Domain Posture lives at domainposture.com — audit-grade domain evidence.
Additional context — IP and user-agent lookups that complement a dossier — is useful when investigating a finding, but is not part of the dossier engine itself.
cert valid for 136 days
Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.
subject cn: cnn.com
issuer: GlobalSign Atlas ECCR5 OV TLS CA 2025 Q2 / GlobalSign nv-sa
valid: Apr 2 18:49:02 2026 GMT → Oct 18 18:49:01 2026 GMT
authorized: yes
sha256: 04:B1:C7:14:D2:63:C6:2E:94:17:23:7B:A3:29:4B:FF:7F:3D:86:40:D8:03:AE:CA:F3:40:15:A9:A9:06:10:C0
fetched 2026-06-04T01:27:30.103Z
Grade: B
Mostly compliant · 5 items need attention
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass 10
Warn 5
Fail 0
What an auditor would flag first
medium SPF
~all softfail — receivers may still accept
SOC 2 CC6.7 ISO 27001 A.13.2.1
medium Security headers
4 security header(s) missing
SOC 2 CC6.6 ISO 27001 A.14.1.2
low DKIM
1/6 DKIM selectors valid
SOC 2 CC6.7
Need this as an artifact your auditor can verify?
Your cnn.com scan flagged 2 medium and 3 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.
15-check summary
DNS records: A/AAAA records present
MX: 1 MX record(s) present
SPF: ~all softfail — receivers may still accept
DMARC: p=reject — strict policy
DKIM: 1/6 DKIM selectors valid
TLS certificate: cert valid for 136 days
Redirect chain: HTTPS served correctly
Security headers: 4 security header(s) missing
CORS: CORS allows all origins (wildcard)
Web surface: HTTPS surface reachable (robots ✓, sitemap ✗, title ✗)
MTA-STS: not applicable: no _mta-sts TXT record
TLS-RPT: not applicable: no TLSRPT record
DNSSEC: DNSSEC not configured — no DS or DNSKEY records found
WHOIS: domain registered until 2027-09-21
Certificate Transparency: check failed: crt.sh: AbortError: This operation was aborted; certspotter: Error: certspotter http 429
1 MX record(s) present
Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).
pri=10 cnn-com.mail.protection.outlook.com.
fetched 2026-06-04T01:27:30.134Z
~all softfail — receivers may still accept
Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).
Recommendations
Move to -all (hardfail) once your mail flow is confirmed — softfail gives no real protection
v=spf1 include:cnn.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:mail.zendesk.com ~all
fetched 2026-06-04T01:27:30.135Z
p=reject — strict policy
Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).
v=DMARC1; p=reject; rua=mailto:dmarc_agg@vali.email; ruf=mailto:Njk3@ruf.vali.email
v= DMARC1
p= reject
rua= mailto:dmarc_agg@vali.email
ruf= mailto:Njk3@ruf.vali.email
fetched 2026-06-04T01:27:30.135Z
CORS allows all origins (wildcard)
Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).
Recommendations
Restrict Access-Control-Allow-Origin to specific trusted origins if this API is not fully public
origin: https://domainposture.com
method: GET
preflight status: 301
access-control-* headers:
access-control-allow-origin *
access-control-allow-methods —
access-control-allow-headers —
access-control-allow-credentials —
access-control-max-age —
access-control-expose-headers —
fetched 2026-06-04T01:27:30.142Z
not applicable: no _mta-sts TXT record
Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).
DNSSEC not configured — no DS or DNSKEY records found
Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).
Recommendations
Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar
enabled no
DS records —
DNSKEY records —
fetched 2026-06-04T01:27:30.162Z
not applicable: no TLSRPT record
Why it matters: TLS-RPT publishes a reporting address for SMTP-TLS failures. Without it, downgrade attacks on inbound mail go unnoticed (SOC 2 CC7.2).
A/AAAA records present
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
A ttl=4 151.101.195.5
A ttl=4 151.101.3.5
A ttl=4 151.101.67.5
A ttl=4 151.101.131.5
AAAA ttl=284 2a04:4e42:600::773
AAAA ttl=284 2a04:4e42:200::773
AAAA ttl=284 2a04:4e42:400::773
AAAA ttl=284 2a04:4e42::773
NS ttl=169974 ns-1242.awsdns-27.org.
