Non-.gov Domain Detected
Pursuant to OMB Memorandum M-23-10, issued in coordination with the Department of Homeland Security and the Cybersecurity and Infrastructure Security Agency (CISA), all U.S. government websites, including those operated by state, tribal, county, municipal, special district, and school district entities, are strongly directed to operate under a .gov domain. Existing government websites should be migrated to, and permanently redirected to, a .gov domain in order to strengthen authenticity, public trust, cybersecurity posture, and protection against impersonation and spoofing.
Executive Summary
Failing even 1 check is a major security concern and should be addressed immediately. Each failing control represents a potential attack vector that could be exploited by malicious actors.
Domain & DNS Security
Layer: Internet resolution and authenticity.
Checks included: DNSSEC validation, nameserver configuration, IPv6 DNS support for name servers and web servers.
Why this matters: DNS is foundational. If DNS is compromised, everything else is irrelevant. Attackers can redirect traffic, intercept communications, or impersonate your domain if DNS security is weak.
Responsibility: Domain administrator manages DNS records, DNSSEC keys, and nameserver configuration.
🔐 DNSSEC
DNSSEC is Enabled ✓
DNSSEC (Domain Name System Security Extensions) is a security standard that adds cryptographic digital signatures to DNS records, verifying their authenticity and integrity to protect against DNS spoofing, cache poisoning, and man-in-the-middle attacks by ensuring data comes from the legitimate source and hasn't been altered in transit.
DNSSEC (Domain Name System Security Extensions)
What is it?
DNSSEC adds cryptographic signatures to DNS records to protect against DNS spoofing and cache poisoning attacks. It creates a chain of trust from the root DNS zone down to your domain.
Why is it important?
Without DNSSEC, attackers can redirect your domain to malicious servers by poisoning DNS caches. This can lead to phishing attacks, data theft, and loss of trust. DNSSEC ensures that DNS responses are authentic and haven't been tampered with.
What can go wrong if not properly setup?
If DNSSEC is not properly configured: attackers can hijack your DNS, redirect traffic to malicious sites, intercept emails, and compromise your entire domain infrastructure. Improper DNSSEC setup can also cause DNS resolution failures.
Technical Details
DNSSEC uses public-key cryptography. The root zone has DNSKEY records, which are signed by RRSIG records. Each level (root → TLD → domain) has DS (Delegation Signer) records that link the chain together. The domain must have DNSKEY records and RRSIG records for all DNS record types.
Web Transport Security (HTTPS & TLS)
Layer: Client-to-server encryption.
Checks included: HTTPS availability, HTTPS redirect enforcement, TLS version support, cipher configuration, TLS renegotiation security, 0-RTT status, compression settings, HSTS configuration.
Why this matters: TLS is one logical system that protects data in transit between browsers and servers. Weak TLS configuration allows attackers to intercept, decrypt, or modify communications. Modern standards require TLS 1.2 or higher with secure cipher suites.
Responsibility: Web and infrastructure team configures web server TLS settings, certificate deployment, and HTTPS redirect rules.
🔒 SSL/TLS Certificate
Valid, Passed ✓
SSL/TLS (Secure Sockets Layer / Transport Layer Security) provides encrypted communication between web browsers and servers, protecting data in transit from interception and tampering. SSL/TLS certificates authenticate the server's identity and establish a secure channel for transmitting sensitive information such as login credentials, personal data, and financial transactions. This check verifies that HTTPS is enabled, HTTP traffic is redirected to HTTPS, and the SSL/TLS certificate is valid and properly configured. Without proper SSL/TLS implementation, all data transmitted between users and your website is vulnerable to interception and modification by attackers.
SSL/TLS Certificate
What is it?
SSL/TLS certificates encrypt data transmitted between web browsers and servers, ensuring that sensitive information cannot be intercepted by attackers.
Why is it important?
SSL/TLS is mandatory for government websites per CISA requirements. It protects user data, prevents man-in-the-middle attacks, and is required for compliance. Without it, all data transmitted is visible to attackers.
What can go wrong if not properly setup?
If SSL/TLS is not properly configured: all data is transmitted in plain text, attackers can intercept and modify communications, browsers will show security warnings, and you fail CISA compliance requirements.
Technical Details
SSL/TLS certificates contain: issuer information, subject (domain name), validity dates, public key, and digital signature. Certificates must be valid, not expired, and match the domain name. HTTPS should be forced (HTTP redirects to HTTPS).
