A list of each validation test that we run as part of a comprehensive domain checkup. This page also lists some tests that we plan to implement in the future.
This test checks to see if information about the domain can be found in the domain name registry.
Tests to make sure the domain's registration will not expire soon.
Tests to make sure the domain is locked, which helps prevent unauthorized attempts to transfer the domain to another registrar.
Tests to make sure there isn't a problem with the status of the domain.
Tests that the registrant's personal information remains private.
Tests the age of the domain.
Checks that the domain has at least two name servers defined, for redundancy.
Tests that the name servers for this domain respond to queries.
Checks that the name servers for this domain report that they are authoritative.
Checks that the name servers defined in the whois record match those given by name servers themselves.
Checks that the authoritative name servers and their parent have matching records.
Makes sure that the name servers do not respond to open recursive queries.
Checks that all of the name servers are on different subnets, for fault tolerance.
Checks that the apex domain name record (without the www) is an A record, and not a CNAME record.
Checks the TTL (Time to Live) for the name server DNS record.
Tests that an IP address can be found for the domain name.
Checks the TTL (Time to Live) for the 'A' record.
Tests that an IP address can be found for the 'www' subdomain.
Checks the TTL (Time to Live) for the www subdomain's 'A' record.
Confirms that the IP addresses match for the website with and without the www subdomain.
Tests that the Start of Authority (SOA) refresh value is in the recommended range.
Tests that the Start of Authority (SOA) retry value is in the recommended range.
Tests that the Start of Authority (SOA) expire value is in the recommended range.
Tests that the Start of Authority (SOA) minimum value is in the recommended range.
Tests that the name server in the SOA record matches one found for the domain.
Test that the SOA serial number is valid and matches across all the name servers.
Test that Google (22.214.171.124) and Cloudflare (126.96.36.199) public DNS servers resolve.
Test that all name servers return the same answer for the domain's IP.
Test for missing or bad glue from the name servers.
Make sure the server does not allow zone transfers.
Test that TXT records longer than 255 characters are defined and concatenated correctly.
The server accepts a connection and returns a "200 OK" status code.
A website should have one canonical URL for the homepage (https://www.example.com). The other URLs should redirect there.
Tests that "http" requests for a page are upgraded to use SSL.
This tells web browsers that they should only use HTTPS connections to view this website.
Checks to make sure an SSL certificate exists for this domain.
Tests that there is at most one redirect when accessing the website.
Confirms that the SSL certificate is not going to expire soon.
Tests that the hostname defined in the SSL certificate matches the domain name.
If a Let's Encrypt DNS record is found, this tests the TTL for that record.
Examines what software the server reports that it uses.
Confirms that the webpage is declared to be an HTML page with UTF-8 encoding.
Tests the 'X-Frame-Options' header which prevents sites from being displayed inside an iframe.
Checks for the presence of the 'X-XSS-Protection' header, which protects against some attacks.
Checks for the presence of the 'X-Content-Type-Options' header, which protects against some attacks.
Checks for the presence of the 'Referrer-Policy' header, which protects data from being leaked to insecure origins.
Checks for the presence of the 'Content-Security-Policy' header, which helps prevent certain types of attacks.
Checks for the presence of the 'Feature-Policy' header, which helps protect your users by limiting certain browser features.
Checks for the presence of the 'Permissions-Policy' header, which helps protect your users by limiting certain browser features.
Checks the caching headers to make sure they have appropriate values.
Checks the compression headers to make sure the server can serve pages optimally.
Test that cookies are set with best practices.
Checks to see if the site enforces Certificate Transparency.
Tests whether the site strictly enforces CORS.
Tests that the third-party testing site SSL Labs returns a good grade.
Checks for the existence of the ads.txt file which can reveal which advertisers the website uses.
Checks for a variety of known endpoints found within the .well-known directory and reports what it finds.
Checks to see if the server supports HTTP/2.
Confirms that the SSL certificate uses strong encryption.
