Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).
Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).
Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Check the missing selectors in your DNS provider and re-add any removed records
DNSSEC not configured — no DS or DNSKEY records found
Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).
Recommendations
Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar
Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).
Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).
Recommendations
Move to -all (hardfail) once your mail flow is confirmed — softfail gives no real protection
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.
no CORS headers — cross-origin requests blocked by default
Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).
origin
https://drwho.me
method
GET
preflight status
403
access-control-* headers
access-control-allow-origin
—
access-control-allow-methods
—
access-control-allow-headers
—
access-control-allow-credentials
—
access-control-max-age
—
access-control-expose-headers
—
no access-control-* headers returned — site does not advertise CORS to this origin
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).
HTTPS surface reachable (robots ✓, sitemap ✗, title ✓)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
Compre productos con Envío Gratis en el día en Mercado Libre. Encuentre miles de marcas y productos a precios increíbles.
social
no OpenGraph or Twitter meta tags found
fetched 2026-05-23T09:36:51.446Z
B
Mostly compliant · 4 items need attention
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass
11
Warn
4
Fail
0
What an auditor would flag first
medium
SPF
~all softfail — receivers may still accept
SOC 2 CC6.7ISO 27001 A.13.2.1
low
DKIM
1/6 DKIM selectors valid
SOC 2 CC6.7
low
Security headers
3 security header(s) missing
SOC 2 CC6.6ISO 27001 A.14.1.2
Need this as an artifact your auditor can verify?
Your mercadolibre.com scan flagged 1 medium and 3 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).