Dr . Who Dr.Who lives at drwho.me — audit-grade domain evidence.
additional context — IP + user-agent lookups lookups that complement a dossier — useful when investigating a finding, but not part of the dossier engine itself.
2 MX record(s) present
Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).
pri=10 us-smtp-inbound-1.mimecast.com.pri=10 us-smtp-inbound-2.mimecast.com.fetched 2026-05-23T09:24:42.494Z
p=reject — strict policy
Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).
v=DMARC1; p=reject; pct=100; rua=mailto:dmarcreports@forbes.com,mailto:69955ab810e8779@rep.dmarcanalyzer.com; ruf=mailto:69955ab810e8779@for.dmarcanalyzer.com; fo=1;
v= DMARC1
p= reject
pct= 100
rua= mailto:dmarcreports@forbes.com,mailto:69955ab810e8779@rep.dmarcanalyzer.com
ruf= mailto:69955ab810e8779@for.dmarcanalyzer.com
fo= 1 fetched 2026-05-23T09:24:42.498Z
SPF present but all-qualifier unrecognised
Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).
v=spf1 redirect=b45gkw7f._spf._d.mim.ec
v=spf1 redirect=b45gkw7f._spf._d.mim.ec fetched 2026-05-23T09:24:42.501Z
DNSSEC not configured — no DS or DNSKEY records found
Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).
Recommendations
Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar
enabled no
DS records —
DNSKEY records — fetched 2026-05-23T09:24:42.503Z
not applicable: no TLSRPT record
Why it matters: TLS-RPT publishes a reporting address for SMTP-TLS failures. Without it, downgrade attacks on inbound mail go unnoticed (SOC 2 CC7.2).
A/AAAA records present
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
A ttl=82635 151.101.194.49ttl=82635 151.101.66.49ttl=82635 151.101.2.49ttl=82635 151.101.130.49
AAAA — NS ttl=172800 ns-1028.awsdns-00.org.ttl=172800 ns-1637.awsdns-12.co.uk.ttl=172800 ns-217.awsdns-27.com.ttl=172800 ns-979.awsdns-58.net.SOA ttl=900 ns-1637.awsdns-12.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400CAA ttl=300 \# 33 00 05 69 6f 64 65 66 6d 61 69 6c 74 6f 3a 73 65 63 75 72 69 74 79 40 66 6f 72 62 65 73 2e 63 6f 6dttl=300 \# 17 00 05 69 73 73 75 65 61 6d 61 7a 6f 6e 2e 63 6f 6dttl=300 \# 19 00 05 69 73 73 75 65 64 69 67 69 63 65 72 74 2e 63 6f 6dttl=300 \# 19 00 05 69 73 73 75 65 67 65 6f 74 72 75 73 74 2e 63 6f 6dttl=300 \# 21 00 05 69 73 73 75 65 67 6c 6f 62 61 6c 73 69 67 6e 2e 63 6f 6dttl=300 \# 22 00 05 69 73 73 75 65 6c 65 74 73 65 6e 63 72 79 70 74 2e 6f 72 67ttl=300 \# 15 00 05 69 73 73 75 65 70 6b 69 2e 67 6f 6f 67ttl=300 \# 18 00 05 69 73 73 75 65 73 65 63 74 69 67 6f 2e 63 6f 6dTXT ttl=60 "1password-site-verification=VJAHF3DA3ZEJ7J26NH4WJ4QDYI"ttl=60 "AiAIjH5HOXMx5tZiyBtD0B/u8mG9qKWaux3SehpuJOv0F+5AvjwJTKsIeI7HR3DR0QDYmJthhZvN8ScuEO9LqA=="ttl=60 "MS=ms55849810"ttl=60 "SFMC-bcDxiJPY-jXu5QtysqxbFjCPLBjk3BSojw81lQrU"ttl=60 "_globalsign-domain-verification=OYfE_CcZQWFlEEOrR5yVCfCtmiQrm0bBdyUAJyg3qE"ttl=60 "_globalsign-domain-verification=f-B_7ErtvSe_2e1SkhSsTab6DQA-AVd2vcvY3gqskQ"ttl=60 "_globalsign-domain-verification=neaEg6fJBhW6Tg3gVqQJIn6pLyiBwIiDdxJ88CLzP6"ttl=60 "_globalsign-domain-verification=uJqsSX1GhpaZSFMhWB8VnlSbH-6c3GbKG4zsuqlwcx"ttl=60 "_globalsign-domain-verification=yMOGr8PalNMtvZPeSrDGFdvgJfngIvOKMbvhlujB3j"ttl=60 "activeprospect-domain-verification=qp+SZ6XBnvREh9uEL2xQLA=="ttl=60 "activeprospect-domain-verification=ua2Bpiq7hQeM3lYKH8kgnQ=="ttl=60 "adobe-idp-site-verification=a6de0a21210eae1c4187cfe64dfb37d7920d64e696bdfb0cad32d55ca6878c06"ttl=60 "anthropic-domain-verification-09rb60=Yuv8hcWdMxtF6VbmFFZFQNzTn"ttl=60 "apple-domain-verification=daIrUUF2LjNKeFrq"fetched 2026-05-23T09:24:42.500Z
ttl=60
ttl=60 "box-domain-verification=a168e4b0fb547cea9aad102fd5b98ad61fc358ddd6ab17b084a1defac10e562a"
ttl=60 "canva-site-verification=0wNoieRvIbw1yAsgkfgEFg"
ttl=60 "datadome-domain-verify=gH4f7bbJndRTMUSvjv8PAP8SOlVa8wKW"
ttl=60 "detectify-verification=5f8e1d4a06c492a8ba7c03abd2c0ef89"
ttl=60 "docusign=d1893713-45af-4fd3-8a65-3ea6d0805b8d"
ttl=60 "google-site-verification=2LeumZRvIXuK3YrTI2IsISp06lXZpHCY1ql9Hdnm7ok"
ttl=60 "google-site-verification=4RdeC2A3Yjqca3_jGnjXGOYJFTVOzhMDw1SoOO7b6Dw"
ttl=60 "google-site-verification=Cv7OXjshytFn0TpR1rgKpHjEY_fROROE67OtoFceBqo"
ttl=60 "google-site-verification=DN-rZTjK3vdARCxismMt2SJDfV2969vhf1paBECwEMM"
ttl=60 "google-site-verification=Q0R44HZFT_-piE4edEVS_jGwyMFoOX4OZ9TGe6zTdys"
ttl=60 "google-site-verification=Xn4XFgtsz0Vg597dd8D8rO4jI6vC9pB7yseCSveG3h8"
ttl=60 "google-site-verification=Y4n4S0k7HGrE1sAHYlupK4YAjw4d_oSAeoGy6mLe8Mw"
ttl=60 "google-site-verification=cXpgpgls018QgvO6u7ZwfMVCNWo_woBz1bvNa4UoBEQ"
ttl=60 "google-site-verification=lYYbu_dzlcI_soF2GSXrdoAGm2XDbIAjDZyu0vhKwxc"
ttl=60 "google-site-verification=nPz5kafgk6DGWCT24sR_kxBZ6HdDWmVEPcT67LVTDi4"
ttl=60 "google-site-verification=xE03wJxteQXWM1cwqmiAVTgaQ3StFNRzuCXOobAACEs"
ttl=60 "google-site-verification=yZQq_-7hQQZvLkdcyiFtwW6OR3Z622l79OSUvBRsqNc"
ttl=60 "jamf-site-verification=yHj9RKO_tLsE0_uN0pJFnA"
ttl=60 "klaviyo-site-verification=UeguZL"
ttl=60 "klaviyo-site-verification=UkVi3K"
ttl=60 "loom-site-verification=2203b12049644a5f96f8b3027d420d7f"
ttl=60 "mandrill_verify.3ujpkQolFHR740mhYiRgYw"
ttl=60 "mgverify=735062366c4a3c7a10b6c50bcba26706a11ad9fc277ff9b88f65478b3517f0a1"
ttl=60 "monday-com-verification=ndOawG8XV4mwyFS7aJZKgKvfWc_nN6gc6_5rUrvAS7A"
ttl=60 "openai-domain-verification=dv-w07b4qQxAzb1Klu9YesisWnX"
ttl=60 "pardot1025723=b54db22127fb6a86162b160a380d9c5c2c50bcb8cb300ab427037bbc1b85407c"
ttl=60 "pardot1032633=53abf112b6eecacc916172589fb4d4bd8c30db4bd1b5330035aa2b700d3ed6b0"
ttl=60 "pardot796133=6fd42896c075674c6c76877e3b89bdf5968ef1481049531e12ea9bdb8f2ff83e"
ttl=60 "pardot796133=9f1e666d7433483f4b9dc2e20e381f5585877aded11d3d17f1f597438ebb9726"
ttl=60 "pardot801473=19f8d9f3e51ca9f5e26b0d692435f822cdca35fb4777c78de68ae6c257d5b038"
ttl=60 "pardot801473=bf9d7022b0bc982f001c58f637feb87b69c9c2b03e8a6b856130925bea8ac117"
