How to Check Your Domain's Security Score in 30 Seconds
Your domain is more than a URL. It is the front door to your business, your email reputation, and your customers' trust. A domain security score tells you exactly how locked down that front door is -- and where the gaps are. Here is how to check yours for free.
What Is a Domain Security Score?
A domain security score is a single grade -- typically A through F -- that summarizes the overall security posture of your domain's publicly visible infrastructure. Think of it like a credit score, but for your website and email configuration.
Instead of digging through individual SSL certificate details, DNS records, and email headers yourself, a domain security check aggregates all of that into one result. It answers a simple question: if an attacker looked at your domain right now, how easy would you be to exploit?
This matters for several concrete reasons:
- Customer trust. Expired certificates and missing security headers signal neglect. Visitors see browser warnings. Partners question your competence.
- Email deliverability. Without proper SPF, DKIM, and DMARC records, your emails land in spam -- or worse, attackers send phishing emails that look like they come from your domain.
- Compliance requirements. Frameworks like SOC 2, ISO 27001, and PCI DSS all require baseline security controls that a domain security scan directly measures.
- Attack surface reduction. Every misconfigured header, every missing DNS record, every outdated TLS version is an opportunity for an attacker. A website security grade highlights them all in one place.
The good news: checking your domain security score takes less than 30 seconds and costs nothing.
What Gets Checked in a Security Scan
A comprehensive free domain security scanner evaluates five critical areas of your domain's external attack surface. Each area receives its own score from 0 to 100, and they are combined into a weighted total that determines your final grade.
1. SSL/TLS Certificate (25% of total score)
This checks whether your site uses HTTPS properly. The scan verifies your certificate is valid, not expired, uses a trusted certificate authority, supports modern TLS versions (1.2 or 1.3), and avoids weak cipher suites. An expired or misconfigured certificate is the single fastest way to lose visitor trust.
2. DNS Configuration (15% of total score)
Your DNS records are the foundation of your domain. The scan inventories your A, AAAA, MX, CNAME, NS, and TXT records, checks for DNSSEC (which prevents DNS spoofing), and flags issues like dangling CNAMEs or missing MX records that could expose you to subdomain takeover or email delivery failures.
3. HTTP Security Headers (20% of total score)
Security headers tell browsers how to behave when loading your site. The scan checks for six critical headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Permissions-Policy, and Referrer-Policy. Missing headers leave your users vulnerable to clickjacking, XSS, and data leakage. For a deep dive on implementing each one, see our complete guide to HTTP security headers.
4. Email Authentication (25% of total score)
Email authentication records prevent attackers from sending emails that impersonate your domain. The scan checks for three DNS-based protocols: SPF (which servers are allowed to send email for your domain), DKIM (cryptographic signatures that verify email integrity), and DMARC (the policy that tells receiving servers what to do with unauthenticated email). Missing any of these is a serious gap. Our SPF, DKIM, and DMARC setup guide walks through configuring all three.
5. Uptime and Performance (15% of total score)
The scan makes an HTTP request to your domain and measures the response. It checks for a successful status code (200), measures response latency, flags excessive redirect chains, and detects timeouts. A slow or unresponsive domain is both a user experience problem and a potential indicator of infrastructure issues.
Here is how the scoring weights break down:
| Category | Weight | What It Covers |
|---|---|---|
| SSL/TLS | 25% | Certificate validity, chain, protocol version, ciphers |
| DNS | 15% | Record inventory, DNSSEC, dangling records |
| HTTP Headers | 20% | HSTS, CSP, X-Frame-Options, and 3 more |
| Email Auth | 25% | SPF, DKIM, DMARC presence and policy |
| Uptime | 15% | HTTP status, latency, redirects, timeouts |
How to Check Your Domain's Security Score
Running a domain security check with Scanward takes three steps and about 30 seconds of your time.
Step 1: Go to scanward.com and find the free scanner on the homepage.
Step 2: Enter your domain name (for example, yourcompany.com) and click Scan. You do not need an account for the free scan. No email required. No credit card.
Step 3: Review your results. Within seconds, you will see your overall grade (A through F), individual scores for each of the five categories, and specific findings with details about what passed and what needs attention.
Each finding includes enough context to understand the issue. For example, if your SSL certificate expires in 12 days, the scan tells you exactly that -- along with the expiry date and what to do about it.
That is it. No installing agents on your server, no providing login credentials, no waiting for a report to be emailed. The scan runs entirely from the outside, just like an attacker would see your domain.
Understanding Your Grade
Your domain security score maps to a letter grade based on these thresholds:
| Grade | Score Range | What It Means |
|---|---|---|
| A | 90 -- 100 | Excellent. All major security controls are in place and properly configured. You are well-protected against common external attacks. |
| B+ | 80 -- 89 | Good. Most controls are present but there are minor gaps. A few quick fixes will get you to an A. |
| B- | 70 -- 79 | Fair. The basics are covered but notable security headers or email auth records are missing. |
| C+ | 60 -- 69 | Below average. Multiple security controls are missing. Your domain is vulnerable to common attacks. |
| C- | 50 -- 59 | Poor. Significant gaps in your security configuration. Immediate action recommended. |
| D | 40 -- 49 | Very poor. Critical protections like SSL or DMARC are missing or broken. Your domain is at serious risk. |
| F | 0 -- 39 | Failing. Fundamental security infrastructure is absent or severely misconfigured. Fix this immediately. |
Most domains score somewhere between C+ and B+ on their first scan. That is normal. The important thing is knowing where you stand and what to fix first.
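The weights and grade bands from the two tables, worked through as an added example (this is not Scanward's scoring code). It assumes each band starts at its lower bound, so a fractional total such as 89.5 is a B+; the function names and the sample scores are constructed for illustration.

```python
# Weights and grade bands are copied from the two tables on this page.
WEIGHTS = {"ssl": 25, "dns": 15, "headers": 20, "email": 25, "uptime": 15}
GRADE_FLOORS = [(90, "A"), (80, "B+"), (70, "B-"), (60, "C+"),
                (50, "C-"), (40, "D"), (0, "F")]


def total_score(scores):
    """Weighted total (0-100) from per-category scores (each 0-100)."""
    if set(scores) != set(WEIGHTS):
        raise ValueError("expected exactly these categories: %s" % sorted(WEIGHTS))
    for name, value in scores.items():
        if not 0 <= value <= 100:
            raise ValueError("%s score out of range: %r" % (name, value))
    return sum(WEIGHTS[c] * scores[c] for c in WEIGHTS) / 100


def grade(total):
    """Map a total to a letter. Assumption: each band starts at its lower
    bound, so a fractional total such as 89.5 lands in the lower band."""
    for floor, letter in GRADE_FLOORS:
        if total >= floor:
            return letter
    raise ValueError("total below 0")


def fix_order(scores):
    """Categories ranked by weighted points currently lost, largest first."""
    lost = {c: WEIGHTS[c] * (100 - scores[c]) / 100 for c in WEIGHTS}
    return sorted(((c, p) for c, p in lost.items() if p > 0),
                  key=lambda item: item[1], reverse=True)


# Constructed sample: solid TLS and uptime, weak email auth, few headers.
sample = {"ssl": 95, "dns": 70, "headers": 40, "email": 30, "uptime": 100}

if __name__ == "__main__":
    t = total_score(sample)
    print(t, grade(t))
    for category, points in fix_order(sample):
        print("%-8s costs %.2f points" % (category, points))
```

Because email authentication carries 25% of the total, a domain that scores 0 there cannot exceed 75 (a B-) even when every other category is perfect.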
Quick Wins to Improve Your Score
If your first scan comes back lower than you expected, these are the highest-impact fixes for each category. Most can be done in under an hour.
SSL/TLS: Renew and upgrade
If your certificate is expired or expiring soon, renew it immediately. If you are using a free certificate from Let's Encrypt, set up auto-renewal with certbot renew so it never expires again. Make sure your server supports TLS 1.2 and 1.3 and has disabled TLS 1.0 and 1.1. In your web server config, that typically looks like:
```nginx
# Nginx example
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
```
DNS: Enable DNSSEC
DNSSEC prevents attackers from poisoning your DNS responses. Most registrars (Cloudflare, Namecheap, Google Domains) offer one-click DNSSEC activation. Check your registrar's DNS settings and enable it. While you are there, audit your records for any stale CNAMEs pointing to services you no longer use -- those are subdomain takeover risks.
HTTP Headers: Add the missing six
If your scan flags missing security headers, adding them to your web server or CDN configuration is usually a single config change. Here is a baseline set of headers that covers the essentials:
```nginx
# Nginx example — add to your server block
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'" always;
add_header X-Frame-Options "DENY" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
```
Start with HSTS and X-Content-Type-Options first -- they are safe to deploy immediately. Content-Security-Policy requires more care since a restrictive policy can break inline scripts. For a step-by-step walkthrough, read our HTTP security headers guide.
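To confirm the six headers are actually being served, here is an added example (not Scanward's code) that audits a captured response head. The function names, the finding strings, and the sample response are constructed for illustration.

```python
REQUIRED = ("strict-transport-security", "content-security-policy",
            "x-frame-options", "x-content-type-options",
            "permissions-policy", "referrer-policy")


def parse_headers(raw):
    """Parse a response head (e.g. `curl -sI` output) into {lowercase name: value}."""
    headers = {}
    for line in raw.splitlines()[1:]:        # [1:] skips the status line
        if not line.strip():
            break                            # a blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:                              # a repeated header keeps its last value
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(headers):
    """Return findings for the six headers; an empty list means all checks pass."""
    findings = ["missing: " + h for h in REQUIRED if h not in headers]
    if "strict-transport-security" in headers:
        ages = [d.split("=", 1)[1].strip().strip('"')
                for d in headers["strict-transport-security"].lower().split(";")
                if d.strip().startswith("max-age=")]
        if not (ages and ages[0].isdigit() and int(ages[0]) > 0):
            findings.append("weak: strict-transport-security lacks a positive max-age")
    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("weak: x-content-type-options is not nosniff")
    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("weak: x-frame-options is not DENY or SAMEORIGIN")
    return findings


# Constructed sample: a response captured after a deploy overwrote the server block.
AFTER_DEPLOY = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=0
X-Frame-Options: ALLOWALL
X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    for finding in audit(parse_headers(AFTER_DEPLOY)):
        print(finding)
```

Feed it the output of `curl -sI` in a post-deploy check. In Nginx, a `location` block that contains its own `add_header` stops inheriting the server-level ones, which is a common way these headers disappear.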
Email Auth: Set up SPF, DKIM, and DMARC
These three DNS records work together to prevent email spoofing. If you are missing any of them, add them in this order:
1. SPF -- add a TXT record to your domain's DNS:
v=spf1 include:_spf.google.com ~all
Replace the include with your actual email provider's SPF domain.
2. DKIM -- generate a DKIM key pair through your email provider (Google Workspace, Microsoft 365, etc.) and publish the public key as a TXT record on a selector subdomain.
3. DMARC -- add a TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
Start with p=none if you want to monitor before enforcing, then move to quarantine or reject once you have confirmed legitimate email is passing. Our SPF, DKIM, and DMARC guide covers the full setup process with examples for every major email provider.
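Presence alone does not mean the records enforce anything, so this added example (not Scanward's code) evaluates an SPF and a DMARC record the way the steps above describe them. The function names, the finding strings, and the sample records are constructed; `example.com` and the report mailbox are placeholders.

```python
def check_spf(txt_records):
    """Findings for the SPF policy among a domain's TXT records."""
    spf = [r.lower().split() for r in txt_records
           if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:  # none published, or several (receivers return permerror)
        return ["spf: expected exactly one v=spf1 record, found %d" % len(spf)]
    terms = spf[0][1:]
    names = [t.lstrip("+-~?").replace("=", ":").replace("/", ":").split(":")[0]
             for t in terms]
    findings = []
    # These terms cost a DNS lookup each; RFC 7208 caps an evaluation at 10.
    # Lookups nested inside include: targets count too but need live DNS.
    if sum(n in ("include", "a", "mx", "ptr", "exists", "redirect") for n in names) > 10:
        findings.append("spf: more than 10 DNS-lookup terms")
    if "all" in names:
        term = terms[names.index("all")]
        if term[0] in "+?a":  # "+all", "?all" or bare "all" (implicit "+")
            findings.append("spf: '%s' does not restrict who may send" % term)
    elif "redirect" not in names:
        findings.append("spf: no 'all' term, unlisted senders are not rejected")
    return findings


def check_dmarc(record):
    """Findings for the TXT record published at _dmarc.<domain>."""
    tags = {k.strip().lower(): v.strip()
            for k, _, v in (part.partition("=") for part in record.split(";"))}
    if tags.get("v") != "DMARC1":
        return ["dmarc: record does not declare v=DMARC1"]
    policy, pct = tags.get("p", "").lower(), tags.get("pct", "100")
    findings = []
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: missing or invalid p= tag")
    elif policy == "none":
        findings.append("dmarc: p=none only monitors, failing mail is still delivered")
    elif pct.isdigit() and int(pct) < 100:
        findings.append("dmarc: pct=%s enforces on only part of failing mail" % pct)
    if "rua" not in tags:
        findings.append("dmarc: no rua= tag, so no aggregate reports arrive")
    return findings


# Constructed records; example.com and the report mailbox are placeholders.
TXT = ["google-site-verification=constructed", "v=spf1 include:_spf.google.com ~all"]
DMARC_MONITOR = "v=DMARC1; p=none"

if __name__ == "__main__":
    print(check_spf(TXT), check_dmarc(DMARC_MONITOR))
```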
Uptime: Fix redirects and slow responses
If your uptime score is low, check for unnecessary redirect chains. A common issue is http://example.com redirecting to http://www.example.com which then redirects to https://www.example.com. That is three hops for what should be one. Configure a single 301 redirect from any non-canonical URL directly to your final HTTPS URL. If response times are slow, look at your server resources, database queries, and whether you have a CDN in front of your origin.
Why Continuous Monitoring Matters
A one-time domain security check tells you where you stand today. But your security posture changes constantly. Certificates expire. DNS records get modified. Someone deploys a code change that drops a security header. A provider updates their infrastructure and your email authentication breaks.
The domains that maintain an A grade are the ones being watched continuously. Here is what can change without warning:
- SSL certificates expire every 90 days (Let's Encrypt) or annually. One missed renewal and your visitors see a full-page browser warning.
- DNS records drift as team members add or modify records. A new CNAME for a marketing tool, a changed MX record for an email migration -- each one can impact your score.
- Deployments remove headers when server configurations get overwritten. A routine update to your Nginx config can silently drop your security headers.
- Email provider changes can invalidate your SPF or DKIM records if the provider changes their sending infrastructure and you do not update your DNS.
- New vulnerabilities emerge. A TLS cipher suite that was acceptable last year may be flagged as weak this year.
Scanward's free tier lets you monitor one domain with automatic scans every 24 hours. If your grade drops or a critical issue is detected -- like an SSL certificate expiring in less than 7 days -- you get an email alert immediately. No need to remember to run the scan manually.
For teams managing multiple domains, the Pro and Agency plans cover 10 or 50 domains with scans running every 12 or 6 hours, plus Slack alerts, historical trend data, and branded PDF reports you can share with clients or management.
The best time to find a security issue is before your customers, your auditor, or an attacker does. Continuous monitoring makes that the default.
Whether you are an IT admin responsible for a handful of company domains, a sysadmin managing infrastructure for clients, or a small business owner who just wants to make sure things are not broken -- knowing your domain security score is the first step. Fixing the issues it finds is the second. Monitoring it continuously is what keeps you safe long-term.