Dr.Who lives at drwho.me — audit-grade domain evidence.
additional context — IP + user-agent lookups that complement a dossier — useful when investigating a finding, but not part of the dossier engine itself.
5 MX record(s) present
Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).
pri=1 aspmx.l.google.com.
pri=5 alt1.aspmx.l.google.com.
pri=5 alt2.aspmx.l.google.com.
pri=10 aspmx2.googlemail.com.
pri=10 aspmx3.googlemail.com.
fetched 2026-05-23T09:35:38.029Z
p=reject — strict policy
Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).
v=DMARC1; p=reject; rua=mailto:dmarc_agg@vali.email
v= DMARC1
p= reject
rua= mailto:dmarc_agg@vali.email
fetched 2026-05-23T09:35:38.033Z
~all softfail — receivers may still accept
Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).
Recommendations
Move to -all (hardfail) once your mail flow is confirmed — softfail gives no real protection
v=spf1 include:doordash.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all
fetched 2026-05-23T09:35:38.035Z
DNSSEC enabled — DS records present and chain validated (AD flag)
Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).
enabled yes
DS records 2371 ECDSAP256SHA256 2 81d3719fd44580822b6702dea5e5e1948830b45bcc1d2af9306c47ffd3ad065c, DS ECDSAP256SHA256 2 86400 1780023664 1779414664 27677 com. XsotXKKdwFY0IeA40G03pc22Nj3wJqDXODYaq0oNbTjDP/Iq8z2KQeUPwS8u4W4KadfW/HEP0430YAKKZ/BDWw==
DNSKEY records 3 key(s)
fetched 2026-05-23T09:35:38.038Z
not applicable: no _mta-sts TXT record
Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).
not applicable: no TLSRPT record
Why it matters: TLS-RPT publishes a reporting address for SMTP-TLS failures. Without it, downgrade attacks on inbound mail go unnoticed (SOC 2 CC7.2).
2/6 DKIM selectors valid
Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Check the missing selectors in your DNS provider and re-add any removed records
default: —
google: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCDlSGtLOhwbdLXdv/XK/FuUUE6b2hcxdMFRAg6XZuTJPhWV8SUsXkuj1LgMBz1Tf66dZOGyO8TPR69TyY/p+NA/q9DADkCddzYEphRAWfD1KRZ9ivPV/51fAG0K6CRVDkM8wIB1CxSlB+R/ccYwmMXBvvpVJtR0dRuqwsJH1sxWQIDAQAB
k1: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbNrX2cY/GUKIFx2G/1I00ftdAj713WP9AQ1xir85i89sA2guU0ta4UX1Xzm06XIU6iBP41VwmPwBGRNofhBVR+e6WHUoNyIR4Bn84LVcfZE20rmDeXQblIupNWBqLXM1Q+VieI/eZu/7k9/vOkLSaQQdml4Cv8lb3PcnluMVIhQIDAQAB
selector1: —
selector2: —
mxvault: —
fetched 2026-05-23T09:35:38.054Z
A/AAAA records present
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
A ttl=153 172.64.152.226
A ttl=153 104.18.35.30
AAAA ttl=75 2a06:98c1:310b::6812:231e
AAAA ttl=75 2a06:98c1:310c::ac40:98e2
NS ttl=86400 ns1.doordash.com.
NS ttl=86400 ns2.doordash.com.
SOA ttl=300 ns1.doordash.com. dns.cloudflare.com. 2404782699 10000 2400 604800 300
CAA ttl=300 0 iodef "mailto:caa-reports@doordash.com"
CAA ttl=300 0 issue "amazon.com"
CAA ttl=300 0 issue "comodoca.com"
CAA ttl=300 0 issue "digicert.com; cansignhttpexchanges=yes"
CAA ttl=300 0 issue "letsencrypt.org"
CAA ttl=300 0 issue "pki.goog; cansignhttpexchanges=yes"
CAA ttl=300 0 issue "sectigo.com"
CAA ttl=300 0 issue "ssl.com"
CAA ttl=300 0 issuewild "amazon.com"
CAA ttl=300 0 issuewild "comodoca.com"
CAA ttl=300 0 issuewild "digicert.com; cansignhttpexchanges=yes"
CAA ttl=300 0 issuewild "letsencrypt.org"
CAA ttl=300 0 issuewild "pki.goog; cansignhttpexchanges=yes"
CAA ttl=300 0 issuewild "ssl.com"
fetched 2026-05-23T09:35:38.035Z
TXT
ttl=300 "ALIAS for doordash-prod-lb-1965037934.us-west-2.elb.amazonaws.com"
ttl=300 "v=spf1 include:doordash.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
cert expires in 73 days
Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.
