Domain check
6 sections checked · TLS 806ms · DMARC 16ms · BIMI 54ms · DNS 1232ms · Headers 804ms · MTA-STS 305ms
TLS check for
Checked 5/14/2026, 10:49:12 PM · 806ms
Excellent: TLS 1.3, valid cert, HSTS preload set.
227d until expiry
Subject Alternative Names (13)
CN=www.gov.uk, O=Government Digital Service, L=London, ST=Greater London, C=GB
issued by CN=GlobalSign RSA OV SSL CA 2018, O=GlobalSign nv-sa, C=BE
CN=GlobalSign RSA OV SSL CA 2018, O=GlobalSign nv-sa, C=BE
issued by CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
issued by CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R3
Negotiated: TLSv1.3 · TLS_AES_128_GCM_SHA256 (TLSv1.3)
TLSv1: Not supported
TLSv1.1: Not supported
TLSv1.2: Supported
TLSv1.3: Supported
AI-assisted remediation
Wiredepth Pro sends this report to our AI engine and streams back a 30-day rollout plan tailored to gov.uk, with provider-specific tips when we can infer them from the data. 10 playbooks per month on Pro, 100 on MSP.
DMARC check for
Checked 5/14/2026, 10:49:12 PM · 16ms
Solid: p=reject is enforced.
v=DMARC1;p=reject;sp=none;np=reject;adkim=s;aspf=s;fo=1;rua=mailto:[email protected]
Found on the apex domain.
v=spf1 -all
BIMI check for
Checked 5/14/2026, 10:49:12 PM · 54ms
No BIMI record published.
looked up: default._bimi.gov.uk
No VMC URL declared. Required by Gmail and Apple Mail to display the logo.
BIMI requires DMARC p=quarantine or p=reject with pct=100. Currently: policy reject, pct 100.
for gov.uk
Replace the URLs with the real locations of your SVG Tiny PS logo and VMC pem. Both must be HTTPS with a trusted cert. Gmail and Apple Mail also require DMARC at p=quarantine or p=reject and pct=100.
default._bimi  v=BIMI1; l=https://gov.uk/bimi-logo.svg; a=https://gov.uk/bimi-vmc.pem
DNS health for
Checked 5/14/2026, 10:49:12 PM · 1232ms
Some critical hardenings missing.
No CAA records published. Any CA can issue certs for this domain.
No MX records found. This domain does not receive mail.
checked IP: 151.101.0.144 (apex gov.uk (no MX)), 151.101.64.144 (apex gov.uk (no MX)), 151.101.192.144 (apex gov.uk (no MX)), 151.101.128.144 (apex gov.uk (no MX))
Domain intel on gov.uk
✓ Malware / phishing intel: clean
Domain is not on any malware-distribution feed we track.
✓ Active threat intel: clean
No active C2 / botnet IOCs against this domain.
for gov.uk
Let's Encrypt is the most common free CA. If you also use a paid CA (Sectigo, DigiCert, etc.), add additional `0 issue "<ca-host>"` records for each.
@  0 issue "letsencrypt.org"
Authorise wildcard cert issuance. Drop this record if you never need wildcard certs.
@  0 issuewild "letsencrypt.org"
Where to send incident reports if a CA detects an unauthorised issuance attempt. Point at a real mailbox.
@  0 iodef "mailto:[email protected]"
Security headers for
https://www.gov.uk/ · status 200 · checked 5/14/2026, 10:49:12 PM · 804ms
followed 1 redirect: 301 gov.uk/ → 200 www.gov.uk/ → 200
Functional. A few headers missing or weak.
max-age=31536000; preload
default-src 'self'; base-uri 'none'; script-src 'self' www.google-analytics.com ssl.google-analytics.com stats.g.doubleclick.net www.googletagmanager.com www.region1.google-analytics.com region1.google-analytics.com www.google.co.uk analytics.google.com *.analytics.google.com www.google.com www.gstatic.com *.ytimg.com www.youtube.com www.youtube-nocookie.com 'nonce-vQLnAVSSvqGdI7p4VEgwSw=='; style-src 'self' www.gstatic.com; font-src 'self'; connect-src 'self' *.publishing.service.gov.uk www.gov.uk *.dev.gov.uk www.google-analytics.com ssl.google-analytics.com stats.g.doubleclick.net www.googletagmanager.com www.region1.google-analytics.com region1.google-analytics.com www.google.co.uk analytics.google.com *.analytics.google.com www.google.com lux.speedcurve.com; object-src 'none'; frame-src 'self' *.publishing.service.gov.uk www.gov.uk *.dev.gov.uk www.youtube.com www.youtube-nocookie.com; frame-ancestors 'self' *.publishing.service.gov.uk www.gov.uk *.dev.gov.uk; report-uri https://csp-reporter.publishing.service.gov.uk/report; img-src 'self' *.publishing.service.gov.uk www.gov.uk *.dev.gov.uk www.google-analytics.com ssl.google-analytics.com stats.g.doubleclick.net www.googletagmanager.com www.region1.google-analytics.com region1.google-analytics.com www.google.co.uk analytics.google.com *.analytics.google.com www.google.com lux.speedcurve.com assets.digital.cabinet-office.gov.uk https://img.youtube.com https://i.ytimg.com https://api.os.uk data:
SAMEORIGIN
nosniff
strict-origin-when-cross-origin
interest-cohort=()
MTA-STS + TLS-RPT for
Checked 5/14/2026, 10:49:12 PM · 305ms
No MTA-STS at all. Mail in transit is not enforced.
looked up: _mta-sts.gov.uk
https://mta-sts.gov.uk/.well-known/mta-sts.txt
No TLS-RPT record found. Without it, you do not learn when receivers fail to enforce STS against your domain.
for gov.uk
The id is an opaque string. Bump it whenever you change the policy file, otherwise receivers will keep using the cached version.
_mta-sts  v=STSv1; id=20260514224913
TLS-RPT lets receivers send you JSON reports when STS / DANE fails. Point the rua at a mailbox you actually monitor.
_smtp._tls  v=TLSRPTv1; rua=mailto:[email protected]
Host the file below at https://mta-sts.gov.uk/.well-known/mta-sts.txt with a trusted TLS cert (no self-signed). Replace the mx: line(s) with each of your real mail servers. Start with mode: testing to collect TLS-RPT failure reports before raising to mode: enforce.
version: STSv1
mode: testing
mx: mail.gov.uk
max_age: 86400
Cloudflare Workers, Pages, or any static host with HTTPS can serve this. The well-known path needs a Content-Type of text/plain.