ttl=60 "pardot862611=cc07d11f1e6b06dc86f90b7be4df47547054f36ffae67809000382108c396476"
ttl=60 "sending_domain1025723=07a4a21499775df2794df065a6dc2e7c2c01a21593cea6162497f05bca993eaa"
ttl=60 "sending_domain1032633=35ec75414af614386e4c539f6b6f70dec43759367a0507621bf72396033c96df"
ttl=60 "shopify-verification-code=ylk8pVI1nugZQA5xPbN6LkHm7sD6CK"
ttl=60 "smartsheet-site-validation=cK_DmMDOyw92iKzuKOQwA0xEgc1QbECt"
ttl=60 "stripe-verification=0d973d45747a457f5e2624c6116631d31e007d32d42654cca280f9b38da539f3"
ttl=60 "teamviewer-sso-verification=27c248ca0d8b4160ae3d1de1a514f350"
ttl=60 "teamviewer-sso-verification=d48556548a9646a3af6d65f6f2da0bff"
ttl=60 "tollbit-domain-verification=f8c8756d26a28b62f839818a4beacd34fb4032d5c5dad7f2bea69856cf265082"
ttl=60 "v=spf1 redirect=b45gkw7f._spf._d.mim.ec"cert valid for 203 days
Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.
subject cn: forbes.com
issuer: GlobalSign Atlas R3 DV TLS CA 2025 Q4 / GlobalSign nv-sa
valid: Nov 10 19:01:53 2025 GMT → Dec 12 19:01:52 2026 GMT
authorized: yes
sha256: F6:D3:33:54:C3:77:6D:BC:36:80:C0:36:04:D3:F6:BC:E9:F7:50:A8:56:92:05:8A:B1:BF:81:76:96:23:3D:8B fetched 2026-05-23T09:24:42.566Z
CORS headers present but no allow-origin set
Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).
origin https://drwho.me method GET preflight status 301 access-control-* headers
access-control-allow-origin —
access-control-allow-methods —
access-control-allow-headers —
access-control-allow-credentials true
access-control-max-age —
access-control-expose-headers — fetched 2026-05-23T09:24:42.599Z
check failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).
crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429
HTTPS served correctly
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).
final status: 200 · 2 hops
[301] https://forbes.com/[200] https://www.forbes.com/fetched 2026-05-23T09:24:42.681Z
2/6 DKIM selectors valid
Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Check the missing selectors in your DNS provider and re-add any removed records
default: —
google: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtSWZ52AgrP9UX724e3IQYIgJdGge0M2yg2V5c9plx5Oy6qkX67BOCGBQ8IIWoFplqkSpXenbG42hyC2TaVIaXJtTY8RWL3wHsRLbWlBI7uc+WaVjLxKpeNj5SS128dlEbMgsODDmXg/ZpSd8Oh9+gW9ahcBu2DHLKoeaZWKycjRV4/5J8O1x/wNC+umK76ZJVcif3AMYjZrgKKeUxg0adw7CswrvXyoqLgMET+yufKP48l3CPwVG01ouzavhSwIiJuVCuTlfU4oNpkSBhTZZC4AJ5GiGxk5tbBb8q+3w8pXx8Ntu/soPnvBxwSbzNbS5ZV/F/i19fQDIZgAhiqohcwIDAQAB
k1: —
selector1: —
selector2: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDH/0HJFfbInbEJZQAhx4JNPR1+DylNU4LzcmdtiAdddEhwwZZowqeFWBaSdZpKvj4oc4iqfO5iL8+AEE80nBcJe2POj5RNkkCvTbtQIhMMjilPdLedcQt6Scmm+BsPNbP7c9QarKNcJhFF0moY1CuE2gtF5vekbqbJZxLoPJeViQIDAQAB;
mxvault: — fetched 2026-05-23T09:24:42.688Z
not applicable: no _mta-sts TXT record
Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).
