bbc.co.uk

15-check dossier · scoreboard above, section details below

Get a pack →

Scanning…

dns

info

Open standalone →

resolving…

mx

info

Open standalone →

resolving mx…

spf

info

Open standalone →

resolving spf…

dmarc

info

Open standalone →

resolving dmarc…

dkim

info

Open standalone →

probing dkim selectors…

tls

info

Open standalone →

fetching tls cert…

redirects

info

Open standalone →

tracing redirects…

headers

info

Open standalone →

fetching headers…

cors

info

Open standalone →

sending preflight…

web-surface

info

Open standalone →

inspecting web surface…

dnssec

info

Open standalone →

checking dnssec…

mta-sts

info

Open standalone →

checking mta-sts…

tls-rpt

info

Open standalone →

checking tls-rpt…

whois

info

Open standalone →

resolving whois…

ct-log

info

Open standalone →

querying CT logs…

additional context — IP + user-agent lookups

lookups that complement a dossier — useful when investigating a finding, but not part of the dossier engine itself.

IP lookup — geolocation, ASN, ISP for any IP address surfaced by the DNS or redirect sections.
user-agent parser — the browser/OS/device the request came from.
single-record DNS lookup — drill into one record type at a time.

bbc.co.uk

15-check dossier · scoreboard above, section details below

Get a pack →

Mostly compliant · 4 items need attention

Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.

Pass: 11
Warn: 4
Fail: 0

What an auditor would flag first

medium
SPF
~all softfail — receivers may still accept
SOC 2 CC6.7ISO 27001 A.13.2.1
low
DKIM
no DKIM selectors found — likely not configured
SOC 2 CC6.7
low
TLS certificate
cert expires in 65 days
SOC 2 CC6.6ISO 27001 A.13.1.1

Need this as an artifact your auditor can verify?

Your bbc.co.uk scan flagged 1 medium and 3 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.

Get a pack →See methodology See a sample$29

Scanning…

15-check summary

DNS recordsA/AAAA records present
MX2 MX record(s) present
SPF~all softfail — receivers may still accept
DMARCp=reject — strict policy
DKIMno DKIM selectors found — likely not configured
TLS certificatecert expires in 65 days
Redirect chainHTTPS served correctly
Security headersall security headers present
CORSno CORS headers — cross-origin requests blocked by default
Web surfaceHTTPS surface reachable (robots ✓, sitemap ✓, title ✓)
MTA-STSnot applicable: no _mta-sts TXT record
TLS-RPTnot applicable: no TLSRPT record
DNSSECDNSSEC not configured — no DS or DNSKEY records found
WHOISdomain registered until 2034-12-13
Certificate Transparencycheck failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429

dns

info

Open standalone →

A/AAAA records present

Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).

