The Anatomy of a 30-Point Security Audit (And Why Every Domain Needs One)

Regő Botond Ronyecz, posted on May 30

Tags: #zerohook #dns #domain #cybersecurity

Most domains have between six and ten security misconfigurations that their owners do not know about. That is not because the owners are careless. It is because DNS is a layered system built up over four decades, where each layer adds its own records, requirements, and failure modes, and where a misconfiguration in one layer often has no visible symptom until an attacker finds it first.

An open DNS resolver. A dangling CNAME pointing to a deleted Heroku app. An SMTP server that answers VRFY/EXPN user-enumeration queries. A DNSSEC chain with an expired signature. None of these appear in uptime monitors. None of them trigger alerts. All of them are exploitable.

A structured security audit checks every layer systematically. This post walks through all 30 checks: what each one tests, what a failure means in practice, and why the check exists.

How the Audit Is Organized

The 30 checks fall into five categories, each targeting a different attack surface on the same domain.

| Category | Checks | What it covers |
| --- | --- | --- |
| Email Security | 8 | Authentication, deliverability, blacklist status |
| DNS Security | 10 | Record integrity, configuration, cryptography |
| Infrastructure Security | 6 | Server exposure, zone data, redundancy |
| Compliance Mapping | 4 | NIS2, GDPR, ISO 27001, PCI-DSS |
| Additional Checks | 2 | Certificate and domain expiry |

Every check produces one of three outputs: pass, fail with a severity rating, or warning. Every fail comes with a fix guide. The aggregate result is an Email Health Score from 0 to 100.

Category 1: Email Security (8 Checks)

These eight checks cover everything that determines whether your outgoing email reaches the inbox, and whether your domain can be spoofed to send email you never sent.

Check 1: SPF Record Validation

What it tests: Whether a TXT record starting with v=spf1 exists at your root domain, whether it is syntactically valid, and whether it lists all
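The SPF check is the one most often re-implemented by hand, so here is an added example of the syntax half of it. This is not the zerohook tool's code and it does no DNS: the TXT strings passed in are constructed inputs standing in for what a resolver would return at the root domain. It applies the RFC 7208 rules that a receiver applies before any IP matching happens: exactly one v=spf1 record, parseable terms, well-formed ip4/ip6 literals, at most ten DNS-lookup terms (include, a, mx, ptr, exists, redirect), and a trailing all mechanism whose qualifier is not +. The helper names and the severity strings are this example's own conventions.

```python
"""Offline syntax validator for an SPF TXT record (RFC 7208).

Added example for this article, not the zerohook tool's own code. It never
queries DNS: callers pass the TXT strings a resolver returned for the domain.
"""
import ipaddress
import re

# RFC 7208 section 4.6.4: at most 10 terms that trigger DNS lookups per evaluation.
LOOKUP_LIMIT = 10
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
MODIFIERS = {"redirect", "exp"}
# qualifier, name, separator (':' arg, '=' modifier value, '/' cidr), remainder
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:([:=/])(.*))?$", re.I)


def select_spf(txt_records):
    """Return only the TXT strings that are SPF records (version tag is case-insensitive)."""
    return [r for r in txt_records
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]


def validate_spf(txt_records):
    """Return a list of (severity, message) findings; an empty list means the record passes."""
    findings = []
    spf = select_spf(txt_records)
    if not spf:
        return [("fail", "no SPF record: any host can send mail as this domain")]
    if len(spf) > 1:
        # RFC 7208 section 3.2: more than one record is a permerror, so SPF is effectively off.
        findings.append(("fail", f"{len(spf)} SPF records found; receivers treat this as permerror"))
    record = spf[0]
    if len(record) > 255:
        findings.append(("warn", "record longer than 255 octets; must be split into TXT character-strings"))

    lookups = 0
    has_all = False
    has_redirect = False
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        m = TERM_RE.match(term)
        if not m:
            findings.append(("fail", f"unparseable term {term!r}"))
            continue
        qualifier, name, sep, arg = m.group(1), m.group(2).lower(), m.group(3), m.group(4)
        if name in MODIFIERS:
            if sep != "=":
                findings.append(("fail", f"modifier {name} requires '=' in {term!r}"))
            if name == "redirect":
                has_redirect = True
                lookups += 1
            continue
        if name not in MECHANISMS:
            findings.append(("fail", f"unknown mechanism in {term!r}"))
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg or "", strict=False)
            except ValueError:
                findings.append(("fail", f"bad address in {term!r}"))
                continue
            if net.version != int(name[2]):
                findings.append(("fail", f"{name} given an IPv{net.version} address in {term!r}"))
        if name == "all":
            has_all = True
            if qualifier in ("", "+"):
                findings.append(("fail", "'+all' authorises every host on the internet to send as this domain"))
    if lookups > LOOKUP_LIMIT:
        findings.append(("fail", f"{lookups} DNS-lookup terms exceed the limit of {LOOKUP_LIMIT} (permerror)"))
    if not has_all and not has_redirect:
        findings.append(("warn", "no 'all' mechanism: unlisted senders get a neutral result"))
    return findings


if __name__ == "__main__":
    # Constructed sample: one healthy zone and one with the classic mistakes.
    for txt in (["v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"],
                ["v=spf1 ip4:2001:db8::1 +all", "v=spf1 -all"]):
        print(txt, "->", validate_spf(txt) or "pass")
```

Run as a script it prints the findings for both constructed zones; in an audit you would feed it the TXT strings your resolver returned and treat any "fail" as a Check 1 failure. It deliberately counts lookup terms without following include chains, so a record that passes here can still exceed the limit once its includes are expanded; that recursive count needs live DNS and is the other half of the check.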

📰Dev.to — dev.to