A domain security audit reviews DNS configuration, email authentication, SSL/TLS certificates, and HTTP security headers to identify vulnerabilities before attackers do. This 2026 checklist provides structured tables, a quarterly schedule, and a scoring system so you can track your domain's security posture over time.
Why Domain Audits Matter in 2026
Google and Yahoo enforce strict sender requirements as of 2024, browsers flag mixed content and missing headers, and attackers increasingly exploit DNS misconfigurations for subdomain takeover. A quarterly audit catches drift before it becomes a breach.
Organizations with regular domain audits detect misconfigurations 4× faster than those relying on incident-driven reviews (Verizon DBIR 2025).
DNS Configuration Checklist
| Check | Expected State | Tool | Risk if Missing |
|---|---|---|---|
| A / AAAA records resolve | Valid IPs, no dangling CNAMEs | DNS Lookup | Subdomain takeover |
| CNAME records valid | All targets resolve | CNAME Lookup | Subdomain takeover |
| TXT records clean | No stale verification tokens | TXT Lookup | Information leakage |
| DNSSEC enabled | DS record in parent, signatures valid | DNS Checker | DNS spoofing |
| CAA record set | Restrict CAs to authorized issuers | DNS Lookup | Rogue certificates |
| NS records consistent | All NS respond identically | DNS Checker | Resolution failures |
| Low TTL audit | No production records below 300s without reason | DNS Lookup | Performance impact |
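The "no dangling CNAMEs" row above is the one that leads to subdomain takeover, so it is worth automating. The following is an added example (not code from this page or from the tools it names) that walks CNAME chains over a constructed resolver snapshot; swap `SNAPSHOT` for live lookups and the chain logic stays the same.

```python
# Constructed resolver snapshot standing in for live DNS answers (no real zone data).
# Each owner name maps to its resource records; a name absent from the dict is NXDOMAIN.
SNAPSHOT = {
    "www.example.com.": [("CNAME", "example.com.")],
    "example.com.": [("A", "192.0.2.10")],
    "blog.example.com.": [("CNAME", "old-blog.hosting.example.")],  # target decommissioned
    "shop.example.com.": [("CNAME", "shop.cdn.example.")],
    "shop.cdn.example.": [("CNAME", "edge.cdn.example.")],
    "edge.cdn.example.": [("AAAA", "2001:db8::1")],
    "loop.example.com.": [("CNAME", "loop2.example.com.")],
    "loop2.example.com.": [("CNAME", "loop.example.com.")],
}

def resolve_chain(name, snapshot, max_hops=8):
    """Follow CNAMEs starting at name. Returns (status, chain) where status is
    'ok' (chain ends in address data), 'dangling' (a target does not exist),
    'loop' (chain revisits a name) or 'too-long' (more than max_hops CNAMEs)."""
    chain = [name]
    for _ in range(max_hops):
        rrs = snapshot.get(chain[-1])
        if rrs is None:
            return "dangling", chain      # NXDOMAIN on the target: takeover candidate
        targets = [value for rrtype, value in rrs if rrtype == "CNAME"]
        if not targets:
            return "ok", chain            # reached A/AAAA (or other) records
        if targets[0] in chain:
            return "loop", chain
        chain.append(targets[0])
    return "too-long", chain

def find_dangling(snapshot):
    """Every CNAME owner whose chain ends in NXDOMAIN; the audit expects this to be empty."""
    return sorted(
        name for name, rrs in snapshot.items()
        if any(rrtype == "CNAME" for rrtype, _ in rrs)
        and resolve_chain(name, snapshot)[0] == "dangling"
    )

if __name__ == "__main__":
    for name in sorted(SNAPSHOT):
        status, chain = resolve_chain(name, SNAPSHOT)
        print(f"{status:9} {' -> '.join(chain)}")
```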
Email Authentication Checklist
| Check | Expected State | Tool | Risk if Missing |
|---|---|---|---|
| SPF record exists | Single v=spf1 record, ≤10 DNS lookups | SPF Checker | Spoofing / delivery failure |
| DKIM selector valid | RSA ≥ 2048-bit or Ed25519, rotated annually | DKIM Checker | Message tampering |
| DMARC policy | p=reject or p=quarantine; rua tag set | DMARC Checker | Domain impersonation |
| BIMI record | Valid SVG logo, VMC certificate (optional) | BIMI Checker | Missed brand visibility |
| MTA-STS policy | mode: enforce with valid mta-sts.txt | TXT Lookup | Downgrade attacks |
| TLS-RPT record | v=TLSRPTv1; rua=mailto:... | TXT Lookup | No TLS failure visibility |
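The SPF and DMARC rows above can be checked directly from the published TXT records. This is an added example (not the page's or any listed tool's code) that applies the single-record, 10-lookup and enforcing-policy rules to constructed sample records; the `-all`/`~all` terminator check is taken from the non-sending-domains point later on the page.

```python
import re

# SPF terms that each consume one of the 10 DNS lookups allowed by RFC 7208.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_spf(txt_records):
    """Findings for the TXT records at a domain apex, per the 'SPF record exists' row."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} v=spf1 records found; only one is allowed")
    lookups = 0
    for term in spf[0].split()[1:]:
        # strip the qualifier (+ - ~ ?) and any argument, leaving the mechanism name
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10")
    if not re.search(r"\s[-~]all$", spf[0]):
        findings.append("record does not end in -all or ~all")
    return findings

def audit_dmarc(txt_records):
    """Findings for the _dmarc TXT record, per the 'DMARC policy' row."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return [f"expected exactly one v=DMARC1 record, found {len(dmarc)}"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"p={tags.get('p', '<missing>')} does not enforce")
    if "rua" not in tags:
        findings.append("no rua tag, so aggregate reports will never arrive")
    return findings

# Constructed sample records; they are not taken from any real domain.
SPF_OK = ["v=spf1 include:_spf.mail.example mx -all"]
SPF_BAD = [
    "v=spf1 " + " ".join(f"include:spf{i}.example" for i in range(10)) + " a mx ~all",
    "v=spf1 -all",
]
DMARC_WEAK = ["v=DMARC1; p=none"]
DMARC_OK = ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"]
```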
SSL/TLS Certificate Checklist
| Check | Expected State | Tool | Risk if Missing |
|---|---|---|---|
| Certificate valid | Not expired, covers all subdomains | SSL Checker | Browser warnings / MITM |
| TLS version | TLS 1.2+ only; TLS 1.0/1.1 disabled | SSL Checker | Protocol downgrade |
| Certificate chain | Complete chain served, no missing intermediates | SSL Checker | Mobile trust failures |
| HSTS header | max-age ≥ 31536000; includeSubDomains; preload | Security Scanner | SSL stripping |
| OCSP stapling | Enabled on server | SSL Checker | Revocation check delays |
| CT logs | Certificate in public transparency logs | SSL Checker | Rogue cert detection gap |
Security Headers Checklist
| Header | Recommended Value | Tool |
|---|---|---|
| Content-Security-Policy | Restrictive default-src 'self' with explicit exceptions | Security Scanner |
| X-Content-Type-Options | nosniff | Security Scanner |
| X-Frame-Options | DENY or SAMEORIGIN | Security Scanner |
| Referrer-Policy | strict-origin-when-cross-origin | Security Scanner |
| Permissions-Policy | Restrict camera, microphone, geolocation | Security Scanner |
| Cross-Origin-Opener-Policy | same-origin | Security Scanner |
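The header table above and the HSTS row in the SSL/TLS table are both pure response-header checks, so one function can cover them. This is an added example (not the page's Security Scanner) that grades a header dict against the recommended values; the constructed `HARDENED` and `WEAK` responses are samples, not captures from any real site.

```python
import re

ONE_YEAR = 31536000  # HSTS max-age floor from the checklist, in seconds

def audit_headers(headers):
    """Findings for one HTTP response's headers (names matched case-insensitively)."""
    h = {name.lower(): value for name, value in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security", "").lower()
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    else:
        match = re.search(r"max-age=(\d+)", hsts)
        max_age = int(match.group(1)) if match else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below {ONE_YEAR}")
        directives = [d.strip() for d in hsts.split(";")]
        for directive in ("includesubdomains", "preload"):
            if directive not in directives:
                findings.append(f"HSTS lacks {directive}")

    if "default-src 'self'" not in h.get("content-security-policy", "").lower():
        findings.append("Content-Security-Policy missing or default-src is not 'self'")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN")
    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")
    policy = h.get("permissions-policy", "").replace(" ", "").lower()
    for feature in ("camera", "microphone", "geolocation"):
        if f"{feature}=(" not in policy:  # no directive means the browser default applies
            findings.append(f"Permissions-Policy has no directive for {feature}")
    if h.get("cross-origin-opener-policy", "").lower() != "same-origin":
        findings.append("Cross-Origin-Opener-Policy is not same-origin")
    return findings

# Constructed sample responses; not captured from any real site.
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
}
WEAK = {"Strict-Transport-Security": "max-age=86400", "X-Frame-Options": "ALLOW-FROM https://partner.example"}
```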
Scoring System
Definition: Each checklist item earns points. Total your score and compare it against the rating thresholds to gauge your domain's security health.
| Category | Max Points | Weight |
|---|---|---|
| DNS Configuration | 20 | 20% |
| Email Authentication | 30 | 30% |
| SSL/TLS | 25 | 25% |
| Security Headers | 25 | 25% |
Rating thresholds:
- 90–100, Excellent: production-ready
- 70–89, Good: minor improvements needed
- 50–69, Fair: significant gaps exist
- 0–49, Critical: immediate remediation required
Quarterly Audit Schedule
Q1 (January)
Full audit of all four categories. Renew expiring certificates. Review DKIM key rotation. Update DMARC policy toward p=reject.
Q2 (April)
DNS hygiene sweep: remove stale records, check for dangling CNAMEs, verify DNSSEC signatures. Review CAA records.
Q3 (July)
Email deliverability review: analyze DMARC aggregate reports, check SPF lookup count, verify BIMI rendering. Test MTA-STS.
Q4 (October)
Security header hardening: test CSP in report-only mode, add new headers, review Permissions-Policy. Pre-renewal SSL check.
Best Practices
Automate your audits with CI/CD checks. Run DNS and header validations on every deployment to catch regressions before they reach production.
- Document your baseline score and track improvement quarter over quarter.
- Use p=none DMARC only during initial monitoring; escalate to quarantine, then reject.
- Set calendar reminders 30 days before certificate expiry.
- Maintain an inventory of all subdomains including third-party services.
- Test security headers with report-only mode before enforcing.
Common Mistakes
- Dangling CNAME records: Decommissioned services with active DNS entries invite subdomain takeover.
- Multiple SPF records: Only one v=spf1 TXT record is allowed per domain.
- Wildcard certificates without monitoring: A compromised wildcard key exposes all subdomains.
- HSTS without testing: A misconfigured HSTS header with preload is extremely difficult to undo.
- Ignoring DMARC reports: Publishing rua without reading reports defeats the purpose.
- Forgetting non-sending domains: Domains that don't send email still need v=spf1 -all and p=reject.
Tools
DNS Lookup: Query A, AAAA, MX, NS, TXT, and other DNS record types.
SPF Checker: Validate SPF records and count DNS lookups.
DKIM Checker: Verify DKIM selectors and key strength.
DMARC Checker: Analyze DMARC policy and reporting tags.
BIMI Checker: Validate BIMI records and logo format.
SSL Checker: Inspect certificate chain, expiry, and TLS config.
Security Scanner: Audit HTTP security headers.
CNAME Lookup: Resolve CNAME chains to detect dangling records.
TXT Lookup: Retrieve all TXT records for a domain.
DNS Checker: Global DNS propagation and DNSSEC validation.
References
- Google: Email sender guidelines (2024)
- Yahoo: Sender Requirements
- Qualys SSL Labs: SSL Server Test
- Security Headers: Analysis Tool
- RFC 8461: MTA-STS
- RFC 8460: TLS Reporting (TLSRPT)
A domain security audit is not a one-time event; it is a recurring discipline. Use the quarterly schedule and scoring system above to track progress. Prioritize email authentication and SSL/TLS first, as these have the highest impact on both security and deliverability.