Domain Security Scanner

Run a fast domain security preview to check common DNS, SSL/TLS, HSTS, SPF, DMARC, CAA and DNSSEC issues. The public scan is intentionally lightweight. Create a free account to run the full DomainRisk scan with complete findings, evidence, remediation steps, monitoring history and alerts.

What this quick scan checks

The public scan retrieves publicly available signals in seconds. It is a point-in-time preview, not a substitute for continuous monitoring.

DNS resolution

A and AAAA records, MX presence, CAA records, basic DNSSEC status

TLS certificate

Certificate presence, validity, and expiration date

HSTS

Header presence, max-age strength, and includeSubDomains directive

SPF

Record presence and basic syntax check

DMARC

Record presence and policy level: none, quarantine, or reject

Scoring

Preview security score out of 100 based on the above checks

What the full DomainRisk scan includes

The full scan goes well beyond what the quick preview can retrieve. It runs a complete analysis across every security layer and stores a change history for continuous monitoring.

All findings with technical evidence

Step-by-step remediation guidance

WHOIS governance checks

Subdomain enumeration & exposure

Dangling CNAME & takeover detection

Attack scenario correlation

DKIM selector analysis

90-day change history & volatility

Email & webhook alerts

PDF & CSV export

Continuous monitoring

Explainable 0-100 risk score

Why one-time scans are not enough

A point-in-time check tells you what your domain looks like right now. But security configurations change constantly — often silently. Certificates expire. Deployments reset headers. DNS records are modified during migrations. DMARC policies regress after a vendor change.

TLS certificate expires

A certificate not renewed in time breaks HTTPS for all visitors. Automated renewal failures are common and often go unnoticed until users report errors.

HSTS header dropped after a deploy

A misconfigured reverse proxy or CDN update can silently remove the HSTS header, re-exposing the domain to downgrade attacks.

DMARC policy rolled back

A DNS change during a mail migration can replace p=reject with p=none, re-opening the door to spoofing overnight.

Subdomain hijacked

A removed cloud service leaves a CNAME pointing at an unclaimed resource. An attacker registers the target and takes over the subdomain.

DomainRisk.io monitors your domains continuously and alerts you the moment something changes — so you fix regressions before attackers exploit them.
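Two of the regressions described above, a dropped HSTS header and a DMARC policy rolled back from p=reject to p=none, can be caught by comparing two snapshots of the published values. The following is an added example, not DomainRisk code; the snapshot keys `hsts` and `dmarc`, the finding names and the sample values are assumptions made for illustration.

```python
DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}  # weakest to strongest

def parse_hsts(header):
    """Return (max_age, include_subdomains), or None if absent or invalid."""
    max_age, include_sub = None, False
    for part in (header or "").split(";"):
        name, _, value = part.strip().lower().partition("=")
        if name.strip() == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name.strip() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def parse_dmarc_policy(txt):
    """Return the p= policy of a DMARC TXT record, or None if absent or invalid."""
    tags = {}
    for part in (txt or "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    return policy if tags.get("v") == "DMARC1" and policy in DMARC_RANK else None

def regressions(before, after):
    """List ways `after` is weaker than `before` (keys 'hsts'/'dmarc' are assumed names)."""
    found = []
    old_h, new_h = parse_hsts(before.get("hsts")), parse_hsts(after.get("hsts"))
    if old_h and old_h[0] > 0:  # HSTS was enforced in the earlier snapshot
        if not new_h or new_h[0] == 0:  # header gone, or max-age=0 clears the policy
            found.append("hsts-removed")
        else:
            if new_h[0] < old_h[0]:
                found.append("hsts-max-age-reduced")
            if old_h[1] and not new_h[1]:
                found.append("hsts-includesubdomains-dropped")
    old_p, new_p = parse_dmarc_policy(before.get("dmarc")), parse_dmarc_policy(after.get("dmarc"))
    if old_p is not None:
        if new_p is None:
            found.append("dmarc-removed")
        elif DMARC_RANK[new_p] < DMARC_RANK[old_p]:
            found.append(f"dmarc-policy-weakened:{old_p}->{new_p}")
    return found

# Constructed sample snapshots (illustrative values, not real scan output).
BEFORE = {"hsts": "max-age=31536000; includeSubDomains", "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"}
AFTER = {"hsts": None, "dmarc": "v=DMARC1; p=none"}
print(regressions(BEFORE, AFTER))
```

Only weakening is reported: a new or stricter policy in the later snapshot produces no finding.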

Frequently asked questions

What is a domain security scanner?

A domain security scanner checks the publicly accessible security configuration of a domain — including DNS records, TLS certificates, HSTS headers, email authentication (SPF and DMARC), and CAA records. It identifies misconfigurations that expose the domain to spoofing, certificate attacks, or protocol downgrade.

What does the quick scan check?

The quick scan checks DNS resolution (A/AAAA), MX presence, SPF and DMARC email authentication, CAA records, DNSSEC status, TLS certificate validity and expiry, and HSTS header configuration. Results are returned in seconds and represent a point-in-time snapshot of publicly visible signals.

Why is the public scan limited?

The public quick scan is intentionally a preview. It checks the most impactful and fast-to-retrieve signals without subdomain discovery, WHOIS analysis, attack scenario correlation, or historical comparison. These deeper checks are available in the full DomainRisk scan after creating a free account.

What is included in the full DomainRisk report?

The full report includes all findings with technical evidence and remediation steps, WHOIS governance checks (registrar locks, expiration, registrant privacy), subdomain enumeration and takeover detection, attack scenario correlation, a weighted risk score across four categories, change history, PDF export, and continuous monitoring with email and webhook alerts.

Why should domain security be monitored continuously?

A point-in-time scan tells you what your domain looks like today. DNS records change, certificates expire, HSTS headers are dropped after deployments, and DMARC policies regress. Continuous monitoring detects those changes and alerts you before attackers discover them — or before they affect deliverability or HTTPS enforcement.

Does this scan include subdomain discovery?

No. The public quick scan only checks the apex domain you enter. Subdomain enumeration, dangling CNAME detection, and subdomain takeover analysis are part of the full DomainRisk scan, available after creating a free account.

Continuous monitoring

Start continuous domain security monitoring

Full findings, remediation steps, WHOIS governance, subdomain exposure, attack scenarios, PDF export, monitoring history and alerts — all in one platform.