A: ttl=106 151.101.0.81
ttl=106 151.101.192.81
ttl=106 151.101.128.81
ttl=106 151.101.64.81
AAAA: ttl=60 2a04:4e42:200::81
ttl=60 2a04:4e42::81
ttl=60 2a04:4e42:400::81
ttl=60 2a04:4e42:600::81
NS: ttl=900 dns0.bbc.co.uk.
ttl=900 dns0.bbc.com.
ttl=900 dns1.bbc.co.uk.
ttl=900 dns1.bbc.com.
ttl=900 ddns0.bbc.co.uk.
ttl=900 ddns0.bbc.com.
ttl=900 ddns1.bbc.co.uk.
ttl=900 ddns1.bbc.com.
SOA: ttl=900 ns.bbc.co.uk. hostmaster.bbc.co.uk. 2026051200 1800 600 864000 900
CAA: ttl=300 \# 17 00 05 69 73 73 75 65 61 6d 61 7a 6f 6e 2e 63 6f 6d
ttl=300 \# 19 00 05 69 73 73 75 65 64 69 67 69 63 65 72 74 2e 63 6f 6d
ttl=300 \# 21 00 05 69 73 73 75 65 67 6c 6f 62 61 6c 73 69 67 6e 2e 63 6f 6d
ttl=300 \# 25 00 09 69 73 73 75 65 77 69 6c 64 67 6c 6f 62 61 6c 73 69 67 6e 2e 63 6f 6d
ttl=300 \# 32 00 05 69 6f 64 65 66 6d 61 69 6c 74 6f 3a 73 65 63 75 72 69 74 79 40 62 62 63 2e 63 6f 2e 75 6b
TXT: ttl=3600 "v=spf1 ip4:212.58.224.0/19 ip4:132.185.0.0/16 +include:spf.sis.bbc.co.uk +include:spf.messagelabs.com ~all"
ttl=3600 "docusign=50f10407-e3e4-4f6a-aae4-712d4eb31329"
ttl=3600 "docusign=a10ad7b6-cf7e-472d-8157-23061f5b5116"
ttl=3600 "voUGv5zARbEV516E/S8Ugsy9/FOgDGg4n/rpmKZQRROVOj0+2tgzKw3Tk9+Ks6qVbNKU18KTrR5khxTQutDvBg=="
ttl=3600 "google-site-verification=Rhy5gpa1LeMjUY6gxrds3K4bhB_SUv-fYU9D3kpeAc8"
ttl=3600 "google-site-verification=ITX3CwHXxGVfkCmhF4eSwdfo8h2ZGLAZ3zRpYvZi5XA"
ttl=3600 "dropbox-domain-verification=l5djk65wpy3z"
ttl=3600 "adobe-idp-site-verification=9b850a4a56e3fac19aea1e0ac5db302e5cefab444cd73519dce1c72ccd4db058"
ttl=3600 "google-site-verification=RaiMXJBIiFvqXHd43kv_ekzmXT2l8ibq5Xy0mulndvU"
ttl=3600 "atlassian-domain-verification=SQsgJ5h/FqwMTXuSG/G4Nd1Gx6uX2keREOsZSa22D5XT46EsEuyaic8Aej4cR4Tr"
ttl=3600 "Huddle"
ttl=3600 "J0kgGm0XqA3/6pLD4DHeC5x/dAduzT809P1Iwx/PRCYvVS32rv75RIHKC2aVz47dJxKhPlxGf3h3KXiL6+dyXw=="
ttl=3600 "apple-domain-verification=jFFO0rdS9IrxgWUR"
ttl=3600 "msfpkey=3e29l8m08bqxp19k63t73fj5b"
ttl=3600 "docker-verification=aab67462-78f7-4ade-a86b-358645923430"

fetched 2026-05-23T09:32:55.145Z

dns

info

Open standalone →

resolving…

mx

info

Open standalone →

2 MX record(s) present

Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).

pri=10 cluster1.eu.messagelabs.com.
pri=20 cluster1a.eu.messagelabs.com.

fetched 2026-05-23T09:32:55.062Z

mx

info

Open standalone →

resolving mx…

spf

medium

Open standalone →

~all softfail — receivers may still accept

Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).

Recommendations

Move to -all (hardfail) once your mail flow is confirmed — softfail gives no real protection

v=spf1 ip4:212.58.224.0/19 ip4:132.185.0.0/16 +include:spf.sis.bbc.co.uk +include:spf.messagelabs.com ~all

v=spf1
ip4:212.58.224.0/19
ip4:132.185.0.0/16
+include:spf.sis.bbc.co.uk
+include:spf.messagelabs.com
~all

fetched 2026-05-23T09:32:55.062Z

spf

info

Open standalone →

resolving spf…

dmarc

info

Open standalone →

p=reject — strict policy

Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).

v=DMARC1;p=reject;aspf=s;adkim=s;pct=100;fo=0;ri=86400; rua=mailto:dmarc_agg@vali.email;

v=: DMARC1
p=: reject
aspf=: s
adkim=: s
pct=: 100
fo=: 0
ri=: 86400
rua=: mailto:dmarc_agg@vali.email

fetched 2026-05-23T09:32:55.063Z

dmarc

info

Open standalone →

resolving dmarc…

dkim

low

Open standalone →

no DKIM selectors found — likely not configured

Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).

Recommendations

Enable DKIM signing in your mail provider and publish the provided TXT record
Common selectors: google._domainkey, selector1._domainkey (Microsoft), mail._domainkey

no DKIM record on probed selectors (default, google, k1, selector1, selector2, mxvault)

dkim

info

Open standalone →

probing dkim selectors…

tls

low

Open standalone →

cert expires in 65 days

Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.

