Dr.Who lives at drwho.me — audit-grade domain evidence.
5 MX record(s) present
Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).
pri=1 aspmx.l.google.com.
pri=5 alt1.aspmx.l.google.com.
pri=5 alt2.aspmx.l.google.com.
pri=10 alt3.aspmx.l.google.com.
pri=10 alt4.aspmx.l.google.com.
fetched 2026-05-23T09:20:47.357Z
DNSSEC enabled — DS records present and chain validated (AD flag)
Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).
enabled yes
DS records 34951 ECDSAP256SHA256 2 a61f6abc2276e29688dd065d95a7397bc472e85969e6c6afcfdd191bd08893ec, DS ECDSAP256SHA256 2 86400 1779842843 1779233843 27677 com. E8hQnFtI/xqcjlPUbKUW8Zt8TOGKfk+ICGk23JCWf8ZKFFLh4aN15AL8PPXSjrOKf5sMQhJhF2np0CO8lMKS9g==
DNSKEY records 4 key(s)
fetched 2026-05-23T09:20:47.370Z
not applicable: no TLSRPT record
Why it matters: TLS-RPT publishes a reporting address for SMTP-TLS failures. Without it, downgrade attacks on inbound mail go unnoticed (SOC 2 CC7.2).
not applicable: no _mta-sts TXT record
Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).
p=reject — strict policy
Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).
v=DMARC1; p=reject; rua=mailto:dmarc-reports@canva.com; ruf=mailto:dmarc-reports+forensics@canva.com; fo=1
v= DMARC1
p= reject
rua= mailto:dmarc-reports@canva.com
ruf= mailto:dmarc-reports+forensics@canva.com
fo= 1
fetched 2026-05-23T09:20:47.376Z
1/6 DKIM selectors valid
Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Check the missing selectors in your DNS provider and re-add any removed records
default: —
google: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl3Od49cwtV8JnyDzhgggeIh4Ejq4hPjQTiaP3fsrpQ423rDCR8C0f71m+OJNEM5IDWmDlElUcm+usKlL8pdEgCRWWyoKhXgpq2khF1rLzYTFGfqV4ja/EjUsxCpR9PtGCINBGPukv74nv6ctkIGOprq8CXBtm996lLhgChAQk28+eVixN3pwq19IQeECaWsc/C9RqArnaxqjR+t8jt5Ey+CmVs2pKXk6rXgoxr7vfOPdRueiXWQtQMPwRsSpAotPace8ycYdxGupE5vXJTgLZ3zB35mcTMJlKZdxYqCOd5tVw12+NKvbdacvDgpTiDjm7lxFSHmciAil3nvse7DG4wIDAQAB
k1: —
selector1: —
selector2: —
mxvault: —
fetched 2026-05-23T09:20:47.377Z
-all hardfail — strict policy
Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).
v=spf1 include:_spf1.canva.com include:_spf2.canva.com include:_spf3.canva.com include:_spf4.canva.com include:_spf5.canva.com include:_spf6.canva.com include:_spf7.canva.com include:_spf8.canva.com include:_spf9.canva.com -all
fetched 2026-05-23T09:20:47.378Z
cert valid for 208 days
Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.
subject cn: canva.com
issuer: Amazon RSA 2048 M04 / Amazon
valid: Nov 18 00:00:00 2025 GMT → Dec 17 23:59:59 2026 GMT
authorized: yes
sha256: 6B:D5:7A:88:67:A4:8C:7D:25:F5:DA:70:2C:B2:C5:4E:A8:F6:02:5B:06:7B:5C:F3:2E:3B:8F:76:45:0F:14:80
fetched 2026-05-23T09:20:47.402Z
no CORS headers — cross-origin requests blocked by default
Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).
origin https://drwho.me
method GET
preflight status 301
access-control-* headers
access-control-allow-origin —
access-control-allow-methods —
access-control-allow-headers —
access-control-allow-credentials —
access-control-max-age —
access-control-expose-headers —
no access-control-* headers returned — site does not advertise CORS to this origin
fetched 2026-05-23T09:20:47.416Z
check failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).