NS ttl=169974 ns-1652.awsdns-14.co.uk.
NS ttl=169974 ns-378.awsdns-47.com.
NS ttl=169974 ns-587.awsdns-09.net.
SOA ttl=900 ns-1652.awsdns-14.co.uk. awsdns-hostmaster.amazon.com. 1 7200 900 1209600 86400
CAA —
TXT
ttl=300 "126953328-4422040"
ttl=300 "133461244-4422058"
ttl=300 "178953534-4422001"
ttl=300 "186844776-4422028"
ttl=300 "228426766-4422034"
ttl=300 "267933795-4422004"
ttl=300 "287893558-4422013"
ttl=300 "294913881-4422049"
ttl=300 "299762315-4422055"
ttl=300 "2baPGrmeo+RwsWdIdq/gIVSEWNb4tC9mLGQu0j4l/mduqhm06T+V9vNLXsauLyH9FwMZJSRHvj/YHGKOVWRylw=="
ttl=300 "321159687-4422031"
ttl=300 "349997471-4422043"
ttl=300 "353665828-4422052"
ttl=300 "528183251-4422019"
ttl=300 "553992719-4400647"
ttl=300 "598362927-4422061"
ttl=300 "667921863-4422007"
ttl=300 "688162515-4422037"
ttl=300 "691244352-4422022"
ttl=300 "714321471-4421998"
ttl=300 "754516718-4422064"
ttl=300 "755973593-4422016"
ttl=300 "764482256-4422025"
ttl=300 "782989862-4417942"
ttl=300 "826218936-4422046"
fetched 2026-06-04T01:27:30.133Z
ttl=300 "882269757-4422010"
ttl=300 "98f06e94-b4da-4343-86be-c6c1667205e6"
ttl=300 "MS=ms66433104"
ttl=300 "_globalsign-domain-verification=-lBuNJDFRxDkLkNbYOLBU03PlWjnPqAzBPAVUokhAw"
ttl=300 "_globalsign-domain-verification=1McxnrVkIU8RCVwwHslxDiq_r8hp3zjD_f29xgdWgF"
ttl=300 "_globalsign-domain-verification=2lybn8Z2GKCTHNehPEREKdz_jh5SahShpwOeRqCWjl"
ttl=300 "_globalsign-domain-verification=5ckEJ4VIhQ6weCdCfmfzQPVP6ED1LtCX9jw1OKX5Mv"
ttl=300 "_globalsign-domain-verification=9hlGg1_xFQ9m6kVqzsG0EO121UTChwQZQCgxCRvgyn"
ttl=300 "_globalsign-domain-verification=B57sRQpmte4G4w-gavZbVNmmNsMxGp5kcL19UP2599"
ttl=300 "_globalsign-domain-verification=MK_ZKmss4D_DdzGOsssHxxBOK6hJc6LGycFvNOESdZ"
ttl=300 "_globalsign-domain-verification=S6DssfjyL_2kgK4I2Ae_1cdPfwqRRBfB9-3ZhRGMRj"
ttl=300 "_globalsign-domain-verification=yTw3T3KnyIyTB1xG2GvVhl1zWJlFp-WqmNskdVI_65"
ttl=300 "adobe-idp-site-verification=279ead95-3581-42b7-82f4-73c97f8cebfa"
ttl=300 "adobe-sign-verification=c3dc3217f76deddcb413a23e4e665fad"
ttl=300 "anthropic-domain-verification-m5mz04=SSImxXMAW2JYkFjMJuS1EmPDk"
ttl=300 "atlassian-domain-verification=joqe6L8dNi+aisGbB1XHQa0pDc53V2l0GQQRUtLEcr2997x0+rtrAA5Zw+UgQw3u"
ttl=300 "canva-site-verification=C8ADd96ykBUHF3wyVjPyXQ"