Recommendations

Schedule certificate renewal — consider enabling auto-renewal

subject cn:: www.bbc.com
issuer:: GlobalSign RSA OV SSL CA 2018 / GlobalSign nv-sa
valid:: Jun 27 06:54:01 2025 GMT → Jul 27 10:26:17 2026 GMT
authorized:: yes
sha256:: 87:A4:D1:2D:B9:B5:7D:68:64:B5:4D:2E:FD:CC:66:CD:C1:7A:05:17:13:94:8C:F4:0B:EF:42:A0:86:5B:59:CB
sans: www.bbc.com
www.bbc.co.uk
www.bbcrussian.com
bbc.co.uk
bbcrussian.com
session.bbc.co.uk
search.bbc.co.uk
open.live.bbc.co.uk
news.bbc.co.uk
newsimg.bbc.co.uk
wwwnews.live.bbc.co.uk
cdnedge.bbc.co.uk
newsrss.bbc.co.uk
newsvote.bbc.co.uk
playlists.bbc.co.uk
r.bbci.co.uk
node1.bbcimg.co.uk
news.bbcimg.co.uk
account.bbc.com
session.bbc.com
bbc.com

fetched 2026-05-23T09:32:55.039Z

tls

info

Open standalone →

fetching tls cert…

redirects

info

Open standalone →

HTTPS served correctly

Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).

final status: 200 · 2 hops

[301] https://bbc.co.uk/
[200] https://www.bbc.co.uk/

fetched 2026-05-23T09:32:55.192Z

redirects

info

Open standalone →

tracing redirects…

headers

info

Open standalone →

all security headers present

Why it matters: Security headers — HSTS, CSP, X-Frame-Options, Referrer-Policy — defend against XSS, clickjacking, and downgrade attacks. Absent headers map directly to OWASP ASVS V14 findings (ISO 27001 A.8.23).

final url: https://www.bbc.co.uk/

security headers

strict-transport-security: max-age=31536000; preload
content-security-policy: default-src 'none'; script-src 'strict-dynamic' 'nonce-QdiDb8Kx8koZg+eTutzPVqSGpSWeLb91oob2PHajLXgAfGWUJo' 'self' 'report-sample' 'unsafe-inline' cdn.syndication.twimg.com connect.facebook.net c.files.bbci.co.uk emp.bbci.co.uk mybbc-analytics.files.bbci.co.uk nav.files.bbci.co.uk news.files.bbci.co.uk platform.twitter.com public.flourish.studio static.bbc.co.uk static.bbci.co.uk static.chartbeat.com static2.chartbeat.com www.bbc.co.uk www.instagram.com www.ons.gov.uk gn-web-assets.api.bbc.com www.google-analytics.com bitesize.files.bbci.co.uk www.tiktok.com lf16-tiktok-web.ttwstatic.com static.files.bbci.co.uk; img-src 'self' https: data:; font-src c.files.bbci.co.uk gel.files.bbci.co.uk static.files.bbci.co.uk static.bbci.co.uk news.files.bbci.co.uk ws-downloads.files.bbci.co.uk bitesize.files.bbci.co.uk; style-src branding.files.bbci.co.uk cdn.riddle.com flo.uri.sh news.files.bbci.co.uk platform.twitter.com static.bbc.co.uk static.bbci.co.uk static.files.bbci.co.uk ton.twimg.com www.riddle.com 'unsafe-inline' lf16-tiktok-web.ttwstatic.com; frame-src 'self' bbc001.carto.com bbc003.carto.com bbc-maps.carto.com cdn.riddle.com chartbeat.com emp.bbc.co.uk emp.bbc.com flo.uri.sh graphics.reuters.com www.reuters.com graphics.thomsonreuters.com dynamic.mc-cdn.io vapi.mc-cdn.io vapi.beta.mc-cdn.io elections.mapcreator.io elections.beta.mapcreator.io cdn.mapcreator.io m.facebook.com news.files.bbci.co.uk personaltaxcalculator2.deloittecloud.co.uk platform.twitter.com public.flourish.studio static2.chartbeat.com syndication.twitter.com web.facebook.com www.bbc.co.uk www.facebook.com www.instagram.com www.tiktok.com www.ons.gov.uk www.riddle.com www.youtube.com www.youtube-nocookie.com uk-script.dotmetrics.net ssp-app-uk.votenow.tv ssp-app-uktest.votenow.tv ssp-app-ukbench.votenow.tv session.test.bbc.co.uk session.bbc.co.uk session.stage.bbc.co.uk bitesize.files.bbci.co.uk; object-src 'none'; manifest-src static.files.bbci.co.uk bitesize.files.bbci.co.uk; media-src 'self' blob: https:; connect-src 'self' https:; child-src blob:; base-uri 'none'; form-action 'self' platform.twitter.com syndication.twitter.com uk-script.dotmetrics.net/DeviceInfo.dotmetrics account.bbc.com/auth/identifier/landing; frame-ancestors 'none'; upgrade-insecure-requests; report-to default; report-uri https://webcore.bbc-reporting-api.app/report-endpoint;
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: accelerometer=(), autoplay=(self "https://emp.bbc.com" "https://emp.bbc.co.uk" "http://emp.bbc.com" "http://emp.bbc.co.uk"), camera=(), document-domain=(self "https://emp.bbc.com" "https://emp.bbc.co.uk" "http://emp.bbc.com" "http://emp.bbc.co.uk"), encrypted-media=(), fullscreen=(self "https://emp.bbc.com" "https://emp.bbc.co.uk" "http://emp.bbc.com" "http://emp.bbc.co.uk"), geolocation=(self), gyroscope=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(self "https://emp.bbc.com" "https://emp.bbc.co.uk" "http://emp.bbc.com" "http://emp.bbc.co.uk"), screen-wake-lock=(), sync-xhr=(self), usb=(), xr-spatial-tracking=(), browsing-topics=(), join-ad-interest-group=(), run-ad-auction=()

