Free · No account required

Free Domain
Security Tools

Instant checks for the most critical domain security signals — DNS, SSL/TLS, HSTS, SPF and DMARC. Built on the same engine as the DomainRisk platform. No account required.

Start here

Domain Security Scanner

Run a fast security preview across all key layers of your domain. Get a score, risk level and top findings in seconds.

  • DNS resolution & MX
  • SPF & DMARC email auth
  • TLS certificate validity
  • HSTS header
  • CAA records & DNSSEC
  • Preview score out of 100
Scan a domain

HSTS Checker

Check whether your domain enforces HTTPS via a valid Strict-Transport-Security header with a strong max-age and includeSubDomains.

  • HSTS present or absent
  • max-age value & strength
  • includeSubDomains directive
  • Preload flag
  • Risk level assessment
Check HSTS

DMARC Checker

Verify your domain's DMARC record, policy enforcement level, subdomain policy and pct coverage to detect email spoofing gaps.

  • DMARC record present or absent
  • Policy: none, quarantine, or reject
  • Subdomain policy via sp= tag
  • Enforcement coverage via pct= tag
  • Risk level assessment
Check DMARC

Tools vs full platform

These tools are a free preview of what the DomainRisk platform does continuously — across your entire domain portfolio.

Free tools

  • Point-in-time check only
  • Single domain at a time
  • Limited findings — no evidence
  • No remediation guidance
  • No subdomain discovery
  • No WHOIS governance
  • No attack scenarios
  • No history or change detection
  • No alerts
  • No PDF export

DomainRisk platform

Free trial
  • Continuous monitoring — hourly, daily or weekly
  • Unlimited domains on paid plans
  • All findings with technical evidence
  • Step-by-step remediation for every issue
  • Subdomain enumeration & takeover detection
  • WHOIS governance checks
  • Attack scenario correlation
  • 90-day change history & volatility score
  • Email & webhook alerts
  • PDF & CSV export
Start free — no credit card

What attackers look for in your domain

Missing or weak DMARC

Without an enforcing DMARC policy such as p=quarantine or p=reject, spoofed emails are more likely to pass through receiving mail systems.

No HSTS enforcement

Without Strict-Transport-Security, browsers accept plain HTTP connections. SSL-stripping attacks intercept traffic before HTTPS is negotiated.

Expiring TLS certificates

A lapsed certificate breaks HTTPS for all visitors and removes trust indicators. Attackers time attacks to coincide with the outage window.

Dangling subdomains

A subdomain pointing at a decommissioned cloud resource can be claimed by an attacker, serving malicious content under your brand.

Missing CAA records

Without CAA records, certificate issuance is not restricted to approved certificate authorities, increasing the risk of unauthorized or misissued certificates.

No SPF record

Without SPF, receiving mail servers lose one important signal for checking whether a server is authorized to send email for your domain.

Frequently asked questions

Are these tools really free?
Yes. All tools on this page are completely free and require no account. They are intentionally limited previews of the DomainRisk platform — designed to give you immediate value on your most critical domain security signals.
What is the difference between the Domain Security Scanner and the individual checkers?
The Domain Security Scanner runs a combined quick scan across DNS, SSL/TLS, HSTS, SPF, DMARC, CAA and DNSSEC in one shot and returns a preview score. The individual checkers — HSTS Checker and DMARC Checker — go deeper on a single control, showing raw header or record values, parsing results, and detailed explanations of what each field means.
How accurate are the results?
Results reflect what is publicly visible at the time of the scan. DNS propagation delays, CDN caching, or region-specific routing may occasionally affect results. For authoritative, repeatable results across your full domain portfolio, the DomainRisk platform runs scans on a fixed schedule and stores historical snapshots for comparison.
Do these tools check subdomains?
No. The free tools only check the apex domain you enter. Subdomain enumeration, dangling CNAME detection, and subdomain takeover analysis require the full DomainRisk scan, available after creating a free account.
What does the full DomainRisk platform include that these tools do not?
The full platform adds WHOIS governance checks, subdomain enumeration and takeover detection, attack scenario correlation, 90-day change history, a weighted 0–100 risk score across four categories, step-by-step remediation guidance with technical evidence, continuous monitoring, email and webhook alerts, and PDF and CSV export.
How often can I scan the same domain?
The public tools apply a basic rate limit per IP and per domain to protect infrastructure. Results are cached for up to one hour per domain. For continuous, scheduled monitoring without limits, use the DomainRisk platform.
Continuous monitoring

Go beyond one-time checks.
Monitor continuously.

DomainRisk monitors every domain in your portfolio on an ongoing basis — alerting you the moment a certificate expires, a DMARC policy regresses, or a subdomain becomes vulnerable.

Create a free accountSee all features