Dr.Who lives at drwho.me — audit-grade domain evidence.
p=reject — strict policy
Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).
v=DMARC1; p=reject; pct=100; adkim=r; aspf=r; rua=mailto:dmarc_agg@vali.email
v=DMARC1
p=reject
pct=100
adkim=r
aspf=r
rua=mailto:dmarc_agg@vali.email
fetched 2026-05-23T10:39:21.791Z
~all softfail — receivers may still accept
Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).
Recommendations
Move to -all (hardfail) once your mail flow is confirmed — softfail gives no real protection
v=spf1 include:_spf.psm.knowbe4.com include:mail.zendesk.com include:_spf.presscloud.com include:helpscoutemail.com include:kayak.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all
fetched 2026-05-23T10:39:21.793Z
2 MX record(s) present
Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).
pri=10 mxa-009e5101.gslb.pphosted.com.
pri=10 mxb-009e5101.gslb.pphosted.com.
fetched 2026-05-23T10:39:21.794Z
DNSSEC not configured — no DS or DNSKEY records found
Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).
Recommendations
Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar
enabled no
DS records —
DNSKEY records —
fetched 2026-05-23T10:39:21.795Z
not applicable: no _mta-sts TXT record
Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).
not applicable: no TLSRPT record
Why it matters: TLS-RPT publishes a reporting address for SMTP-TLS failures. Without it, downgrade attacks on inbound mail go unnoticed (SOC 2 CC7.2).
1/6 DKIM selectors valid
Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Check the missing selectors in your DNS provider and re-add any removed records
default: —
google: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDWuUuD6OJIvN9lweAU6bzfFmGVBfUwd1eu3VSjtWMCPbnfTnj1zDTxsGVNqTv1a6nGgLC8+tuDerc2nfpiK4sTqgotz9EdUOgkQebB88At++QJ+0RHPwvmY3S79Te48FR+SMC72mToJwqiU6fgmfrgXqNBL+We4Q0bCnR1d4Yl/wIDAQAB
k1: —
selector1: —
selector2: —
mxvault: —
fetched 2026-05-23T10:39:21.810Z
A/AAAA records present
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
A ttl=2812 151.101.129.29
A ttl=2812 151.101.193.29
A ttl=2812 151.101.1.29
A ttl=2812 151.101.65.29
AAAA ttl=132 2a04:4e42::285
AAAA ttl=132 2a04:4e42:200::285
AAAA ttl=132 2a04:4e42:600::285
AAAA ttl=132 2a04:4e42:400::285
NS ttl=83111 blue.foundationdns.org.
NS ttl=83111 blue.foundationdns.com.
NS ttl=83111 blue.foundationdns.net.
SOA ttl=1800 blue.foundationdns.com. dns.cloudflare.com. 2404879006 10000 2400 604800 1800
CAA ttl=3600 0 iodef "mailto:ops@kayak.com"
CAA ttl=3600 0 issue "awstrust.com"
CAA ttl=3600 0 issue "comodoca.com"
CAA ttl=3600 0 issue "digicert.com; cansignhttpexchanges=yes"
CAA ttl=3600 0 issue "globalsign.com"
CAA ttl=3600 0 issue "letsencrypt.org"
CAA ttl=3600 0 issue "pki.goog; cansignhttpexchanges=yes"
CAA ttl=3600 0 issue "ssl.com"
CAA ttl=3600 0 issuewild "amazon.com"
CAA ttl=3600 0 issuewild "comodoca.com"
CAA ttl=3600 0 issuewild "digicert.com; cansignhttpexchanges=yes"
CAA ttl=3600 0 issuewild "letsencrypt.org"
CAA ttl=3600 0 issuewild "pki.goog; cansignhttpexchanges=yes"
CAA ttl=3600 0 issuewild "ssl.com"
TXT ttl=3600 "MS=ms32183003"
TXT ttl=3600 "_globalsign-domain-verification=p1fktqCHnOA1sE262wg61RlM1M1TddxeBhTTQfKOf-"
TXT ttl=3600 "adobe-idp-site-verification=e3698045df155e7f8cf3b02c00c51c334c988ed32d2c35abf118b5455559d0fb"
TXT ttl=3600 "airtable-verification=ab2905fae08cc438965f22077ffe0917"
TXT ttl=3600 "anthropic-domain-verification-ssadh3=5QlR12RKrK6yot7p3HMOdRp65"
TXT ttl=3600 "apple-domain-verification=y2Igt0Wg-UHV70fp8FwwAY0lXT7yuhgjH7LQCBWWn3k"
TXT ttl=3600 "atlassian-domain-verification=B1e9uqeJyMnx/b8qh19lhS2HmbMwe7iMsn3YJUdW1FrMfjT5ZIZIApoe6mckiqGv"
TXT ttl=3600 "atlassian-sending-domain-verification=ee4a120b-7262-4e68-b208-f80801824d31"
TXT ttl=3600 "cisco-ci-domain-verification=20500cc295a110d0573b2bdc2093ab09b58730d8f8b963895b6a3133a368cb25"
TXT ttl=3600 "cursor-domain-verification-eerey1=DeRjeVboCFaoJnWyaHOvbIMSV"
TXT ttl=3600 "docker-verification=38689d18-8405-471e-8c40-0f79329477db"
TXT ttl=3600 "docusign=32480aaa-d033-46e8-8295-f0a0a1a7a5dc"
TXT ttl=3600 "docusign=401274e0-a81e-4f1e-9379-3d0cb24b0646"
TXT ttl=3600 "docusign=b94148f1-8103-446e-be3c-c780204b2b73"
TXT ttl=3600 "docusign=d717820e-c9d2-4c7f-8673-c52c7533107e"
fetched 2026-05-23T10:39:21.792Z
TXT ttl=3600 "v=spf1 include:_spf.psm.knowbe4.com include:mail.zendesk.com include:_spf.presscloud.com include:helpscoutemail.com include:kayak.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all"
cert expires in 68 days
Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.
