DNS Tool

Executive's DNS Intelligence Brief

Generated 11 Feb 2026, 17:15 UTC
Duration 15.0s
Integrity 1accdbe5f0a5aab87bd1f055ab1adf33d1d06283c7f29fce67b889e4e9efb4b9e7c7a05e4c80f9f21d3324be0ac789b58335278419ad4a8f78b1da5502a10507

TLP:AMBER

Limited disclosure — recipients may share within their organization only

Subject Domain

weather.gov

Executive's DNS Intelligence Brief

Board-level domain security assessment — weather.gov

11 Feb 2026, 17:15 UTC · 15.0s · SHA-3-512: 1acc✱✱✱✱ Verify

Engineer

DNS Security & Trust Posture

Risk Level: High Risk

2 protocols configured, 4 not configured

1 action required 2 recommendations

Email Spoofing

Partial

Brand Impersonation

Not Set Up

DNS Tampering

Protected

Certificate Control

Open

What Requires Attention

Critical No SPF record

Recommended DKIM not discoverable via common selectors — may be configured with custom or rotating selectors (RFC 6376 §3.6.2.1)

Recommended No CAA records

The BIG Questions

Can this domain be impersonated by email? Not Assessed

Can DNS itself be tampered with? Not Assessed

Can this brand be convincingly faked? Not Assessed

Is mail transport encryption enforced? Not Assessed

Is certificate issuance controlled? Not Assessed

Domain Overview

Registrar get.gov (Registrant: REDACTED FOR PRIVACY)

Email Provider Unknown

Web Hosting Unknown

DNS Hosting Akamai Edge DNS

Technical Findings

Email Authentication

SPF (Sender Policy) Partial

DMARC (Policy) Configured Policy: reject

DKIM (Signatures) Not Detected

Mail Posture No-Mail: Partial

Mail Transport Security

MTA-STS Partial

DANE / TLSA Hosted Provider No MX records available — DANE check skipped

TLS-RPT (Reporting) Not Configured

Mail Transport Not assessed

DNS Security

DNSSEC Signed & Validated

DNSSEC fully configured and validated — AD (Authenticated Data) flag set by resolver 8.8.8.8 confirming cryptographic chain of trust from root to zone (RFC 4035 §3.2.3)

NS Delegation Healthy

Brand & Certificate Controls

BIMI (Brand Logo) Not Configured

CAA (Certificate) Open Any certificate authority may issue certificates

Priority Actions 6 total Achievable: Low Risk

Critical Publish SPF record

SPF (Sender Policy Framework) tells receiving mail servers which IP addresses are authorized to send email for your domain. Without SPF, any server can claim to send as your domain.

yourdomain.com TXT "v=spf1 include:_spf.google.com ~all"

Medium Add CAA records

Publish CAA DNS records to restrict which Certificate Authorities can issue TLS certificates for your domain. Specify your preferred CA (e.g., letsencrypt.org, digicert.com).

yourdomain.com CAA 0 issue "letsencrypt.org"

Medium Deploy MTA-STS policy

Publish an MTA-STS DNS record and host a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt. This tells senders to require TLS when delivering mail to your domain.

_mta-sts.yourdomain.com TXT "v=STSv1; id=20240101"

Low Verify DKIM configuration

DKIM selectors were not discoverable via common selector names. This does not confirm DKIM is absent — your provider may use custom or rotating selectors that cannot be enumerated through DNS (RFC 6376 §3.6.2.1). Check your email provider's DKIM settings to confirm signing is enabled.

selector1._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=<public_key>"

Low Configure TLS-RPT reporting

TLS-RPT (TLS Reporting) sends you reports about TLS connection failures when other servers try to deliver mail to your domain. Helps diagnose MTA-STS and STARTTLS issues.

_smtp._tls.yourdomain.com TXT "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com"

Low Configure BIMI brand logo

Publish a BIMI DNS record pointing to your brand logo (SVG Tiny PS format). For full support in Gmail, you will also need a Verified Mark Certificate (VMC).

default._bimi.yourdomain.com TXT "v=BIMI1; l=https://yourdomain.com/logo.svg"

Appendix — Additional Resources

Full technical details including raw DNS records, DKIM public keys, IP/ASN mappings, resolver consensus evidence, and verification commands are available in the Engineer's DNS Intelligence Report.

View Engineer's DNS Intelligence Report

Verify Report Integrity SHA-3-512 Has this report been tampered with? Verify below

Tamper-evident fingerprint binding this analysis to its data, domain, timestamp, and tool version.

1accdbe5f0a5aab87bd1f055ab1adf33d1d06283c7f29fce67b889e4e9efb4b9e7c7a05e4c80f9f21d3324be0ac789b58335278419ad4a8f78b1da5502a10507

12 RFCs evaluated · DNS state at 11 Feb 2026, 17:15 UTC

Rules of Engagement

What You May Do

What You May Not Do

Executive's DNS Intelligence Brief

Intelligence Dissemination

What Requires Attention

The BIG Questions

Domain Overview

Technical Findings

Email Authentication

Mail Transport Security

DNS Security

Brand & Certificate Controls

Priority Actions 6 total Achievable: Low Risk

Appendix — Additional Resources

Verify Report Integrity SHA-3-512 Has this report been tampered with? Verify below