Issuer: WE1
Subject: opkansas.org
Valid From: 2026-03-09T06:31:39.000Z
Valid To: 2026-06-07T07:31:37.000Z
Days Remaining: 89 days
🔒 Secure Connection (HTTPS)
HTTPS Properly Configured ✓
Enhanced HTTPS and TLS Configuration provides comprehensive validation of your web server's encryption setup beyond basic SSL/TLS certificate validation. This check verifies that HTTPS is available and properly configured, HTTP traffic is automatically redirected to HTTPS, HSTS (HTTP Strict Transport Security) is enabled to force browsers to use HTTPS, TLS version is modern and secure (TLS 1.2 or higher), cipher suites are strong and properly ordered, TLS compression is disabled to prevent CRIME attacks, secure renegotiation is supported, client-initiated renegotiation is disabled to prevent denial of service, and 0-RTT (zero round trip time) is properly configured. Weak TLS configuration allows attackers to downgrade connections, intercept communications, or exploit protocol vulnerabilities.
TLS Configuration
TLSv1.3
✓ Secure
Unknown
Enhanced HTTPS/TLS Configuration
HTTPS Configuration
Enhanced HTTPS checks verify that HTTPS is properly configured with redirects, compression, and HSTS (HTTP Strict Transport Security) headers.
Why is HTTPS configuration important?
Proper HTTPS configuration is fundamental to web security. HSTS prevents downgrade attacks and ensures all connections are encrypted. HTTPS redirects ensure users always use secure connections. These are required for CISA compliance and protect against man-in-the-middle attacks.
TLS Configuration
TLS (Transport Layer Security) configuration checks verify that your server uses secure TLS versions, proper cipher suites, and secure settings.
Why is TLS configuration important?
Proper TLS configuration prevents attacks like BEAST, POODLE, and other TLS vulnerabilities. Weak ciphers, TLS compression, or insecure renegotiation can allow attackers to decrypt or intercept communications. This is critical for protecting sensitive government data.
What can go wrong if not properly setup?
Without proper HTTPS configuration: users may access your site over unencrypted HTTP, attackers can intercept and modify communications, browsers will show security warnings, and you fail compliance requirements. Missing HSTS allows attackers to force unencrypted connections.
Weak TLS configuration: allows attackers to decrypt communications, enables man-in-the-middle attacks, exposes sensitive data, and fails security compliance. TLS compression (CRIME attack) and client-initiated renegotiation are serious vulnerabilities.
Technical Details
HTTPS checks verify: 1) HTTPS is available and working, 2) HTTP redirects to HTTPS automatically, 3) HSTS header is present with appropriate max-age, 4) HSTS includes subdomains when appropriate. HTTP compression is informational but improves performance.
TLS checks verify: 1) TLS version 1.2 or higher (TLS 1.3 preferred), 2) Strong cipher suites with proper ordering, 3) Secure key exchange parameters, 4) No TLS compression (vulnerable to CRIME), 5) Secure renegotiation enabled, 6) Client-initiated renegotiation disabled, 7) 0-RTT (early data) status.
Certificate & Trust Policy
Layer: Cryptographic trust and issuance control.
Checks included: Certificate validity, trust chain verification, public key validation, signature verification, domain name matching, CAA (Certificate Authority Authorization) records.
Why this matters: Certificates and CAA are about who is allowed to issue trust, not transport mechanics. Invalid certificates or missing CAA records allow attackers to obtain fraudulent certificates for your domain, enabling man-in-the-middle attacks. Trust chain validation ensures certificates are issued by legitimate Certificate Authorities.
Responsibility: Security and PKI administrators manage certificate lifecycle, CAA DNS records, and trust chain configuration.
📜 Certificate
Certificate Issues Found ✗
Certificate Validation ensures that SSL/TLS certificates are properly issued, trusted, and correctly configured for your domain. This check validates the certificate trust chain (verifying it was issued by a recognized Certificate Authority), confirms the public key is valid and properly formatted, verifies the cryptographic signature is authentic, checks that the certificate domain name matches your actual domain, and confirms CAA (Certificate Authority Authorization) records are present to control which Certificate Authorities can issue certificates for your domain. Without proper certificate validation, attackers could obtain fraudulent certificates and perform man-in-the-middle attacks, intercepting and modifying communications between users and your website.
Certificate Validation
What is it?
Certificate validation checks verify that your SSL/TLS certificate has a valid trust chain, proper public key, valid signature, matches your domain, and has CAA records.
