DNS Tool

Executive's DNS Intelligence Brief

Generated 11 Feb 2026, 22:42 UTC
Duration 4.8s
Version v26.12.17
Integrity 3c55e23145aa031cad5572cf2a338d58cbd431c06dc86c5ad335fecf1fa05b8894b3ec27b4f835efa6a3b4b9a4a5c6a6475ca9959ccb77894a1b35b718a8c912

TLP:AMBER

Limited disclosure — recipients may share within their organization only

Subject Domain

westbyforcongress.com

Executive's DNS Intelligence Brief

Board-level domain security assessment — westbyforcongress.com

11 Feb 2026, 22:42 UTC · 4.8s · SHA-3-512: 3c55✱✱✱✱ Verify

Engineer

DNS Security & Trust Posture

Risk Level: Medium Risk

5 protocols configured, 2 not configured

1 action required

Email Spoofing

Protected

Brand Impersonation

Not Set Up

DNS Tampering

Protected

Certificate Control

Open

What Requires Attention

Critical No DKIM found

The BIG Questions

Can this domain be impersonated by email? Not Assessed

Can DNS itself be tampered with? Not Assessed

Can this brand be convincingly faked? Not Assessed

Is mail transport encryption enforced? Not Assessed

Is certificate issuance controlled? Not Assessed

Domain Overview

Registrar GoDaddy.com, LLC

Email Provider Microsoft 365

Web Hosting Unknown

DNS Hosting GoDaddy

Technical Findings

Email Authentication

SPF (Sender Policy) Configured

DMARC (Policy) Configured Policy: quarantine

DKIM (Signatures) Not Detected

Mail Posture Email: Enabled

Mail Transport Security

MTA-STS Active Mode: enforce

DANE / TLSA Hosted Provider DANE not available — Microsoft 365 does not support inbound DANE/TLSA on its MX infrastructure

TLS-RPT (Reporting) Configured

Mail Transport Not Enforced Policy-assessed

DNS Security

DNSSEC Signed & Validated

DNSSEC fully configured and validated — AD (Authenticated Data) flag set by resolver 8.8.8.8 confirming cryptographic chain of trust from root to zone (RFC 4035 §3.2.3)

NS Delegation Healthy

Brand & Certificate Controls

BIMI (Brand Logo) Not Configured

CAA (Certificate) Open Any certificate authority may issue certificates

Priority Actions 6 total Achievable: Low Risk

Medium Enable DKIM for Microsoft 365

DKIM is only configured for third-party services, not your primary mail platform (Microsoft 365). Enable DKIM signing in Microsoft 365 settings to cover all outbound mail.

selector1._domainkey.westbyforcongress.com TXT "v=DKIM1; k=rsa; p=<public_key>"

Low Upgrade SPF to hard fail (-all)

Your SPF record uses ~all (softfail) and no DKIM signing was detected. Without DKIM, SPF is your only line of defense — upgrading to -all (hardfail) instructs receivers to reject unauthorized senders outright. Verify all legitimate sending sources are included before switching. If you configure DKIM, ~all becomes the industry-standard best practice because DMARC evaluates both SPF and DKIM alignment (RFC 7489 §10.1).

westbyforcongress.com TXT "v=spf1 include:secureserver.net -all"

Low Upgrade DMARC to reject policy

Your DMARC policy is quarantine — spoofed messages are flagged. Upgrading to p=reject blocks them entirely. Review aggregate reports to confirm legitimate senders are aligned.

_dmarc.westbyforcongress.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@westbyforcongress.com"

Low Add CAA records

Publish CAA DNS records to restrict which Certificate Authorities can issue TLS certificates for your domain. Specify your preferred CA (e.g., letsencrypt.org, digicert.com). CAA is advisory — CAs must check it before issuing, but absence means any CA can issue.

westbyforcongress.com CAA 0 issue "letsencrypt.org"

Low Deploy DANE/TLSA for email transport

DNSSEC is already enabled — you can strengthen email transport security by publishing DANE TLSA records. DANE binds your mail server's TLS certificate to DNS, preventing man-in-the-middle attacks on SMTP connections.

_25._tcp.mail.westbyforcongress.com TLSA 3 1 1 <certificate_hash>

Low Configure BIMI brand logo

Publish a BIMI DNS record pointing to your brand logo (SVG Tiny PS format). For full support in Gmail, you will also need a Verified Mark Certificate (VMC).

default._bimi.westbyforcongress.com TXT "v=BIMI1; l=https://westbyforcongress.com/logo.svg"

Appendix — Additional Resources

Full technical details including raw DNS records, DKIM public keys, IP/ASN mappings, resolver consensus evidence, and verification commands are available in the Engineer's DNS Intelligence Report.

View Engineer's DNS Intelligence Report

Verify Report Integrity SHA-3-512 Has this report been tampered with? Verify below

Tamper-evident fingerprint binding this analysis to its data, domain, timestamp, and tool version.

3c55e23145aa031cad5572cf2a338d58cbd431c06dc86c5ad335fecf1fa05b8894b3ec27b4f835efa6a3b4b9a4a5c6a6475ca9959ccb77894a1b35b718a8c912

12 RFCs evaluated · DNS state at 11 Feb 2026, 22:42 UTC

Rules of Engagement

What You May Do

What You May Not Do

Executive's DNS Intelligence Brief

Intelligence Dissemination

What Requires Attention

The BIG Questions

Domain Overview

Technical Findings

Email Authentication

Mail Transport Security

DNS Security

Brand & Certificate Controls

Priority Actions 6 total Achievable: Low Risk

Appendix — Additional Resources

Verify Report Integrity SHA-3-512 Has this report been tampered with? Verify below