The quick answer: use lens
If you want a single verdict fast, lens is the starting point. It checks DNS, TLS, and IP reputation in parallel and produces a letter-graded health score — no setup, no scripting. Enter your domain at lens.netray.info or run:
curl -sN 'https://lens.netray.info/api/check?d=example.com' \
| grep '^data:' \
| awk -F'data: ' '/summary/{print $2;exit}' \
| jq '{grade: .grade, score: .score, sections: .sections}'
The summary event returns an overall grade (A+ through F), a numeric score, and a per-section breakdown for DNS, TLS, and IP. If any section shows a low grade, use the individual tools below to dig into the details.
For CI pipelines, you can gate a deploy on the overall grade:
# Fail if grade is below B
curl -sN 'https://lens.netray.info/api/check?d=example.com' \
| grep '^data:' \
| awk -F'data: ' '/summary/{print $2;exit}' \
| jq -e '.grade | test("^(A|B)")'
The rest of this guide explains what lens is checking and how to investigate any findings in depth using the individual tools.
What a domain audit covers
A domain security audit examines five pillars: DNS integrity, TLS and certificate health, HTTP header security, email authentication, and IP reputation. Each pillar has distinct failure modes, and weaknesses in one do not cancel out strengths in another — a domain with perfect TLS but no DMARC is still trivially spoofable in email.
DNS integrity covers nameserver configuration, DNSSEC signing, and CAA records. Failures here can redirect traffic, enable cache poisoning, or allow unauthorized certificate issuance. TLS health covers certificate validity, chain completeness, protocol version, and HSTS. An expired certificate or broken chain drops connections; weak protocol versions expose users to downgrade attacks. HTTP header security covers Content-Security-Policy, HSTS, X-Content-Type-Options, and other response headers that harden the browser's handling of your site — missing or misconfigured headers leave users vulnerable to XSS, clickjacking, and MIME-type confusion. Email authentication (SPF, DKIM, DMARC, MTA-STS, DANE) prevents impersonation, protects mail transport integrity, and affects deliverability. IP reputation covers whether your hosting IPs are on blocklists and how they are classified — relevant for deliverability, API access, and trust signals.
The audit described here uses only free tools and can be completed in under five minutes for a typical domain. The goal is to identify the most impactful gaps quickly, not to produce an exhaustive penetration test report.
Step 1: DNS health
Start with the DNS foundation. Run a +check query in the DNS inspector — this queries NS, SOA, A, AAAA, MX, and TXT records, then applies lint rules across them.
Key things to look for:
- Lame delegation — nameservers listed in the parent zone (registrar) that do not answer authoritatively for the zone. Causes intermittent resolution failures.
- NS consistency — the NS records in the parent zone and the NS records returned by the authoritative nameservers should match exactly. Mismatches indicate a partial migration or stale registrar records.
- DNSSEC — check whether the zone is signed and whether the DS record in the parent zone is present and valid. A signed zone with a missing or wrong DS record causes DNSSEC-validating resolvers to hard-fail the entire zone.
- CAA records — restrict which CAs may issue certificates for the domain. Absence is not a misconfiguration, but presence with the correct CA greatly reduces unauthorized issuance risk.
A clean DNS check takes 30 seconds. Any lame delegation or DNSSEC validation failure is a P1 issue — fix it before proceeding.
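The NS-consistency and lame-delegation rules above, written as shell functions over dig output so they can be exercised without network access. This is an added example, not the DNS inspector's own code; the nameserver names, the flag lines and the parent server in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original guide): two Step 1 checks,
# NS consistency and lame delegation, as functions over dig output.
# Sample data below is constructed; live dig commands are in comments.

# Normalise an NS list (one name per line): lowercase, no trailing dot, sorted.
ns_normalise() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# NS consistency: the parent (registrar) set must equal the zone's own set.
# Live: parent=$(dig +short NS example.com @a.gtld-servers.net)
#       child=$(dig +short NS example.com @ns1.example.net)
# Prints "match", or each name seen on only one side; returns 1 on mismatch.
ns_sets_match() {  # $1 = parent NS list, $2 = child NS list
    a=$(ns_normalise "$1"); b=$(ns_normalise "$2")
    if [ "$a" = "$b" ]; then echo match; return 0; fi
    # sort | uniq -u leaves the symmetric difference of the two sets
    { printf '%s\n' "$a"; printf '%s\n' "$b"; } | sort | uniq -u | sed 's/^/only-one-side: /'
    return 1
}

# Lame delegation: a listed nameserver whose answer lacks the aa flag
# (or that does not answer at all) is not authoritative for the zone.
# Live: answers_authoritatively "$(dig +norecurse +noall +comments SOA example.com @ns1.example.net)"
answers_authoritatively() {  # $1 = dig output containing the ";; flags:" line
    printf '%s\n' "$1" | awk -F';' '/^;; flags:/{print $3}' | tr ' ' '\n' | grep -qx aa
}

# Constructed sample data (placeholder names and dig comment lines)
PARENT_NS='ns1.example.net.
NS2.example.net.'
CHILD_NS='ns1.example.net.
ns3.example.net.'
GOOD_DIG=';; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
LAME_DIG=';; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0'

ns_sets_match "$PARENT_NS" "$CHILD_NS" || echo "P1: NS mismatch (partial migration or stale registrar records)"
answers_authoritatively "$GOOD_DIG" && echo "ns1: authoritative"
answers_authoritatively "$LAME_DIG" || echo "P1: lame delegation"
```

Run each listed nameserver through answers_authoritatively; one lame server is enough to cause the intermittent failures described above.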
Step 2: Email authentication
Email authentication is the most commonly neglected pillar for domains that do not send transactional email — and the most exploited. Even a domain used only for a website can be spoofed in phishing campaigns if DMARC is absent.
The minimum viable configuration is:
- SPF: a TXT record on the root domain listing authorized sending IPs. Use -all (hard fail) once all senders are enumerated. Watch the 10-lookup limit.
- DMARC: a TXT record at _dmarc.example.com with at minimum p=quarantine. A p=none-only policy provides monitoring but no protection. Include rua to receive aggregate reports.
- DKIM: configured on each sending platform. Required for DMARC alignment when messages are forwarded.
If the domain does not send email at all, publish v=spf1 -all and v=DMARC1; p=reject to tell receivers to reject any mail claiming to be from this domain. This is the strongest possible posture for a non-sending domain and takes two DNS records to implement.
The DNS inspector's +check mode reports all email authentication records and flags common issues: multiple SPF records (a permerror), DMARC stuck at p=none, missing MX, and MTA-STS configuration mismatches.
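The minimum-configuration checks from Step 2 as a small shell linter over raw TXT records. This is an added example, not the DNS inspector's own rules; the record values and .example hostnames are constructed samples, and the lookup counter only sees the top-level record (includes recurse), so its count is a lower bound.

```shell
#!/bin/sh
# Added example (not part of the original guide): lint SPF and DMARC TXT
# records against the Step 2 rules. Records below are constructed samples;
# live input is the output of  dig +short TXT example.com  and
# dig +short TXT _dmarc.example.com  (one record per line).

# Number of v=spf1 records in a TXT list; exactly one is required (two or more is a permerror).
spf_record_count() {
    printf '%s\n' "$1" | awk '/^"?v=spf1/{n++} END{print n+0}'
}

# DNS-querying terms in the record itself (include, a, mx, ptr, exists,
# redirect). RFC 7208 caps the whole evaluation at 10; includes recurse,
# so this count is a lower bound.
spf_lookup_count() {
    printf '%s\n' "$1" | tr -d '"' | tr ' ' '\n' \
      | awk '/^[-+~?]?(include:|a$|a:|a\/|mx$|mx:|mx\/|ptr|exists:|redirect=)/{n++} END{print n+0}'
}

# Qualifier on the "all" term: "-" hard fail, "~" soft fail, "?" neutral,
# "+" pass (also the default when unqualified), or "none" if absent.
spf_all_qualifier() {
    printf '%s\n' "$1" | tr -d '"' | awk 'BEGIN{q="none"}
        { for (i=1;i<=NF;i++) if ($i ~ /^[-+~?]?all$/) q=($i=="all")?"+":substr($i,1,1) }
        END{print q}'
}

# DMARC p= tag, or "missing" when the record has none.
dmarc_policy() {
    printf '%s\n' "$1" | tr -d '"' | tr ';' '\n' \
      | awk 'BEGIN{p="missing"} /^ *p=/{sub(/^ *p=/,""); sub(/ *$/,""); p=$0} END{print p}'
}

# One verdict per the guide's minimum configuration: exactly one SPF record,
# within the lookup limit, ending in -all, and DMARC at quarantine or reject.
email_auth_verdict() {  # $1 = SPF TXT records, $2 = DMARC TXT record
    n=$(spf_record_count "$1")
    [ "$n" -eq 1 ] || { echo "FAIL: $n SPF records (need exactly one)"; return 1; }
    [ "$(spf_lookup_count "$1")" -le 10 ] || { echo "FAIL: SPF over 10 lookups"; return 1; }
    [ "$(spf_all_qualifier "$1")" = "-" ] || { echo "WARN: SPF does not end in -all"; return 2; }
    case "$(dmarc_policy "$2")" in
        quarantine|reject) echo PASS ;;
        *) echo "FAIL: DMARC policy below quarantine"; return 1 ;;
    esac
}

# Constructed sample records (.example hostnames are placeholders)
SPF_SAMPLE='"v=spf1 include:_spf.mail.example include:_spf.crm.example ip4:203.0.113.10 -all"'
DMARC_SAMPLE='"v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"'
email_auth_verdict "$SPF_SAMPLE" "$DMARC_SAMPLE"
```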
Step 3: TLS certificate
Certificate issues are operationally impactful and often the most visible to end users. Check four things:
- Validity and expiry — is the certificate currently valid? How many days until expiry? Under 14 days is a P1 for most organizations; under 30 days should trigger immediate review of the renewal process.
- Chain completeness — the server must send the full chain (leaf + intermediates). A missing intermediate causes failures in some clients even if the root CA is trusted, because the client cannot build the path to the root. This is a very common misconfiguration.
- Protocol version — TLS 1.0 and 1.1 are deprecated and disabled in all modern browsers. TLS 1.2 is acceptable but TLS 1.3 should be the preferred version where supported. Check whether the server correctly negotiates 1.3 with clients that support it.
- HSTS — the Strict-Transport-Security header should be present with a max-age of at least 6 months (15768000 seconds). HSTS preloading requires 1 year, includeSubDomains, and the preload directive.
For multi-IP deployments (CDN, load balancer, anycast), check whether all IPs serve the same certificate. Certificate mismatches across IPs cause intermittent failures that are hard to debug from a single-IP vantage point.
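A grader for the HSTS thresholds in the list above, added here as an example; it is not part of the original guide or the TLS inspector, and the header values it is run on are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the original guide): grade a
# Strict-Transport-Security header value against the Step 3 thresholds.
# Thresholds in seconds, as given in the guide: 6 months minimum, 1 year
# (plus includeSubDomains and preload) for preload eligibility.
HSTS_MIN=15768000
HSTS_PRELOAD_MIN=31536000

# max-age value (0 if absent or unparsable) from a raw header value such as
#   max-age=31536000; includeSubDomains; preload
# Directive names are case-insensitive; a quoted value ("123") is accepted.
hsts_max_age() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' \
      | awk 'BEGIN{a=0} /^ *max-age=/{sub(/^ *max-age=/,""); gsub(/[^0-9]/,""); a=$0+0} END{print a}'
}

# Prints 1 if the named directive is present, else 0.
hsts_has() {  # $1 = header value, $2 = directive name
    d=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr ';' '\n' | tr -d ' ' \
      | awk -v d="$d" 'BEGIN{f=0} $0==d{f=1} END{print f}'
}

# Verdict: FAIL (missing or under 6 months, return 1), WARN (long enough but
# not preload-ready, return 2), PASS (return 0).
hsts_verdict() {  # $1 = header value, empty string if the header is absent
    age=$(hsts_max_age "$1")
    if [ "$age" -lt "$HSTS_MIN" ]; then
        echo "FAIL: max-age=$age is below $HSTS_MIN (6 months)"; return 1
    fi
    if [ "$age" -ge "$HSTS_PRELOAD_MIN" ] \
       && [ "$(hsts_has "$1" includeSubDomains)" -eq 1 ] \
       && [ "$(hsts_has "$1" preload)" -eq 1 ]; then
        echo "PASS: preload-ready"; return 0
    fi
    echo "WARN: max-age=$age meets the minimum but preloading needs >=$HSTS_PRELOAD_MIN, includeSubDomains and preload"
    return 2
}

# Live use (network): pull the header with curl, then grade it, e.g.
#   hdr=$(curl -sI https://example.com | tr -d '\r' \
#         | awk -F': ' 'tolower($1)=="strict-transport-security"{print $2}')
#   hsts_verdict "$hdr"
# Constructed sample values ("|| true" keeps a failing grade from aborting
# a script run under set -e):
hsts_verdict "max-age=31536000; includeSubDomains; preload"
hsts_verdict "max-age=15768000; includeSubDomains" || true
hsts_verdict "max-age=300" || true
hsts_verdict "" || true
```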
Step 4: IP reputation
Look up the IP addresses your domain resolves to. The key signals from IP enrichment are:
- Network type classification — hosting or cdn is expected for most production services. residential on a production IP is unusual and warrants investigation.
- Blacklist membership — if your IP is on Spamhaus DROP or similar lists, outbound email will be rejected and some security tools will flag inbound connections from your infrastructure.
- ASN and organization — confirms the IP is actually hosted with your expected cloud or CDN provider. An unexpected ASN can indicate DNS hijacking or a misconfigured CDN origin.
For email-sending IPs specifically, reputation matters more. Shared hosting IPs carry the history of all tenants. If deliverability is a concern, check whether your sending IP is listed on major email-specific blocklists (Spamhaus ZEN, Barracuda, etc.).
Reading the results
Not all findings are equally urgent. A practical priority order:
- Expired certificate — users cannot connect. Fix immediately.
- Missing or broken SPF/DMARC — active spoofing risk. Fix within 24 hours.
- Lame delegation or broken DNSSEC — intermittent resolution failures or hard failures for DNSSEC-validating resolvers. Fix within 24 hours.
- Weak TLS version (1.0/1.1 enabled) — deprecated, potential downgrade risk. Schedule within the current sprint.
- Missing HSTS or short max-age — leaves users vulnerable to SSL stripping on first visit. Schedule within the current sprint.
- No CAA records — increases unauthorized issuance risk. Low urgency; add when convenient.
- Missing DANE/TLSA — advanced protection, rarely deployed. Backlog unless you have specific requirements.
Automating the audit
The simplest automation is the lens SSE endpoint — one request, all five signals, one grade:
# Get the overall grade and per-section scores
curl -sN 'https://lens.netray.info/api/check?d=example.com' \
| grep '^data:' \
| awk -F'data: ' '/summary/{print $2;exit}' \
| jq '{grade: .grade, score: .score, sections: .sections}'
For threshold alerting on individual fields, the three component APIs return structured data with explicit pass/warn/fail fields:
# DNS check (returns JSON with lint results)
curl -s "https://dns.netray.info/api/query?q=example.com+check" | jq .
# TLS inspection (returns JSON with cert, chain, graded checks)
curl -s "https://tls.netray.info/api/inspect?h=example.com" | jq .
# IP enrichment for the domain's first A record (the filter keeps only IPv4 answers, so a CNAME hop in the dig output is skipped)
IP=$(dig +short A example.com | grep -E '^[0-9.]+$' | head -n 1)
curl -s "https://ip.netray.info/${IP}" | jq .
Use lens for high-level pass/fail gating in CI; use the individual APIs when you need to alert on specific fields such as days-until-expiry, DMARC policy, or lint error counts.