Why is it important?
A valid certificate chain ensures browsers trust your certificate. Domain name matching prevents certificate errors. CAA records control which Certificate Authorities can issue certificates for your domain, preventing unauthorized certificate issuance. This is fundamental to HTTPS security.
What can go wrong if not properly setup?
Invalid certificates: browsers show security warnings, users cannot access your site, attackers can issue fake certificates for your domain (without CAA), and you fail compliance requirements. Missing CAA records allow any CA to issue certificates for your domain.
Technical Details
Certificate validation checks: 1) Trust chain (certificate is signed by trusted CA), 2) Public key validity, 3) Signature validity, 4) Domain name matches certificate (CN or SAN), 5) CAA (Certificate Authority Authorization) DNS records exist to control certificate issuance.
HTTP Application Security Headers
Layer: Browser-side attack prevention.
Checks included: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, security.txt file presence.
Why this matters: Headers mitigate XSS, clickjacking, data leakage. They are not TLS controls but application-level security directives that instruct browsers how to handle your content. Missing headers allow attackers to embed your site in malicious frames, execute XSS attacks, or leak sensitive referrer information. The security.txt file provides a standardized way for security researchers to report vulnerabilities.
Responsibility: Web application owner configures HTTP response headers in web server or application framework settings.
🛡️ HTTP Security Headers
Security Headers Not Properly Configured ✗
HTTP Security Headers are directives sent by web servers that instruct browsers how to handle your website's content and protect against common web vulnerabilities. X-Frame-Options prevents clickjacking attacks by controlling whether your site can be embedded in frames. X-Content-Type-Options prevents MIME type sniffing attacks that could allow malicious files to be executed. Referrer-Policy controls how much referrer information is sent with requests, preventing sensitive data leakage. The security.txt file provides a standardized way for security researchers to report vulnerabilities to your organization. These headers are application-level security controls that complement TLS encryption by protecting against browser-based attacks.
SAMEORIGIN
HTTP Security Headers
What are they?
HTTP security headers provide additional security controls to protect against common web vulnerabilities like clickjacking, MIME type sniffing, and information leakage.
Why are they important?
Security headers are a fundamental defense against web attacks. X-Frame-Options prevents clickjacking. X-Content-Type-Options prevents MIME sniffing attacks. Referrer-Policy controls information leakage. security.txt provides a standard way to report security vulnerabilities. These are required for modern web security.
What can go wrong if not properly setup?
Missing security headers: your site is vulnerable to clickjacking attacks, MIME type confusion attacks, information leakage through referrer headers, and security researchers cannot easily report vulnerabilities. These are low-hanging fruit for attackers.
Technical Details
Security headers checked: 1) X-Frame-Options (prevents iframe embedding - should be DENY or SAMEORIGIN), 2) X-Content-Type-Options: nosniff (prevents MIME sniffing), 3) Referrer-Policy (controls referrer information), 4) security.txt file at /.well-known/security.txt or /security.txt (RFC 9116).
Email Authentication & Transport Security
Layer: Identity and message integrity.
Checks included: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting & Conformance), MTA-STS (Mail Transfer Agent Strict Transport Security), TLS-RPT (TLS Reporting).
Why this matters: Email is a completely separate attack surface from web security. Without proper authentication, attackers can spoof emails from your domain, leading to phishing attacks, reputation damage, and email delivery failures. SPF defines authorized sending servers, DKIM cryptographically signs messages, DMARC provides policy enforcement, MTA-STS enforces secure email transport, and TLS-RPT provides visibility into email transport security issues.
Responsibility: Email and messaging administrators configure DNS records for SPF, DKIM, and DMARC, deploy MTA-STS policies, and monitor TLS-RPT reports.
📧 SPF Record
Yes, Enabled, Passed ✓
SPF (Sender Policy Framework) is an email authentication protocol that specifies which mail servers are authorized to send email on behalf of your domain. SPF helps prevent email spoofing by allowing receiving mail servers to verify that incoming emails claiming to be from your domain are actually coming from authorized servers.
v=spf1 include:_spf.fortimailcloud.com include:_spf.google.com include:spf.constantcontact.com include:_spf.psm.knowbe4.com include:sendgrid.net ip4:23.160.216.3 ip4:192.254.115.42 ip4:173.243.134.117 -all
SPF (Sender Policy Framework)
What is it?
SPF is a DNS record that specifies which mail servers are authorized to send email on behalf of your domain.
