Executive's DNS Intelligence Brief
TLP:AMBER
Limited disclosure — recipients may share within their organization only
DNS Security & Trust Posture
Risk Level:
Low Risk
6 protocols configured, 2 not configured, 1 unavailable on provider
Analysis Confidence
MODERATE
Resolver agreement is inconsistent for some protocols, limiting confidence. Data currency and system maturity are adequate.
Email Spoofing
Protected
Brand Impersonation
Not Set Up
DNS Tampering
Protected
Certificate Control
Open
What Requires Attention
No urgent actions detected. Domain security posture is well-maintained.
The BIG Questions
Can this domain be impersonated by email?
No
SPF and DMARC reject policy enforced
Can DNS itself be tampered with?
No
DNSSEC signed and validated, cryptographic chain of trust verified
Can this brand be convincingly faked?
Possible
DMARC reject policy blocks email spoofing (RFC 7489 §6.3), but no BIMI brand verification and no CAA certificate restriction (RFC 8659) — visual impersonation via lookalike domains and unrestricted certificate issuance remain open vectors
Is mail transport encryption enforced?
Yes
MTA-STS enforces TLS for all inbound mail delivery
Is certificate issuance controlled?
No
No CAA records — any certificate authority may issue certificates for this domain
Does this domain publish AI agent instructions?
Yes
llms.txt and llms-full.txt published — AI models receive structured context about this domain
Is AI crawling of our content controlled?
No
robots.txt present but does not block AI crawlers — content may be freely scraped
Has someone manipulated AI recommendations about us?
No
No indicators of AI recommendation manipulation found
Are there hidden AI prompts on our site?
No
No hidden prompt artifacts found in page source
Domain Overview
Registrar
Key-Systems GmbH
Email Provider
Microsoft 365
Web Hosting
Unknown
DNS Hosting
Unknown
Technical Findings
Email Authentication
Can this domain be impersonated by email?
No
— SPF and DMARC reject policy enforced
SPF (Sender Policy)
Configured
DMARC (Policy)
Configured
Policy: reject
DKIM (Signatures)
Configured
Mail Posture
Strongly Protected
Mail Transport Security
Is mail transport encryption enforced?
Yes
— MTA-STS enforces TLS for all inbound mail delivery
MTA-STS
Active
Mode: enforce
DANE / TLSA
Hosted Provider
DANE not available — Microsoft 365 does not support inbound DANE/TLSA on its MX infrastructure
TLS-RPT (Reporting)
Configured
Mail Transport
Enforced
Policy-assessed
2 probes
DNS Security
Can DNS itself be tampered with?
No
— DNSSEC signed and validated, cryptographic chain of trust verified
DNSSEC
Signed & Validated
DNSSEC fully configured and validated — AD (Authenticated Data) flag set by resolver 8.8.8.8 confirming cryptographic chain of trust from root to zone (RFC 4035 §3.2.3)
NS Delegation
Healthy
Delegation Consistency
1 Issue
NS Fleet Health
Healthy
Diversity: Fair
DNSSEC Operations
2 Issues
2 keys, 0 sigs
Brand & Certificate Controls
Can this brand be convincingly faked?
Possible
— DMARC reject policy blocks email spoofing (RFC 7489 §6.3), but no BIMI brand verification and no CAA certificate restriction (RFC 8659) — visual impersonation via lookalike domains and unrestricted certificate issuance remain open vectors
Is certificate issuance controlled?
No
— No CAA records — any certificate authority may issue certificates for this domain
BIMI (Brand Logo)
Not Configured
CAA (Certificate)
Open
Any certificate authority may issue certificates
AI Surface Scanner Governance Active
Does this domain publish AI agent instructions?
Yes
— llms.txt and llms-full.txt published — AI models receive structured context about this domain
Is AI crawling of our content controlled?
No
— robots.txt present but does not block AI crawlers — content may be freely scraped
Has someone manipulated AI recommendations about us?
No
— No indicators of AI recommendation manipulation found
Are there hidden AI prompts on our site?
No
— No hidden prompt artifacts found in page source
LLM Context File
llms.txt Found
Domain provides structured context for AI models
Extended
AI Crawler Governance
Not Blocking
No AI crawler restrictions found in robots.txt
Poisoning Indicators
None Found
No AI recommendation poisoning indicators detected
Hidden Prompt Artifacts
None Found
No hidden prompt artifacts detected
Public Exposure
Clear
No secrets detected in publicly accessible source
Priority Actions 2 total Achievable: Secure
Low
Add BIMI Record
Your domain has DMARC reject — you qualify for BIMI, which displays your brand logo in receiving email clients that support it (Gmail, Apple Mail, Yahoo).
Low
Add CAA Records
CAA records specify which Certificate Authorities may issue certificates for your domain, reducing the risk of unauthorized certificate issuance.
Appendix — Additional Resources
Full technical details including raw DNS records, DKIM public keys, IP/ASN mappings, resolver consensus evidence, and verification commands are available in the Engineer's DNS Intelligence Report.
