Domain check
Running TLS, DMARC, BIMI, DNS, headers, and MTA-STS checks in parallel...
TLS / SSL
checking...
DMARC
checking...
BIMI
checking...
DNS health
checking...
Headers
checking...
MTA-STS
checking...
Subdomains
checking...
Domain check
Running TLS, DMARC, BIMI, DNS, headers, and MTA-STS checks in parallel...
TLS / SSL
DMARC
BIMI
DNS health
Headers
MTA-STS
Subdomains
Domain check
6 sections checked · TLS 183ms · DMARC 14ms · BIMI 76ms · DNS 543ms · Headers 274ms · MTA-STS 24ms
TLS check for
Checked 5/14/2026, 10:48:26 PM · 183ms
Solid configuration. TLS 1.3, valid cert.
149d until expiry
Or share this URL with the team that owns the records.
Headers
Subject Alternative Names (69)
CN=www.cvs.com, O=CVS Pharmacy Inc, L=Woonsocket, ST=Rhode Island, C=US
issued by CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US
CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1, O=DigiCert Inc, C=US
issued by CN=DigiCert Global Root G2, O=DigiCert Inc, OU=www.digicert.com, C=US
CN=DigiCert Global Root G2, O=DigiCert Inc, OU=www.digicert.com, C=US
issued by CN=DigiCert Global Root G2, O=DigiCert Inc, OU=www.digicert.com, C=US
Negotiated: TLSv1.3 · TLS_AES_256_GCM_SHA384 (TLSv1.3)
TLSv1
Not supported
not supportedTLSv1.1
Not supported
not supportedTLSv1.2
Supported
TLSv1.3
Supported
AI-assisted remediation
Wiredepth Pro sends this report to our AI engine and streams back a 30-day rollout plan tailored to cvs.com, with provider-specific tips when we can infer them from the data. 10 playbooks per month on Pro, 100 on MSP.
DMARC check for
Checked 5/14/2026, 10:48:26 PM · 14ms
Solid: p=reject is enforced.
v=DMARC1; p=reject; fo=1; ri=3600; rua=mailto:[email protected],mailto:e2133a63-86e3-4be6-8067-4a0049bf44b9@rep.usb.mimecastdmarcanalyzer.com; ruf=mailto:[email protected]
Found on the apex domain.
v=spf1 include:%{d}.4e.spf-protect.agari.com exists:%{i}._i.%{d}._d.espf.agari.com ~allAI-assisted remediation
Wiredepth Pro sends this report to our AI engine and streams back a 30-day rollout plan tailored to cvs.com, with provider-specific tips when we can infer them from the data. 10 playbooks per month on Pro, 100 on MSP.
BIMI check for
Checked 5/14/2026, 10:48:26 PM · 76ms
Logo + VMC + DMARC reject pct=100. Gmail and Apple Mail will display.
looked up: default._bimi.cvs.com
v=BIMI1; l=https://def0a2r1nm3zw.cloudfront.net/bimi_asset_2f16699df30a069c3d0646c6b5bc0844.svg; a=https://def0a2r1nm3zw.cloudfront.net/bimi_cert_35e49bc460ab63e570ac6a3c03bf0b01.pem
https://def0a2r1nm3zw.cloudfront.net/bimi_asset_2f16699df30a069c3d0646c6b5bc0844.svg
https://def0a2r1nm3zw.cloudfront.net/bimi_cert_35e49bc460ab63e570ac6a3c03bf0b01.pem
BIMI requires DMARC p=quarantine or p=reject with pct=100. Currently: policy reject, pct 100.
AI-assisted remediation
Wiredepth Pro sends this report to our AI engine and streams back a 30-day rollout plan tailored to cvs.com, with provider-specific tips when we can infer them from the data. 10 playbooks per month on Pro, 100 on MSP.
DNS health for
Checked 5/14/2026, 10:48:26 PM · 543ms
Major issues found. Domain is exposed.
RDAP returned 429
No CAA records published. Any CA can issue certs for this domain.
checked IP: 170.10.152.242 (MX usb-smtp-inbound-2.mimecast.com), 170.10.150.242 (MX usb-smtp-inbound-2.mimecast.com)
Domain intel on cvs.com
✓ Malware / phishing intel: clean
Domain is not on any malware-distribution feed we track.
✓ Active threat intel: clean
No active C2 / botnet IOCs against this domain.
Registered 1996-01-30 - established
Established domains rarely host phishing infrastructure.
for cvs.com
Let's Encrypt is the most common free CA. If you also use a paid CA (Sectigo, DigiCert, etc.), add additional `0 issue "<ca-host>"` records for each.
@0 issue "letsencrypt.org"Authorise wildcard cert issuance. Drop this record if you never need wildcard certs.
@0 issuewild "letsencrypt.org"Where to send incident reports if a CA detects an unauthorised issuance attempt. Point at a real mailbox.
@0 iodef "mailto:[email protected]"AI-assisted remediation
Wiredepth Pro sends this report to our AI engine and streams back a 30-day rollout plan tailored to cvs.com, with provider-specific tips when we can infer them from the data. 10 playbooks per month on Pro, 100 on MSP.
