Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).
Recommendations
Move to -all (hardfail) once your mail flow is confirmed — softfail gives no real protection
Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).
DNSSEC not configured — no DS or DNSKEY records found
Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).
Recommendations
Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar
Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).
Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).
Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).
Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).
Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Check the missing selectors in your DNS provider and re-add any removed records
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
HTTPS surface reachable (robots ✓, sitemap ✓, title ✓)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt: present
User-Agent: *
Content-Signal: ai-train=yes, search=yes, ai-input=yes
Allow: /
# Allow all current docs
Allow: /docs/*/current
# Allow docs that do not use /current
Allow: /docs/aura
Allow: /docs/browser
Allow: /docs/genai
Allow: /docs/getting-started
Allow: /docs/kafka-streams
# Index all versions of the Cypher manual and the Cypher cheat sheet
Allow: /docs/cypher-manual
Allow: /docs/cypher-cheat-sheet
# Allow docs home and related pages
Allow: /docs/index.html
Allow: /docs/sitemap_index.xml
Allow: /docs/create-applications
Allow: /docs/connectors
Allow: /docs/cypher
Allow: /docs/developer-tools
Allow: /docs/resources
Allow: /docs/security-docs
Allow: /docs/visualize
# Allow docs/reference but don't index license or usage-data
Allow: /docs/reference/
Disallow: /docs/reference/license
Disallow: /docs/reference/usage-data
Allow: /videos/$
Allow: /docs/llms.txt
Disallow: /docs/labs
Disallow: /components
Disallow: /docs/*/*
Disallow: /docs/*.*
Disallow: /docs/java-reference/current/javadocs
Disallow: /docs/api/java-driver/current/index.html?*
Disallow: /docs/*/toc.html
Disallow: /training_content/*
Disallow: /tag/
Sitemap: https://neo4j.com/sitemap_index.xml
Sitemap: https://neo4j.com/docs/sitemap_index.xml
sitemap.xml: present — 19 url(s)
head:
  title: Neo4j Graph Intelligence Platform
  description: Connect data as it's stored with Neo4j. Perform powerful, complex queries at scale and speed with our graph data platform.
  social:
    og:locale: en_US
    og:type: website
    og:title: Neo4j Graph Intelligence Platform
    og:description: Connect data as it's stored with Neo4j. Perform powerful, complex queries at scale and speed with our graph data platform.
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass: 12, Warn: 3, Fail: 0
What an auditor would flag first
[medium] SPF: ~all softfail — receivers may still accept (SOC 2 CC6.7, ISO 27001 A.13.2.1)
[low] DKIM: 1/6 DKIM selectors valid (SOC 2 CC6.7)
[low] DNSSEC: DNSSEC not configured — no DS or DNSKEY records found (SOC 2 CC6.6, ISO 27001 A.13.1.1)
Need this as an artifact your auditor can verify?
Your neo4j.com scan flagged 1 medium and 2 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.