
How to Audit Your Domain's Security Posture: A Complete Guide

Step-by-step guide to assessing your domain's security posture — from DNS and SSL to email authentication, exposed services, and breach exposure. Practical tools and techniques included.

Tags: domain security posture, security audit guide, domain OSINT, cybersecurity assessment, domain protection

What Is a Domain Security Posture

Your domain's security posture is the sum of all its defensive configurations, exposures, and vulnerabilities as seen from the outside. It answers a simple question: if an attacker looked at your domain right now, what would they find?

Most organizations have blind spots. They configure SSL once and forget about it. They add SPF records but never progress to DMARC enforcement. They decommission services but leave DNS records pointing to abandoned infrastructure. Each blind spot is an opportunity for attackers.

A security posture audit systematically examines every externally visible layer of your domain to identify weaknesses before attackers do.

Step 1: Enumerate Your Domain Assets

Before you can assess security, you need a complete inventory of what you are protecting.

Subdomain Discovery

Your registered domain is just the tip of the iceberg. Most organizations have dozens to hundreds of subdomains, many forgotten or unmaintained.

Techniques:

  • Certificate Transparency logs (crt.sh): Query all SSL certificates ever issued for your domain. This reveals subdomains you may have forgotten about.
  • DNS brute forcing: Tools like Subfinder or Amass try common subdomain names against your domain's DNS servers.
  • Search engine dorking: Google searches like site:*.yourdomain.com reveal indexed subdomains.
  • Web archive: The Wayback Machine archives pages from subdomains that may no longer be active but still have DNS records.

What to look for:

  • Subdomains pointing to decommissioned services (dangling CNAMEs — subdomain takeover risk)
  • Development or staging environments exposed to the internet
  • Internal tools accessible without VPN (Jenkins, Grafana, admin panels)
  • Legacy applications that are no longer maintained or patched
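The two lists above can be turned into a repeatable check. The following is an added example written for this guide, not code from the original post or from any of the tools it names: it reads the JSON that crt.sh returns for a domain into a de-duplicated subdomain inventory, then flags CNAME aliases whose target no longer resolves, which is the precondition for the dangling-CNAME takeover risk described above. The crt.sh sample, the CNAME table and the resolver table are all constructed so the code runs offline; in practice `fake_resolve` would wrap a real lookup such as `socket.gethostbyname` returning None on failure.

```python
"""Added example (not from the original post): Certificate Transparency
inventory plus dangling-CNAME detection, runnable offline on constructed data.

crt.sh serves JSON for a query like https://crt.sh/?q=%25.example.com&output=json;
each entry carries a "name_value" field that may hold several names separated
by newlines. CRTSH_SAMPLE below is constructed in that shape.
"""
import json
from typing import Callable, Dict, List, Optional, Set

# Constructed sample in the shape crt.sh returns for ?output=json.
CRTSH_SAMPLE = json.dumps([
    {"name_value": "www.example.com\nexample.com", "not_after": "2025-01-01T00:00:00"},
    {"name_value": "*.staging.example.com", "not_after": "2024-06-01T00:00:00"},
    {"name_value": "Jenkins.Example.com", "not_after": "2021-03-01T00:00:00"},
    {"name_value": "old-shop.example.com", "not_after": "2020-03-01T00:00:00"},
    {"name_value": "www.example.com", "not_after": "2026-01-01T00:00:00"},   # duplicate
    {"name_value": "unrelated.example.net", "not_after": "2026-01-01T00:00:00"},  # foreign SAN
])


def subdomains_from_crtsh(raw_json: str, apex: str) -> List[str]:
    """Return a sorted, de-duplicated list of hostnames under `apex`.

    Wildcard labels are stripped (a "*.staging" certificate still proves that
    "staging" exists), names are lower-cased, and names outside the apex
    (CT entries can carry unrelated SANs) are dropped.
    """
    apex = apex.lower().rstrip(".")
    names: Set[str] = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if name == apex or name.endswith("." + apex):
                names.add(name)
    return sorted(names)


# Constructed CNAME table: what the zone says each alias points at.
CNAME_RECORDS: Dict[str, str] = {
    "www.example.com": "example.com",
    "jenkins.example.com": "ci-old.example-hosting.net",
    "old-shop.example.com": "shop-12345.storefront.example",
}

# Constructed stand-in for DNS: target -> address. A missing key plays the
# role of NXDOMAIN. "ci-old.example-hosting.net" is deliberately absent to
# model a decommissioned provider host.
FAKE_RESOLVER_TABLE: Dict[str, str] = {
    "example.com": "203.0.113.10",
    "shop-12345.storefront.example": "203.0.113.20",
}

Resolver = Callable[[str], Optional[str]]


def fake_resolve(name: str) -> Optional[str]:
    """Offline resolver; returns None where a real lookup would give NXDOMAIN."""
    return FAKE_RESOLVER_TABLE.get(name.lower().rstrip("."))


def dangling_cnames(cnames: Dict[str, str], resolve: Resolver) -> List[str]:
    """Return aliases whose CNAME target no longer resolves.

    The zone still delegates the hostname to a provider that no longer
    knows about it, so anyone who can claim the target name at that
    provider would answer for your subdomain. Each hit should be removed
    from DNS or re-pointed at infrastructure you control.
    """
    return sorted(alias for alias, target in cnames.items() if resolve(target) is None)


if __name__ == "__main__":
    print("inventory:", subdomains_from_crtsh(CRTSH_SAMPLE, "example.com"))
    print("dangling:", dangling_cnames(CNAME_RECORDS, fake_resolve))
```

Feed the inventory back into the CNAME check (query each discovered name for a CNAME) and you have the Step 1 loop: enumerate, resolve, flag what points at nothing.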

IP Address and Network Mapping

Identify all IP addresses associated with your domain:

  • A records for all domains and subdomains
  • MX records (mail servers)
  • Reverse DNS lookups on known IP ranges
  • Cloud provider asset discovery (AWS, Azure, GCP — check if resources are associated with your domain)

Step 2: Assess DNS Security

DNS is the foundation. If DNS is compromised, nothing else matters.

Record Hygiene

Review every DNS record for accuracy and necessity:

  • A/AAAA records: Do all records point to active, maintained servers?
  • CNAME records: Do all aliases resolve to services you still control?
  • MX records: Are your mail servers correctly prioritized? Are there any unexpected MX records that could indicate a mail interception attack?
  • TXT records: Are SPF, DKIM, and DMARC records present and correctly configured?
  • NS records: Are your nameservers what you expect? Unauthorized NS changes are a sign of DNS hijacking.

DNSSEC

Check if DNSSEC is enabled and properly configured. DNSSEC prevents DNS spoofing by cryptographically signing responses. Without it, attackers on the network path can redirect your users to malicious servers.

CAA Records

Certificate Authority Authorization records specify which certificate authorities are allowed to issue certificates for your domain. Without CAA records, any CA can issue a certificate for your domain, increasing the risk of unauthorized certificate issuance.
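The CAA decision a CA has to make is small enough to write down, and doing so shows why the absence of records is the worst case. The block below is an added example for this guide (not from the original post): it parses presentation-format CAA records and applies the RFC 8659 rules, including the empty-issuer value that forbids all issuance, the issuewild fallback to issue for wildcard names, issuer parameters after a semicolon, and the critical flag on an unknown tag. The CA names and records are constructed; finding the relevant RRset by climbing the DNS tree is a live lookup and is left out.

```python
"""Added example (not from the original post): evaluate CAA authorisation
per RFC 8659 for one name, given the CAA RRset that applies to it.
All record strings and CA domains used here are constructed.
"""
import re
from typing import List, Tuple

# Presentation format: <flags> <tag> "<value>"
CAA_RE = re.compile(r'^(\d+)\s+(\S+)\s+"([^"]*)"$')
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(records: List[str]) -> List[Tuple[int, str, str]]:
    """Parse CAA records into (flags, tag, value) triples."""
    parsed = []
    for rec in records:
        m = CAA_RE.match(rec.strip())
        if not m:
            raise ValueError(f"malformed CAA record: {rec!r}")
        parsed.append((int(m.group(1)), m.group(2).lower(), m.group(3)))
    return parsed


def ca_may_issue(records: List[str], ca_domain: str, wildcard: bool = False) -> bool:
    """Return True if `ca_domain` may issue for the name the RRset governs.

    Rules applied:
      * no CAA records at all      -> any CA may issue (the exposure the text warns about)
      * critical flag (128) on an unknown tag -> refuse issuance
      * wildcard names use 'issuewild' when present, otherwise 'issue'
      * only non-restricting tags (e.g. iodef) -> any CA may issue
      * an empty issuer, written ";", means no CA may issue for that tag
      * text after ';' in a value is parameters, not part of the issuer name
    """
    parsed = parse_caa(records)
    if not parsed:
        return True
    if any(flags & 128 and tag not in KNOWN_TAGS for flags, tag, _ in parsed):
        return False
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _ in parsed):
        tag = "issuewild"
    governing = [value for _, t, value in parsed if t == tag]
    if not governing:
        return True
    allowed = set()
    for value in governing:
        issuer = value.split(";", 1)[0].strip().lower()
        if issuer:  # ";" alone leaves the set empty: nobody is authorised
            allowed.add(issuer)
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    # Constructed zone: one CA for ordinary names, no wildcards at all.
    zone = ['0 issue "ca-one.example; validationmethods=dns-01"',
            '0 issuewild ";"',
            '0 iodef "mailto:security@example.com"']
    print("ca-one.example, host cert:", ca_may_issue(zone, "ca-one.example"))
    print("ca-one.example, wildcard:", ca_may_issue(zone, "ca-one.example", wildcard=True))
    print("ca-two.example, host cert:", ca_may_issue(zone, "ca-two.example"))
    print("no CAA at all, any CA:", ca_may_issue([], "ca-two.example"))
```

Run your own records through it with the CA you actually use and with a CA you do not: the first should return True, the second False, and an empty record set returning True is the finding to fix.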

Step 3: Evaluate SSL/TLS Configuration

SSL misconfiguration is one of the most common findings in security audits.

Certificate Health

For every subdomain with an SSL certificate:

  • Is the certificate valid (not expired, not self-signed for production)?
  • Is the certificate chain complete (no missing intermediates)?
  • Is the certificate using adequate key strength (RSA 2048+ or ECDSA 256+)?
  • Is the certificate from a trusted CA?
  • Does the certificate cover the correct domain names (check SANs)?

Protocol Configuration

  • Disable TLS 1.0 and 1.1. These versions have known vulnerabilities and are deprecated by all major browsers.
  • Enable TLS 1.3 where possible. TLS 1.3 removes vulnerable cipher suites by design and reduces handshake latency.
  • Disable weak cipher suites. RC4, 3DES, and export-grade ciphers should never be enabled.

Security Headers

Check HTTP response headers on all web-facing services:

  • Strict-Transport-Security (HSTS): Forces HTTPS connections. Include includeSubDomains and consider HSTS preloading.
  • Content-Security-Policy (CSP): Prevents XSS and injection attacks by controlling which resources the browser can load.
  • X-Frame-Options or CSP frame-ancestors: Prevents clickjacking by controlling whether your pages can be embedded in iframes.
  • X-Content-Type-Options: Prevents MIME-type sniffing attacks.
  • Permissions-Policy: Controls which browser features (camera, microphone, geolocation) your pages can access.
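Both the protocol checklist and the header checklist above can be automated from the standard library. The block below is an added example for this guide, not the post's own tooling: `hardened_client_context` builds the `ssl.SSLContext` an audit client should use (TLS 1.2 minimum, forward-secret AEAD suites only, so the scanner itself never negotiates the deprecated versions or ciphers the text lists), and `audit_security_headers` scores a response-header mapping against the five headers above. The two header sets are constructed; fetching live headers with `urllib.request` and the hardened context is the one step left to the operator.

```python
"""Added example (not from the original post): TLS client hardening check
and HTTP security-header audit. WEAK_HEADERS and HARDENED_HEADERS are
constructed samples standing in for two real responses.
"""
import ssl
from typing import Dict, List

# Cipher-name fragments that should never appear in an enabled suite.
FORBIDDEN_CIPHER_FRAGMENTS = ("RC4", "3DES", "DES-CBC3", "EXPORT", "EXP-", "NULL", "MD5")
ONE_YEAR = 31536000  # HSTS max-age the preload list requires


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses TLS 1.0/1.1 and legacy cipher suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string for TLS 1.2: ECDHE key exchange with AEAD ciphers only.
    # TLS 1.3 suites are configured separately by OpenSSL and exclude weak algorithms.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def min_tls_version_name(ctx: ssl.SSLContext) -> str:
    return ctx.minimum_version.name  # "TLSv1_2" for the hardened context


def weak_ciphers_enabled(ctx: ssl.SSLContext) -> List[str]:
    """Enabled suites whose name matches a known-weak fragment (expect none)."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(frag in c["name"].upper() for frag in FORBIDDEN_CIPHER_FRAGMENTS)]


def _parse_directives(value: str) -> Dict[str, str]:
    """Split 'max-age=300; includeSubDomains' into a lower-cased dict."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, _, val = part.partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for the five headers in the checklist; [] means all pass."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        d = _parse_directives(hsts)
        try:
            max_age = int(d.get("max-age", "0") or 0)
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age too short ({max_age}s)")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    has_frame_ancestors = csp is not None and "frame-ancestors" in csp.lower()
    if csp is None:
        findings.append("CSP missing")
    if not has_frame_ancestors and "x-frame-options" not in h:
        findings.append("no clickjacking protection (CSP frame-ancestors or X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings


# Constructed samples: a typical default deployment and a hardened one.
WEAK_HEADERS = {"Strict-Transport-Security": "max-age=300",
                "X-Frame-Options": "DENY", "Content-Type": "text/html"}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    ctx = hardened_client_context()
    print("min TLS:", min_tls_version_name(ctx), "weak suites:", weak_ciphers_enabled(ctx))
    print("weak:", audit_security_headers(WEAK_HEADERS))
    print("hardened:", audit_security_headers(HARDENED_HEADERS))
```

The weak sample produces five findings, the hardened one none; note that X-Frame-Options alone still satisfies the clickjacking check, since the text lists it as an acceptable alternative to frame-ancestors.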

Step 4: Audit Email Authentication

Email spoofing remains one of the most effective attack vectors. A domain with weak email authentication is a liability.

SPF Assessment

  • Does the SPF record exist and end with -all (hard fail)?
  • Does the SPF record stay within the 10-DNS-lookup limit?
  • Are all legitimate sending services included (Google Workspace, SendGrid, Mailchimp, etc.)?
  • Are there overly broad includes that authorize more senders than necessary?

DKIM Assessment

  • Are DKIM selectors configured for all sending services?
  • Are DKIM keys using adequate length (2048-bit RSA minimum)?
  • Are DKIM signatures being validated by receiving servers? (Check DMARC aggregate reports)

DMARC Assessment

  • Is a DMARC record published at _dmarc.yourdomain.com?
  • Is the policy set to quarantine or reject? (p=none only monitors; it does not protect.)
  • Is the subdomain policy (sp=) set? Without it, attackers can spoof emails from any subdomain.
  • Are aggregate (rua) and forensic (ruf) reports being collected and analyzed?
  • What is the DMARC pass rate? Anything below 95% indicates configuration issues.
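The SPF and DMARC questions above are mechanical enough to script, and scripting them exposes the one that needs recursion: the 10-lookup limit counts includes inside includes. The block below is an added example for this guide (not the post's own code). `spf_lookup_count` walks include and redirect chains through a zone table, `assess_spf` reports the all qualifier, ptr use and the lookup total, and `assess_dmarc` checks p, sp, rua and pct. The zone table and DMARC strings are constructed, with placeholder provider names under .example; the DMARC check applies the RFC 7489 default that an absent sp inherits the value of p. DKIM is left out because judging key length needs the public key decoded from the selector record.

```python
"""Added example (not from the original post): SPF lookup accounting and
SPF/DMARC policy assessment over a constructed zone table.
"""
from typing import Dict, List, Tuple

# Mechanisms that cost a DNS query under RFC 7208 section 4.6.4 (limit: 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed TXT records, domain -> SPF string. Provider names are placeholders.
SPF_ZONE: Dict[str, str] = {
    "example.com": "v=spf1 include:_spf.mailprovider.example include:spf.newsletters.example mx a -all",
    "_spf.mailprovider.example": ("v=spf1 include:_blocks1.mailprovider.example "
                                  "include:_blocks2.mailprovider.example "
                                  "include:_blocks3.mailprovider.example ~all"),
    "_blocks1.mailprovider.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_blocks2.mailprovider.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_blocks3.mailprovider.example": "v=spf1 ip6:2001:db8:1::/48 ~all",
    "spf.newsletters.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    # Years of bolt-on SaaS includes: the record silently exceeds the limit.
    "sprawl.example": ("v=spf1 include:_spf.mailprovider.example include:spf.newsletters.example "
                       "include:crm.example include:helpdesk.example include:billing.example "
                       "include:hr.example mx ptr ~all"),
}


def spf_lookup_count(domain: str, zone: Dict[str, str], _chain: Tuple[str, ...] = ()) -> int:
    """Count DNS-querying terms reachable from `domain`'s SPF record.

    Every include/a/mx/ptr/exists term costs one lookup, and an include's
    own record is evaluated recursively. `_chain` stops include loops.
    """
    if domain in _chain:
        return 0
    count = 0
    for term in zone.get(domain, "").split()[1:]:   # skip the v=spf1 version term
        body = term.lstrip("+-~?")                  # drop the qualifier
        if body.lower().startswith("redirect="):
            count += 1 + spf_lookup_count(body.split("=", 1)[1], zone, _chain + (domain,))
            continue
        mech, _, arg = body.partition(":")
        mech = mech.split("/")[0].lower()           # "a/24" -> "a"
        if mech in LOOKUP_MECHANISMS:
            count += 1
            if mech == "include":
                count += spf_lookup_count(arg, zone, _chain + (domain,))
    return count


def assess_spf(domain: str, zone: Dict[str, str]) -> List[str]:
    """Findings for the SPF checklist; [] means the record passes."""
    record = zone.get(domain)
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record published"]
    findings: List[str] = []
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unmatched senders get a neutral result")
    elif all_term.lower() != "-all":
        findings.append(f"ends with {all_term} instead of -all (hard fail)")
    if any(t.lower().lstrip("+-~?").split(":")[0] == "ptr" for t in terms):
        findings.append("ptr mechanism is deprecated by RFC 7208 and should be removed")
    lookups = spf_lookup_count(domain, zone)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the RFC 7208 limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Findings for the DMARC checklist; [] means the record passes."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings: List[str] = []
    p = tags.get("p", "none").lower()
    if p == "none":
        findings.append("p=none only monitors; move to quarantine or reject")
    sp = tags.get("sp", p).lower()          # RFC 7489: sp defaults to p when absent
    if sp == "none":
        findings.append(f"subdomain policy is none (sp={tags.get('sp', 'inherited from p')})")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    pct = int(tags.get("pct", "100") or 100)
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    return findings


if __name__ == "__main__":
    for d in ("example.com", "sprawl.example", "nospf.example"):
        print(d, spf_lookup_count(d, SPF_ZONE), assess_spf(d, SPF_ZONE))
    print(assess_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
```

In the constructed zone, example.com costs 7 lookups and passes, while sprawl.example costs 11 (the provider include alone is 4) and is flagged for the soft fail, the ptr mechanism and the lookup limit.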

Step 5: Scan for Exposed Services

Port and Service Analysis

Use Shodan, Censys, or Nmap to identify all internet-facing services on your IP addresses:

  • Close unnecessary ports. Only services that must be publicly accessible should be reachable from the internet.
  • Check service versions. Outdated software with known CVEs is the most common initial access vector.
  • Remove default pages. Default web server pages, database admin interfaces, and framework debug pages reveal technology stack details to attackers.
  • Verify access controls. Admin panels, API endpoints, and management interfaces should require authentication and ideally be restricted by IP or VPN.
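Nmap's XML output (`-oX`) is the practical input for the four checks above, because it carries the state, service name and fingerprinted version per port. The block below is an added example for this guide, not code from the post or from Nmap: it parses a constructed `nmaprun` document with the standard library, keeps only open ports, and applies an allowlist so that anything beyond the approved public services is reported, database endpoints at high severity and unfingerprinted services flagged for manual version review. The scan sample, addresses and allowlist are all constructed.

```python
"""Added example (not from the original post): triage an Nmap XML scan of
your own address space against a public-service allowlist.
NMAP_SAMPLE is a constructed document in the -oX format.
"""
import xml.etree.ElementTree as ET
from typing import Dict, FrozenSet, List

DATABASE_SERVICES = {"mysql", "postgresql", "ms-sql-s", "mongodb", "redis", "oracle"}
MANAGEMENT_SERVICES = {"ssh", "rdp", "ms-wbt-server", "telnet", "vnc", "winrm", "snmp"}

# Constructed nmap -sV -oX output for one host (RFC 5737 documentation address).
NMAP_SAMPLE = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 203.0.113.10" version="7.94">
<host><status state="up"/>
<address addr="203.0.113.10" addrtype="ipv4"/>
<hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="http" product="nginx" version="1.18.0" tunnel="ssl"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.33"/></port>
<port protocol="tcp" portid="8080"><state state="open"/><service name="http" product="Jetty"/></port>
<port protocol="tcp" portid="25"><state state="filtered"/><service name="smtp"/></port>
</ports></host></nmaprun>
"""


def parse_open_ports(xml_text: str) -> List[Dict[str, object]]:
    """Return one dict per open port: host, port, proto, service, product, version."""
    root = ET.fromstring(xml_text)
    results: List[Dict[str, object]] = []
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr", "") if addr_el is not None else ""
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            results.append({
                "host": addr,
                "port": int(port.get("portid", "0")),
                "proto": port.get("protocol", "tcp"),
                "service": (svc.get("name", "") if svc is not None else "").lower(),
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return results


def audit_exposure(open_ports: List[Dict[str, object]],
                   allowlist: FrozenSet[int] = frozenset({80, 443})) -> List[Dict[str, object]]:
    """Findings per the checklist: unexpected ports, databases, missing versions."""
    findings: List[Dict[str, object]] = []
    for p in open_ports:
        if p["port"] not in allowlist:
            if p["service"] in DATABASE_SERVICES:
                sev, why = "high", "database endpoint reachable from the internet"
            elif p["service"] in MANAGEMENT_SERVICES:
                sev, why = "medium", "management service exposed; restrict to VPN or allow-listed IPs"
            else:
                sev, why = "medium", "port not in the approved public allowlist"
            findings.append({"severity": sev, "host": p["host"], "port": p["port"], "issue": why})
        if p["product"] and not p["version"]:
            findings.append({"severity": "low", "host": p["host"], "port": p["port"],
                             "issue": f"{p['product']} version not fingerprinted; check for known CVEs manually"})
    return findings


if __name__ == "__main__":
    ports = parse_open_ports(NMAP_SAMPLE)
    for f in sorted(audit_exposure(ports), key=lambda f: (f["severity"], f["port"])):
        print(f"[{f['severity']}] {f['host']}:{f['port']} {f['issue']}")
```

Against the constructed scan this yields three ports of concern: 22 (management service), 3306 (database, high) and 8080 (unapproved, and Jetty with no version fingerprint). Keep the allowlist per host class in practice; a mail server legitimately exposes 25 where a web server should not.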

Cloud Resource Exposure

Check for misconfigured cloud resources:

  • S3 buckets or equivalent object storage with public read access
  • Kubernetes dashboards exposed without authentication
  • Database instances with public endpoints
  • API gateways without proper authentication

Step 6: Check Breach Exposure

This is the layer most self-audits miss. Even with perfect technical configuration, your domain's security is compromised if employee credentials have leaked.

What to Check

  • Do any email addresses on your domain appear in known breach databases?
  • Are leaked passwords still potentially valid (not changed since the breach)?
  • Has your domain been mentioned in dark web forums or paste sites?
  • Are there any credential combo lists actively targeting your organization?

Why It Matters

A single leaked credential from a third-party breach — a developer's password from a breached SaaS tool, an executive's credentials from a compromised personal account — can provide initial access to corporate systems. Breach monitoring is not optional for a complete security posture assessment.

Putting It All Together

A thorough domain security audit requires checking all six layers. The challenge is that most free tools address only one layer at a time, and none cover breach exposure comprehensively.

Run a Rikon Domain Intelligence Scan to get a comprehensive security posture assessment in a single PDF report. Rikon covers DNS configuration, SSL/TLS analysis, email authentication, exposed services, breach exposure, and provides an AI-generated remediation plan prioritized by risk severity.

One-time payment of $39.99. No subscription. No recurring fees. Complete analysis delivered in minutes.

Your domain is the front door to everything you do online. Audit it before someone else does.
