← ip-tracker.online
Security
Domain Security Checklist — DNS, SSL, and Email
9 min read · Complete domain security audit guide
// Why Audit Your Domain?
Your domain is the front door to your organisation on the internet. A single misconfigured
DNS record, an expired SSL certificate, or a missing DMARC policy can lead to email spoofing,
man-in-the-middle attacks, service outages, or silent traffic hijacking.
This checklist walks through every layer of domain security — DNS, TLS, email authentication,
certificate authority controls, and HTTP security headers. Each section includes what to check,
why it matters, and how to verify it using a free domain lookup on
ip-tracker.online.
Run this audit when onboarding a new domain, after migrating DNS providers, before a compliance
review, or quarterly as part of routine security hygiene.
// DNS Records Checklist
DNS is the foundation. If an attacker compromises your DNS, they can redirect all traffic,
intercept email, and obtain fraudulent certificates. Verify every record type below.
A and AAAA records
- Confirm A records point to your intended IPv4 servers — not stale IPs from a previous host.
- Verify AAAA records exist if you support IPv6, and that they point to your infrastructure.
- Check for unexpected A/AAAA records on subdomains you do not recognise.
- Ensure no A records point to private RFC 1918 addresses (indicates misconfiguration).
MX records
- Verify MX records point to your authorised mail servers (Google Workspace, Microsoft 365, etc.).
- Check MX priority values are correct — lower number = higher priority.
- Look for unauthorised MX records that could intercept your email.
- Confirm MX hostnames resolve and are reachable.
NS records
- Verify nameservers match your DNS provider (Cloudflare, Route 53, your registrar, etc.).
- Unexpected NS records may indicate an ongoing or past DNS hijack.
- Confirm at least two nameservers for redundancy.
- Check that NS hostnames themselves resolve correctly.
TXT records
- Review all TXT records — SPF, DMARC, DKIM, domain verification tokens, and third-party integrations.
- Remove TXT records for services you no longer use (old SaaS verifications, deprecated tools).
- Confirm exactly one SPF record exists (see email section below).
SOA record
- Check the SOA serial number increments after changes (indicates DNS is updating).
- Verify the SOA admin contact email is current and monitored.
| Record | What to verify | Risk if wrong |
| A / AAAA | Points to your servers | Traffic hijack, downtime |
| MX | Authorised mail servers only | Email interception |
| NS | Your DNS provider | Full DNS takeover |
| TXT | SPF, DMARC, DKIM present | Email spoofing |
| CAA | Restricts certificate issuers | Fraudulent TLS certs |
// SSL Certificate Validity
TLS certificates encrypt traffic between browsers and your servers. An expired, misissued,
or weak certificate breaks trust and may expose user data.
What to check
- Expiry date — certificate must not be expired; renew at least 30 days before expiration.
- Subject and SANs — the certificate must cover your domain and all subdomains you serve (check Subject Alternative Names).
- Issuer — issued by a trusted Certificate Authority (Let's Encrypt, DigiCert, Sectigo, etc.).
- Chain completeness — intermediate certificates must be properly configured on your server.
- Protocol version — server should support TLS 1.2 or 1.3; TLS 1.0 and 1.1 are deprecated.
- Wildcard scope — wildcard certs (*.example.com) do not cover the apex domain (example.com) unless explicitly included.
IP Tracker performs a live TLS handshake to inspect the certificate directly from your server —
not from a cached database. This gives you real-time validity, expiry, issuer, and SAN data.
Domain: example.com
Issuer: Let's Encrypt (R3)
Valid from: 2026-06-01
Expires: 2026-08-30
SANs: example.com, www.example.com
Status: Valid ✓
Set calendar reminders for certificate renewal. Automated tools like certbot handle Let's Encrypt
renewal, but monitoring catches failures before users see browser warnings.
// Email Authentication: SPF, DMARC, DKIM
Email authentication prevents attackers from sending mail that appears to come from your domain.
All three mechanisms work together:
SPF checklist
- Exactly one SPF TXT record at the domain root starting with v=spf1
- All authorised sending services included (mail provider, marketing tools, transactional email)
- DNS lookup count ≤ 10 (count every include, a, mx, redirect)
- Ending qualifier matches policy: -all (hard fail) recommended for production
DMARC checklist
- TXT record at _dmarc.yourdomain.com starting with v=DMARC1
- Policy set to p=quarantine or p=reject (not p=none in production)
- Aggregate reporting address (rua=) configured and monitored
- Percentage (pct=) at 100 for full enforcement
DKIM checklist
- DKIM TXT records published at selector subdomains (e.g. selector1._domainkey.example.com)
- Keys rotated periodically (annually or per provider recommendation)
- DKIM signing enabled on all outbound mail servers
See our dedicated guide How to Verify SPF and DMARC
for detailed walkthroughs and common misconfiguration fixes.