other headers

accept-ranges: bytes
alt-svc: h3=":443";ma=86400,h3-29=":443";ma=86400,h3-27=":443";ma=86400
belfrage-cache-status: HIT
bid: bruce
brequestid: 4590cc46ffda4a709d75db16b16847c9
bsig: 1208f4af15d5afde4f19a9ad56d6a2c7
cache-control: private, stale-if-error=90, stale-while-revalidate=30, max-age=0, must-revalidate
connection: keep-alive
content-encoding: gzip
content-length: 79602
content-type: text/html
date: Sat, 23 May 2026 09:32:55 GMT
fastly-restarts: 1
feature-policy: accelerometer 'none'; autoplay 'self' https://emp.bbc.com https://emp.bbc.co.uk http://emp.bbc.com http://emp.bbc.co.uk; camera 'none'; document-domain 'self' https://emp.bbc.com https://emp.bbc.co.uk http://emp.bbc.com http://emp.bbc.co.uk; encrypted-media 'none'; fullscreen 'self' https://emp.bbc.com https://emp.bbc.co.uk http://emp.bbc.com http://emp.bbc.co.uk; geolocation 'self'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; payment 'none'; picture-in-picture 'self' https://emp.bbc.com https://emp.bbc.co.uk http://emp.bbc.com http://emp.bbc.co.uk; screen-wake-lock 'none'; sync-xhr 'self'; usb 'none'; xr-spatial-tracking 'none'
nel: {"report_to":"default","max_age":2592000,"include_subdomains":true,"failure_fraction":0.25}
origin-agent-cluster: ?0
report-to

fetched 2026-05-23T09:32:55.193Z

headers

info

Open standalone →

fetching headers…

cors

info

Open standalone →

no CORS headers — cross-origin requests blocked by default

Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).

origin: https://drwho.me
method: GET
preflight status: 301

access-control-* headers

access-control-allow-origin: —
access-control-allow-methods: —
access-control-allow-headers: —
access-control-allow-credentials: —
access-control-max-age: —
access-control-expose-headers: —

no access-control-* headers returned — site does not advertise CORS to this origin

fetched 2026-05-23T09:32:55.068Z

cors

info

Open standalone →

sending preflight…

web-surface

info

Open standalone →

HTTPS surface reachable (robots ✓, sitemap ✓, title ✓)

Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).

robots.txt

present


# version: 93256d693f35d6a70e7c37ac78d3bb49724f63fa
# The BBC's Terms of Use: https://www.bbc.co.uk/terms
# - Explain the rules for using our services
# - Tell you what you can do with our content
#
# In short: Please use our site like a human, not a robot.
# That means:
# - No scraping, crawling, or systematic extraction of content 
# - No use of BBC content for training or fine-tuning AI models, including large language models (LLMs)
# - No retrieval-augmented generation (RAG), AI-powered search, agentic AI or grounding using BBC content
# - No creating datasets from BBC content
# - No text and data mining (TDM) under Article 4 of the EU Directive on Copyright in the Digital Single Market
# - No using BBC content to create summaries for your own use
# - No business use without permission (details: https://www.bbc.co.uk/usingthebbc/terms/can-i-use-bbc-content-for-my-business/)
# - The BBC reserves all rights in its content and expressly opts out of any statutory exceptions in any jurisdiction for text and data mining, as permitted by law
 
# TL;DR: Browse, read, watch, enjoy - like a human.
#

# HTTPS www.bbc.co.uk

User-agent: *
Sitemap: https://www.bbc.co.uk/sitemap.xml
Sitemap: https://www.bbc.co.uk/sitemaps/https-index-uk-archive.xml
Sitemap: https://www.bbc.co.uk/sitemaps/https-index-uk-news.xml
Sitemap: https://www.bbc.co.uk/food/sitemap.xml
Sitemap: https://www.bbc.co.uk/bitesize/sitemap/sitemapindex.xml
Sitemap: https://www.bbc.co.uk/teach/sitemap/sitemapindex.xml
Sitemap: https://www.bbc.co.uk/sitemaps/https-index-uk-archive_video.xml
Sitemap: https://www.bbc.co.uk/sitemaps/https-index-uk-video.xml
Sitemap: https://www.bbc.co.uk/sitemaps/sitemap-uk-ws-topics.xml
Sitemap: https://www.bbc.co.uk/sport/sitemap.xml
Sitemap: https://www.bbc.co.uk/sitemaps/sitemap-uk-topics.xml
Sitemap: https://www.bbc.co.uk/ideas/sitemap.xml
Sitemap: https://www.bbc.co.uk/tiny-happy-people/sitemap/sitemapindex.xml

Disallow: /asset/
Disallow: /backstage/bbc-login-help/
Disallow: /backstage/bbc-login-help$
Disallow: /bitesize/search$
Disallow: /bitesize/search/
Disallow: /bitesize/search?
Disallow: /cbbc/search$
Disallow: /cbbc/search/
Disallow: /cbbc/search?
Disallow: /cbeebies/search$
Disallow: /cbeebies/search/
Disallow: /cbeebies/search?
Disallow: /chwilio/
Disallow: /chwilio$
Disallow: /chwilio?
Disallow: /iplayer/bigscreen/
Disallow: /iplayer/cbbc/episodes/
Disallow: /iplayer/cbbc/search
Disallow: /iplayer/cbeebies/episodes/
Disallow: /iplayer/cbeebies/search
Disallow: /iplayer/search
Disallow: /indepthtoolkit/smallprox$
Disallow: /indepthtoolkit/smallprox/
Disallow: /moderation/reports/
Disallow: /modules/musicnav/language/
Disallow: /news/0
Disallow: /radio/aod/
Disallow: /radio/aod$
Disallow: /radio/imda
Disallow: /radio/player/
Disallow: /radio/player$
Disallow: /search/
Disallow: /search$
Disallow: /search?
Disallow: /sport/alpha/
Disallow: /sounds/player/
Disallow: /sounds/player$
Disallow: /ugc$
Disallow: /ugc/
Disallow: /ugcsupport$
Disallow: /ugcsupport/
Disallow: /userinfo/
Disallow: /userinfo
Disallow: /food/favourites
Disallow: /food/menus/*/shopping-list
Disallow: /food/recipes/*/shopping-list
Disallow: /food/search*?*
Disallow: /sounds/search$
Disallow: /sounds/search/
Disallow: /sounds/search?
Disallow: /ws/includes
Disallow: /rd/search$
Disallow: /rd/search/
Disallow: /rd/search?
Disallow: /things/search$
Disallow: /things/search/
Disallow: /things/search?

