Free Domain Security Audit: What to Look For

A practical guide to auditing your domain's security posture for free — DNS records, SSL certificates, email authentication, and the gaps that free tools miss.

Tags: domain security audit, free security scan, DNS security, SSL certificate check, email authentication

Why Your Domain Needs a Security Audit

Your domain is the front door to your business. It handles your email, hosts your website, and often connects to dozens of internal systems. Yet most organizations never audit their domain's security posture — or they do it once and never revisit.

Attackers know this. Domain misconfiguration is behind some of the most damaging breaches in recent years: email spoofing attacks that bypass spam filters, subdomain takeovers that serve malware from your own infrastructure, and DNS hijacking that redirects your customers to phishing pages.

A proper domain security audit checks the layers that most people never look at. Here is what to examine and which free tools can help.

Layer 1: DNS Configuration

DNS is the foundation of your domain. Misconfigurations here cascade into every other layer.

Check Your DNS Records

Start with a full DNS record dump. Free tools like dig, nslookup, or web-based services like DNSChecker.org let you query all record types.

What to look for:

  • Orphaned CNAME records pointing to decommissioned services (Heroku, AWS S3, GitHub Pages). These enable subdomain takeover attacks — an attacker can claim the abandoned service and serve content from your subdomain.
  • Wildcard DNS records (*.yourdomain.com) that resolve to an IP address. These expand your attack surface by making every possible subdomain resolvable.
  • Open zone transfers (AXFR). If your DNS server allows zone transfers to anyone, attackers can download your complete DNS topology in seconds.
  • Missing or incorrect CAA records. Certificate Authority Authorization records specify which CAs can issue certificates for your domain. Without them, any CA can issue a certificate, increasing the risk of fraudulent certificate issuance.
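Two of these checks (dangling CNAMEs and wildcard records) can be scripted with the Python standard library alone. The following is an added example, not code from the original post: it flags CNAME targets that no longer resolve, separately notes targets on the hosting services named above, and probes for a wildcard by resolving a random label. The resolver is injectable so the logic can be exercised offline; AXFR and CAA queries need a DNS library such as dnspython and are not covered here.

```python
import secrets
import socket

# CNAME targets on these services can be re-registered by anyone once the original
# tenant deletes the resource. Suffix list assumed for this example; extend as needed.
TAKEOVER_PRONE_SUFFIXES = (".herokuapp.com", ".s3.amazonaws.com", ".github.io")


def default_resolve(name):
    """True if `name` resolves to at least one address, False on NXDOMAIN or failure."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def audit_cnames(cnames, resolve=default_resolve):
    """cnames: {subdomain: cname_target}. Returns (severity, subdomain, message) tuples.
    A target that still resolves can still be claimable (a deleted S3 bucket's endpoint
    keeps answering), so INFO items need a manual look at what the target serves."""
    findings = []
    for sub, target in cnames.items():
        target = target.rstrip(".").lower()
        prone = target.endswith(TAKEOVER_PRONE_SUFFIXES)
        if not resolve(target):
            severity = "HIGH" if prone else "MEDIUM"
            findings.append((severity, sub, f"CNAME target {target} does not resolve (dangling)"))
        elif prone:
            findings.append(("INFO", sub, f"CNAME points at third-party service {target}"))
    return findings


def has_wildcard(domain, resolve=default_resolve):
    """A wildcard record makes a random label that was never created resolve."""
    probe = f"{secrets.token_hex(8)}.{domain}"
    return resolve(probe)


if __name__ == "__main__":
    # Constructed sample zone; replace with the CNAMEs from your own DNS dump.
    sample = {"app.example.com": "old-app.herokuapp.com.", "www.example.com": "cdn.example.org"}
    print(audit_cnames(sample), has_wildcard("example.com"))
```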

DNSSEC Status

DNSSEC (Domain Name System Security Extensions) cryptographically signs your DNS records, preventing cache poisoning and man-in-the-middle attacks. Check if DNSSEC is enabled using tools like Verisign's DNSSEC Analyzer.

Most domains still do not enable DNSSEC. If yours does not, you are relying entirely on the integrity of every DNS resolver in the chain between your server and your users.

Layer 2: SSL/TLS Certificates

An SSL certificate does not mean your connection is secure. The configuration matters enormously.

Certificate Chain Validation

Use SSL Labs' free SSL Test (ssllabs.com/ssltest) to check:

  • Certificate validity and expiry. Expired certificates trigger browser warnings that drive away users and can be exploited in downgrade attacks.
  • Certificate chain completeness. Missing intermediate certificates cause validation failures in some browsers and mobile devices.
  • Key strength. RSA keys shorter than 2048 bits or ECDSA keys shorter than 256 bits are considered weak.
  • Certificate Transparency logs. Verify your certificate appears in public CT logs. If unauthorized certificates have been issued for your domain, CT log monitoring will catch them.

Protocol and Cipher Configuration

The SSL Labs test also evaluates your TLS configuration:

  • TLS versions. TLS 1.0 and 1.1 are deprecated and vulnerable. Only TLS 1.2 and 1.3 should be enabled.
  • Cipher suites. Weak ciphers (RC4, 3DES, export-grade) should be disabled. Prefer AEAD ciphers like AES-GCM and ChaCha20-Poly1305.
  • Forward secrecy. Ensure your server supports forward-secret key exchanges (ECDHE). Without forward secrecy, a compromised server key decrypts all past traffic.
  • HSTS headers. HTTP Strict Transport Security forces browsers to always use HTTPS. Check if the Strict-Transport-Security header is present with an adequate max-age (at least 31536000 seconds / 1 year).
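The same checks can be run from a script when you want them in a cron job rather than a web form. This added example (not from the original post) connects with Python's ssl module, reports the negotiated protocol and cipher, computes days to certificate expiry, and grades the Strict-Transport-Security header against the one-year floor above; the two pure helpers work offline, and the hostname is whatever you pass on the command line.

```python
import socket
import ssl
import sys
import time

MIN_HSTS_AGE = 31536000  # one year, the floor recommended above


def days_until_expiry(not_after, now_ts=None):
    """Days left (negative if expired); not_after is in ssl.getpeercert() format, e.g. 'Jun  1 12:00:00 2030 GMT'."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now_ts = time.time() if now_ts is None else now_ts
    return int((expiry - now_ts) // 86400)


def check_hsts(header):
    """Findings for a Strict-Transport-Security header value (None if absent)."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    directives = {}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        directives[name.lower()] = value.strip().strip('"')
    findings = []
    if not directives.get("max-age", "").isdigit():
        findings.append("max-age missing or not numeric; browsers ignore the header")
    elif int(directives["max-age"]) < MIN_HSTS_AGE:
        findings.append(f"max-age {directives['max-age']} is below {MIN_HSTS_AGE} (1 year)")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent; subdomains are not forced to HTTPS")
    return findings


def audit_tls(host, port=443):
    """Live check of one host: negotiated protocol and cipher, days to expiry, HSTS."""
    ctx = ssl.create_default_context()  # verifies the chain; TLS 1.2+ by default on Python 3.10+
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
            response = b""
            while chunk := tls.recv(4096):
                response += chunk
            hsts = None
            for line in response.decode(errors="replace").split("\r\n"):
                if line.lower().startswith("strict-transport-security:"):
                    hsts = line.split(":", 1)[1].strip()
            return {"protocol": tls.version(), "cipher": tls.cipher()[0],
                    "days_to_expiry": days_until_expiry(cert["notAfter"]),
                    "hsts": check_hsts(hsts)}


if __name__ == "__main__":
    print(audit_tls(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

A handshake failure (expired certificate, missing intermediate, unsupported protocol) raises from wrap_socket, which is itself a finding worth logging.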

Layer 3: Email Authentication

Email spoofing is one of the most common attack vectors, and it is entirely preventable with proper DNS configuration.

SPF (Sender Policy Framework)

SPF specifies which mail servers are authorized to send email on behalf of your domain. Query your SPF record:

dig TXT yourdomain.com | grep "v=spf1"

Common issues:

  • Missing SPF record. Without SPF, anyone can send email as your domain.
  • Overly permissive SPF. Using +all or ?all instead of -all (hard fail) weakens SPF enforcement.
  • Too many DNS lookups. SPF has a 10-lookup limit. Exceeding it causes SPF to fail silently.

DKIM (DomainKeys Identified Mail)

DKIM cryptographically signs outgoing emails. Verify your DKIM records exist and use adequate key lengths (2048-bit RSA minimum).

DMARC (Domain-based Message Authentication)

DMARC ties SPF and DKIM together and tells receiving servers what to do with messages that fail authentication. Check your DMARC record:

dig TXT _dmarc.yourdomain.com

Critical checks:

  • Policy level. p=none only monitors — it does not block spoofed emails. Move to p=quarantine or p=reject to actually protect recipients.
  • Reporting. Ensure rua and ruf tags point to addresses you monitor. DMARC reports reveal who is sending email as your domain.
  • Subdomain policy. The sp tag sets the policy for subdomains; when it is absent, subdomains inherit p. Unless the effective subdomain policy is reject, attackers can spoof emails from subdomains like billing.yourdomain.com.
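The same three checks, plus the pct tag, scripted against the TXT value that dig returns. This is an added example, not code from the original post; the set of monitored mailboxes is an assumption you supply so the script can tell whether rua and ruf reports actually reach someone.

```python
def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def report_addresses(uri_list):
    """Mailboxes named in an rua/ruf tag; strips the optional '!size' suffix."""
    addrs = []
    for uri in uri_list.split(","):
        uri = uri.strip()
        if uri.lower().startswith("mailto:"):
            addrs.append(uri[7:].split("!")[0].lower())
    return addrs


def analyze_dmarc(record, monitored):
    """Findings for one _dmarc TXT record; `monitored` is the set of mailboxes someone reads."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 required)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= missing or invalid; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine or reject")
    sub_policy = tags.get("sp", policy).lower()  # sp inherits p when absent
    if sub_policy != "reject":
        findings.append(f"effective subdomain policy is '{sub_policy}'; subdomains can be spoofed")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    for tag in ("rua", "ruf"):
        addrs = report_addresses(tags.get(tag, ""))
        if not addrs:
            findings.append(f"no {tag}= address; you will not receive those reports")
        elif any(a not in monitored for a in addrs):
            findings.append(f"{tag}= reports go to an unmonitored mailbox: {', '.join(addrs)}")
    return findings


if __name__ == "__main__":
    # Constructed sample record; paste the value of _dmarc.yourdomain.com instead.
    print(analyze_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com", {"dmarc@example.com"}))
```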

Layer 4: Exposed Services and Ports

Port Scanning

Free tools like Shodan.io or Censys.io let you check what services your domain exposes to the internet. Look for:

  • Unnecessary open ports. Database ports (3306, 5432, 27017), admin panels (8080, 8443), and development servers should never be publicly accessible.
  • Outdated service versions. Banner grabbing reveals software versions. Cross-reference with CVE databases for known vulnerabilities.
  • Default credentials. Services exposed to the internet with default login pages (phpMyAdmin, Kibana, Grafana) are prime targets for automated attacks.

Subdomain Enumeration

Use free tools like crt.sh (Certificate Transparency logs) or Subfinder to discover all subdomains. Each subdomain is a potential entry point. Look for:

  • Development or staging environments (dev., staging., test.)
  • Forgotten admin panels (admin., panel., cms.)
  • Internal tools accidentally exposed (jenkins., grafana., jira.)

What Free Tools Miss

Free tools are excellent for point checks, but they have significant blind spots:

  • No historical context. Free scans show the current state. They cannot tell you if your domain appeared in breach databases, if credentials linked to your domain are circulating, or if attackers have previously targeted your infrastructure.
  • No correlation. Checking DNS, SSL, email, and ports separately misses the connections between them. A comprehensive audit correlates findings across all layers.
  • No risk scoring. Raw findings without prioritization leave you guessing about what to fix first.
  • No dark web coverage. Free tools scan public infrastructure. They do not check if your domain, employee credentials, or internal documents are being traded in underground markets.

Getting a Complete Picture

A free audit covers the visible surface. For the full picture — including breach exposure, credential leaks, dark web mentions, and correlated risk analysis — you need an intelligence-grade scan.

Run a Rikon Domain Intelligence Scan for a comprehensive PDF report covering DNS security, SSL configuration, email authentication, exposed services, breach exposure, and an AI-generated remediation plan. One-time payment of $39.99 — no subscription, no data retained.