HTTPS surface reachable (robots ✓, sitemap ✗, title ✓)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt
present User-agent: *
Allow: /ajax/follow_info*
Allow: /ajax/getUniregUserData*
Disallow: /following/
Disallow: /search/
Disallow: /follow/
Disallow: /ajax/
Disallow: /author/following/
Disallow: /blog/following/
Disallow: /json/
Disallow: /header/channels/
Disallow: /find-more/
Disallow: /preview/
Disallow: *wp-admin*
Disallow: /typeahead/
Disallow: /pepe/
Disallow: /media-manager/
Disallow: /coupons/visit/*
Disallow: /test/
Disallow: /advisor/*zx1fa*
Disallow: /advisor/journey/
Disallow: /wui/
User-agent: googlebot-news
Disallow: /sites/adobe/
Disallow: /sites/arizonacommerce/
Disallow: /sites/bmoharrisbank/
Disallow: /sites/businessaviation/
Disallow: /sites/capitalonespark/
Disallow: /sites/cdw/
Disallow: /sites/centurylink/
Disallow: /sites/dell/
Disallow: /sites/emc/
Disallow: /sites/ey/
Disallow: /sites/fedex/
Disallow: /sites/fidelity/
Disallow: /sites/gyro/
Disallow: /sites/hsbc/
Disallow: /sites/houlihanlawrence/
Disallow: /sites/hiscox/
Disallow: /sites/ibm/
Disallow: /sites/infosys/
Disallow: /sites/mdanderson/
Disallow: /sites/medidata/
Disallow: /sites/microsoft/
Disallow: /sites/microsoftdynamics/
Disallow: /sites/netapp/
Disallow: /sites/northwesternmutual/
Disallow: /sites/oppenheimerfunds/
Disallow: /sites/oracle/
Disallow: /sites/pace/
Disallow: /sites/raymondjames/
Disallow: /sites/sage/
Disallow: /sites/samsung/
Disallow: /sites/sap/
Disallow: /sites/sungardas/
Disallow: /sites/taboola/
Disallow: /sites/ups/
Disallow: /sites/delta/
Disallow: /sites/airbus/
Disallow: /sites/symantec/
Disallow: /sites/paypal/
Disallow: /sites/olddominion/
Disallow: /sites/salesforce/
Disallow: /sites/gapinternational/
Disallow: /sites/sprintbusiness/
Disallow: /sites/transamerica/
Disallow: /sites/constantcontact/
Disallow: /sites/robertocoin/
Disallow: /sites/canon/
Disallow: /sites/samsungbusiness/
Disallow: /sites/att/
Disallow: /sites/lasvegas/
Disallow: /sites/iowa/
Disallow: /sites/teradata/
Disallow: /sites/thehartford/
Disallow: /sites/statoil/
Disallow: /sites/cit/
Disallow: /sites/deloitte/
Disallow: /sites/huawei/
Disallow: /sites/relateiq/
Disallow: /sites/cftc/
Disallow: /sites/celebritycruises/
Disallow: /sites/universityofcalifornia/
Disallow: /sites/coxbusiness/
Disallow: /sites/pega/
Disallow: /sites/athenahealth/
Disallow: /sites/etrade/
Disallow: /sites/comcastbusiness/
Disallow: /sites/optum/
Disallow: /sites/seagate/
Disallow: /sites/rbcwealthmanagement/
Disallow: /sites/avigilon/
Disallow: /sites/citi/
Disallow: /sites/castlight/
Disallow: /sites/hyatt/
Disallow: /sites/johnhancock/
Disallow: /sites/koreanair/
Disallow: /sites/merrilllynch/
Disallow: /sites/ptc/
Disallow: /sites/toyota/
Disallow: /sites/unify/
Disallow: /sites/xerox/
Disallow: /sites/united/
Disallow: /sites/zenithwatches/
Disallow: /sites/jpmorganchase/
Disallow: /sites/ramcommercial/
Disallow: /sites/puremichigan/
Disallow: /sites/tmfgroup/
Disallow: /sites/usaa/
Disallow: /sites/emerson/
Disallow: /sites/aberdeen/
Disallow: /sites/kellogg/
Disallow: /sites/zurich/
Disallow: /sites/freeenterprise/
Disallow: /sites/allclearid/
Disallow: /sites/accenture/
Disallow: /sites/mercedesbenz/
Disallow: /sites/nice/