HTTPS served correctly
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).
final status: 403 · 2 hops
[301] https://canva.com/
[403] https://www.canva.com/
fetched 2026-05-23T09:20:47.524Z
HTTPS surface reachable (robots ✓, sitemap ✗, title ✓)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt
present
# See something you can improve? We're hiring SEOs and Engineers!
# Checkout canva.com/careers and get in touch
User-agent: *
Disallow:
Disallow: /media/*
Disallow: /template/*
Disallow: /_ok
Disallow: /_blank
Disallow: *v=
Disallow: *utm_expid=
Disallow: *source=
Disallow: *utm_source=
Disallow: *utm_campaign=
Disallow: *utm_content=
Disallow: *__hstc=
Disallow: *reviews_page=
Disallow: *gclid=
Disallow: *magazineName=
Disallow: *_ga=
Disallow: *like=
Disallow: *sp_url=
Disallow: *fbclid=
Disallow: *country=
Disallow: *company_size=
Disallow: *_hsenc=
Disallow: *zd_source=
Disallow: *wt.mc_id=
Disallow: *via=
Disallow: *utm_medium=
Disallow: *spc-source=
Disallow: *sp=
Disallow: *sort=
Disallow: *sf11500465=
Disallow: *sa=
Disallow: *ref=
Disallow: *preview=
Disallow: *pr=
Disallow: *o=
Disallow: *NoCode=
Disallow: *mod=
Disallow: *kui=
Disallow: *industry=
Disallow: *iframe=
Disallow: *hsLang=
Disallow: *hsCtaTracking=
Disallow: *hash=
Disallow: *gh_jid=
Disallow: *filterTags=
Disallow: *clickId=
Disallow: *ca_referer=
Disallow: *author=
Disallow: *ak_action=
Disallow: *ad=
Disallow: *__hstc=
Disallow: *__+hsfp=
Disallow: /_ajax/
Disallow: /design/
Disallow: /design?create*
Disallow: /font-combinations/search/*
Disallow: /*/followers
Disallow: /*/followers/
Disallow: /*/following
Disallow: /*/following/
Disallow: /templates/*/*/?uid=*
Disallow: /templates/?uid=*
Allow: /templates/classroom-decoration
Allow: /t/E
Disallow: /templates/M
Disallow: /pt_br/modelos/M
Disallow: /es_es/plantillas/M
Disallow: /es_mx/plantillas/M
Disallow: /fr_fr/modeles/M
Disallow: /de_de/vorlagen/M
Disallow: /ru_ru/shablony/M
Disallow: /tr_tr/sablonlar/M
Disallow: /ja_jp/templates/M
Disallow: /ar_eg/templates/M
Disallow: /id_id/contoh/M
Disallow: /es_ar/plantillas/M
Disallow: /it_it/modelli/M
Disallow: /es_co/plantillas/M
Disallow: /pl_pl/szablony/M
Disallow: /th_th/templates/M
Disallow: /pt_pt/modelos/M
Disallow: /vi_vn/mau/M
Disallow: /nl_nl/sjablonen/M
Disallow: /ko_kr/templates/M
Disallow: /sv_se/mallar/M
Disallow: /zh_tw/templates/M
Disallow: /hi_in/templates/M
Disallow: /templates/*/MA
Disallow: /*/_m2/
Disallow: /_upload-widget
Disallow: /*/_upload-widget
Disallow: /_print/*
Disallow: /en_oz/
Disallow: /join/*
Disallow: /q/*
Disallow: *?filters=
Disallow: *&filters=
Disallow: /zh_cn/
Disallow: /en_psaccent/
Disallow: /en_instrume/
Disallow: /ar/
Disallow: /ar_ae/
Disallow: /ar_sa/
Disallow: /en_ph/
Disallow: /cdn-cgi/
Disallow: /*/login/verify-email
Disallow: /M/
User-agent: AdsBot-Google
User-agent: AdsIdxBot
User-agent: Google-InspectionTool
User-agent: facebookexternalhit