Why is it important?
SPF prevents email spoofing. Without it, anyone can send emails claiming to be from your domain. The "-all" mechanism is critical - it means "reject all emails from servers not listed", providing strict protection.
Why is "-all" critical?
The "-all" mechanism means "reject all emails from servers not explicitly listed in the SPF record." This provides strict protection. Without it, or with "~all" (soft fail) or "?all" (neutral), attackers can still send spoofed emails from your domain.
What can go wrong if not properly setup?
If SPF is missing or improperly configured: attackers can spoof emails from your domain, leading to phishing attacks, reputation damage, and email delivery failures. Using "~all" or "?all" instead of "-all" provides weak protection.
Technical Details
SPF records use mechanisms like: "include:" (authorize other domains), "a" (authorize A records), "mx" (authorize MX records), "ip4:" (authorize specific IPs), "-all" (reject all others - STRICT), "~all" (soft fail - WEAK), "?all" (neutral - NO PROTECTION).
📧 DKIM
DKIM Enabled, Passed ✓
DKIM (DomainKeys Identified Mail) cryptographically signs emails to verify their authenticity. DKIM adds a digital signature to outgoing emails that can be verified by receiving servers to ensure the email hasn't been tampered with and actually came from your domain. Due to the way DKIM is implemented, it is possible to have a false negative if the selector is not in a common DKIM selector list. Contact us if you need help checking manually.
DKIM (DomainKeys Identified Mail)
What is it?
DKIM cryptographically signs outgoing emails using a private key. The public key is published in DNS, allowing recipients to verify the email's authenticity.
Why is it important?
DKIM proves that emails actually came from your domain and haven't been modified in transit. It works with SPF and DMARC to provide complete email authentication.
What can go wrong if not properly setup?
If DKIM is missing: recipients cannot verify email authenticity, emails may be marked as spam, and you cannot prove emails came from your domain in legal disputes.
Technical Details
DKIM uses a selector (like "google", "default", "mail") combined with "_domainkey" subdomain. The selector._domainkey.domain.com DNS record contains the public key. We check 250+ common selectors to find DKIM records.
Selector: google
Domain: google._domainkey.opkansas.org
Record:
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiwRG18yx7CA0L10RphvoBAhlih7ITJaf2/b0YFEDxdVhW4qByfL+dfUVUSSaTsYf6psnzH4hQBtqf7i05oFWbHV4GXJMLC/XfwzYmxhw0GP8oH17c6szxvlahe4jJCtGnY8QZaq4snHNMjpsUjc3H+elSyHY5+kpKDGEMkQrxKbz5WRPbyBJwEM0EMOd/+D7j eNCUzFb6zB/KpbG2fg/uNXfIzaMvH8JNGgFw9yZbhRtwlGv9rVD0biB4/CMo34K/fOoaLBblaXGVjjN9wdFhBO173wNRrpGIPnDRGeAxIfozL79UkDx/tpFNZYpxc/k50nHjukw8di0NAKMQ+0bvQIDAQAB
📧 DMARC
DMARC Enabled, Passed ✓
DMARC (Domain-based Message Authentication, Reporting & Conformance) builds on SPF and DKIM to provide a policy framework for email authentication. DMARC tells receiving mail servers what to do with emails that fail SPF or DKIM checks (reject, quarantine, or monitor) and provides reporting on authentication results, helping prevent email spoofing and phishing attacks.
Quarantine is a good and effective DMARC policy. When set to quarantine, emails that fail SPF or DKIM checks are sent to the spam/junk folder instead of being rejected completely. This provides strong protection against email spoofing and phishing attacks while still allowing legitimate emails that might have authentication issues to be delivered (just to spam, where they can be reviewed). Quarantine is often used as a stepping stone before moving to "reject" policy, or as a permanent policy for organizations that want protection but also want to avoid potential false positives from legitimate senders.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
What is it?
DMARC tells receiving mail servers what to do with emails that fail SPF or DKIM checks. It also provides reporting on email authentication.
Why is it important?
DMARC is the final layer of email security. It enforces SPF and DKIM policies and provides visibility into email authentication failures. Required for CISA compliance.
What can go wrong if not properly setup?
If DMARC is missing: you have no control over what happens to spoofed emails, no visibility into authentication failures, and cannot achieve complete email security.
Technical Details
DMARC policies: "none" (monitor only), "quarantine" (send to spam), "reject" (reject email). Should include "pct=100" (apply to 100% of emails) and "rua=" (reporting email address).