Disallow: /sites/riverbed/
Disallow: /sites/pimco/
Disallow: /sites/netjets/
Disallow: /sites/vmware/
Disallow: /sites/visa/
Disallow: /sites/statefarm/
Disallow: /sites/philips/
Disallow: /sites/adp/
Disallow: /sites/zenithwatches/
Disallow: /sites/citrix/
Disallow: /sites/gwcic/
Disallow: /sites/cargill/
Disallow: /sites/bankofsingapore/
Disallow: /sites/dbsbank/
Disallow: /sites/gradsoflife/
Disallow: /sites/internationaliotcouncil/
Disallow: /pega/customers-for-life
Disallow: /celebritycruises/guide-to-the-globe
Disallow: /sites/disneyinstitute/
Disallow: /sites/concertocloud/
Disallow: /sites/capitalonefutureedge/
Disallow: /sites/mahindracomviva/
Disallow: /sites/workday/
Disallow: /sites/colorado/
Disallow: /sites/charlesschwab/
Disallow: /sites/chicagobooth/
Disallow: /sites/morganstanley/
Disallow: /sites/opentext/
Disallow: /sites/icims/
Disallow: /sites/thriventmutualfunds/
Disallow: /sites/cbre/
Disallow: /sites/univer head
title Forbes description Forbes is a global media company, focusing on business, investing, technology, entrepreneurship, leadership, and lifestyle. social
og:site_name Forbes
og:title Forbes
og:type website
og:url https://www.forbes.com/
og:image:type image/jpeg,image/gif,image/png
og:description Forbes is a global media company, focusing on business, investing, technology, entrepreneurship, leadership, and lifestyle.
twitter:card summary_large_image
twitter:site @forbes
twitter:title Forbes
twitter:description Forbes is a global media company, focusing on business, investing, technology, entrepreneurship, leadership, and lifestyle. fetched 2026-05-23T09:24:42.711Z
domain registered until 2027-06-16
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
registrar MarkMonitor Inc.
created 1993-06-17T04:00:00Z
expires 2027-06-16T04:00:00Z
statuses clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited, clientTransferProhibited https://icann.org/epp#clientTransferProhibited, clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited fetched 2026-05-23T09:24:42.746Z
A-
Audit-ready · 3 minor advisories
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass 12
Warn 3
Fail 0 What an auditor would flag first low SPF
SPF present but all-qualifier unrecognised
SOC 2 CC6.7 ISO 27001 A.13.2.1
low DKIM
2/6 DKIM selectors valid
SOC 2 CC6.7
low DNSSEC
DNSSEC not configured — no DS or DNSKEY records found
SOC 2 CC6.6 ISO 27001 A.13.1.1
Need this as an artifact your auditor can verify?
Your forbes.com scan flagged 3 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.
15-check summary DNS records A/AAAA records present MX 2 MX record(s) present SPF SPF present but all-qualifier unrecognised DMARC p=reject — strict policy DKIM 2/6 DKIM selectors valid TLS certificate cert valid for 203 days Redirect chain HTTPS served correctly Security headers 1 security header(s) missing CORS CORS headers present but no allow-origin set Web surface HTTPS surface reachable (robots ✓, sitemap ✗, title ✓) MTA-STS not applicable: no _mta-sts TXT record TLS-RPT not applicable: no TLSRPT record DNSSEC DNSSEC not configured — no DS or DNSKEY records found WHOIS domain registered until 2027-06-16 Certificate Transparency check failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429