Web Security Overview
Unable to determine
No HTTP servers

This host doesn't seem to have any HTTP servers. We'll focus on evaluating the DNS and email configuration instead.

Email Security Overview
Unable to determine
No SMTP servers

This host doesn't specify any SMTP servers, which probably means that it doesn't receive email. We are unable to evaluate STARTTLS support, TLS, X.509, and DANE configuration.


Name Server Configuration

Correctly functioning name servers are necessary to hold and distribute information that's necessary for your domain name to operate correctly. Examples include converting names to IP addresses, determining where email should go, and so on. More recently, the DNS is being used to communicate email and other security policies.

Test passed
Everything seems to be well configured. Well done.

DNS Configuration

These are the results of individual DNS queries against your nameserver for each resource record type.

Name              TTL    Type  Data
mx.online.net.    900    A     62.210.16.36
online.net.       43200  NS    nsa.online.net.
online.net.       43200  NS    nsb.online.net.
online.net.       43200  SOA   nsa.online.net. dnsmaster.te-dns.net. 2021060201 14400 3600 604800 14400

DNSSEC

DNSSEC is an extension of the DNS protocol that provides cryptographic assurance of the authenticity and integrity of responses; it's intended as a defense against network attackers who are able to manipulate DNS to redirect their victims to servers of their choice. DNSSEC is controversial, with the industry split largely between those who think it's essential and those who believe that it's problematic and unnecessary.

Feature not implemented or disabled
Your server doesn't support this feature.

Certification Authority Authorization

CAA (RFC 8659) is a new standard that allows domain name owners to restrict which CAs are allowed to issue certificates for their domains. This can help to reduce the chance of misissuance, either accidentally or maliciously. In September 2017, CAA became mandatory for CAs to implement.

Feature not implemented or disabled
Your server doesn't support this feature.

Analysis

Powerup!
There is no CAA policy on this hostname
CAA policies can be used to restrict which CAs are allowed to issue certificates for a hostname. As such, CAA can be used to enforce an organization-wide policy and to prevent issuance of unauthorized certificates. The CA/Browser Forum requires CAs to consult CAA configuration during certificate issuance from September 2017.

Email (SMTP)

An internet hostname can be served by zero or more mail servers, as specified by MX (mail exchange) DNS resource records. Each server can further resolve to multiple IP addresses, for example to handle IPv4 and IPv6 clients. Thus, in practice, hosts that wish to receive email reliably are supported by many endpoints.

Test failed
We've detected serious problems that require your immediate attention.
Server:       mx.online.net (62.210.16.36), PTR: mx.online.net
Preference:   0
Operational:  see the SMTP session transcript below

220 mx-vit.online.net

EHLO outbound.hardenize.com
250-mx-vit.online.net
250 XFILTERED

QUIT
221 closing connection

STARTTLS:     Doesn't support STARTTLS.
TLS:          Not applicable, requires STARTTLS.
PKI:          Not applicable, requires TLS.
DNSSEC:       Not supported.
DANE:         Not applicable, requires TLS.

Analysis

Notice
This host doesn't have any MX records but accepts its own email
This host accepts its own email. According to the SMTP RFC (Section 5.1., "Locating the Target Host"), when a host doesn't have any MX servers configured in DNS, an attempt is made to deliver email directly to the host itself.

Email TLS (SMTP)

Transport Layer Security (TLS) is the most widely used encryption protocol on the Internet. In combination with valid certificates, servers can establish trusted communication channels even with users who have never visited them before. Network attackers can't uncover what is being communicated, even when they can see all the traffic.

Test failed
We've detected serious problems that require your immediate attention.

Analysis

Error
No support for STARTTLS
One or more servers lack support for STARTTLS, which means that they do not support email encryption at all.

Email Certificates (SMTP)

A certificate is a digital document that contains a public key, some information about the entity associated with it, and a digital signature from the certificate issuer. It’s a mechanism that enables us to exchange, store, and use public keys. Being able to reliably verify the identity of a remote server is crucial in order to achieve secure encrypted communication.

Feature not implemented or disabled
Your server doesn't support this feature.

Email DANE (SMTP)

DNS-based Authentication of Named Entities (DANE) is a bridge between DNSSEC and TLS. In one possible scenario, DANE can be used for public key pinning, building on an existing publicly-trusted certificate. In another approach, it can be used to completely bypass the CA ecosystem and establish trust using DNSSEC alone.

Feature not implemented or disabled
Your server doesn't support this feature.

SPF

Sender Policy Framework (SPF) is a protocol that allows domain name owners to control which internet hosts are allowed to send email on their behalf. This simple mechanism can be used to reduce the effect of email spoofing and cut down on spam.