Recommendations
Schedule certificate renewal — consider enabling auto-renewal
subject cn: kayak.com
issuer: R13 / Let's Encrypt
valid: May 1 17:43:14 2026 GMT → Jul 30 17:43:13 2026 GMT
authorized: yes
sha256: 7E:F4:B4:D5:CB:26:23:B1:28:13:21:20:1C:1B:BF:6E:15:A0:02:1C:07:C5:39:E8:75:37:E1:42:54:3D:75:58
fetched 2026-05-23T10:39:21.847Z
no CORS headers — cross-origin requests blocked by default
Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).
origin https://drwho.me · method GET · preflight status 301
access-control-* headers
access-control-allow-origin —
access-control-allow-methods —
access-control-allow-headers —
access-control-allow-credentials —
access-control-max-age —
access-control-expose-headers —
no access-control-* headers returned — site does not advertise CORS to this origin
fetched 2026-05-23T10:39:21.881Z
check failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).
domain registered until 2027-05-02
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
registrar 101domain GRS Limited
created 1995-04-13T04:00:00Z
expires 2027-05-02T03:59:59Z
statuses clientDeleteProhibited (https://icann.org/epp#clientDeleteProhibited), clientTransferProhibited (https://icann.org/epp#clientTransferProhibited), serverDeleteProhibited (https://icann.org/epp#serverDeleteProhibited), serverTransferProhibited (https://icann.org/epp#serverTransferProhibited), serverUpdateProhibited (https://icann.org/epp#serverUpdateProhibited)
fetched 2026-05-23T10:39:22.019Z
HTTPS served correctly
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).
final status: 200 · 2 hops
[301] https://kayak.com/
[200] https://www.kayak.com/
fetched 2026-05-23T10:39:22.135Z
Grade B
Mostly compliant · 5 items need attention
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass 10
Warn 5
Fail 0
What an auditor would flag first
medium · SPF · ~all softfail — receivers may still accept · SOC 2 CC6.7, ISO 27001 A.13.2.1
medium · Security headers · 3 security header(s) missing · SOC 2 CC6.6, ISO 27001 A.14.1.2
low · DKIM · 1/6 DKIM selectors valid · SOC 2 CC6.7
15-check summary
DNS records: A/AAAA records present
MX: 2 MX record(s) present
SPF: ~all softfail — receivers may still accept
DMARC: p=reject — strict policy
DKIM: 1/6 DKIM selectors valid
TLS certificate: cert expires in 68 days
Redirect chain: HTTPS served correctly
Security headers: 3 security header(s) missing
CORS: no CORS headers — cross-origin requests blocked by default
Web surface: HTTPS surface reachable (robots ✓, sitemap ✓, title ✓)
MTA-STS: not applicable: no _mta-sts TXT record
TLS-RPT: not applicable: no TLSRPT record
DNSSEC: DNSSEC not configured — no DS or DNSKEY records found
WHOIS: domain registered until 2027-05-02
Certificate Transparency: check failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429
HTTPS surface reachable (robots ✓, sitemap ✓, title ✓)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt
present
#Build version: R818d
#Generated on: Fri May 22 01:00:00 EDT 2026
sitemap.xml
present — 116 url(s)
head
title Search Flights, Hotels & Rental Cars | KAYAK
description KAYAK searches hundreds of other travel sites at once to find the information you need to make the right decisions on flights, hotels & rental cars.
social
og:image https://content.r9cdn.net/rimg/provider-logos/common/socialmedia/kayak-logo.png?width=1200&height=630&crop=false
og:image:width 1200
og:image:height 630
og:title Search Flights, Hotels & Rental Cars | KAYAK
og:type article
og:description KAYAK searches hundreds of other travel sites at once to find the information you need to make the right decisions on flights, hotels & rental cars.
og:site_name KAYAK
twitter:description KAYAK searches hundreds of other travel sites at once to find the information you need to make the right decisions on flights, hotels & rental cars.
twitter:image:src https://content.r9cdn.net/rimg/provider-logos/common/socialmedia/kayak-logo.png?width=440&height=220&crop=false
twitter:card summary_large_image
twitter:site @KAYAK
twitter:creator @KAYAK
fetched 2026-05-23T10:39:22.272Z