Domain check

Running TLS, DMARC, BIMI, DNS, headers, and MTA-STS checks in parallel...

TLS / SSL

checking...

DMARC

checking...

BIMI

checking...

DNS health

checking...

Headers

checking...

MTA-STS

checking...

Subdomains

checking...

Email authentication

open standalone

DMARC check for

sony.com

Checked 5/14/2026, 10:48:24 PM · 121ms

Monitor-only (p=none). Spoofers are not blocked.

Warnings

p=none means monitor only; spoofers are not blocked. This is a starting point, not a destination.

DMARC record

v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1;

Policy (p): none
Subdomain policy (sp): inherits p=none
Enforcement % (pct): 100%
DKIM alignment (adkim): unset · defaults to r (relaxed)
SPF alignment (aspf): unset · defaults to r (relaxed)
Aggregate reports (rua): mailto:[email protected]
Failure reports (ruf): mailto:[email protected]

All tags (5)

vDMARC1DMARC version
pnonePolicy for the domain
ruamailto:[email protected]Aggregate report URIs
rufmailto:[email protected]Forensic (failure) report URIs
fo1Failure reporting options

SPF record

Found on the apex domain.

v=spf1 include:amazonses.com include:spf.protection.outlook.com include:spfa.sony.com ip4:121.100.43.221 ip4:185.136.188.108 ip4:185.136.189.108 ip4:121.100.43.225 ip4:121.100.43.226 ip4:139.60.152.0/22 ip4:148.105.8.0/21 ip4:160.33.101.112/28 ip4:160.33.194.224/28 ip4:160.33.194.232 ip4:160.33.194.233 ip4:160.33.194.234 ip4:160.33.194.235 ip4:160.33.96.128/28 ip4:185.132.182.190 ip4:185.132.183.11 ip4:185.183.30.70 ip4:198.2.128.0/18 ip4:205.201.128.0/20 ip4:208.74.204.0/22 ip4:212.100.250.11 ip4:212.100.250.16/29 ip4:37.188.101.80/28 ip4:46.19.168.0/23 ip4:5.61.115.112/28 ip4:5.61.115.80/28 ip4:5.61.115.96/28 ip4:5.61.117.112/28 ip4:5.61.117.80/28 ip4:5.61.117.96/28 ip4:52.222.62.51/32 ip4:52.222.73.120/32 ip4:52.222.73.83/32 ip4:52.222.75.85/32 ip4:54.186.193.102/32 ip4:83.138.165.68/31 ip4:91.207.212.191 ip6:2607:fd28:0102:1:1::/80 ip6:2607:fd28:0102:3:300::/80 ip4:101.231.129.3 ip4:101.231.129.4 ip4:3.93.157.0/24 ip4:3.210.190.0/24 ip4:18.208.124.128/25 ip4:54.174.52.0/24 ip4:54.174.57.0/24 ip4:54.174.59.0/24 ip4:54.174.60.0/23 ip4:54.174.63.0/24 ip4:139.180.17.0/24 ip4:141.193.184.32/27 ip4:141.193.184.64/26 ip4:141.193.184.128/25 ip4:141.193.185.32/27 ip4:141.193.185.64/26 ip4:141.193.185.128/25 ip4:143.244.80.0/20 ip4:158.247.16.0/20 ip4:108.179.144.0/20 ip4:66.159.233.15 ip4:66.159.234.91 ip4:66.159.233.14 ip4:66.159.234.90 ip4:66.159.232.89 ip4:143.55.149.237 ip4:66.159.233.25 ip4:66.159.234.101 ip4:101.231.129.43 ip4:216.139.64.0/19 ip4:211.125.130.0/24 ip6:2001:cf8:0:b0::/64 -all

Recommendations

After 30+ days of report monitoring, move to p=quarantine, then to p=reject.

AI-assisted remediation

Want a tailored fix plan in plain English?

Wiredepth Pro sends this report to our AI engine and streams back a 30-day rollout plan tailored to sony.com, with provider-specific tips when we can infer them from the data. 10 playbooks per month on Pro, 100 on MSP.

ProSee Pro plans→

DNS & domain integrity

open standalone

DNS health for

sony.com

Checked 5/14/2026, 10:48:24 PM · 429ms

Some critical hardenings missing.

Warnings

DNSSEC is not configured. Domain is exposed to DNS spoofing and cache poisoning.
No CAA records found. Any CA in the world can issue certificates for this domain.