ttl=300 "cisco-ci-domain-verification=4a1c92ef69fe42f8125c3ca9ce0696dcf6cc16fa80243257de578af593d19548"
ttl=300 "d1xTs9+kADZZSz3bPphLpkMXXxBGjqn5vsQHhi2M6lo0r8AdIbm6j8LfQXPujsywVgeGSP+AXWX0vO9Iep5cUg=="
ttl=300 "facebook-domain-verification=xszi21kow2trmw3xt3ph6s631zyu3i"
ttl=300 "globalsign-domain-verification=-Q7umwx2mj164XwLa0PsoUaWe2HBhta50GjggsT98f"
ttl=300 "globalsign-domain-verification=2lI5pahhCu_jg_2RC5GEdolQmAa4K7rhP7_OA-lZBK"
ttl=300 "google-site-verification=R-Btow3Z8oU_9H1IWU4Gm4lvUQ_OVmsfxonIKhIaiPE"
ttl=300 "google-site-verification=_QivaXNjhXy-V1y_YqrycXdAWZi2mVrcwbXerX6THeY"
ttl=300 "google-site-verification=cNhH3bbaizgJp34tQo2r1NgKE0YYLIPNOOvcBVTT5Pk"
ttl=300 "google-site-verification=j2gGPSOzQ_1vx08SNjoGR7G8PfAIAThdvkPr_KdQGkc"
ttl=300 "google-site-verification=zLPPRYQh2mgpr-Yhg_8j8Z04d1okax7bGsPDmHlrfN0"
ttl=300 "lucidlink-verification=B9TYHWKAXAA93NQ61ST71E7NW8"
ttl=300 "lucidlink-verification=DJ1GSTCH2B54BHD8A1F95X9B2M"
ttl=300 "lucidlink-verification=W6M94ET3X2JD6QNS2DS0QM5E5W"
ttl=300 "lucidlink-verification=W7R9F0YBB64121MQ8R6GX4N1D0"
ttl=300 "mixpanel-domain-verify=612e2914-a7fb-4965-95d5-19acc02797df"
ttl=300 "mongodb-site-verification=mtrxHeW3jOzWtwEwnOLpeQo9NXh6Lqas"
ttl=300 "ms=ms97284866"
ttl=300 "openai-domain-verification=dv-yGIc9wI1iK7uFqtmBqEp94Xk"
ttl=300 "stripe-verification=094254c9a60a6dc0c1c2a62294b81c0c3b9363d044151a3e562ffeac0a7c4157"
ttl=300 "stripe-verification=1488a36c1dc125ea564dc5822d1414eeed68875825aaf90df27ac3131d053935"
ttl=300 "stripe-verification=42CDB310484C1CAA878F12A73EB7505EA6E7F154731CD7E4F5ABB574DE5E7725"
ttl=300 "stripe-verification=5535d8a3c7b3517ee3765df8bd66b8a5cf70a65c3437f5be5d3a8f0108b790ef"
ttl=300 "stripe-verification=e5dad290205182f6bdbd4e72697ce3cf9a965f35cb0349d538e09706345fb673"
ttl=300 "tollbit-domain-verification=3b1766c3c41ef082750984a8a43089a81344c7af85005466c1a03c6ca1fb47dd"
ttl=300 "v=spf1 include:cnn.com._nspf.vali.email include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email include:mail.zendesk.com ~all"
ttl=300 "wiz-domain-verification=f169b3087fa1100232f46d958e368d3fe5cf9fec6285c6a12b9d1693b7ca272f"
HTTPS served correctly
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).
