Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).
Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).
Recommendations
Move to -all (hardfail) once your mail flow is confirmed — softfail gives no real protection
Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).
Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Enable DKIM signing in your mail provider and publish the provided TXT record
Common selectors: google._domainkey, selector1._domainkey (Microsoft), mail._domainkey
no DKIM record on probed selectors (default, google, k1, selector1, selector2, mxvault)
DNSSEC not configured — no DS or DNSKEY records found
Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).
Recommendations
Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar
Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).
Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.
subject cn:
vip-drekar-lasdmzprd-xredirect.qualcomm.com
issuer:
Sectigo Public Server Authentication CA OV R36 / Sectigo Limited
valid:
Jan 23 00:00:00 2026 GMT → Jan 23 23:59:59 2027 GMT
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).
no CORS headers — cross-origin requests blocked by default
Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).
origin
https://drwho.me
method
GET
preflight status
301
access-control-* headers
access-control-allow-origin
—
access-control-allow-methods
—
access-control-allow-headers
—
access-control-allow-credentials
—
access-control-max-age
—
access-control-expose-headers
—
no access-control-* headers returned — site does not advertise CORS to this origin
HTTPS surface reachable (robots ✓, sitemap ✓, title ✓)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt
present
# Daum search Korea robot
User-agent: daumoa
Disallow: /
# Infoseek robot
User-agent: Ultraseek
Disallow:
# Infoseek robot search
User-agent: Ultraseek-www
Disallow: /
# Alexa / The Internet Archive (this has been disabled for a while)
User-agent: ia_archiver
Disallow: /
#Cuil bot
User-agent: twiceler
Disallow: /
#SEOkicks-Robot
User-agent: SEOkicks-Robot
Disallow: /
Sitemap: https://www.qualcomm.com/sitemap.xml
sitemap.xml
present — 470 url(s)
head
title
Qualcomm: Intelligent Computing Everywhere
description
Learn how Qualcomm transforms industries with leading edge AI, high-performance, low-power computing and unrivaled connectivity.
social
og:description
Learn how Qualcomm transforms industries with leading edge AI, high-performance, low-power computing and unrivaled connectivity.
og:title
Wireless Technology & Innovation | Mobile Technology | Qualcomm
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass
12
Warn
3
Fail
0
What an auditor would flag first
medium
SPF
~all softfail — receivers may still accept
SOC 2 CC6.7ISO 27001 A.13.2.1
low
DKIM
no DKIM selectors found — likely not configured
SOC 2 CC6.7
low
DNSSEC
DNSSEC not configured — no DS or DNSKEY records found
SOC 2 CC6.6ISO 27001 A.13.1.1
Need this as an artifact your auditor can verify?
Your qualcomm.com scan flagged 1 medium and 2 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.