Checks to see if the website allows the browser to track users using the FLoC algorithm.
Common File Validation
Checks for the existence of a favicon image that is formatted correctly.
Tests that the favicon contains 16x16 and 32x32 icons.
Checks that an icon is defined in the HTML for the 16x16 size.
Checks that an icon is defined in the HTML for the 32x32 size.
Checks the web manifest for a 192x192 icon and checks to make sure the image is correct.
Checks the web manifest for a 512x512 icon and checks to make sure the image is correct.
Checks that the "apple-touch-icon.png" is defined, located in the correct spot and is the right size.
Checks that a mask icon is defined and formatted correctly.
Looks for a web manifest file declared in the HTML and checks to make sure it exists.
Checks that the web manifest file has contents formatted as JSON.
Checks each key/value inside the web manifest file to make sure they are formatted correctly.
Makes sure that a robots.txt file exists.
Checks the robots.txt file for the location of a sitemap.
Checks to make sure robots can crawl parts of the website.
The filesize of a robots.txt file should be less than 500KiB.
Tests each line of the robots.txt file to check for syntax errors.
Checks to see if a sitemap is defined and validates the file format if it exists.
Tests that there is HTML content that can be viewed on the homepage.
Measures the degree to which content moves or jiggles as other content continues to load, causing a poor user experience.
Measures the time when the page first displays anything other than a blank screen.
Measures the time from when a user interacts with the page to when the browser can process that interaction.
Measures the perceived load speed by marking when the first large chunk of content is displayed.
The overall summary of the speed of the website.
Checks how quickly the contents of the page are visibly loaded.
The total time that the browser is blocked from handling user inputs.
How long it takes for the page to become responsive to user inputs.
Checks the title of the page to make sure it exists in the right spot and is a good length.
Looks for the Charset meta tag and makes sure it is UTF-8.
Checks for a description meta tag and makes sure it is the proper length.
Checks that a viewport meta tag exists with width and initial-scale attributes.
Looks for the canonical link tag in the <head> section of the HTML.
Checks that fonts are not loaded from Google's servers.
Tests for unused or unminified CSS.
An SPF record helps prevent forged emails from being sent from the domain.
Checks the SPF record to make sure it is formatted correctly and has no errors.
Checks the length of the SPF record to make sure it isn't too long.
To get the most value from an SPF record, it should use the strictest matching.
Checks the TTL (Time to Live) for the SPF record.
Suggests optimizations to the SPF record if certain criteria are met.
A DKIM record provides a way for a receiver to authenticate that an email is valid.
Checks that each DKIM selector returns a record.
Validates that the DKIM record is formatted correctly and has no errors.
Tests that the DKIM record uses strong encryption.
A DMARC record improves email authentication and allows errors to be reported.
Validates that the DMARC record is formatted correctly and has no errors.
Tests that the DMARC policy is enabled and not in testing mode.
Confirms that DMARC error reports are enabled.
A BIMI record defines how a logo can appear in the customer's inbox.
Tests whether the BIMI record is formatted correctly.
A valid DMARC record with a quarantine or reject policy is required for BIMI to function.
An MX record defines how email is received by the domain owners.
Tests that the MX record is a valid hostname.
Tests that an IP address can be found for the MX records.
Validates the Preference/Priority number for each MX record.
Checks the TTL (Time to Live) for the MX record.
Checks the MX records for duplicates.
Offers a suggestion for reordering the SPF mechanisms in order of importance.
Test that emails sent from the domain are correctly signed.
A suggestion to register a trademark. This is a requirement for having a BIMI record.
Validate the SVG image to make sure it is formatted correctly.
Validate the certificate.
Checks to see if a PTR record can be found, for reverse DNS lookups.
Tests that the mail server responds quickly.
Checks that the mail server does not behave as an open relay.
Checks to see if the mail server appears on a variety of public blacklists.
Tests that the SVG image provided in the BIMI record is formatted correctly.