Domain check

Running TLS, DMARC, BIMI, DNS, headers, and MTA-STS checks in parallel...

TLS / SSL

checking...

DMARC

checking...

BIMI

checking...

DNS health

checking...

Headers

checking...

MTA-STS

checking...

Subdomains

checking...

DNS & domain integrity

open standalone

DNS health for

sephora.com

Checked 5/14/2026, 10:49:12 PM · 586ms

Some critical hardenings missing.

Warnings

DNSSEC is not configured. Domain is exposed to DNS spoofing and cache poisoning.
No CAA records found. Any CA in the world can issue certificates for this domain.

Domain registration

1957d to expiry

Registrar: Network Solutions, LLC
Registered: Sep 24, 1996
Expires: Sep 23, 2031
Status: client transfer prohibited

DNSSEC

not enabled

DS record: absent
AD bit: unset
Resolver: 1.1.1.1 (Cloudflare)

CAA records (0)

No CAA records published. Any CA can issue certs for this domain.

Nameservers (4)

ns2.p201.dns.oraclecloud.net
ns4.p201.dns.oraclecloud.net
ns1.p201.dns.oraclecloud.net
ns3.p201.dns.oraclecloud.net

Mail servers (MX)

mxb-0024c501.gslb.pphosted.compriority 10
mxa-0024c501.gslb.pphosted.compriority 10

Blacklist status

clean across 6

checked IP: 91.207.212.79 (MX mxb-0024c501.gslb.pphosted.com), 185.132.182.97 (MX mxa-0024c501.gslb.pphosted.com)

✓ SpamCop
✓ Barracuda
✓ UCEPROTECT-1
✓ PSBL
✓ Mailspike
✓ 0spam

Threat-intel reputation

clean

Domain intel on sephora.com

✓ Malware / phishing intel: clean

Domain is not on any malware-distribution feed we track.

✓ Active threat intel: clean

No active C2 / botnet IOCs against this domain.

Registered 1996-09-24 - established

Established domains rarely host phishing infrastructure.

Recommendations

Enable DNSSEC in your registrar and have your DNS provider sign the zone.
Publish CAA records to restrict cert issuance, e.g. `0 issue "letsencrypt.org"`.

Auto-fix: lock down certificate issuance with CAA

for sephora.com

Let's Encrypt is the most common free CA. If you also use a paid CA (Sectigo, DigiCert, etc.), add additional `0 issue "<ca-host>"` records for each.

Type: CAA
Name: @
Value: 0 issue "letsencrypt.org"
TTL: Auto

Authorise wildcard cert issuance. Drop this record if you never need wildcard certs.

Type: CAA
Name: @
Value: 0 issuewild "letsencrypt.org"
TTL: Auto

Where to send incident reports if a CA detects an unauthorised issuance attempt. Point at a real mailbox.

Type: CAA
Name: @
Value: 0 iodef "mailto:[email protected]"
TTL: Auto

DNS → Records → Add record. Pick the type, paste Name and Content as shown below.
Set Proxy status to "DNS only" (grey cloud) for TXT / CAA records. TTL: Auto.

AI-assisted remediation

Want a tailored fix plan in plain English?

Wiredepth Pro sends this report to our AI engine and streams back a 30-day rollout plan tailored to sephora.com, with provider-specific tips when we can infer them from the data. 10 playbooks per month on Pro, 100 on MSP.

ProSee Pro plans→

Security headers

open standalone

Security headers for

sephora.com

https://www.sephora.com/ · status 403 · checked 5/14/2026, 10:49:12 PM · 323ms

followed 1 redirect: 301 sephora.com/ → 403 www.sephora.com/ → 403

Severe gaps in defensive headers.

Warnings

No Content-Security-Policy. The biggest single XSS mitigation is missing.
No X-Frame-Options or CSP frame-ancestors. Site can be embedded in a malicious iframe.

Strict-Transport-Security

weak

max-age: 31536000
includeSubDomains: no
preload: no

max-age=31536000

includeSubDomains not set.

Content-Security-Policy

missing

Content-Security-Policy header is not set.

X-Frame-Options

missing

X-Frame-Options header is not set.

X-Content-Type-Options

missing

X-Content-Type-Options header is not set.

Referrer-Policy

missing

Referrer-Policy header is not set.

Permissions-Policy

missing

Permissions-Policy header is not set.

Cross-Origin-Opener-Policy

missing

Cross-Origin-Opener-Policy header is not set.

Cross-Origin-Embedder-Policy

missing

Cross-Origin-Embedder-Policy header is not set.

Cross-Origin-Resource-Policy

missing

Cross-Origin-Resource-Policy header is not set.

Server disclosure

Server: AkamaiGHost
X-Powered-By: (not exposed)

Recommendations

Add includeSubDomains to HSTS so subdomains are also forced to HTTPS.
Once includeSubDomains and a long max-age are stable, submit to the HSTS preload list at hstspreload.org.
Start with a tight CSP, e.g. default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'. Iterate from there.
Add X-Frame-Options: DENY (or use CSP frame-ancestors).
Add X-Content-Type-Options: nosniff to stop MIME-sniffing-based attacks.
Add Referrer-Policy: strict-origin-when-cross-origin to limit referrer leaks.
Add Permissions-Policy to disable browser features you do not need (camera, microphone, geolocation, etc.).