User-agent: Amazonbot
Disallow: /

User-agent: magpie-crawler
Disallow: /

User-agent: CCBot
Disallow: /

User-Agent: omgili
Disallow: /
 
User-Agent: omgilibot
Disallow: /

User-agent: ClaudeBot
Disallow: /
 
User-agent: Claude-Web
Disallow: /
 
User-agent: anthropic-ai
Disallow: /
 
User-agent: cohere-ai
Disallow: /

User-agent: Bytespider
Disallow: /

User-agent: PetalBot
Disallow: /

User-agent: Scrapy
Disallow: /

User-agent: Applebot-Extended
Disallow: /

User-agent: GPTBot
Disallow: /
Allow: /sport
Allow: /sport/

User-agent: ChatGPT-User
Disallow: /
Allow: /sport
Allow: /sport/

User-agent: Google-Extended
Disallow: /
Allow: /sport
Allow: /sport/

Use

sitemap.xml

present — 6 url(s)

head

title: BBC - Home
description: The best of the BBC, with the latest news and sport headlines, weather, TV & radio highlights and much more from across the whole of BBC Online.

social

og:description: The best of the BBC, with the latest news and sport headlines, weather, TV & radio highlights and much more from across the whole of BBC Online.
og:image: https://static.files.bbci.co.uk/core/website/assets/static/bbc/images/metadata/poster-1024x576.efe9db7f43.png
og:image:alt: BBC logo
og:site_name: BBC
og:title: BBC - Home
og:type: website
og:url: https://www.bbc.co.uk/
twitter:card: summary_large_image
twitter:creator: @BBC
twitter:description: The best of the BBC, with the latest news and sport headlines, weather, TV & radio highlights and much more from across the whole of BBC Online.
twitter:image: https://static.files.bbci.co.uk/core/website/assets/static/bbc/images/metadata/poster-1024x576.efe9db7f43.png
twitter:image:alt: BBC logo
twitter:site: @BBC
twitter:title: BBC - Home
twitter:url: https://www.bbc.co.uk/

fetched 2026-05-23T09:32:55.213Z

web-surface

info

Open standalone →

inspecting web surface…

dnssec

low

Open standalone →

DNSSEC not configured — no DS or DNSKEY records found

Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).

Recommendations

Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar

enabled: no
DS records: —
DNSKEY records: —

fetched 2026-05-23T09:32:55.156Z

dnssec

info

Open standalone →

checking dnssec…

mta-sts

info

Open standalone →

not applicable: no _mta-sts TXT record

Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).

no _mta-sts TXT record

mta-sts

info

Open standalone →

checking mta-sts…

tls-rpt

info

Open standalone →

not applicable: no TLSRPT record

Why it matters: TLS-RPT publishes a reporting address for SMTP-TLS failures. Without it, downgrade attacks on inbound mail go unnoticed (SOC 2 CC7.2).

no TLSRPT record

tls-rpt

info

Open standalone →

checking tls-rpt…

whois

info

Open standalone →

domain registered until 2034-12-13

Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).

registrar: British Broadcasting Corporation [Tag = BBC]
created: before Aug-1996
expires: 13-Dec-2034
statuses: Registered until expiry date.

fetched 2026-05-23T09:32:55.294Z

whois

info

Open standalone →

resolving whois…

ct-log

info

Open standalone →

check failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429

Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).

crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429

ct-log

info

Open standalone →

querying CT logs…

additional context — IP + user-agent lookups

lookups that complement a dossier — useful when investigating a finding, but not part of the dossier engine itself.

IP lookup — geolocation, ASN, ISP for any IP address surfaced by the DNS or redirect sections.
user-agent parser — the browser/OS/device the request came from.
single-record DNS lookup — drill into one record type at a time.