Recommendations
Schedule certificate renewal — consider enabling auto-renewal
subject cn: doordash.com
issuer: WE1 / Google Trust Services
valid: May 7 04:17:29 2026 GMT → Aug 5 05:17:26 2026 GMT
authorized: yes
sha256: 96:1F:B4:CF:BD:54:41:32:48:5F:EF:33:C6:5B:55:38:DB:FE:75:A6:33:42:85:45:83:95:5B:34:99:FA:96:70
sans: doordash.com, *.doordash.com
fetched 2026-05-23T09:35:38.079Z
no CORS headers — cross-origin requests blocked by default
Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).
origin: https://drwho.me
method: GET
preflight status: 302
access-control-* headers
access-control-allow-origin —
access-control-allow-methods —
access-control-allow-headers —
access-control-allow-credentials —
access-control-max-age —
access-control-expose-headers —
no access-control-* headers returned — site does not advertise CORS to this origin
fetched 2026-05-23T09:35:38.176Z
HTTPS served correctly
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).
final status: 403 · 2 hops
[302] https://doordash.com/
[403] https://www.doordash.com/
fetched 2026-05-23T09:35:38.233Z
domain registered until 2031-06-18
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
registrar MarkMonitor Inc.
created 2013-06-18T19:11:18Z
expires 2031-06-18T19:11:18Z
statuses clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited, clientTransferProhibited https://icann.org/epp#clientTransferProhibited, clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited, serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited, serverTransferProhibited https://icann.org/epp#serverTransferProhibited, serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
fetched 2026-05-23T09:35:38.360Z
HTTPS surface reachable (robots ✓, sitemap ✗, title ✓)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt: present
User-agent: *
Disallow: /store/so-much-maple-juneau-19113/
Disallow: /orders/
Disallow: /orders/track/*
Disallow: /order_history/
Disallow: /sv/
Allow: /consumer/login/
Disallow: /consumer/invite/
Disallow: /consumer/
Allow: /dasher/signup/$
Disallow: /dasher/signup/*
Disallow: /dasher/login*
Disallow: /dasher/application*
Disallow: /dasher
Disallow: /apply/*
Disallow: /qr-code/*
Disallow: /dashpass-redeem
Disallow: /merchant/applyV2/*
Disallow: /securitynotice
Disallow: /dd/*
Disallow: /cart/*
Disallow: /confirm-group-cart-payment/*
Disallow: /s/*
Disallow: /caredash/*
Disallow: /caredash-recipient/*
Disallow: /product/*
Disallow: /browse/merchants/*/products/*
Disallow: /browse/products/*
Disallow: /gifts/*
Disallow: /teams/join/*
User-agent: ia_archiver
Disallow: /
User-agent: Googlebot
Disallow:
User-agent: Googlebot-image
Disallow:
# Sitemaps
Sitemap: https://www.doordash.com/sitemap-store-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-business-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-business_menu-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-city-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-city_es_US-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-city_fr_CA-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-city_cuisine-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-city_cuisine_es_US-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-city_cuisine_fr_CA-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-dish-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-dynamic-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-static-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-cuisine-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-city_business-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-products-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-product_categories-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-block_party-doordash-index.xml
Sitemap: https://www.doordash.com/sitemap-nv_categories-doordash-index.xml
head
title: Just a moment...
description: —
social
no OpenGraph or Twitter meta tags found
fetched 2026-05-23T09:35:38.621Z
B
Mostly compliant · 3 items need attention
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass 12
Warn 3
Fail 0
What an auditor would flag first
medium SPF
~all softfail — receivers may still accept
SOC 2 CC6.7 ISO 27001 A.13.2.1
low DKIM
2/6 DKIM selectors valid
SOC 2 CC6.7
low TLS certificate
cert expires in 73 days
SOC 2 CC6.6 ISO 27001 A.13.1.1
15-check summary
DNS records: A/AAAA records present
MX: 5 MX record(s) present
SPF: ~all softfail — receivers may still accept
DMARC: p=reject — strict policy
DKIM: 2/6 DKIM selectors valid
TLS certificate: cert expires in 73 days
Redirect chain: HTTPS served correctly
Security headers: all security headers present
CORS: no CORS headers — cross-origin requests blocked by default
Web surface: HTTPS surface reachable (robots ✓, sitemap ✗, title ✓)
MTA-STS: not applicable: no _mta-sts TXT record
TLS-RPT: not applicable: no TLSRPT record
DNSSEC: DNSSEC enabled — DS records present and chain validated (AD flag)
WHOIS: domain registered until 2031-06-18
Certificate Transparency: 55 subdomain(s) found in CT logs (13 wildcard cert(s))

55 subdomain(s) found in CT logs (13 wildcard cert(s))
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).
source certspotter
certificates seen 100
subdomains in CT 55 discovered (full list in Domain Audit Report)
wildcards *.admin-gateway.doordash.com, *.api-dasher.doordash.com, *.api-drive.doordash.com, *.api.doordash.com, *.doordash.com, *.identity.doordash.com, *.mcp.doordash.com, *.merchanthelp.doordash.com, *.otel-mobile.doordash.com, *.rbff.doordash.com, *.ss.doordash.com, *.static-edge.doordash.com, *.top.doordash.com
fetched 2026-05-23T09:35:39.427Z