DMARC and spoofing exposure.
Web and TLS
Certificates, headers and exposed services.
External surface
Subdomains and attacker-visible footprint.
What the scan checks and why it matters
The scanner runs entirely from outside your network, the same view an attacker has. It reads publicly available DNS records and public-facing services only. It never sends test emails, never logs in to anything, and never touches your internal systems.
Email authentication: SPF, DKIM and DMARC
SPF tells receiving mail servers which systems are authorised to send email for your domain. DKIM adds a cryptographic signature so recipients can verify messages have not been tampered with. DMARC ties these together and tells receiving servers what to do when a message fails. Without an enforced DMARC policy, your domain can be spoofed and used in phishing attacks against your own customers, suppliers, and staff.
Web and TLS health
The scan checks your TLS certificate validity and configuration and the presence of key HTTP security headers such as HSTS and Content-Security-Policy. Weak or expired certificates and missing headers are among the most common findings in external security assessments, and they directly affect whether browsers and customers treat your site as safe.
External attack surface
Subdomains created for old projects and never decommissioned stay visible to attackers. The scan maps the subdomains and services associated with your domain to show what is publicly facing. Forgotten DNS records pointing at decommissioned infrastructure are a well-documented source of subdomain takeover vulnerabilities.
Built for UK businesses, free to run
Half of UK businesses reported a cyber attack or breach in the UK Government's Cyber Security Breaches Survey 2024, and phishing remains the most common attack type. Misconfigured or missing SPF, DKIM and DMARC records mean your domain can be used to phish your own customers and suppliers without your knowledge.
The check is designed for IT managers, operations leads, and business owners who want a quick external view before a board update, a tender submission, a Cyber Essentials assessment, or a conversation with a security partner. The results are written in plain English, so you do not need to be technical to act on them.
Instant result vs full report
| Included | Instant | Full report |
|---|---|---|
| Overall security score and rating | Yes | Yes |
| Issue count across email, web and exposure | Yes | Yes |
| Every finding with a severity rating | No | Yes |
| Plain-English explanation of why each finding matters | No | Yes |
| Private link you can share with your IT team | No | Yes |
The scan uses only publicly available DNS and web data. We keep scan results so we can generate your report, and we never sell or share your details with third parties. See our privacy policy.
Domain security, answered
What is DMARC and why does my business need it?
DMARC (Domain-based Message Authentication, Reporting and Conformance) tells receiving mail servers what to do when an email claims to come from your domain but fails authentication. Without an enforced DMARC policy, criminals can send convincing phishing emails to your customers, suppliers, and staff that appear to come from you. The NCSC recommends DMARC as a baseline control for UK organisations.
What is the difference between SPF, DKIM and DMARC?
SPF lists which mail servers are allowed to send email for your domain. DKIM adds a cryptographic signature to outgoing messages so recipients can verify they have not been tampered with. DMARC ties the two together and sets a policy telling receiving servers to quarantine or reject messages that fail. All three working together is the standard the NCSC recommends.
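To make "enforced" concrete for the SPF and DMARC descriptions above and in the email authentication section, here is an added example (not this scanner's own code) that classifies the TXT records a domain publishes. The domain names, sample records and result labels are constructed for illustration, and the records are passed in as strings rather than fetched from DNS.

```python
def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt_records):
    """Classify the TXT strings published at _dmarc.<domain>."""
    found = [t for t in map(parse_tags, txt_records) if t.get("v") == "DMARC1"]
    if not found:
        return "missing"
    if len(found) > 1:
        return "invalid"          # RFC 7489: several records, so no policy applies
    policy = found[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    if policy == "none":
        return "monitor-only"     # reports only; failing mail is still delivered
    pct = found[0].get("pct", "")
    pct = int(pct) if pct.isdigit() else 100   # pct defaults to 100
    return "enforced" if pct >= 100 else "partial"

def assess_spf(txt_records):
    """Classify the TXT strings published at <domain> by their 'all' term."""
    found = [r.lower().split() for r in txt_records
             if r.lower().split()[:1] == ["v=spf1"]]
    if not found:
        return "missing"
    if len(found) > 1:
        return "invalid"          # RFC 7208: more than one record is a permerror
    for term in found[0][1:]:
        if term.lstrip("+-~?") == "all":
            return {"-": "hardfail", "~": "softfail", "?": "neutral"}.get(term[0], "pass-all")
    if any(term.startswith("redirect=") for term in found[0]):
        return "redirect"         # policy lives in another domain's record
    return "neutral"              # no match and no 'all' evaluates to neutral

# Constructed sample records (not real scan output) for hypothetical domains.
SAMPLES = {
    "enforced.example": (["v=spf1 include:_spf.mail.example -all"],
                         ["v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example"]),
    "watching.example": (["v=spf1 ip4:192.0.2.10 ~all"], ["v=DMARC1; p=none"]),
    "rollout.example": (["v=spf1 mx -all"], ["v=DMARC1; p=quarantine; pct=25"]),
    "bare.example": (["google-site-verification=abc"], []),
}

def report():
    return {d: (assess_spf(s), assess_dmarc(m)) for d, (s, m) in SAMPLES.items()}
```

Only the "enforced" DMARC result tells receivers to quarantine or reject every failing message; "monitor-only" and "partial" still let some or all spoofed mail through.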
Will running this scan affect my website or email?
No. The scan is passive and external. It reads publicly available DNS records and checks your public-facing web services, the same information anyone on the internet can already see. It does not send test emails, log in to anything, or touch your internal systems.
What happens to the information I enter?
The scan uses only publicly available DNS and web data. We keep the scan results so we can generate your report, and if you request the full report by email we store your address to send it and to follow up once. We never sell or share your details with third parties. See our privacy policy for full detail.
What do I get in the full report?
The instant result shows your overall score, rating, and how many issues were found. The full report, sent to your email as a private link, breaks down every finding with a severity rating, explains what each one means in plain English, and covers your email authentication, web and TLS configuration, and externally visible footprint.
Found something you want fixed?
If your scan shows gaps in email authentication or exposed services, our cloud security team can walk you through remediation, or harden the pipeline that caused it with DevSecOps. A free scan commits you to nothing.
