We fan out and run the full posture check set against the domain in parallel: a live TLS handshake on port 443, DMARC and SPF lookup with full tag parsing, DNS health (DNSSEC, CAA, NS, MX, registration expiry, mail blocklists), security headers from the homepage response (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy), MTA-STS / TLS-RPT policy retrieval, and BIMI record validation.
The result is a single report with a per-tool letter grade and a worst-grade summary at the top, so you know in five seconds whether something is wrong without reading the individual sections. Click into any section to see the raw findings and the per-tool drill-down.
These are the same checks the standalone tools run, just executed together. If you only need one signal (just TLS, just DMARC), the standalone pages are linked at the bottom of this report and from the navigation.
The worst-grade pill at the top is your triage anchor. A B-overall posture is fine, but a C on TLS while everything else is an A means TLS is the thing to fix first.
Sub-section grades use the same scale as the standalone tools. They aggregate sub-findings into a single letter, so a tab labelled "DMARC: A" means the policy, tags, alignment, and reporting are all in good shape, not just one of them.
"NOT TESTED" sections appear when the domain doesn't have the corresponding feature configured (no MX records means MTA-STS / BIMI are not applicable), not when the check failed. Failed checks show a clear error message with a retry option.
How long does the full check take?
Typically 3-8 seconds. We parallelise every sub-check so you wait for the slowest one (usually the TLS handshake or RDAP lookup), not the sum of all checks. Slow domains with heavy SPF nesting or DNSSEC chain validation can occasionally push past 10 seconds.
Is the check rate-limited?
Yes - per-IP burst protection (60 checks per 5 minutes) so a runaway script can't pin our infrastructure. Real human use is well below that threshold. If you need bulk scoring across many domains, the Vendor scoring tool batches up to 25 in one shot, and Wiredepth Pro / MSP run continuous monitoring across your whole portfolio.
Does this work for non-public / internal domains?
Only public domains. Our checks come from our infrastructure - private DNS zones, internal MX, and self-signed certs on internal hosts are unreachable from the public internet. Wiredepth Enterprise can deploy on-prem probes that run the same checks from inside your network for internal hosts.
Why is my grade lower than I expected?
Most common causes: (1) DMARC at p=none (you're observing only, not enforcing), (2) SPF over the 10-lookup limit (silent permerror), (3) HSTS missing or with a too-short max-age, (4) DNSSEC partially configured (signed zone with no DS at parent). Each section explains the specific deduction.
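Cause (2) is the hardest to spot by eye because the lookups hide inside nested includes. The sketch below is an added example, not Wiredepth's check code: it counts the DNS-querying SPF terms defined in RFC 7208 section 4.6.4 along the worst-case path. The `ZONE` records, the `example.test` names, and the function names are constructed for illustration.

```python
import re

# Constructed sample TXT records standing in for live DNS answers.
ZONE = {
    "example.test": "v=spf1 a mx include:_spf.mail.example.test include:crm.example.test ~all",
    "_spf.mail.example.test": "v=spf1 include:a.mail.example.test include:b.mail.example.test ip4:192.0.2.0/24 ~all",
    "a.mail.example.test": "v=spf1 a mx exists:%{i}.rbl.example.test ~all",
    "b.mail.example.test": "v=spf1 ip4:198.51.100.0/24 ptr ~all",
    "crm.example.test": "v=spf1 include:out.crm.example.test redirect=fallback.example.test",
    "out.crm.example.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "fallback.example.test": "v=spf1 mx -all",
}

# Terms that cost one DNS lookup each (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10


def count_lookups(domain, zone, path=()):
    """Worst-case count of DNS-querying terms reachable from domain's SPF record."""
    if domain in path:  # include/redirect loop: stop descending
        return 0
    total = 0
    for term in zone.get(domain, "").split()[1:]:  # skip the v=spf1 tag
        # Drop the qualifier, then split "name:arg" or "name=arg" (CIDR suffix ignored).
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]*))?", term.lstrip("+-~?").lower())
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue  # ip4, ip6, all and unknown modifiers cost nothing
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            # The referenced record's own lookups count against the same budget.
            total += count_lookups(m.group(2), zone, path + (domain,))
    return total


def spf_verdict(domain, zone):
    """Return (lookup_count, 'permerror' if over the limit else 'ok')."""
    n = count_lookups(domain, zone)
    return n, ("permerror" if n > LIMIT else "ok")


if __name__ == "__main__":
    print(spf_verdict("example.test", ZONE))
```

The top-level record shows only four lookup terms, yet the nested records bring the total over the limit, which is why the failure goes unnoticed until a receiver returns permerror.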
How is this different from running each tool separately?
Functionally identical results - it's the same underlying check code. Convenience: one URL, one input, one report instead of seven tabs. The unified view also surfaces cross-tool findings that single-tool views miss (e.g. SPF at 9 lookups + a new sender about to be added shows up clearly side-by-side).
Can I get this continuously?
Yes - Wiredepth Starter ($30/mo) runs the full check set continuously on saved domains with alerts on regression. Pro ($79/mo) adds the threat-intel layer, all anchored on your monitored apex: brand watchlist, your-apex on leak sites, credentials at your apex in breach corpora, CVEs on the tech serving your apex, real-time CT-log subdomain alerts.