Auto-fix: copy these headers into your server config

add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
# Tight starting policy. Iterate by inspecting CSP-Report-Only violations on a staging branch first.
add_header X-Frame-Options DENY always;
# Backstop for older browsers; CSP frame-ancestors handles modern ones.
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy strict-origin-when-cross-origin always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always;
# Disables features you almost certainly do not need. Add features back inside the parens if your site does need them.

Add inside the server { ... } block (or location / for path-scoped).
Reload with `nginx -s reload` after editing. Use `always` so headers are sent on error responses too.

AI-assisted remediation

Want a tailored fix plan in plain English?

ProSee Pro plans→

Mail transport security (MTA-STS)

open standalone

MTA-STS + TLS-RPT for

sephora.com

Checked 5/14/2026, 10:49:12 PM · 49ms

No MTA-STS at all. Mail in transit is not enforced.

Warnings

No MTA-STS DNS record at _mta-sts.sephora.com. Mail receivers cannot discover your STS policy.
Could not fetch policy at https://mta-sts.sephora.com/.well-known/mta-sts.txt. The policy file is required to enforce MTA-STS.
policy: host check failed: DNS resolution failed

DNS record

missing

looked up: _mta-sts.sephora.com

Policy file

unreachable

https://mta-sts.sephora.com/.well-known/mta-sts.txt

TLS-RPT (failure reporting)

missing

No TLS-RPT record found. Without it, you do not learn when receivers fail to enforce STS against your domain.

Recommendations

Publish a TXT record at _mta-sts.sephora.com: "v=STSv1; id=$(date +%Y%m%d%H%M%S)" (or any unique id you bump when the policy changes).
Serve a plaintext policy at https://mta-sts.sephora.com/.well-known/mta-sts.txt with version, mode, mx and max_age fields. The HTTPS cert must be trusted (no self-signed).
Publish a TLS-RPT record at _smtp._tls.sephora.com: "v=TLSRPTv1; rua=mailto:[email protected]" so receivers can report STS / TLS failures back to you.

Auto-fix: copy these MTA-STS + TLS-RPT records

for sephora.com

The id is an opaque string. Bump it whenever you change the policy file, otherwise receivers will keep using the cached version.

Type: TXT
Name: _mta-sts
Value: v=STSv1; id=20260514224913
TTL: Auto

TLS-RPT lets receivers send you JSON reports when STS / DANE fails. Point the rua at a mailbox you actually monitor.

Type: TXT
Name: _smtp._tls
Value: v=TLSRPTv1; rua=mailto:[email protected]
TTL: Auto

DNS → Records → Add record. Pick the type, paste Name and Content as shown below.
Set Proxy status to "DNS only" (grey cloud) for TXT / CAA records. TTL: Auto.

Auto-fix: serve this policy file

Host the file below at https://mta-sts.sephora.com/.well-known/mta-sts.txt with a trusted TLS cert (no self-signed). Replace the mx: line(s) with each of your real mail servers. Start with mode: testing to collect TLS-RPT failure reports before raising to mode: enforce.

version: STSv1
mode: testing
mx: mail.sephora.com
max_age: 86400

Cloudflare Workers, Pages, or any static host with HTTPS can serve this. The well-known path needs a Content-Type of text/plain.

AI-assisted remediation

Want a tailored fix plan in plain English?

ProSee Pro plans→

TLS / SSL

Certificate

Check another domain

Certificate chain (3)

Protocol support

HSTS

Want a tailored fix plan in plain English?

Email authentication

DMARC record

All tags (5)

SPF record

Recommendations

Want a tailored fix plan in plain English?

BIMI (brand logo display)

BIMI DNS record

Logo (l= asset)

VMC (a= certificate)

DMARC requirement

Want a tailored fix plan in plain English?

DNS & domain integrity

Warnings

Domain registration

DNSSEC

CAA records (0)

Nameservers (4)

Mail servers (MX)

Blacklist status

Threat-intel reputation

Recommendations

Auto-fix: lock down certificate issuance with CAA

Want a tailored fix plan in plain English?

Security headers

Warnings

Strict-Transport-Security

Content-Security-Policy

X-Frame-Options

X-Content-Type-Options

Referrer-Policy

Permissions-Policy

Cross-Origin-Opener-Policy

Cross-Origin-Embedder-Policy

Cross-Origin-Resource-Policy

Server disclosure

Recommendations

Auto-fix: copy these headers into your server config

Want a tailored fix plan in plain English?

Mail transport security (MTA-STS)

Warnings

DNS record

Policy file

TLS-RPT (failure reporting)

Recommendations

Auto-fix: copy these MTA-STS + TLS-RPT records

Auto-fix: serve this policy file

Want a tailored fix plan in plain English?