Feature not implemented or disabled
Your server doesn't support this feature.

DMARC

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a scalable mechanism by which a mail-originating organization can express domain-level policies and preferences for message validation, disposition, and reporting, that a mail-receiving organization can use to improve mail handling.

Feature not implemented or disabled
Your server doesn't support this feature.

DMARC Policy Information

Tag              Value                            Description
Policy location  _dmarc.online.net                The location from which we obtained this policy.
v                DMARC1                           DMARC version used by this policy.
p                none                             Indicates the policy to be enacted by the receiver at the request of the domain owner. Possible values are: none, quarantine, and reject.
sp               none                             Requested mail receiver policy for all subdomains. Same format as for the p tag.
rua              mailto:dmarc@mailinblue.com!10m  Addresses to which aggregate feedback is to be sent.
ruf              mailto:dmarc@mailinblue.com!10m  Addresses to which message-specific failure information is to be reported.
rf               afrf                             Specifies the format to be used when reporting failures.
pct              100                              Percentage of messages from the mail stream to which the DMARC policy is to be applied.
ri               86400                            Interval between aggregate reports. Defaults to 86400.

Analysis

Info
DMARC policy found

Policy: v=DMARC1; p=none; sp=none; rua=mailto:dmarc@mailinblue.com!10m; ruf=mailto:dmarc@mailinblue.com!10m; rf=afrf; pct=100; ri=86400

Host: _dmarc.online.net

Good
Valid external destination

Permission record location: online.net._report._dmarc.mailinblue.com

External destination: mailto:dmarc@mailinblue.com

Permission record contents: v=DMARC1

Good
Valid external destination

Permission record location: online.net._report._dmarc.mailinblue.com

External destination: mailto:dmarc@mailinblue.com

Permission record contents: v=DMARC1

Good
Policy is valid
Good. You have a valid DMARC policy.
Powerup!
Activate DMARC policy
Although syntactically valid, your DMARC policy is effectively disabled. An effective policy must set the value of the 'p' directive to either 'quarantine' or 'reject'. In addition, if the 'pct' directive is present, it must be set to a value other than zero. (The default is 100, which means to apply policy to all emails.)

MTA Strict Transport Security

SMTP Mail Transfer Agent Strict Transport Security (MTA-STS) is a mechanism enabling mail service providers to declare their ability to receive Transport Layer Security (TLS) secure SMTP connections, and to specify whether sending SMTP servers should refuse to deliver to MX hosts that do not offer TLS with a trusted server certificate.

Feature not implemented or disabled
Your server doesn't support this feature.

SMTP TLS Reporting

SMTP TLS Reporting (RFC 8460), or TLS-RPT for short, describes a reporting mechanism and format by which systems sending email can share statistics and specific information about potential failures with recipient domains. Recipient domains can then use this information to both detect potential attacks and diagnose unintentional misconfigurations. TLS-RPT can be used with DANE or MTA-STS.

Feature not implemented or disabled
Your server doesn't support this feature.

HTTP (80)

To observe your HTTP implementation, we submit a request to the homepage of your site on port 80, follow all redirections (even when they take us to other domain names), and record the returned HTTP headers.

Feature not implemented or disabled
Your server doesn't support this feature.

URL: http://mx.online.net/

Analysis

Warning
HTTP connection failed
We were not able to successfully complete this request.

Message: Connect to mx.online.net:80 [mx.online.net./62.210.16.36] failed: Connection refused (Connection refused)

HTTP (443)

To observe your HTTPS implementation, we submit a request to the homepage of your site on port 443, follow all redirections (even when they take us to other domain names), and record the returned HTTP headers. We use the most recent set of headers returned from the tested hostname for further tests such as HSTS and HPKP.

Feature not implemented or disabled
Your server doesn't support this feature.

URL: https://mx.online.net/

Analysis

Warning
HTTP connection failed
We were not able to successfully complete this request.

Message: Connect to mx.online.net:443 [mx.online.net./62.210.16.36] failed: Connection refused (Connection refused)

WWW TLS

Transport Layer Security (TLS) is the most widely used encryption protocol on the Internet. In combination with valid certificates, servers can establish trusted communication channels even with users who have never visited them before. Network attackers can't uncover what is being communicated, even when they can see all the traffic.

Unable to test (dependency failed)
This test depends on the results of another test, which hasn't completed.

TLS Configuration: mx.online.net (62.210.16.36)

Analysis

Error
TLS connection failed
We failed to connect to the server using TLS.

