TL;DR
A domain security audit reviews DNS configuration, email authentication, SSL/TLS certificates,
and HTTP security headers to identify vulnerabilities before attackers do. This 2026 checklist
provides structured tables, a quarterly schedule, and a scoring system so you can track
your domain's security posture over time.
📑 Table of Contents
- Why Domain Audits Matter in 2026
- DNS Configuration Checklist
- Email Authentication Checklist
- SSL/TLS Certificate Checklist
- Security Headers Checklist
- Scoring System
- Quarterly Audit Schedule
- Best Practices
- Common Mistakes
- Tools
- References
Why Domain Audits Matter in 2026
Google and Yahoo have enforced bulk-sender requirements (SPF and DKIM authentication, a DMARC record,
one-click unsubscribe, low spam-complaint rates) since February 2024; browsers block mixed content and warn on
expired or mismatched certificates; and attackers actively hunt for dangling DNS records that allow subdomain
takeover. A quarterly audit catches configuration drift before it becomes a breach.
💡 Organizations with regular domain audits detect misconfigurations 4× faster than those
relying on incident-driven reviews (Verizon DBIR 2025).
DNS Configuration Checklist
| Check | Expected State | Tool | Risk if Missing |
|---|---|---|---|
| A / AAAA records resolve | Valid IPs you still control; none pointing at released cloud addresses | DNS Lookup | Subdomain takeover via reclaimed IPs |
| CNAME records valid | All targets resolve | CNAME Lookup | Subdomain takeover |
| TXT records clean | No stale verification tokens | TXT Lookup | Information leakage |
| DNSSEC enabled | DS record in parent, signatures valid | DNS Checker | DNS spoofing |
| CAA record set | issue/issuewild limited to authorized CAs; iodef contact set | DNS Lookup | Rogue certificates |
| NS records consistent | All NS respond identically | DNS Checker | Resolution failures |
| Low TTL audit | No production records below 300s without reason | DNS Lookup | Performance impact |
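The CNAME and CAA rows above are the ones most easily automated. The following is an added example written for this checklist, not code from the original page: it walks every CNAME in a constructed zone snapshot, flags chains that end in NXDOMAIN (the takeover candidates) or loop back on themselves, and confirms the apex has a CAA record. The zone data, the `hosting.example.net` provider names and the stub `resolve()` are all hypothetical so the script runs offline; in a CI job you would swap `resolve()` for live lookups.

```python
"""Dangling-CNAME, CNAME-loop and CAA audit over a constructed zone snapshot.

Added example for this checklist, not code from the original page. The
resolver is an in-memory stub so it runs offline; in a CI job you would
replace resolve() with real lookups (for example via dnspython).
"""
from typing import Dict, List, Optional, Tuple

RRSet = List[Tuple[str, str]]  # (record type, value)

# Constructed zone for a hypothetical example.com; none of this is live DNS.
ZONE: Dict[str, RRSet] = {
    "example.com": [("A", "203.0.113.10"), ("CAA", '0 issue "letsencrypt.org"')],
    "www.example.com": [("A", "203.0.113.10")],
    "blog.example.com": [("CNAME", "pages.hosting.example.net")],
    "shop.example.com": [("CNAME", "old-shop.hosting.example.net")],  # provider tenant deleted
    "a.example.com": [("CNAME", "b.example.com")],
    "b.example.com": [("CNAME", "a.example.com")],  # accidental loop
}

# Names outside the zone that still resolve; anything absent answers NXDOMAIN.
EXTERNAL: Dict[str, RRSet] = {
    "pages.hosting.example.net": [("A", "198.51.100.20")],
}


def resolve(name: str) -> Optional[RRSet]:
    """Stub resolver: return the record set for name, or None for NXDOMAIN."""
    return ZONE.get(name) or EXTERNAL.get(name)


def follow_cname(name: str, max_hops: int = 8) -> Tuple[str, str]:
    """Walk a CNAME chain from name.

    Returns (last name examined, status) with status one of:
    ok (chain ends at a name with non-CNAME records), dangling (a target
    does not exist: takeover candidate), loop, or too_long.
    """
    seen: List[str] = []
    current = name
    while len(seen) < max_hops:
        if current in seen:
            return current, "loop"
        seen.append(current)
        rrset = resolve(current)
        if rrset is None:
            return current, "dangling"
        targets = [value for rtype, value in rrset if rtype == "CNAME"]
        if not targets:
            return current, "ok"
        current = targets[0]
    return current, "too_long"


def caa_issuers(zone: Dict[str, RRSet], apex: str) -> List[str]:
    """Return the CAs allowed by issue/issuewild CAA records at the apex."""
    allowed = []
    for rtype, value in zone.get(apex, []):
        if rtype != "CAA":
            continue
        _flags, tag, ca = value.split(" ", 2)
        if tag in ("issue", "issuewild"):
            allowed.append(ca.strip('"'))
    return allowed


def audit_zone(zone: Dict[str, RRSet], apex: str) -> List[Tuple[str, str]]:
    """Return (owner, finding) pairs for every CNAME problem and a missing CAA."""
    findings = []
    for owner, rrset in zone.items():
        if any(rtype == "CNAME" for rtype, _ in rrset):
            target, status = follow_cname(owner)
            if status != "ok":
                findings.append((owner, f"{status} CNAME chain (stops at {target})"))
    if not caa_issuers(zone, apex):
        findings.append((apex, "no CAA record: any public CA may issue for this domain"))
    return findings


if __name__ == "__main__":
    for owner, finding in audit_zone(ZONE, "example.com"):
        print(f"{owner}: {finding}")
```

Run against the constructed zone it reports `shop.example.com` as dangling and both `a`/`b` as a loop. The dangling case is the one to act on first: if the target name belongs to a hosting provider that lets anyone claim unclaimed names, whoever registers it serves content under your domain.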
Email Authentication Checklist
| Check | Expected State | Tool | Risk if Missing |
|---|---|---|---|
| SPF record exists | Exactly one v=spf1 TXT record; at most 10 DNS-querying terms (include, a, mx, ptr, exists, redirect) per RFC 7208 | SPF Checker | Spoofing / permerror delivery failure |
| DKIM selector valid | RSA 2048-bit or stronger, or Ed25519; keys rotated at least annually | DKIM Checker | Message tampering / forged signatures |
| DMARC policy | p=reject or p=quarantine, ideally pct=100; rua tag set so aggregate reports arrive | DMARC Checker | Domain impersonation |
| BIMI record | Valid SVG Tiny PS logo; VMC certificate (optional in the spec, but some mailbox providers such as Gmail require one to display the logo) | BIMI Checker | Missed brand visibility |
| MTA-STS policy | _mta-sts TXT record (v=STSv1; id=...) plus a policy file at https://mta-sts.example.com/.well-known/mta-sts.txt with mode: enforce | TXT Lookup | SMTP TLS downgrade / MITM on inbound mail |
| TLS-RPT record | _smtp._tls TXT record: v=TLSRPTv1; rua=mailto:... | TXT Lookup | No visibility into TLS delivery failures |
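The SPF and DMARC rows are where audits most often find the silent failures: a second v=spf1 record, an include chain that pushes the lookup count past 10, or a DMARC record that never left p=none. The following is an added example written for this checklist, not code from the original page. All TXT records are constructed (documentation IP ranges, made-up `mailprovider.example` / `outbound.example` provider names), and `txt()` stands in for a real DNS lookup so it runs offline.

```python
"""SPF lookup counting and DMARC policy checks over constructed TXT records.

Added example for this checklist, not code from the original page. The
records below are made up (documentation IP ranges, hypothetical provider
names); txt() stands in for a real TXT lookup so the script runs offline.
"""
from typing import Dict, List, Optional

# Constructed TXT data keyed by DNS owner name.
TXT: Dict[str, List[str]] = {
    "example.com": [
        "v=spf1 include:_spf.mailprovider.example include:_spf.outbound.example mx -all",
        "site-verification=abc123",  # not SPF, must be ignored
    ],
    "_spf.mailprovider.example": [
        "v=spf1 include:_net1.mailprovider.example include:_net2.mailprovider.example "
        "include:_net3.mailprovider.example ~all"
    ],
    "_net1.mailprovider.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_net2.mailprovider.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_net3.mailprovider.example": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_spf.outbound.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_redir.example": ["v=spf1 redirect=_spf.outbound.example"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"],
    # A broken domain: two SPF records (RFC 7208 allows exactly one) and a monitor-only DMARC.
    "broken.example": ["v=spf1 include:_spf.mailprovider.example -all", "v=spf1 mx -all"],
    "_dmarc.broken.example": ["v=DMARC1; p=none; pct=50"],
}

# Terms that cost a DNS query under the RFC 7208 section 4.6.4 limit of 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


def txt(name: str) -> List[str]:
    """Stub TXT lookup (replace with a real resolver in production)."""
    return TXT.get(name, [])


def spf_record(name: str) -> str:
    """Return the single v=spf1 record for name; raise if there are zero or several."""
    recs = [r for r in txt(name) if r.lower().startswith("v=spf1")]
    if len(recs) != 1:
        raise ValueError(f"{name}: expected exactly one v=spf1 record, found {len(recs)}")
    return recs[0]


def count_spf_lookups(name: str, depth: int = 0) -> int:
    """Count DNS-querying terms in name's SPF record, following include: and redirect=."""
    if depth > 10:  # guard against include cycles
        raise ValueError(f"{name}: include chain too deep")
    count = 0
    for term in spf_record(name).split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if term.lower().startswith("redirect="):
            count += 1 + count_spf_lookups(term.split("=", 1)[1], depth + 1)
            continue
        mech = term.split(":", 1)[0].split("/", 1)[0].lower()  # "a/24" -> "a"
        if mech == "include":
            count += 1 + count_spf_lookups(term.split(":", 1)[1], depth + 1)
        elif mech in LOOKUP_MECHANISMS:
            count += 1
    return count


def parse_dmarc(domain: str) -> Optional[Dict[str, str]]:
    """Return DMARC tags for domain, or None when no single v=DMARC1 record exists."""
    recs = [r for r in txt(f"_dmarc.{domain}") if r.startswith("v=DMARC1")]
    if len(recs) != 1:
        return None
    tags: Dict[str, str] = {}
    for part in recs[0].split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def email_auth_findings(domain: str) -> List[str]:
    """Apply the checklist's SPF and DMARC expectations to domain; empty list means pass."""
    findings: List[str] = []
    try:
        lookups = count_spf_lookups(domain)
        if lookups > 10:
            findings.append(f"SPF: needs {lookups} DNS lookups (limit 10): permerror")
    except ValueError as exc:
        findings.append(f"SPF: {exc}")
    tags = parse_dmarc(domain)
    if tags is None:
        findings.append("DMARC: no record")
    else:
        if tags.get("p") not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={tags.get('p')} is not an enforcing policy")
        if "rua" not in tags:
            findings.append("DMARC: no rua tag, aggregate reports will not be received")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    return findings


if __name__ == "__main__":
    for d in ("example.com", "broken.example"):
        print(d, count_spf_lookups.__name__, email_auth_findings(d))
```

For the constructed `example.com` the count is 6 (two top-level includes, three nested ones and `mx`), comfortably under the limit; `broken.example` fails before counting because two v=spf1 records are a permerror on their own.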
SSL/TLS Certificate Checklist
| Check | Expected State | Tool | Risk if Missing |
|---|---|---|---|
| Certificate valid | Not expired, covers all subdomains | SSL Checker | Browser warnings / MITM |
| TLS version | TLS 1.2+ only; TLS 1.0/1.1 disabled | SSL Checker | Protocol downgrade |
| Certificate chain | Complete chain served, no missing intermediates | SSL Checker | Mobile trust failures |
| HSTS header | max-age ≥ 31536000; includeSubDomains; preload (only after confirming every subdomain serves HTTPS, because a preload listing is hard to undo) | Security Scanner | SSL stripping |
| OCSP stapling | Enabled on the server where the CA still runs OCSP responders; some CAs, Let's Encrypt among them, are retiring OCSP in favor of CRLs, so check what your certificate's AIA extension advertises | SSL Checker | Revocation check delays |
| CT logs | Certificate in public transparency logs | SSL Checker | Rogue cert detection gap |
Security Headers Checklist
| Header | Recommended Value | Tool |
|---|---|---|
| Content-Security-Policy | Restrictive default-src 'self' with explicit exceptions; frame-ancestors to control framing; roll out via Content-Security-Policy-Report-Only first | Security Scanner |
| X-Content-Type-Options | nosniff | Security Scanner |
| X-Frame-Options | DENY or SAMEORIGIN (legacy; CSP frame-ancestors takes precedence in modern browsers, keep both for older clients) | Security Scanner |
| Referrer-Policy | strict-origin-when-cross-origin | Security Scanner |
| Permissions-Policy | camera=(), microphone=(), geolocation=() | Security Scanner |
| Cross-Origin-Opener-Policy | same-origin | Security Scanner |
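The HSTS row of the SSL/TLS table and the header table above are both checks on a single HTTP response, so one script covers them. The following is an added example written for this checklist, not code from the original page: it parses Strict-Transport-Security and Content-Security-Policy, applies the expected values from the two tables, and returns the gaps. The `HARDENED` and `WEAK` header sets are constructed responses; in practice you would feed it the headers from `curl -sI` or a client library.

```python
"""HSTS and security-header audit over constructed response headers.

Added example for this checklist, not code from the original page. The
two header sets below are made up; in practice you would feed
audit_headers() the headers of a real response.
"""
from typing import Dict, List

ONE_YEAR = 31536000  # minimum HSTS max-age for the checklist and for preload

STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

# Constructed header sets (hypothetical responses).
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
}

WEAK = {
    "Strict-Transport-Security": "max-age=86400; preload",  # preload without meeting its requirements
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
}


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS value into {directive: value}; directive names are lower-cased."""
    out: Dict[str, str] = {}
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key:
            out[key.lower()] = val.strip()
    return out


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source tokens]}."""
    out: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return the checklist gaps for one HTTP response's headers (empty list = pass)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing (SSL stripping possible on first visit)")
    else:
        d = parse_hsts(hsts)
        raw_age = d.get("max-age", "0")
        max_age = int(raw_age) if raw_age.isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age={max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS: includeSubDomains missing")
        if "preload" in d and (max_age < ONE_YEAR or "includesubdomains" not in d):
            findings.append("HSTS: preload set but preload-list requirements not met")

    csp_value = h.get("content-security-policy")
    csp = parse_csp(csp_value) if csp_value else {}
    if not csp:
        findings.append("CSP: header missing")
    else:
        default = csp.get("default-src", [])
        if not default:
            findings.append("CSP: no default-src fallback")
        elif "*" in default:
            findings.append("CSP: default-src allows any origin")
        # script-src falls back to default-src when absent
        for token in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if token in csp.get("script-src", default):
                findings.append(f"CSP: script execution allows {token}")

    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("Clickjacking: neither CSP frame-ancestors nor X-Frame-Options set")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: not nosniff")
    if h.get("referrer-policy", "").lower() not in STRICT_REFERRER:
        findings.append("Referrer-Policy: missing or leaks full URLs cross-origin")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy: missing")
    if h.get("cross-origin-opener-policy", "").lower() not in ("same-origin", "same-origin-allow-popups"):
        findings.append("Cross-Origin-Opener-Policy: missing or too permissive")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_headers(hdrs) or ["pass"])
```

The `WEAK` set is instructive because it is not empty: it sends HSTS and nosniff, yet the short max-age plus a `preload` directive means the site would be rejected by the preload list, and `default-src *` undoes the CSP before `script-src` is even read.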
Scoring System
📖 Definition — Each checklist item earns points within its category. The category maximums add up to 100,
so a category's maximum is also its weight and your total is a percentage. Compare the total against the
rating thresholds to gauge your domain's security health.
| Category | Max Points | Weight |
|---|---|---|
| DNS Configuration | 20 | 20% |
| Email Authentication | 30 | 30% |
| SSL/TLS | 25 | 25% |
| Security Headers | 25 | 25% |
Rating thresholds:
90–100 — Excellent: production-ready
70–89 — Good: minor improvements needed
50–69 — Fair: significant gaps exist
0–49 — Critical: immediate remediation required
Quarterly Audit Schedule
Q1 — January
Full audit of all four categories. Renew expiring certificates.
Review DKIM key rotation. Update DMARC policy toward p=reject.
Q2 — April
DNS hygiene sweep: remove stale records, check for dangling
CNAMEs, verify DNSSEC signatures. Review CAA records.
Q3 — July
Email deliverability review: analyze DMARC aggregate reports,
check SPF lookup count, verify BIMI rendering. Test MTA-STS.
Q4 — October
Security header hardening: test CSP in report-only mode,
add new headers, review Permissions-Policy. Pre-renewal SSL check.
Best Practices
⚡ Pro Tip: Automate your audits with CI/CD checks. Run DNS and header validations on every deployment
to catch regressions before they reach production.
- Document your baseline score and track improvement quarter over quarter.
- Use p=none DMARC only during initial monitoring; escalate to quarantine, then reject.
- Set calendar reminders 30 days before certificate expiry.
- Maintain an inventory of all subdomains, including third-party services.
- Test security headers with report-only mode before enforcing.
Common Mistakes
- Dangling CNAME records: Decommissioned services with active DNS entries invite subdomain takeover.
- Multiple SPF records: Only one v=spf1 TXT record is allowed per domain; a second one produces a permerror, so every SPF check fails.
- Wildcard certificates without monitoring: A compromised wildcard key exposes all subdomains.
- HSTS without testing: A misconfigured HSTS header with preload is extremely difficult to undo.
- Ignoring DMARC reports: Publishing rua without reading the reports defeats the purpose.
- Forgetting non-sending domains: Domains that don't send email still need v=spf1 -all and p=reject, and a null MX record (RFC 7505) to signal that they accept no mail either.
Tools
🔍 DNS Lookup — Query A, AAAA, MX, NS, TXT, and other DNS record types.
✉️ SPF Checker — Validate SPF records and count DNS lookups.
🔑 DKIM Checker — Verify DKIM selectors and key strength.
🛡️ DMARC Checker — Analyze DMARC policy and reporting tags.
🏷️ BIMI Checker — Validate BIMI records and logo format.
🔒 SSL Checker — Inspect certificate chain, expiry, and TLS config.
🛡️ Security Scanner — Audit HTTP security headers.
🔗 CNAME Lookup — Resolve CNAME chains to detect dangling records.
📝 TXT Lookup — Retrieve all TXT records for a domain.
🌐 DNS Checker — Global DNS propagation and DNSSEC validation.
References
📄 Google — Email sender guidelines (2024)
📄 Yahoo — Sender Requirements
📄 Qualys SSL Labs — SSL Server Test
📄 Security Headers — Analysis Tool
📄 RFC 8461 — MTA-STS
📄 RFC 8460 — TLS Reporting (TLSRPT)
🎯 Key Takeaway: A domain security audit is not a one-time event — it's a recurring discipline. Use the
quarterly schedule and scoring system above to track progress. Prioritize email authentication
and SSL/TLS first, as these have the highest impact on both security and deliverability.
Originally published on StarNomina ToolBox.