Appendix — What AIs Are Being Told About This Organization What do AI systems see when they query this domain?
The following content is served to AI systems (ChatGPT, Gemini, Claude, Perplexity, and others) when they visit this domain. This is the organization's machine-readable narrative — it shapes how AI models describe, recommend, and represent this brand in conversations worldwide.
llms.txt (https://reconfirm.com/llms.txt)
# ReConfirm > ReConfirm is the world's first External Attack Surface Management (EASM) platform, helping organizations discover, understand, and act on their external attack surface to defend against cyber threats. ReConfirm EASM continuously maps and monitors an organization's internet-facing digital footprint — including domains, subdomains, IP addresses, cloud assets, email configurations, SSL/TLS certificates, and exposed services — to identify vulnerabilities before attackers do. ## Core Capabilities - **Discover**: Automated discovery of all internet-facing assets, including shadow IT, forgotten subdomains, and third-party services - **Understand**: Risk scoring, vulnerability assessment, and contextual analysis of discovered assets - **Act**: Actionable remediation guidance, alerting, and integration with existing security workflows ## Key Features - Vulnerability scanning and CVE detection - Email security assessment (SPF, DKIM, DMARC) - SSL/TLS certificate monitoring - Similar domain detection (typosquatting, brand abuse) - Credential leak monitoring - Dangerous open port detection - Security header analysis - Subdomain enumeration and inactive subdomain detection - Associated domain discovery - Brand protection ## For Partners ReConfirm offers a white-label partner program for MSPs, MSSPs, and distributors, providing recurring revenue opportunities with full platform customization. ## Certifications - Cybersecurity Made in Europe (ECSO) - EU-hosted infrastructure - GDPR compliant ## Links - [Product Overview](https://reconfirm.com/product) - [How It Works](https://reconfirm.com/how-it-works) - [Partner Program](https://reconfirm.com/for-partners) - [Knowledge Base](https://reconfirm.com/resources/kb) - [Blog](https://reconfirm.com/blog) - [Free Scan](https://reconfirm.com/free-scan) - [Contact](https://reconfirm.com/contact) - [Company](https://reconfirm.com/company) ## Knowledge Base ### Getting Started - [Introduction to ReConfirm EASM](https://reconfirm.com/resources/kb/getting-started/introduction) ### Understanding Scanning Results - [Vulnerability Scanning](https://reconfirm.com/resources/kb/understanding-scanning-results/vulnerability-scanning) - [Email Security](https://reconfirm.com/resources/kb/understanding-scanning-results/email-security) - [Similar Domains](https://reconfirm.com/resources/kb/understanding-scanning-results/similar-domains) - [Associated Domains](https://reconfirm.com/resources/kb/understanding-scanning-results/associated-domains) - [Assets](https://reconfirm.com/resources/kb/understanding-scanning-results/assets) - [Credential Leaks](https://reconfirm.com/resources/kb/understanding-scanning-results/credential-leaks) - [Subdomains](https://reconfirm.com/resources/kb/understanding-scanning-results/subdomains) - [Inactive Subdomains](https://reconfirm.com/resources/kb/understanding-scanning-results/inactive-subdomains) - [SSL/TLS Information](https://reconfirm.com/resources/kb/understanding-scanning-results/ssl-tls-information) ### Platform Documentation - [Introduction and Overview](https://reconfirm.com/resources/kb/platform-documentation/introduction-and-overview) - [Getting Started & First Usage](https://reconfirm.com/resources/kb/platform-documentation/getting-started-first-usage) - [Dashboard and User Interface](https://reconfirm.com/resources/kb/platform-documentation/dashboard-and-user-interface) - [System Settings & Account Management](https://reconfirm.com/resources/kb/platform-documentation/system-settings-account-management) - [Organizational View](https://reconfirm.com/resources/kb/platform-documentation/organizational-view) - [Scanning and Monitoring](https://reconfirm.com/resources/kb/platform-documentation/scanning-and-monitoring) - [Scan Results and Reporting](https://reconfirm.com/resources/kb/platform-documentation/scan-results-and-reporting) - [Integrations, Best Practices & FAQ](https://reconfirm.com/resources/kb/platform-documentation/integrations-best-practices-faq) - [Secure Software Development Lifecycle](https://reconfirm.com/resources/kb/platform-documentation/secure-software-development-lifecycle) ### Configuration - [Scan Configuration](https://reconfirm.com/resources/kb/understanding-configuration/scan-configuration) - [Scan Profiles](https://reconfirm.com/resources/kb/understanding-configuration/scan-profiles) ### Common Vulnerabilities - [Security Headers Guide](https://reconfirm.com/resources/kb/security-headers/security-headers-guide) - [List of Dangerous Open Ports](https://reconfirm.com/resources/kb/dangerous-open-ports/list-of-dangerous-open-ports) ### Integrations & Configuration - [Webhook Implementation](https://reconfirm.com/resources/kb/api-webhook/webhook-implementation) - [Custom Subdomain Sources