We built something we’ve wanted for a while - a free security scanner that lets you check your website and email security in seconds. Enter your domain name, and it runs a series of automated tests with results explained in plain English. No cybersecurity degree required.

Try it at darkhorseitsecurity.com.

Here’s what it checks and why each piece matters.

Email authentication: SPF, DKIM, and DMARC

These three work together to prove your emails are actually coming from you - and to tell other email providers what to do when they’re not.

SPF (Sender Policy Framework)

SPF is a DNS record that lists which servers are authorized to send email on behalf of your domain. The scanner checks whether your SPF record exists, whether it’s safely configured, whether it ends with a proper closing rule such as -all, and whether it stays within DNS lookup limits.

If your SPF is misconfigured or missing, anyone can send emails that look like they come from your domain. That’s how spoofing works - and it’s how phishing attacks impersonate legitimate businesses.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC tells email providers what to do when an email fails SPF or DKIM checks. The policies range from weak to strong:

  • p=none - monitoring only, no enforcement (weak)
  • p=quarantine - suspicious emails go to spam
  • p=reject - failed emails are blocked entirely (strongest)

The scanner checks whether a DMARC policy exists, what enforcement level it’s set to, and whether reporting is configured. A surprising number of domains have no DMARC policy at all, which means anyone can impersonate them with zero consequences.
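As an added example (not the scanner's own code), the following Python audits SPF and DMARC record strings for the issues described above: the closing rule, the DNS lookup count, the enforcement level, and reporting. The function names and sample records are assumptions made for illustration; the lookup count covers only the terms in the record itself, since following nested includes requires live DNS queries.

```python
# Added example (not the scanner's code): offline audit of SPF and DMARC TXT strings.
# Constructed sample records; example.com is a placeholder domain.
SAMPLE_SPF = "v=spf1 include:_spf.example.com mx ~all"
SAMPLE_DMARC = "v=DMARC1; p=none"
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4
ALL_FINDINGS = {
    "+": "+all authorizes every server on the internet",
    "?": "?all is neutral: unlisted senders are not rejected",
    "~": "~all is a soft fail: unlisted senders are only marked suspicious",
}

def audit_spf(record):
    """Return plain-language findings for one SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record"]
    findings, lookups, closing, redirect = [], 0, None, False
    for term in terms[1:]:
        qualifier, body = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        name = body.lower().replace("=", ":").replace("/", ":").split(":")[0]
        if name in LOOKUP_TERMS:
            lookups += 1  # top-level terms only; nested includes need live DNS
        if name == "all" and closing is None:
            closing = qualifier
        redirect = redirect or name == "redirect"
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-lookup terms, limit is {SPF_LOOKUP_LIMIT}")
    if closing is None and not redirect:
        findings.append("no closing all rule: unlisted senders get a neutral result")
    elif closing in ALL_FINDINGS:
        findings.append(ALL_FINDINGS[closing])
    return findings

def audit_dmarc(record):
    """Return plain-language findings for one _dmarc TXT record string."""
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("v") != "DMARC1":
        return ["no DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, no enforcement")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reporting is not configured")
    return findings
```

An empty list from either function means the record passed every check in this example.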

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to your emails that proves they haven’t been tampered with in transit. The scanner identifies DKIM keys from Google Workspace and Microsoft 365. Missing or misconfigured DKIM reduces the confidence that your emails are legitimate.

SSL and website encryption

The padlock icon in your browser means your site uses HTTPS with an SSL/TLS certificate. The scanner examines your certificate’s issue and expiration dates, the issuing authority, whether HTTP properly redirects to HTTPS, and whether HSTS (HTTP Strict Transport Security) is enabled.

An expired certificate triggers browser warnings that will stop visitors from reaching your site. It’s one of the most common and most preventable website issues we see.

Website security headers

Security headers are instructions your website sends to browsers telling them how to behave. They prevent specific types of attacks. The scanner checks for:

  • Strict-Transport-Security - forces HTTPS connections
  • Content-Security-Policy - prevents unauthorized scripts from running
  • X-Frame-Options - prevents clickjacking (embedding your site in a hidden frame)
  • X-Content-Type-Options - prevents MIME type sniffing
  • Referrer-Policy - controls what information is shared when users click links
  • Permissions-Policy - restricts browser feature access (camera, microphone, etc.)

Most small business websites are missing several of these. They’re not hard to add, but they’re easy to overlook.

Blacklist and email reputation checks

If your email server’s IP address ends up on a spam blacklist, your emails may go straight to spam folders or not get delivered at all. The scanner checks your domain’s mail server IP against established spam blocklists and flags any issues.

This is especially important if you’ve recently changed email providers or if you’ve noticed delivery problems.

Why we built it this way

The goal was education, not intimidation. Most security scanners dump a wall of technical data that only an IT professional can interpret. Ours explains what each result means in plain language and gives you guidance on what to do about it - without needing a cybersecurity background.

Quick security checklist

  • Configure SPF, DKIM, and DMARC for your domain
  • Monitor your SSL certificate expiration dates
  • Implement HTTPS universally (no mixed content)
  • Enable security headers on your web server
  • Periodically check your domain’s email reputation

If your scan turns up issues you’re not sure how to fix, get in touch. This is exactly the kind of thing we help Fargo-Moorhead businesses with every day.