TLS and Email Security Checks Across Your Full Domain

What TLS checks does VeilScan perform?

VeilScan performs TLS checks against every live HTTPS host discovered across your domain:

• Certificate validity — whether the certificate is valid and issued by a trusted CA
• Certificate expiry — certificates within 30 days of expiry are flagged; expired certificates are flagged as Critical
• Cipher suite strength — weak ciphers (RC4, 3DES, NULL ciphers, EXPORT ciphers) are flagged. Modern cipher preference (AES-GCM, ChaCha20) is verified.
• Protocol version support — SSLv2, SSLv3, TLS 1.0, and TLS 1.1 are deprecated and flagged when accepted
• HSTS header — HTTP Strict Transport Security header presence, max-age value, and inclusion of subdomains directive
• Certificate chain — full chain validity including intermediate certificates

TLS misconfigurations on production subdomains expose your users to interception and man-in-the-middle attacks, and affect compliance with PCI DSS (which explicitly prohibits TLS 1.0 and 1.1) and ISO 27001.

Why do email security records matter for attack surface?

SPF, DKIM, and DMARC are DNS records that control which servers are allowed to send email from your domain and what receivers should do with unauthenticated email. Missing or misconfigured records enable email spoofing — one of the most common phishing attack vectors:

• SPF (Sender Policy Framework) — a DNS TXT record listing the mail servers authorised to send email for your domain. Without SPF, any mail server can claim to send email from your domain.
• DKIM (DomainKeys Identified Mail) — cryptographic signing of outgoing email. Without DKIM, emails cannot be verified as genuinely sent by your infrastructure.
• DMARC (Domain-based Message Authentication) — the policy that tells receiving mail servers what to do with email that fails SPF or DKIM checks. A DMARC policy of p=none is informational only — it does not prevent spoofed email from being delivered. p=quarantine or p=reject is required to block spoofed email.

A domain without a p=reject or p=quarantine DMARC policy can be spoofed to target your customers in phishing campaigns, impersonating your brand with your own domain name.

Are TLS and email checks run on all subdomains?

Yes. TLS and email checks run against the full list of discovered subdomains, not just the root domain. This is important because subdomains often have inconsistent TLS configuration — particularly staging environments, legacy service subdomains, and third-party integrations that were set up and forgotten.

Email security records (SPF, DKIM, DMARC) are checked at the root domain level since they apply to the full domain. Subdomain-specific email configuration issues are also checked where relevant.

See: What is DMARC? · What is an SPF Record? · What is DKIM? · What is a TLS Misconfiguration?

What are the most common questions?

Are TLS and email checks included on the free plan?

Yes. TLS and email security checks are included in the free scan. Findings from these checks appear at Medium or Low severity on the free plan. Critical or High severity TLS and email findings (such as an expired certificate or no DMARC policy) are detected but require a paid plan to view in full. See all plans.

What if I do not control the DNS records for my domain?

VeilScan checks what is currently published in DNS. If your DNS is managed by a third party, you will need to work with them to implement SPF, DKIM, and DMARC records. VeilScan provides the specific record values needed as remediation guidance alongside each finding.

Can VeilScan check TLS on non-standard ports?

VeilScan scans TLS on common HTTPS ports and on other ports where TLS is detected (such as SMTPS, IMAPS, or non-standard HTTPS deployments). TLS on standard HTTPS port 443 is always checked; additional ports are checked where TLS is detected during port scanning.