Full DMARC Record
v=DMARC1; p=quarantine; rua=mailto:348e3bc55549476fa503fff8e9a1b1fa@dmarc-reports.cloudflare.net
V: DMARC1
P: quarantine
RUA: mailto:348e3bc55549476fa503fff8e9a1b1fa@dmarc-reports.cloudflare.net
📬 MTA-STS
Not Enabled, FAIL ✗
MTA-STS (Mail Transfer Agent Strict Transport Security) enforces secure TLS connections for email transmission, preventing man-in-the-middle attacks on email delivery.
MTA-STS (Mail Transfer Agent Strict Transport Security)
What is it?
MTA-STS enforces secure TLS connections for email transmission, preventing man-in-the-middle attacks on email delivery.
Why is it important?
MTA-STS prevents attackers from intercepting emails in transit by forcing encrypted connections. Critical for government email security.
What can go wrong if not properly setup?
If MTA-STS is not configured: email transmission can be intercepted, attackers can downgrade to unencrypted connections, and sensitive government communications are at risk.
Technical Details
MTA-STS requires: 1) _mta-sts.domain.com TXT record with "v=STSv1", 2) Policy file at https://mta-sts.domain.com/.well-known/mta-sts.txt with "mode: enforce", 3) Valid SSL certificate. Mode "enforce" means strict enforcement, "testing" is monitoring only.
Policy File (mta-sts.opkansas.org/.well-known/mta-sts.txt)
{"success":false,"error":"fetch failed"}
📊 TLS-RPT
Not Enabled, FAIL ✗
TLS-RPT (TLS Reporting)
What is it?
TLS-RPT provides reports on TLS connection failures for email transmission, helping identify and fix email delivery issues.
Why is it important?
TLS-RPT gives visibility into email delivery problems, helps identify misconfigurations, and ensures email security is working properly.
What can go wrong if not properly setup?
Without TLS-RPT: you have no visibility into email delivery failures, cannot identify security issues, and may not know when email is being intercepted.
Technical Details
TLS-RPT uses _smtp._tls.domain.com TXT record with "v=TLSRPTv1" and "rua=" email address for reports. Reports are sent in JSON format showing TLS connection failures.
Hosting & Platform Information
Informational – Not a Security Control
Layer: Transparency and context.
Information included: Hosting provider identification, web and email IP addresses, MX record configuration, platform detection (WordPress), website scanning results (email addresses found, broken links).
Why this matters: This section provides context for auditors and IT staff but does not represent security controls. Understanding hosting infrastructure helps assess risk exposure, identify shared hosting concerns, and track platform dependencies. WordPress detection helps identify if version monitoring is required. Website scanning identifies potential information disclosure issues.
Responsibility: IT staff and auditors use this information for risk assessment and compliance documentation.
🌐 Hosting Provider
Informational ℹ
Hosting Provider Requirements
Shared cPanel Hosting Prohibited
Shared cPanel hosting is very strongly discouraged and subject to additional guidelines per Federal Government security guidelines (CISA). Consumer-focused hosting should be avoided at all costs, as it lacks proper security. If an attacker gains access to the server through another tenant/domain also hosted on the server, they could compromise your small slice of the server and your domain. This creates a significant security risk where one compromised account on a shared server can lead to compromise of all other accounts on that server.
Why This Matters
Government domains require enterprise-grade hosting with proper isolation between tenants, comprehensive security controls, and compliance with federal security standards. Shared hosting environments, especially those using cPanel/WHM, do not meet these requirements.
🌐 IPv6 Support
Partial IPv6 Support ⚠
IPv6 (Internet Protocol version 6) is the next generation internet protocol that provides a vastly expanded address space compared to IPv4. IPv6 support ensures your domain is accessible via both IPv4 and IPv6 networks, providing redundancy and future-proofing your infrastructure. Modern networks increasingly rely on IPv6, and lack of IPv6 support can result in connectivity issues for users on IPv6-only networks. This check validates that both name servers and web servers have IPv6 addresses (AAAA records) and are reachable via IPv6, ensuring your domain remains accessible as the internet transitions to IPv6.
Name Servers
2803:f800:50::6ca2:c2c5
2606:4700:50::a29f:26c5
2a06:98c1:50::ac40:22c5
2a06:98c1:50::ac40:2141
2803:f800:50::6ca2:c141
2606:4700:58::adf5:3b41
Web Server
IPv6 Support
What is it?