Overview](https://reconfirm.com/resources/kb/custom-subdomain-sources/overview) - [Azure DNS Setup](https://reconfirm.com/resources/kb/custom-subdomain-sources/azure-dns-setup) - [Cloudflare DNS Setup](https://reconfirm.com/resources/kb/custom-subdomain-sources/cloudflare-dns-setup) - [NS1 DNS Setup](https://reconfirm.com/resources/kb/custom-subdomain-sources/ns1-dns-setup) - [TransIP DNS Setup](https://reconfirm.com/resources/kb/custom-subdomain-sources/transip-dns-setup) ## Blog - [ReConfirm Announces Technology Alliance with ESET in the Netherlands](https://reconfirm.com/blog/reconfirm-technology-alliance-eset-netherlands) - [ReConfirm Proudly Bearing the "Cybersecurity Made in Europe" Label](https://reconfirm.com/blog/cybersecurity-made-in-europe-label) - [External Attack Surface Monitoring (EASM)](https://reconfirm.com/blog/external-attack-surface-monitoring-easm)
llms-full.txt (https://reconfirm.com/llms-full.txt)
# ReConfirm — Full Documentation > ReConfirm is the world's first External Attack Surface Management (EASM) platform. This document provides comprehensive information for AI systems about ReConfirm's products, capabilities, and knowledge base. ## About ReConfirm ReConfirm EASM continuously maps and monitors an organization's internet-facing digital footprint to identify vulnerabilities before attackers do. Founded in the EU, ReConfirm holds the "Cybersecurity Made in Europe" label from ECSO and operates entirely on EU-hosted infrastructure. ### Core Platform Phases **1. Discover** Automated, continuous discovery of all internet-facing assets including: - Domains and subdomains (including inactive/dangling) - IP addresses and cloud services - Web applications and APIs - Email configurations - SSL/TLS certificates - Shadow IT and forgotten infrastructure **2. Understand** Contextual risk analysis of discovered assets: - Vulnerability scoring and prioritization - CVE detection and mapping - Security header analysis - Email security assessment (SPF, DKIM, DMARC) - Certificate expiration and misconfiguration detection - Credential leak monitoring from dark web sources - Similar domain detection (typosquatting, brand abuse) - Open port risk assessment **3. Act** Actionable remediation and response: - Prioritized remediation guidance - Real-time alerting and notifications - Webhook integrations for SIEM/SOAR - Exportable reports for compliance - API access for automation ### Additional Capabilities - **Brand Protection**: Detect typosquatting domains, phishing sites, and brand impersonation - **NIS2 Compliance**: Support organizations in meeting NIS2 directive requirements - **Multi-tenant Management**: Organizational view for managing multiple entities - **Custom Subdomain Sources**: Integration with Azure DNS, Cloudflare, NS1, TransIP for comprehensive subdomain enumeration ## Partner Program ReConfirm's partner program is designed for MSPs, MSSPs, VARs, and distributors: - Full white-label platform customization - Recurring revenue model - Partner enablement resources and training - Multi-tenant dashboard for client management - ESET Technology Alliance partner ## Technology Alliance ReConfirm is a Technology Alliance partner of ESET in the Netherlands, enabling ESET partners to leverage ReConfirm's EASM capabilities for their customers. ## Certifications & Compliance - **Cybersecurity Made in Europe** label (ECSO) - **GDPR compliant** data processing - **EU-hosted** infrastructure exclusively - **Privacy-first** approach to data handling ## Contact & Demo - Website: https://reconfirm.com - Free Scan: https://reconfirm.com/free-scan - Contact: https://reconfirm.com/contact - Partner Inquiries: https://reconfirm.com/for-partners ## Frequently Asked Questions **What is External Attack Surface Management (EASM)?** EASM is the process of continuously discovering, analyzing, and monitoring an organization's internet-facing assets and vulnerabilities from an attacker's perspective, without requiring agents or internal network access. **How does ReConfirm differ from vulnerability scanners?** ReConfirm discovers assets you may not know about (shadow IT, forgotten subdomains) and assesses them from an external perspective, complementing internal vulnerability scanners. **Is ReConfirm suitable for small businesses?** Yes, through the partner program, MSPs and MSSPs can offer ReConfirm EASM to businesses of any size via managed security services. **What integrations does ReConfirm support?** ReConfirm supports webhook integrations for SIEM/SOAR platforms, API access, and custom DNS source integrations (Azure, Cloudflare, NS1, TransIP).
Why this matters: This content directly influences how AI models describe your organization, products, and services. Review it for accuracy, brand alignment, and competitive positioning. If no llms.txt exists, AI models rely on whatever they can scrape — with no editorial control.
Verify Report Integrity SHA-3-512 Has this report been tampered with? Verify below
Tamper-evident fingerprint binding this analysis to its data, domain, timestamp, and tool version.
08a67d0fa9eb2a0885f0bb325e839aa9bad9e7b3a023ad3166381aac2ae8856a62acd639f91d553390bb15a4ce4911bdb9798829c04e4b8ac646ad39f1ec5fcd
12 RFCs evaluated · DNS state at 2 Apr 2026, 14:09 UTC