How Secure Is Your
Business Domain?

Seven areas across two groups, all run for real. The four email-authentication checks — MX records, SPF anti-spoofing policy, DMARC enforcement, and DKIM signing — are live DNS lookups. The three web/TLS checks — SSL certificate validity, HTTPS-redirect enforcement, and security response headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) — are real TLS and HTTP connections made from our server. Nothing is simulated, and a check that genuinely cannot run is reported as such rather than guessed.

Yes, completely free with no signup required. Enter your domain and get your full security posture in seconds. The scan runs server-side using public DNS and a standard HTTPS connection to your site — exactly what any visitor or mail server already sees. We do not store your results or use your domain for anything beyond showing you the score.

Without SPF and DMARC, anyone can send email that appears to come from your domain — a technique called email spoofing. It is used in business email compromise (BEC) attacks, the number one cybercrime by dollar loss per the FBI IC3. It also degrades your email deliverability over time.

Fix email security first: SPF, DMARC, and DKIM together prevent spoofing and improve deliverability. SSL and HTTPS redirect come next since they affect every site visitor. Security headers round out the hardening. Leonidas configures all of these as part of every managed IT and cybersecurity engagement.

Each failed check is a real attack surface that adversaries actively exploit against small businesses. Missing DMARC means spoofed emails reach your employees. An expiring SSL cert locks visitors out of your site. Missing HSTS exposes sessions to downgrade attacks. These are the actual entry points used in real SMB compromises.