Domain registration

52d to expiry

Registrar: CSC Corporate Domains, Inc.
Registered: Jul 7, 1989
Expires: Jul 6, 2026
Status: client transfer prohibited, server delete prohibited, server transfer prohibited, server update prohibited

DNSSEC

not enabled

DS record: absent
AD bit: unset
Resolver: 1.1.1.1 (Cloudflare)

CAA records (0)

No CAA records published. Any CA can issue certs for this domain.

Nameservers (2)

pdns2.cscdns.net
pdns1.cscdns.net

Mail servers (MX)

mxb-001d1709.gslb.pphosted.compriority 10
mxa-001d1709.gslb.pphosted.compriority 10

Blacklist status

clean across 6

checked IP: 143.55.149.237 (MX mxb-001d1709.gslb.pphosted.com), 66.159.232.89 (MX mxa-001d1709.gslb.pphosted.com)

✓ SpamCop
✓ Barracuda
✓ UCEPROTECT-1
✓ PSBL
✓ Mailspike
✓ 0spam

Threat-intel reputation

clean

Domain intel on sony.com

✓ Malware / phishing intel: clean

Domain is not on any malware-distribution feed we track.

✓ Active threat intel: clean

No active C2 / botnet IOCs against this domain.

Registered 1989-07-07 - established

Established domains rarely host phishing infrastructure.

Recommendations

Enable DNSSEC in your registrar and have your DNS provider sign the zone.
Publish CAA records to restrict cert issuance, e.g. `0 issue "letsencrypt.org"`.

Auto-fix: lock down certificate issuance with CAA

for sony.com

Let's Encrypt is the most common free CA. If you also use a paid CA (Sectigo, DigiCert, etc.), add additional `0 issue "<ca-host>"` records for each.

Type: CAA
Name: @
Value: 0 issue "letsencrypt.org"
TTL: Auto

Authorise wildcard cert issuance. Drop this record if you never need wildcard certs.

Type: CAA
Name: @
Value: 0 issuewild "letsencrypt.org"
TTL: Auto

Where to send incident reports if a CA detects an unauthorised issuance attempt. Point at a real mailbox.

Type: CAA
Name: @
Value: 0 iodef "mailto:[email protected]"
TTL: Auto

DNS → Records → Add record. Pick the type, paste Name and Content as shown below.
Set Proxy status to "DNS only" (grey cloud) for TXT / CAA records. TTL: Auto.

AI-assisted remediation

Want a tailored fix plan in plain English?

ProSee Pro plans→

Security headers

open standalone

Security headers for

sony.com

https://www.sony.com/ · status 403 · checked 5/14/2026, 10:48:24 PM · 158ms

followed 1 redirect: 301 sony.com/ → 403 www.sony.com/ → 403

Severe gaps in defensive headers.

Warnings

No HSTS header AND not on the HSTS preload list. Browsers will not enforce HTTPS on first visit.
No Content-Security-Policy. The biggest single XSS mitigation is missing.
No X-Frame-Options or CSP frame-ancestors. Site can be embedded in a malicious iframe.

Strict-Transport-Security

missing

Strict-Transport-Security header is not set, and the domain is not on the HSTS preload list.

Content-Security-Policy

missing

Content-Security-Policy header is not set.

X-Frame-Options

missing

X-Frame-Options header is not set.

X-Content-Type-Options

missing

X-Content-Type-Options header is not set.

Referrer-Policy

missing

Referrer-Policy header is not set.

Permissions-Policy

missing

Permissions-Policy header is not set.

Cross-Origin-Opener-Policy

missing

Cross-Origin-Opener-Policy header is not set.

Cross-Origin-Embedder-Policy

missing

Cross-Origin-Embedder-Policy header is not set.

Cross-Origin-Resource-Policy

missing

Cross-Origin-Resource-Policy header is not set.

Server disclosure

Server: (not exposed)
X-Powered-By: (not exposed)

Recommendations

Add Strict-Transport-Security: max-age=31536000; includeSubDomains; preload, then submit to hstspreload.org.
Start with a tight CSP, e.g. default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'. Iterate from there.
Add X-Frame-Options: DENY (or use CSP frame-ancestors).
Add X-Content-Type-Options: nosniff to stop MIME-sniffing-based attacks.
Add Referrer-Policy: strict-origin-when-cross-origin to limit referrer leaks.
Add Permissions-Policy to disable browser features you do not need (camera, microphone, geolocation, etc.).

Auto-fix: copy these headers into your server config

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
# After 30+ days at this max-age with includeSubDomains, submit at hstspreload.org.
add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
# Tight starting policy. Iterate by inspecting CSP-Report-Only violations on a staging branch first.
add_header X-Frame-Options DENY always;
# Backstop for older browsers; CSP frame-ancestors handles modern ones.
add_header X-Content-Type-Options nosniff always;
add_header Referrer-Policy strict-origin-when-cross-origin always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), interest-cohort=()" always;
# Disables features you almost certainly do not need. Add features back inside the parens if your site does need them.