Security headers for
https://www.cvs.com/ · status 200 · checked 5/14/2026, 10:48:26 PM · 274ms
followed 1 redirect: 301 cvs.com/ → 200 www.cvs.com/ → 200
Multiple headers missing or weak.
max-age=31536000 ; includeSubDomains
default-src https://*.cvs.com https://*.caremark.com https://*.cvshealth.com 'self' https://cdn.appdynamics.com *.criteo.com *.criteo.net p11.techlab-cdn.com; script-src 'unsafe-inline' https://*.cvs.com https://*.caremark.com https://*.cvshealth.com 'self' https://d.impactradius-event.com https://*.medallia.com https://*.kampyle.com https://cdn.cookielaw.org https://*.adsrvr.org https://cookie-cdn.cookiepro.com https://geolocation.onetrust.com https://privacyportal.onetrust.com https://*.quantummetric.com https://bat.bing.com https://connect.facebook.net https://*.doubleclick.net https://tags.tiqcdn.com https://*.go-mpulse.net https://cdns.brsrvr.com https://*.adoberesources.net https://www.youtube.com/ https://*.youtube.com/ https://*.bluecore.com https://pagead2.googlesyndication.com https://tpc.googlesyndication.com https://www.googletagmanager.com https://www.googleadservices.com https://console.googletagservices.com https://cdn.appdynamics.com https://request.eprotect.vantivprelive.com https://*.adtrafficquality.google blob: p11.techlab-cdn.com; style-src 'self' 'unsafe-inline' https://*.medallia.com https://*.kampyle.com *.criteo.com *.criteo.net; connect-src https://*.cvs.com https://*.caremark.com https://*.cvshealth.com 'self' https://cvshealth.sjv.io https://*.medallia.com https://*.kampyle.com https://cdn.cookielaw.org https://*.adsrvr.org https://cookie-cdn.cookiepro.com https://geolocation.onetrust.com https://privacyportal.onetrust.com https://col.eum-appdynamics.com https://events.launchdarkly.com https://app.launchdarkly.com https://tags.tiqcdn.com https://dpm.demdex.net https://*.quantummetric.com/ https://www.youtube.com/ https://cm.everesttech.net/ https://pdx-col.eum-appdynamics.com https://securepubads.g.doubleclick.net https://pagead2.googlesyndication.com https://adobedc.demdex.net https://edge.adobedc.net https://csi.gstatic.com https://*.go-mpulse.net https://*.akstat.io/ https://*.bluecore.com https://*.akamaihd.net https://www.googletagmanager.com https://bat.bing.com https://*.adtrafficquality.google https://www.google.com https://dev.virtualearth.net https://www.facebook.com https://ad.doubleclick.net *.criteo.com *.criteo.net p11.techlab-cdn.com; img-src https://*.cvs.com https://*.caremark.com https://*.cvshealth.com 'self' http://*.corp.cvscaremark.com https://str.allinahealthaetna.com/ https://images.ctfassets.net http://images.ctfassets.net https://col.eum-appdynamics.com https://metrics-sentry.cvshealth.com https://cm.everesttech.net https://pdx-col-eum-appdynamics.com https://*.adobecqms.net https://pagead2.googlesyndication.com https://cdn.cookielaw.org https://dpm.demdex.net https://www.facebook.com https://ct.pinterest.com https://ad.doubleclick.net https://bat.bing.com https://googleads.g.doubleclick.net https://ad.doubleclick.net https://csi.gstatic.com https://www.google.com https://p.brsrvr.com https://adservice.google.com https://www.googletagmanager.com https://*.adtrafficquality.google https://cvshealth.sjv.io https://www.ojrq.net https://logs-01.loggly.com https://*.medallia.com https://*.ytimg.com/ https://*.kampyle.com *.criteo.com *.criteo.net data: blob:; frame-src https://*.ubereats.com https://*.googlesyndication.com https://console.googletagservices.com https://www.google.com https://request.eprotect.vantivprelive.com https://cvs.demdex.net https://*.fls.doubleclick.net https://securepubads.g.doubleclick.net https://td.doubleclick.net https://*.adtrafficquality.google https://cvshealth.sjv.io https://*.medallia.com https://www.youtube.com/ https://*.youtube.com/ https://*.kampyle.com *.criteo.com *.criteo.net blob:; object-src data:;
SAMEORIGIN
nosniff
add_header Referrer-Policy strict-origin-when-cross-origin always; add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always; # Disables features you almost certainly do not need. Add features back inside the parens if your site does need them.
AI-assisted remediation
Wiredepth Pro sends this report to our AI engine and streams back a 30-day rollout plan tailored to cvs.com, with provider-specific tips when we can infer them from the data. 10 playbooks per month on Pro, 100 on MSP.
MTA-STS + TLS-RPT for
Checked 5/14/2026, 10:48:26 PM · 24ms
No MTA-STS at all. Mail in transit is not enforced.
looked up: _mta-sts.cvs.com
https://mta-sts.cvs.com/.well-known/mta-sts.txt
No TLS-RPT record found. Without it, you do not learn when receivers fail to enforce STS against your domain.
for cvs.com
The id is an opaque string. Bump it whenever you change the policy file, otherwise receivers will keep using the cached version.
_mta-stsv=STSv1; id=20260514224826TLS-RPT lets receivers send you JSON reports when STS / DANE fails. Point the rua at a mailbox you actually monitor.
_smtp._tlsv=TLSRPTv1; rua=mailto:[email protected]Host the file below at https://mta-sts.cvs.com/.well-known/mta-sts.txt with a trusted TLS cert (no self-signed). Replace the mx: line(s) with each of your real mail servers. Start with mode: testing to collect TLS-RPT failure reports before raising to mode: enforce.
version: STSv1 mode: testing mx: mail.cvs.com max_age: 86400
Cloudflare Workers, Pages, or any static host with HTTPS can serve this. The well-known path needs a Content-Type of text/plain.
AI-assisted remediation
Wiredepth Pro sends this report to our AI engine and streams back a 30-day rollout plan tailored to cvs.com, with provider-specific tips when we can infer them from the data. 10 playbooks per month on Pro, 100 on MSP.