DNS Tool

Executive's DNS Intelligence Brief

Generated 13 Feb 2026, 08:23 UTC
Duration 34.1s
Version v26.12.28
Integrity f58b1c06e38595ad47c20352784c30cbbeb8ff50ee1ee03c28481339438506ca468d838cb4c10c0e60f6f2b4487ac85dc9d6fad3916436d3ef50780f84585651

TLP:AMBER

Limited disclosure — recipients may share within their organization only

Subject Domain

blauw.com

Executive's DNS Intelligence Brief

Board-level domain security assessment — blauw.com

13 Feb 2026, 08:23 UTC · 34.1s · SHA-3-512: f58b✱✱✱✱ Verify

Engineer

DNS Security & Trust Posture

Risk Level: Medium Risk

4 protocols configured, 3 not configured

1 action required 1 recommendation

Email Spoofing

Partial

Brand Impersonation

Not Set Up

DNS Tampering

Protected

Certificate Control

Open

What Requires Attention

Critical DMARC enforcement partial — only 40% of mail subject to policy

Recommended No DMARC aggregate reporting (rua) configured — unable to monitor authentication results

The BIG Questions

Can this domain be impersonated by email? Not Assessed

Can DNS itself be tampered with? Not Assessed

Can this brand be convincingly faked? Not Assessed

Is mail transport encryption enforced? Not Assessed

Is certificate issuance controlled? Not Assessed

Domain Overview

Registrar Realtime Register B.V.

Email Provider Microsoft 365

Web Hosting Cloudflare (CDN)

DNS Hosting Unknown

Technical Findings

Email Authentication

SPF (Sender Policy) Configured

DMARC (Policy) Partial Policy: quarantine

DKIM (Signatures) Configured

Mail Posture Email: Enforced

Mail Transport Security

MTA-STS Partial

DANE / TLSA Hosted Provider DANE not available — Barracuda does not support inbound DANE/TLSA on its MX infrastructure

TLS-RPT (Reporting) Not Configured

Mail Transport Not Enforced Policy-assessed

DNS Security

DNSSEC Signed & Validated

DNSSEC fully configured and validated — AD (Authenticated Data) flag set by resolver 8.8.8.8 confirming cryptographic chain of trust from root to zone (RFC 4035 §3.2.3)

NS Delegation Healthy

Brand & Certificate Controls

BIMI (Brand Logo) Not Configured

CAA (Certificate) Open Any certificate authority may issue certificates

Priority Actions 5 total Achievable: Low Risk

Medium Add DMARC aggregate reporting

Add a rua= tag to your DMARC record to receive aggregate reports about authentication results. Without reporting, you cannot see who is sending email as your domain or whether legitimate mail is failing authentication.

_dmarc.blauw.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@blauw.com"

Medium Deploy MTA-STS policy

Publish an MTA-STS DNS record and host a policy file at https://mta-sts.blauw.com/.well-known/mta-sts.txt. This tells senders to require TLS when delivering mail to your domain.

_mta-sts.blauw.com TXT "v=STSv1; id=20240101"

Low Upgrade DMARC to reject policy

Your DMARC policy is quarantine — spoofed messages are flagged. Upgrading to p=reject blocks them entirely. Review aggregate reports to confirm legitimate senders are aligned.

_dmarc.blauw.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@blauw.com"

Low Add CAA records

Publish CAA DNS records to restrict which Certificate Authorities can issue TLS certificates for your domain. Specify your preferred CA (e.g., letsencrypt.org, digicert.com). CAA is advisory — CAs must check it before issuing, but absence means any CA can issue.

blauw.com CAA 0 issue "letsencrypt.org"

Low Configure TLS-RPT reporting

TLS-RPT (TLS Reporting) sends you reports about TLS connection failures when other servers try to deliver mail to your domain. Helps diagnose MTA-STS and STARTTLS issues.

_smtp._tls.blauw.com TXT "v=TLSRPTv1; rua=mailto:tls-reports@blauw.com"

Appendix — Additional Resources

Full technical details including raw DNS records, DKIM public keys, IP/ASN mappings, resolver consensus evidence, and verification commands are available in the Engineer's DNS Intelligence Report.

View Engineer's DNS Intelligence Report

Verify Report Integrity SHA-3-512 Has this report been tampered with? Verify below

Tamper-evident fingerprint binding this analysis to its data, domain, timestamp, and tool version.

f58b1c06e38595ad47c20352784c30cbbeb8ff50ee1ee03c28481339438506ca468d838cb4c10c0e60f6f2b4487ac85dc9d6fad3916436d3ef50780f84585651

12 RFCs evaluated · DNS state at 13 Feb 2026, 08:23 UTC

Rules of Engagement

What You May Do

What You May Not Do

Executive's DNS Intelligence Brief

Intelligence Dissemination

What Requires Attention

The BIG Questions

Domain Overview

Technical Findings

Email Authentication

Mail Transport Security

DNS Security

Brand & Certificate Controls

Priority Actions 5 total Achievable: Low Risk

Appendix — Additional Resources

Verify Report Integrity SHA-3-512 Has this report been tampered with? Verify below