This is a real-format report. Only the domain is fictional. This is exactly what you receive — most first scans include at least one actionable finding.


Overall Risk Level: HIGH
Domain: demo-corp.example
Score: 65 out of 100

This domain has 2 significant findings that reduce your defenses against common attacks. These are not hypothetical — they represent concrete ways your organization could be targeted.


The findings below are ranked by impact. Start at the top.

Security Posture Summary

Email Security: ⚠️ Review
TLS: ⚠️ Review
DNS Health: Strong
Web Hardening: ⚠️ Review
Port Exposure: Strong

Key Findings

HIGH SPF record missing — your domain can be spoofed
Fix: Easy

Attackers can send email that appears to originate from this domain. Without SPF, there is no mechanism for receiving mail servers to verify that messages claiming to be from demo-corp.example were sent by an authorized server. Domain spoofing is a primary vector in phishing and business email compromise.

Common issue — frequently seen on first scans

These are the kinds of issues most teams don't realize are publicly visible.

HIGH TLS certificate expires in 21 days — users will see browser warnings
Fix: Moderate

The certificate is valid now but expires soon. When it does, browsers will display a security warning and refuse to connect. An expired certificate also frequently disrupts outbound email delivery. This is publicly visible to anyone who checks — including attackers timing social engineering around a visible window of degraded trust.

Often overlooked in internal reviews

MEDIUM HTTP traffic not redirected to HTTPS
Fix: Easy

Requests to the plain HTTP version of this site are served without being redirected to HTTPS. Users who type the domain directly or follow an HTTP link connect without encryption until the page forces a redirect — if it does at all. This exposes session cookies, form data, and page content to network interception.

Fixable in minutes in most environments

LOW HSTS header not configured
Fix: Easy

Without HSTS, browsers have no instruction to always use HTTPS for this domain. Users who visited once over HTTP, or who follow a plain HTTP link, are not automatically upgraded. This leaves a window for SSL stripping attacks.

LOW X-Frame-Options header not configured
Fix: Easy

Without X-Frame-Options, your site can be embedded in an iframe on an attacker-controlled page, enabling clickjacking attacks that trick users into taking actions they didn't intend.

Observations

Informational. These do not affect the risk score.

INFO DMARC policy is 'none'

A DMARC record exists but the policy is set to none, meaning no action is taken on failures. This provides reporting visibility but no enforcement. Consider upgrading to p=quarantine or p=reject once you've reviewed the failure reports.

INFO Email provider: Microsoft 365 detected

MX records indicate that Microsoft 365 handles email for this domain.

INFO CT logs reveal 3 subdomains

Certificate transparency logs show: mail.demo-corp.example, vpn.demo-corp.example, staging.demo-corp.example. Review each — decommission any that are no longer in use.

Remediation Steps

  1. Publish an SPF record. For Microsoft 365: v=spf1 include:spf.protection.outlook.com -all. Add this as a TXT record at your domain root.

  2. Renew the TLS certificate before it expires in 21 days. If using Let's Encrypt, run certbot renew and verify the renewal timer (cron or systemd) is running. If using a managed certificate, initiate renewal through your provider now.

  3. Configure an HTTP to HTTPS redirect at the server or load balancer level. In nginx: return 301 https://$host$request_uri;

  4. Add header: Strict-Transport-Security: max-age=31536000; includeSubDomains

  5. Add header: X-Frame-Options: DENY (or SAMEORIGIN if you embed your own content in iframes)

  6. Upgrade the DMARC policy from p=none to p=quarantine after reviewing at least two weeks of DMARC failure reports. Target: p=reject.

  7. Review the 3 subdomains found in CT logs. Decommission any staging or internal services that should not be publicly accessible.
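As an added example (not SurfaceSentinel's own scanner code), the Python below re-derives the Key Findings severities from the kind of signals listed under Technical Details, so a team can check collected values offline after applying the steps above and before paying for a re-scan. The TXT records, HTTP responses, headers and the scan time in SAMPLE are constructed assumptions chosen to mirror this sample report.

```python
from datetime import datetime, timezone
SEVERITY_RANK = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4, "OK": 5}

def spf_finding(root_txt):
    # Root-domain TXT records, as in the report's 'SPF Present' check (RFC 7208: >1 record is an error)
    spf = [r for r in root_txt if r.lower().startswith("v=spf1")]
    if not spf:
        return ("HIGH", "SPF record missing")
    if len(spf) > 1:
        return ("HIGH", "multiple SPF records published")
    last = spf[0].split()[-1]
    if last in ("-all", "~all"):
        return ("OK", f"SPF present, terminates with {last}")
    return ("MEDIUM", "SPF present but does not end in -all or ~all")

def dmarc_finding(dmarc_txt):
    # _dmarc TXT record; p=none is reporting-only, matching the report's INFO observation
    if not dmarc_txt or not dmarc_txt.lower().startswith("v=dmarc1"):
        return ("HIGH", "DMARC record missing")
    tags = dict(t.strip().split("=", 1) for t in dmarc_txt.split(";") if "=" in t)
    policy = tags.get("p", "none").strip().lower()
    return ("INFO", "DMARC policy is 'none' (no enforcement)") if policy == "none" else ("OK", f"DMARC policy is {policy}")

def cert_finding(not_after_iso, now):
    # Days until notAfter; the report rates <= 30 days as HIGH, an already-expired cert is worse
    days = (datetime.fromisoformat(not_after_iso.replace("Z", "+00:00")) - now).days
    if days < 0:
        return ("CRITICAL", f"TLS certificate expired {-days} days ago")
    return ("HIGH", f"TLS certificate expires in {days} days") if days <= 30 else ("OK", f"valid for {days} more days")

def http_findings(http_status, http_location, https_headers):
    # Redirect check on the plain-HTTP response, header checks on the HTTPS response
    out = []
    if http_status not in (301, 308) or not (http_location or "").startswith("https://"):
        out.append(("MEDIUM", "HTTP traffic not redirected to HTTPS"))
    h = {k.lower(): v for k, v in https_headers.items()}
    if "max-age=" not in h.get("strict-transport-security", ""):
        out.append(("LOW", "HSTS header not configured"))
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        out.append(("LOW", "X-Frame-Options header not configured"))  # CSP frame-ancestors also covers this
    return out

def scan_findings(s):
    # Combine the checks and rank by severity, like the report's Key Findings list
    found = [spf_finding(s["root_txt"]), dmarc_finding(s["dmarc_txt"]), cert_finding(s["cert_not_after"], s["now"])]
    return sorted(found + http_findings(s["http_status"], s["http_location"], s["https_headers"]), key=lambda f: SEVERITY_RANK[f[0]])

# Constructed signals mirroring this sample report's Technical Details (not real scan output; scan time assumed)
SAMPLE = {"root_txt": ["MS=ms12345678"], "dmarc_txt": "v=DMARC1; p=none; rua=mailto:dmarc@demo-corp.example",
          "cert_not_after": "2026-04-25T23:59:59Z", "now": datetime(2026, 4, 4, 12, 0, tzinfo=timezone.utc),
          "http_status": 200, "http_location": None, "https_headers": {"X-Content-Type-Options": "nosniff"}}
```

Calling scan_findings(SAMPLE) yields the two HIGH, one MEDIUM, two LOW and one INFO items of this report; feeding it the post-remediation values (an SPF record ending in -all, a 301 to https://, the two headers from steps 4 and 5) should leave only the DMARC observation.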

What to do next

Start at the top of the Remediation section.

Findings are ranked by impact. Most fixes are DNS, certificate, or header configuration changes — nothing that requires a redeployment. Re-scan after you've made changes to confirm they've taken effect.

Questions about a finding? Patrick is available for brief consultations.

Technical Details

Email Security
  SPF Present: ❌ No
  SPF Record: (none)
  DMARC Present: ✅ Yes
  DMARC Policy: none (no enforcement)
  DMARC Record: v=DMARC1; p=none; rua=mailto:dmarc@demo-corp.example
  DKIM: Not confirmed (passive scan only)

TLS Certificate
  Connected: ✅ Yes
  Issuer: Sectigo Limited
  Subject: demo-corp.example
  Expires: 2026-04-25T23:59:59Z
  Days Remaining: 21
  Hostname Match: ✅ Yes
  TLS Version: TLSv1.3

Security Headers
  Strict-Transport-Security: ❌ Missing
  Content-Security-Policy: ❌ Missing
  X-Frame-Options: ❌ Missing
  X-Content-Type-Options: nosniff
  Referrer-Policy: ❌ Missing
  Permissions-Policy: ❌ Missing

Port Exposure
  Port 80 (HTTP): 🔓 Open
  Port 443 (HTTPS): 🔓 Open
  Port 25 (SMTP): 🔒 Closed
  Port 465 (SMTPS): 🔒 Closed
  Port 587 (SMTP/STARTTLS): 🔒 Closed
  Port 8080 (HTTP-alt): 🔒 Closed
  Port 8443 (HTTPS-alt): 🔒 Closed

DNS Records
  A Records: 203.0.113.42
  AAAA Records: none
  MX Records: 10 demo-corp-example.mail.protection.outlook.com.
  Nameservers: ns1.registrar-dns.com., ns2.registrar-dns.com.

WHOIS / Domain Info
  Registrar: GoDaddy.com, LLC
  Created: 2019-08-03
  Expires: 2027-08-03
  Domain Age: 1705 days

Scope & Limitations: This report reflects publicly observable signals at the time of the scan. It does not assess internal systems, application code, authentication mechanisms, or infrastructure configuration. DKIM detection is best-effort only. WHOIS data accuracy depends on registrar cooperation. Port checks use short timeouts and may miss firewalled services.

SurfaceSentinel — External Security Posture Review

Sample report — demo-corp.example • fictional data for illustration

Most first scans reveal something worth fixing.

If this were your domain, you'd already have something to fix.

Ready to see yours?

Get a report for your domain.

One-time payment. No account required. Results typically under a minute.