Add inside the server { ... } block (or location / for path-scoped).
Reload with `nginx -s reload` after editing. Use `always` so headers are sent on error responses too.

AI-assisted remediation

Want a tailored fix plan in plain English?

ProSee Pro plans→

Mail transport security (MTA-STS)

open standalone

MTA-STS + TLS-RPT for

sony.com

Checked 5/14/2026, 10:48:24 PM · 37ms

No MTA-STS at all. Mail in transit is not enforced.

Warnings

No MTA-STS DNS record at _mta-sts.sony.com. Mail receivers cannot discover your STS policy.
Could not fetch policy at https://mta-sts.sony.com/.well-known/mta-sts.txt. The policy file is required to enforce MTA-STS.
policy: host check failed: DNS resolution failed

DNS record

missing

looked up: _mta-sts.sony.com

Policy file

unreachable

https://mta-sts.sony.com/.well-known/mta-sts.txt

TLS-RPT (failure reporting)

missing

No TLS-RPT record found. Without it, you do not learn when receivers fail to enforce STS against your domain.

Recommendations

Publish a TXT record at _mta-sts.sony.com: "v=STSv1; id=$(date +%Y%m%d%H%M%S)" (or any unique id you bump when the policy changes).
Serve a plaintext policy at https://mta-sts.sony.com/.well-known/mta-sts.txt with version, mode, mx and max_age fields. The HTTPS cert must be trusted (no self-signed).
Publish a TLS-RPT record at _smtp._tls.sony.com: "v=TLSRPTv1; rua=mailto:[email protected]" so receivers can report STS / TLS failures back to you.

Auto-fix: copy these MTA-STS + TLS-RPT records

for sony.com

The id is an opaque string. Bump it whenever you change the policy file, otherwise receivers will keep using the cached version.

Type: TXT
Name: _mta-sts
Value: v=STSv1; id=20260514224824
TTL: Auto

TLS-RPT lets receivers send you JSON reports when STS / DANE fails. Point the rua at a mailbox you actually monitor.

Type: TXT
Name: _smtp._tls
Value: v=TLSRPTv1; rua=mailto:[email protected]
TTL: Auto

DNS → Records → Add record. Pick the type, paste Name and Content as shown below.
Set Proxy status to "DNS only" (grey cloud) for TXT / CAA records. TTL: Auto.

Auto-fix: serve this policy file

Host the file below at https://mta-sts.sony.com/.well-known/mta-sts.txt with a trusted TLS cert (no self-signed). Replace the mx: line(s) with each of your real mail servers. Start with mode: testing to collect TLS-RPT failure reports before raising to mode: enforce.

version: STSv1
mode: testing
mx: mail.sony.com
max_age: 86400

Cloudflare Workers, Pages, or any static host with HTTPS can serve this. The well-known path needs a Content-Type of text/plain.

AI-assisted remediation

Want a tailored fix plan in plain English?

ProSee Pro plans→

TLS / SSL

Warnings

Certificate

Check another domain

Certificate chain (4)

Protocol support

HSTS

Want a tailored fix plan in plain English?

Email authentication

Warnings

DMARC record

All tags (5)

SPF record

Recommendations

Want a tailored fix plan in plain English?

BIMI (brand logo display)

Warnings

BIMI DNS record

Logo (l= asset)

VMC (a= certificate)

DMARC requirement

Recommendations

Auto-fix: copy this BIMI record

Want a tailored fix plan in plain English?

DNS & domain integrity

Warnings

Domain registration

DNSSEC

CAA records (0)

Nameservers (2)

Mail servers (MX)

Blacklist status

Threat-intel reputation

Recommendations

Auto-fix: lock down certificate issuance with CAA

Want a tailored fix plan in plain English?

Security headers

Warnings

Strict-Transport-Security

Content-Security-Policy

X-Frame-Options

X-Content-Type-Options

Referrer-Policy

Permissions-Policy

Cross-Origin-Opener-Policy

Cross-Origin-Embedder-Policy

Cross-Origin-Resource-Policy

Server disclosure

Recommendations

Auto-fix: copy these headers into your server config

Want a tailored fix plan in plain English?

Mail transport security (MTA-STS)

Warnings

DNS record

Policy file

TLS-RPT (failure reporting)

Recommendations

Auto-fix: copy these MTA-STS + TLS-RPT records

Auto-fix: serve this policy file

Want a tailored fix plan in plain English?