← ip-tracker.online
Security

Domain Security Checklist — DNS, SSL, and Email

9 min read  ·  Complete domain security audit guide

// Why Audit Your Domain?

Your domain is the front door to your organisation on the internet. A single misconfigured DNS record, an expired SSL certificate, or a missing DMARC policy can lead to email spoofing, man-in-the-middle attacks, service outages, or silent traffic hijacking.

This checklist walks through every layer of domain security — DNS, TLS, email authentication, certificate authority controls, and HTTP security headers. Each section includes what to check, why it matters, and how to verify it using a free domain lookup on ip-tracker.online.

Run this audit when onboarding a new domain, after migrating DNS providers, before a compliance review, or quarterly as part of routine security hygiene.

// DNS Records Checklist

DNS is the foundation. If an attacker compromises your DNS, they can redirect all traffic, intercept email, and obtain fraudulent certificates. Verify every record type below.

A and AAAA records

MX records

NS records

TXT records

SOA record

RecordWhat to verifyRisk if wrong
A / AAAAPoints to your serversTraffic hijack, downtime
MXAuthorised mail servers onlyEmail interception
NSYour DNS providerFull DNS takeover
TXTSPF, DMARC, DKIM presentEmail spoofing
CAARestricts certificate issuersFraudulent TLS certs

// SSL Certificate Validity

TLS certificates encrypt traffic between browsers and your servers. An expired, misissued, or weak certificate breaks trust and may expose user data.

What to check

IP Tracker performs a live TLS handshake to inspect the certificate directly from your server — not from a cached database. This gives you real-time validity, expiry, issuer, and SAN data.

Domain: example.com Issuer: Let's Encrypt (R3) Valid from: 2026-06-01 Expires: 2026-08-30 SANs: example.com, www.example.com Status: Valid ✓

Set calendar reminders for certificate renewal. Automated tools like certbot handle Let's Encrypt renewal, but monitoring catches failures before users see browser warnings.

// Email Authentication: SPF, DMARC, DKIM

Email authentication prevents attackers from sending mail that appears to come from your domain. All three mechanisms work together:

SPF checklist

DMARC checklist

DKIM checklist

See our dedicated guide How to Verify SPF and DMARC for detailed walkthroughs and common misconfiguration fixes.

// CAA Records

CAA (Certification Authority Authorization) DNS records specify which Certificate Authorities are permitted to issue certificates for your domain. Without CAA, any CA in the global trust store can issue a certificate for your domain if they validate control — a risk if a CA is compromised or misused.

example.com CAA 0 issue "letsencrypt.org" example.com CAA 0 issue "digicert.com" example.com CAA 0 iodef "mailto:security@example.com"

Checklist:

// Security Headers

While DNS and TLS protect infrastructure, HTTP security headers protect users at the application layer. IP Tracker's domain lookup focuses on DNS and TLS, but your audit should also verify these headers on your web server:

HeaderPurpose
Strict-Transport-SecurityForces HTTPS (HSTS)
Content-Security-PolicyPrevents XSS and injection
X-Frame-OptionsPrevents clickjacking
X-Content-Type-OptionsPrevents MIME sniffing
Referrer-PolicyControls referrer leakage
Permissions-PolicyRestricts browser features

Test headers with browser developer tools (Network tab → response headers) or online scanners like securityheaders.com. Missing HSTS is the most common critical gap — without it, users can be downgraded to HTTP by an active attacker.

// Step-by-Step Audit with IP Tracker

Here is a complete audit workflow using a single tool. Allow 15–20 minutes per domain.

  1. Open ip-tracker.online and enter your domain name.
  2. DNS section — review A, AAAA, MX, NS, TXT, and SOA records. Flag any unexpected entries.
  3. SSL section — confirm certificate is valid, not expired, issued by a trusted CA, and covers all required hostnames.
  4. SPF/DMARC section — verify SPF exists (one record), DMARC is published with an enforcement policy, and DKIM selectors are present.
  5. IP lookup on A record addresses — confirm they geolocate to your expected data centre region and ASN.
  6. Check AAAA records — if present, look up IPv6 addresses to verify they belong to your infrastructure (see our IPv6 Lookup Guide).
  7. RDAP/WHOIS section — confirm domain registration details, expiry date, and registrar are correct.
  8. Document findings — record pass/fail for each checklist item with screenshots.
  9. Fix failures — update DNS records, renew certificates, or tighten DMARC policy as needed.
  10. Re-run the lookup — confirm all fixes are live after DNS propagation (up to 48 hours).

For organisations managing multiple domains, run this audit quarterly and after any infrastructure change — migration to a new mail provider, CDN switch, certificate authority change, or DNS provider transfer.

// Quick Reference: Pass/Fail Criteria

DNS [ ] A records point to correct servers [ ] AAAA records present and correct (if using IPv6) [ ] MX records authorised only [ ] NS records match DNS provider [ ] No stale or unknown TXT records SSL/TLS [ ] Certificate valid and not expiring within 30 days [ ] SANs cover all served hostnames [ ] Issued by trusted CA [ ] TLS 1.2+ supported Email [ ] Single SPF record, ≤10 lookups [ ] DMARC published with p=quarantine or p=reject [ ] DKIM selectors published and signing enabled [ ] rua= address monitored CAA [ ] CAA records restrict to authorised CAs [ ] iodef contact configured Headers (manual check) [ ] HSTS enabled with max-age ≥ 1 year [ ] Content-Security-Policy configured [ ] X-Frame-Options or CSP frame-ancestors set

A domain that passes every item on this list has strong baseline security. No checklist replaces ongoing monitoring, but this audit catches the misconfigurations responsible for the majority of domain-related incidents.

Run a domain security audit now

DNS, SSL, SPF, DMARC, WHOIS, and IP data — complete domain profile in one free lookup.

Open IP & Domain Tracker →

// Related Articles