User-agent: LinkedInBot
User-agent: PerplexityBot
User-agent: Perplexity-User
User-agent: Canva-Slackapp-LinkExpanding
User-agent: Canva-Teamsapp-LinkExpanding
Allow: /
User-agent: GPTBot
User-agent: ClaudeBot
User-agent: CCBot
User-agent: Applebot-Extended
User-agent: anthropic-ai
User-agent: Claude-Web
Disallow: /
Allow: /create/
Allow: /ar_eg/create/
Allow: /da_dk/skabe/
Allow: /de_de/erstellen/
Allow: /es_ar/crear/
Allow: /es_co/crear/
Allow: /es_es/crear/
Allow: /es_mx/crear/
Allow: /es_us/crear/
Allow: /fr_f
head
title Canva
description
social
no OpenGraph or Twitter meta tags found
fetched 2026-05-23T09:20:47.709Z
domain registered until 2030-05-05
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
registrar Gandi SAS
created 2001-05-05T00:03:52Z
expires 2030-05-05T00:03:52Z
statuses clientTransferProhibited https://icann.org/epp#clientTransferProhibited
fetched 2026-05-23T09:20:47.737Z
A-
Audit-ready · 2 minor advisories
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass 13
Warn 2
Fail 0
What an auditor would flag first
low DKIM
1/6 DKIM selectors valid
SOC 2 CC6.7
low Security headers
1 security header(s) missing
SOC 2 CC6.6 ISO 27001 A.14.1.2
15-check summary
DNS records: A/AAAA records present
MX: 5 MX record(s) present
SPF: -all hardfail — strict policy
DMARC: p=reject — strict policy
DKIM: 1/6 DKIM selectors valid
TLS certificate: cert valid for 208 days
Redirect chain: HTTPS served correctly
Security headers: 1 security header(s) missing
CORS: no CORS headers — cross-origin requests blocked by default
Web surface: HTTPS surface reachable (robots ✓, sitemap ✗, title ✓)
MTA-STS: not applicable: no _mta-sts TXT record
TLS-RPT: not applicable: no TLSRPT record
DNSSEC: DNSSEC enabled — DS records present and chain validated (AD flag)
WHOIS: domain registered until 2030-05-05
Certificate Transparency: check failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429
A/AAAA records present
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
A
ttl=56 18.165.83.61
ttl=56 18.165.83.40
ttl=56 18.165.83.87
ttl=56 18.165.83.37
AAAA
ttl=60 2600:9000:24f4:600:b:add6:7500:93a1
ttl=60 2600:9000:24f4:3400:b:add6:7500:93a1
ttl=60 2600:9000:24f4:5e00:b:add6:7500:93a1
ttl=60 2600:9000:24f4:6a00:b:add6:7500:93a1
ttl=60 2600:9000:24f4:7600:b:add6:7500:93a1
ttl=60 2600:9000:24f4:7a00:b:add6:7500:93a1
ttl=60 2600:9000:24f4:a200:b:add6:7500:93a1
ttl=60 2600:9000:24f4:c000:b:add6:7500:93a1
NS
ttl=771 ns-253.awsdns-31.com.
ttl=771 ns-730.awsdns-27.net.
ttl=771 ns-1421.awsdns-49.org.
ttl=771 ns-1851.awsdns-39.co.uk.
SOA
ttl=900 ns-1851.awsdns-39.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 900
CAA —
TXT
ttl=300 "v=spf1 include:_spf1.canva.com include:_spf2.canva.com include:_spf3.canva.com include:_spf4.canva.com include:_spf5.canva.com include:_spf6.canva.com include:_spf7.canva.com include:_spf8.canva.com include:_spf9.canva.com -all"
fetched 2026-05-23T09:20:47.763Z