IPv6 is the next-generation Internet Protocol that provides a much larger address space than IPv4. IPv6 support ensures your domain is accessible via both IPv4 and IPv6 addresses.
Why is it important?
IPv6 is becoming increasingly important as IPv4 addresses are exhausted. Government agencies should support IPv6 to ensure accessibility for all users, especially as more networks transition to IPv6-only. It also demonstrates modern infrastructure and future-proofing.
What can go wrong if not properly setup?
Without IPv6 support: your domain may become inaccessible to IPv6-only networks, you may lose users as IPv6 adoption increases, and you fail to meet modern internet standards. IPv6-only networks are becoming more common, especially in government and enterprise environments.
Technical Details
IPv6 support requires: 1) AAAA DNS records for your domain (IPv6 addresses), 2) AAAA records for name servers, 3) IPv6 connectivity for both name servers and web server, 4) Same content served on both IPv4 and IPv6. We check for AAAA records and test connectivity to verify IPv6 is properly configured.
Network & Infrastructure Trust
Layer: Internet routing and reputation.
Checks included: RPKI (Resource Public Key Infrastructure) validation for route origin authorization, IP abuse checks against blacklists, domain reputation analysis, PTR record validation.
Why this matters: These controls protect against hijacking, spoofing, and reputation-based blocking. RPKI prevents BGP route hijacking by cryptographically validating that IP address blocks are announced by authorized networks. IP abuse checks identify if your IP addresses are on spam or malware blacklists, which can cause email delivery failures and website blocking. Domain reputation affects email deliverability and search engine rankings.
Responsibility: ISP and infrastructure providers manage RPKI ROA (Route Origin Authorization) records, IP address allocation, and network routing announcements.
🛡️ IP Abuse Checks
Passed ✓
104.18.31.225
148.230.56.62
opkansas-org.fortimailcloud.com
IP Abuse Checks
What is it?
Checks if your hosting IP addresses are listed on abuse databases or blacklists, indicating compromised or malicious infrastructure.
Why is it important?
If your IPs are blacklisted: emails will be rejected, websites will be blocked, and your infrastructure may be compromised. Critical for security assessment.
What can go wrong if not properly setup?
If IPs are blacklisted: email delivery fails, websites are blocked by security tools, reputation is damaged, and you may be hosting malicious content.
Technical Details
We check: 1) Web IP against our comprehensive abuse database for abuse reports, 2) Email IP against our blacklist database for Primary Blacklist status, 3) PTR records for proper reverse DNS. Blacklisted IPs indicate compromised infrastructure.
Web IP Reputation Analysis
Blacklist Detections: 0
Detection Rate: 0%
Risk Score: 0/100
Abuse Confidence Score: 0%
Email IP Reputation Analysis
Blacklist Detections: 0
Detection Rate: 0%
Risk Score: 0/100
Email IP Blacklist Check Results
Primary Blacklist Status: Clean
Blacklist Detections: 0
Detection Rate: 0%
Risk Score: 0/100
Abuse Confidence Score: 0/100
Whitelisted: No
🛡️ Domain Reputation
Clean, Passed ✓
Domain Reputation measures how trustworthy your domain appears to security systems and email providers. A good reputation ensures your emails are delivered and your website is not flagged as malicious. Domain reputation is determined by factors such as historical email sending patterns, blacklist status, phishing reports, and security incidents associated with the domain.
🛣️ Route Authorization (RPKI)
RPKI Validated ✓
Name Servers
Web Server
RPKI (Route Origin Authorization)
What is it?
RPKI is a security framework that verifies the authenticity of BGP route announcements, preventing route hijacking and BGP attacks.
Why is it important?
RPKI prevents attackers from hijacking your IP address space by announcing unauthorized routes. This is critical for infrastructure security. Without RPKI, attackers can redirect traffic intended for your domain to malicious servers, even if DNS and other security measures are in place.
What can go wrong if not properly setup?
Without RPKI: attackers can hijack your IP address space, redirect all traffic to malicious servers, intercept communications, and cause widespread service disruption. Route hijacking is a serious threat to internet infrastructure.
Technical Details
RPKI checks verify: 1) Route Origin Authorization (ROA) records exist for your IP address space, 2) Route announcements are valid according to RPKI. ROA records specify which ASNs are authorized to announce specific IP prefixes. Invalid announcements are rejected by RPKI-validating networks.