Try Our Free Security Tools

Check your email security, website security headers and Mozilla Observatory grade in seconds

This page runs three instant checks against any domain or URL you enter. The email security scanner reads your DNS records to verify whether SPF, DKIM and DMARC are correctly configured -- the three protocols that prevent attackers from sending email that impersonates your domain. The security headers scanner checks your website's HTTP response headers, which tell browsers how to handle your content and protect visitors from common attacks. The Mozilla Observatory check gives your site an independent letter grade based on a broader set of security best practices.

No account is needed and nothing is stored. Enter a domain or URL and results appear within 30 seconds.

Understanding your security headers results

HTTP security headers are instructions your web server sends to browsers when a page is loaded. They are invisible to visitors but control how browsers handle your content.

Content-Security-Policy (CSP) restricts which scripts, styles and resources a browser is allowed to load, reducing the risk of cross-site scripting (XSS) attacks. It is one of the most impactful headers to get right and also one of the most complex to configure without breaking functionality.

X-Frame-Options prevents your pages from being embedded in iframes on other sites, which is a common technique in clickjacking attacks. Strict-Transport-Security (HSTS) forces browsers to connect over HTTPS even if a user types a plain HTTP address. X-Content-Type-Options stops browsers from guessing at file types, closing off a class of injection vulnerabilities.

Missing headers rarely cause visible problems until something goes wrong. A clean set of headers is a baseline expectation for any business handling customer data or running transactions online.
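
The following is an added example, not this site's scanner code: an offline audit of the four headers described above, run over a constructed header set. The function names and the 180-day HSTS threshold are assumptions chosen for illustration.

```python
import re

# Constructed sample response headers, not taken from any real site.
SAMPLE = {
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}
MIN_HSTS_AGE = 15552000  # assumption: treat anything under 180 days as too short


def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; the first occurrence wins."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def audit_headers(headers):
    """Return {header: finding} for the four headers discussed above."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    out = {}
    csp = parse_csp(h.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src"))
    if not csp:
        out["content-security-policy"] = "missing"
    elif scripts is None:
        out["content-security-policy"] = "weak: scripts unrestricted"
    elif "'unsafe-inline'" in scripts and not any(
            s.startswith(("'nonce-", "'sha")) for s in scripts):
        out["content-security-policy"] = "weak: inline scripts allowed"
    else:
        out["content-security-policy"] = "ok"
    # A CSP frame-ancestors directive gives the same framing protection.
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp:
        out["x-frame-options"] = "ok"
    else:
        out["x-frame-options"] = "obsolete or invalid value" if xfo else "missing"
    age = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if age is None:
        out["strict-transport-security"] = "missing or no max-age"
    else:
        short = int(age.group(1)) < MIN_HSTS_AGE
        out["strict-transport-security"] = "max-age too short" if short else "ok"
    nosniff = h.get("x-content-type-options", "").lower() == "nosniff"
    out["x-content-type-options"] = "ok" if nosniff else "missing or not nosniff"
    return out
```

The sample shows why presence alone is not enough: three of its four headers are set, yet only X-Content-Type-Options passes.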

Understanding your email security results

SPF (Sender Policy Framework) is a DNS record that lists the mail servers authorised to send email on behalf of your domain. If it is missing or misconfigured, receiving mail servers may reject your messages or allow spoofed versions through.

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email so recipients can verify the message has not been altered in transit. Without it, your emails are easier to tamper with and more likely to be marked as spam.

DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving servers what to do when a check fails -- whether to quarantine the message, reject it or do nothing. A policy of p=none means you are monitoring only; p=quarantine or p=reject gives active protection.

If any of these records are missing or set to a permissive policy, your domain can be used to send phishing emails that appear to come from your business. See our email security service for help getting this right.

Check Your Site With Mozilla

Mozilla Observatory is a powerful tool for analysing your website's security posture. It checks for correct HTTP headers, TLS settings and more.

Enter your URL below and wait a few seconds to get started.

Note: The Mozilla Observatory API only provides summary results (grade, score, tests passed/failed). For full, detailed per-test results, please use the "Full Report" link after your scan.

Understanding your Mozilla Observatory score

Mozilla Observatory grades websites from F to A+ based on a weighted set of security checks. It covers much of the same ground as the headers scanner but applies Mozilla's own scoring model and flags additional issues such as subresource integrity, cookie security attributes and referrer policy.

A score below C suggests meaningful gaps in your web security posture. An A or A+ does not mean your site is unbreachable, but it does mean the most commonly exploited browser-level weaknesses have been addressed. If your score is lower than expected, use the Full Report link after your scan to see exactly which tests failed and why.

What to do if your results show problems

Most of the issues these tools surface are fixable -- but they require access to your DNS provider, your web server configuration and sometimes your email platform, and they need to be done carefully to avoid breaking existing mail flow or site functionality. Getting DMARC wrong, for example, can cause legitimate email to be rejected.

If you would rather have a specialist handle it, our email security service covers SPF, DKIM and DMARC setup and ongoing monitoring, while our penetration testing service goes further than automated checks to find vulnerabilities that scanners miss. For businesses looking to meet a recognised security standard, Cyber Essentials certification addresses secure configuration across your entire environment.

Frequently asked questions

Is this tool really free?

Yes. No account, no email address and no payment are required. The checks run against public DNS records and your website's HTTP responses.

What domains can I check?

Any publicly accessible domain. Enter the root domain for email checks (e.g. yourbusiness.co.uk) and the full URL for header and Observatory scans (e.g. https://yourbusiness.co.uk).

Will scanning my site cause any problems?

No. The scans read publicly available information only -- DNS records and HTTP response headers. No login credentials are used and no content is written to your server.

My SPF record exists but the scanner flags it as a problem. Why?

SPF records can fail for several reasons beyond simply being absent. Common issues include too many DNS lookups (the limit is ten), outdated entries for mail services you no longer use, or a missing ~all or -all qualifier at the end of the record.
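
The following is an added example, not this site's scanner code: it shows how a record that looks short can still exceed the ten-lookup limit once its includes are followed, and how a missing or permissive `all` is detected. The domains and records are constructed, and a dictionary stands in for DNS so the example runs offline.

```python
import re

# Constructed TXT records for hypothetical domains; this dict stands in for DNS.
ZONE = {
    "shop.example": "v=spf1 mx include:_spf.mailhost.example "
                    "include:crm.example include:old-news.example",
    "_spf.mailhost.example": "v=spf1 include:a.mailhost.example "
                             "include:b.mailhost.example ~all",
    "a.mailhost.example": "v=spf1 a mx ~all",
    "b.mailhost.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "crm.example": "v=spf1 a mx -all",
    "old-news.example": "v=spf1 mx -all",
}
# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_terms(record):
    """Yield (qualifier, name, argument) for each term after v=spf1."""
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        name, arg = re.match(r"([a-z0-9]*)[:=]?([^/]*)", body).groups()
        yield qualifier, name, arg


def count_lookups(domain, zone, path=()):
    """Count lookup-causing terms, following include/redirect through zone."""
    if domain in path or domain not in zone:  # loop guard / unknown target
        return 0
    total = 0
    for _, name, arg in spf_terms(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(arg, zone, path + (domain,))
    return total


def lint_spf(domain, zone):
    """Return the problems found in one domain's SPF record."""
    terms = list(spf_terms(zone[domain]))
    problems = []
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        problems.append("%d DNS lookups, limit is 10" % lookups)
    if not any(name in ("all", "redirect") for _, name, _ in terms):
        problems.append("no terminating all")
    elif any(name == "all" and q in "+?" for q, name, _ in terms):
        problems.append("all is permissive")
    return problems
```

The `shop.example` record has only four terms of its own, but the nested includes bring the total to eleven lookups; removing the entry for the retired newsletter service brings it back under the limit.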

How often should I run these checks?

After any change to your DNS settings, mail platform or web server configuration. As a general baseline, running checks quarterly is a reasonable habit for most SMEs.

Found gaps in your setup? Keeping on top of security fixes alongside your day-to-day workload is where many SMEs struggle. Our Admin Automation service can help reduce the operational overhead -- so nothing slips through the cracks.