// CAA Records
CAA (Certification Authority Authorization) DNS records specify which
Certificate Authorities are permitted to issue certificates for your domain. Without CAA,
any CA in the global trust store can issue a certificate for your domain if they validate
control — a risk if a CA is compromised or misused.
example.com CAA 0 issue "letsencrypt.org"
example.com CAA 0 issue "digicert.com"
example.com CAA 0 iodef "mailto:security@example.com"
Checklist:
- CAA records exist for your domain (absence means any CA can issue)
- Only your authorised CAs are listed in issue tags
- An iodef tag points to a monitored security contact for violation reports
- CAA records exist on both the apex domain and relevant subdomains
- Wildcard CAA (issuewild) is configured if you use wildcard certificates
// Security Headers
While DNS and TLS protect infrastructure, HTTP security headers protect
users at the application layer. IP Tracker's domain lookup focuses on DNS and TLS, but
your audit should also verify these headers on your web server:
| Header | Purpose |
| Strict-Transport-Security | Forces HTTPS (HSTS) |
| Content-Security-Policy | Prevents XSS and injection |
| X-Frame-Options | Prevents clickjacking |
| X-Content-Type-Options | Prevents MIME sniffing |
| Referrer-Policy | Controls referrer leakage |
| Permissions-Policy | Restricts browser features |
Test headers with browser developer tools (Network tab → response headers) or online scanners
like securityheaders.com. Missing HSTS is the most common critical gap — without it, users
can be downgraded to HTTP by an active attacker.
// Step-by-Step Audit with IP Tracker
Here is a complete audit workflow using a single tool. Allow 15–20 minutes per domain.
- Open ip-tracker.online and enter your domain name.
- DNS section — review A, AAAA, MX, NS, TXT, and SOA records. Flag any unexpected entries.
- SSL section — confirm certificate is valid, not expired, issued by a trusted CA, and covers all required hostnames.
- SPF/DMARC section — verify SPF exists (one record), DMARC is published with an enforcement policy, and DKIM selectors are present.
- IP lookup on A record addresses — confirm they geolocate to your expected data centre region and ASN.
- Check AAAA records — if present, look up IPv6 addresses to verify they belong to your infrastructure (see our IPv6 Lookup Guide).
- RDAP/WHOIS section — confirm domain registration details, expiry date, and registrar are correct.
- Document findings — record pass/fail for each checklist item with screenshots.
- Fix failures — update DNS records, renew certificates, or tighten DMARC policy as needed.
- Re-run the lookup — confirm all fixes are live after DNS propagation (up to 48 hours).
For organisations managing multiple domains, run this audit quarterly and after any
infrastructure change — migration to a new mail provider, CDN switch, certificate authority
change, or DNS provider transfer.
// Quick Reference: Pass/Fail Criteria
DNS
[ ] A records point to correct servers
[ ] AAAA records present and correct (if using IPv6)
[ ] MX records authorised only
[ ] NS records match DNS provider
[ ] No stale or unknown TXT records
SSL/TLS
[ ] Certificate valid and not expiring within 30 days
[ ] SANs cover all served hostnames
[ ] Issued by trusted CA
[ ] TLS 1.2+ supported
Email
[ ] Single SPF record, ≤10 lookups
[ ] DMARC published with p=quarantine or p=reject
[ ] DKIM selectors published and signing enabled
[ ] rua= address monitored
CAA
[ ] CAA records restrict to authorised CAs
[ ] iodef contact configured
Headers (manual check)
[ ] HSTS enabled with max-age ≥ 1 year
[ ] Content-Security-Policy configured
[ ] X-Frame-Options or CSP frame-ancestors set
A domain that passes every item on this list has strong baseline security. No checklist
replaces ongoing monitoring, but this audit catches the misconfigurations responsible for
the majority of domain-related incidents.
Run a domain security audit now
DNS, SSL, SPF, DMARC, WHOIS, and IP data — complete domain profile in one free lookup.
Open IP & Domain Tracker →