
Engineer's DNS Intelligence Report

ohg-nagold.de
19 Apr 2026, 10:30 UTC · 60.7s · v26.46.21 · SHA-3-512: 475c✱✱✱✱ · Archived · Cross-Referenced
Email Spoofing: Partial
Brand Impersonation: Not Setup
DNS Tampering: Unsigned
Certificate Control: Open
Recommended: Publish an SPF record to authorize legitimate mail senders; add DMARC aggregate reporting (rua) for visibility into email authentication
Monitoring: DKIM signing inferred from provider — could not directly verify selector
Configured: DMARC (reject), DKIM (inferred via Unknown)
Not Configured: SPF, MTA-STS, TLS-RPT, BIMI, DANE, DNSSEC, CAA
Priority Actions (7 total) · Achievable posture: Moderate Risk

Critical: Publish SPF Record

Add an SPF record to authorize mail servers for this domain.

SPF tells receiving servers which IPs may send mail for your domain.
Type: TXT
Host: ohg-nagold.de (root of domain)
Value: v=spf1 ~all

Medium: Add DMARC Aggregate Reporting

Add a rua= tag to receive aggregate DMARC reports. Without reporting, you cannot monitor authentication failures.

Aggregate reports show who is sending mail as your domain and whether it passes authentication.
Type: TXT
Host: _dmarc.ohg-nagold.de (add to existing DMARC record)
Value: rua=mailto:dmarc-reports@ohg-nagold.de

Medium: Enable DNSSEC

DNSSEC is not enabled for this domain. DNSSEC provides cryptographic authentication of DNS responses, preventing cache poisoning and DNS spoofing attacks.

Low: Add BIMI Record

Your domain has DMARC reject — you qualify for BIMI, which displays your brand logo in receiving email clients that support it (Gmail, Apple Mail, Yahoo).

BIMI displays your verified brand logo next to your emails in supporting mail clients.
Type: TXT
Host: default._bimi.ohg-nagold.de (BIMI default record)
Value: v=BIMI1; l=https://ohg-nagold.de/brand/logo.svg

Low: Add CAA Records

CAA records specify which Certificate Authorities may issue certificates for your domain, reducing the risk of unauthorized certificate issuance.

CAA constrains which CAs can issue certificates for this domain.
Type: CAA
Host: ohg-nagold.de (root of domain — adjust CA to match your provider)
Value: 0 issue "letsencrypt.org"

Low: Add TLS-RPT Reporting

TLS-RPT (TLS Reporting) sends you reports about TLS connection failures when other servers try to deliver mail to your domain.

TLS-RPT sends you reports about TLS connection failures to your mail servers.
Type: TXT
Host: _smtp._tls.ohg-nagold.de (SMTP TLS reporting record)
Value: v=TLSRPTv1; rua=mailto:tls-reports@ohg-nagold.de

Low: Deploy MTA-STS

MTA-STS enforces TLS encryption for inbound mail delivery, preventing downgrade attacks on your mail transport.

MTA-STS tells sending servers to require TLS when delivering mail to your domain.
Type: TXT
Host: _mta-sts.ohg-nagold.de (MTA-STS policy record)
Value: v=STSv1; id=ohg-nagold.de

Registrar (RDAP, live): Unknown (where domain was purchased)
Email Service Provider: Unknown (Limited Protection)
Web Hosting: Unknown (where website is hosted)
DNS Hosting: Unknown (where DNS records are edited)
Footprint
Email Security

Can this domain be impersonated by email? Partially (DMARC present but no SPF)

SPF Record RFC 7208 §4 Gold

Does this domain declare who may send email on its behalf? No
Warning: No SPF record found

RFC Stance: RFC 7208 defines the SPF mechanism for domains that choose to publish sender authorization. The standard does not mandate SPF publication — it is a voluntary security control.
Operational Security: We flag its absence because any server on the internet can send email claiming to be this domain. Attackers send from a domain — they do not need the domain to have email infrastructure.
RFC Failure Mode: Unlike DMARC (where unknown tags are silently ignored per RFC 7489 §6.3), SPF with unrecognized mechanisms produces a PermError per RFC 7208 §4.6 — the record fails loudly rather than silently.
Related CVEs: CVE-2024-7208 (multi-tenant domain spoofing), CVE-2024-7209 (shared SPF exploitation), CVE-2023-51764 (SMTP smuggling bypasses SPF)

DMARC Policy RFC 7489 §6.3 Gold

Are spoofed emails rejected or quarantined? Yes — reject policy