Error message: Connection refused (Connection refused)

WWW Certificates

A certificate is a digital document that contains a public key, some information about the entity associated with it, and a digital signature from the certificate issuer. It’s a mechanism that enables us to exchange, store, and use public keys. Being able to reliably verify the identity of a remote server is crucial in order to achieve secure encrypted communication.

Unable to test (dependency failed)
This test depends on the results of another test, which hasn't completed.

DANE (443)

DNS-based Authentication of Named Entities (DANE) is a bridge between DNSSEC and TLS. In one possible scenario, DANE can be used for public key pinning, building on an existing publicly-trusted certificate. In another approach, it can be used to completely bypass the CA ecosystem and establish trust using DNSSEC alone.

Feature not implemented or disabled
Your server doesn't support this feature.

Cookies

Cookies are small chunks of text that are sent between your browser and a website. They are often essential to the operation of the site and sometimes contain sensitive information. Session cookies sent from secure sites must be explicitly marked as secure to prevent being obtained by active network attackers.

Unable to test (dependency failed)
This test depends on the results of another test, which hasn't completed.

Mixed Content

On virtually all web sites, HTML markup, images, style sheets, JavaScript, and other page resources arrive not only over multiple connections but possibly from multiple servers and sites spread across the entire Internet. For a page to be properly encrypted, it’s necessary that all the content is retrieved over HTTPS. In practice, that’s very often not the case, leading to mixed content security problems.

Unable to test (dependency failed)
This test depends on the results of another test, which hasn't completed.

HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) vastly improves security of the network encryption layer. With HSTS enabled, browsers no longer allow clicking through certificate warnings, which are typically trivial to exploit. Additionally, they will no longer submit insecure (plaintext) requests to the site in question, even if asked.

Unable to test (dependency failed)
This test depends on the results of another test, which hasn't completed.

HSTS Policy: Main host

Location: https://mx.online.net (URL from which this policy was obtained.)

HTTP Public Key Pinning

HTTP Public Key Pinning (HPKP) enables site operators to restrict which certificates are considered valid for their domain names. With a valid HPKP configuration, sites can defeat man in the middle (MITM) attacks using fraudulent or misissued certificates. HPKP is an advanced feature, suitable for use by only high-profile web sites.

Unable to test (dependency failed)
This test depends on the results of another test, which hasn't completed.

Content Security Policy

Content Security Policy (CSP) is a security mechanism that allows web sites to control how browsers process their pages. In essence, sites can restrict what types of resources are loaded and from where. CSP policies can be used to defend against cross-site scripting, prevent mixed content issues, and report violations for investigation.

Unable to test (dependency failed)
This test depends on the results of another test, which hasn't completed.

Subresource Integrity

Subresource Integrity (SRI) is a new standard that enables browsers to verify the integrity of embedded page resources (e.g., scripts and stylesheets) when they are loaded from third-party web sites. With SRI deployed, remote resources can be used safely, without fear of them being modified by malicious parties.

Unable to test (dependency failed)
This test depends on the results of another test, which hasn't completed.

Expect CT

Expect-CT is a response HTTP header that web sites can use to monitor problems related to their Certificate Transparency (CT) compliance. Should any CT issues arise, browsers that support this header will submit reports to the specified reporting endpoint.

Unable to test (dependency failed)
This test depends on the results of another test, which hasn't completed.

Frame Options

The X-Frame-Options header controls page framing, which occurs when a page is incorporated into some other page, possibly on a different site. If framing is allowed, attackers can employ clever tricks to make victims perform arbitrary actions on your site; they do this by showing their web site while forwarding the victim's clicks to yours.

Unable to test (dependency failed)
This test depends on the results of another test, which hasn't completed.

XSS Protection

Modern browsers ship with built-in defenses against Cross-Site Scripting (XSS), usually known as XSS Auditors. Web sites are allowed to control the defenses if they specify an X-XSS-Protection header in their HTTP responses. Recommended policies are either to block XSS attacks, or disable the defenses if you think false positives are possible. Filtering, where offending fragments of data are removed, is not recommended because it can be abused by attackers to selectively deactivate script files.

Unable to test (dependency failed)
This test depends on the results of another test, which hasn't completed.

Content Type Options

Some browsers use a technique called content sniffing to override response MIME types provided by HTTP servers and interpret responses as something else (usually HTML). This behavior, which could potentially lead to security issues, should be disabled by attaching an X-Content-Type-Options header to all responses.

Unable to test (dependency failed)
This test depends on the results of another test, which hasn't completed.

HTML Analysis

Analysis of page content, including SRI.

Unable to test (dependency failed)
This test depends on the results of another test, which hasn't completed.

Base URL

Active Content

Type Status Location
None

Passive Content

Type Status Link
None

Links

Type Status Link
None