final status: 200 · 2 hops
[301] https://cnn.com/
[200] https://www.cnn.com/
fetched 2026-06-04T01:27:30.192Z
domain registered until 2027-09-21
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
registrar Nom-iq Ltd. dba COM LAUDE
created 1993-09-22T04:00:00Z
expires 2027-09-21T04:00:00Z
statuses:
clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
clientTransferProhibited https://icann.org/epp#clientTransferProhibited
clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
serverTransferProhibited https://icann.org/epp#serverTransferProhibited
serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
fetched 2026-06-04T01:27:30.329Z
1/6 DKIM selectors valid
Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Check the missing selectors in your DNS provider and re-add any removed records
default: —
google: —
k1: —
selector1: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsZc1FOMkCaNoC09qvvioKK+kWxS6jryfj6cm9XM/tUOFLANNhYR/x+UegUkG9Dmnr50vQw51Pc+I6zYwfxMC/AAQNblgbLkRm6+hyowhrkF3YJUtCOK8Z1XFpqC3Ra86ajMiphbHGRlkJpvvPdqqYbHayfeMbWg0Hd3FsigRfGZKAllvVO3Y8IK5Ivi6PlNf7Yr66BVPEPB99gJXqnRH8+IWmOIOwIVwrYQcDAYxmhM1tp7ULCC+1d7a9IS9X+BzxExHINvJRU5p9RBArAZPrD8/tZ91jkOF+Rf65wsGs+nKtVr6HTtjizIH2YGRiBTzBhWKGMpAgge1Xue4VQoXCQIDAQAB;
selector2: —
mxvault: —
fetched 2026-06-04T01:27:30.364Z
check failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).
crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429
HTTPS surface reachable (robots ✓, sitemap ✗, title ✗)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt: present
Sitemap: https://www.cnn.com/sitemap/news.xml
Sitemap: https://www.cnn.com/sitemap/article/cnn-underscored.xml
Sitemap: https://www.cnn.com/sitemap/section/cnn-underscored.xml
Sitemap: https://www.cnn.com/sitemap/section/politics.xml
Sitemap: https://www.cnn.com/sitemap/article/opinions.xml
Sitemap: https://www.cnn.com/sitemap/article.xml
Sitemap: https://www.cnn.com/sitemap/section.xml
Sitemap: https://www.cnn.com/sitemap/video.xml
Sitemap: https://www.cnn.com/sitemap/gallery.xml
Sitemap: https://www.cnn.com/sitemap/markets/stocks.xml
Sitemap: https://www.cnn.com/sitemap/live-story.xml
Sitemap: https://www.cnn.com/sitemap/election-center/politics.xml
Sitemap: https://www.cnn.com/sitemap/tve.xml
User-agent: AI2Bot
User-agent: Ai2Bot-Dolma
User-agent: AliyunSecBot
User-agent: Amazonbot
User-agent: amzn-searchbot
User-agent: amzn-user
User-agent: anthropic-ai
User-agent: Applebot-Extended
User-agent: Archive.org_bot
User-agent: AwarioRssBot
User-agent: AwarioSmartBot
User-agent: Brightbot 1.0
User-agent: Bytespider
User-agent: CCBot
User-agent: ChatGPT-User
User-agent: ClaudeBot
User-agent: Claude-SearchBot
User-agent: Claude-User
User-agent: Claude-Web
User-agent: cohere-ai
User-agent: cohere-training-data-crawler
User-agent: Crawlspace
User-agent: DataForSeoBot
User-agent: Diffbot
User-agent: DuckAssistBot
User-agent: EchoboxBot
User-agent: Exabot
User-agent: FacebookBot
User-agent: FriendlyCrawler
User-agent: GPTBot
User-agent: Google-Extended
User-agent: GoogleOther
User-agent: GoogleOther-Image
User-agent: GoogleOther-Video
User-Agent: IAB-Tech-Lab
User-agent: iaskspider/2.0
User-agent: ICC-Crawler
User-agent: img2dataset
User-agent: ISSCyberRiskCrawler
User-agent: ImagesiftBot
User-agent: Kangaroo Bot
User-agent: magpie-crawler
User-agent: MistralAI-user
User-agent: MyCentralAIScraperBot
User-agent: NewsNow
User-agent: news-please
User-agent: OAI-SearchBot
User-agent: omgili
User-agent: omgilibot
User-agent: PanguBot
User-agent: Panscient
User-agent: PiplBot
User-agent: PerplexityBot
User-agent: Perplexity-User
User-agent: PetalBot
User-agent: Poseidon Research Crawler
User-agent: QuillBot
User-agent: quillbot.com
User-agent: Quora-Bot
User-agent: SBIntuitionsBot
User-agent: Scrapy
User-agent: SeekrBot
User-agent: SemrushBot-OCOB
User-agent: SemrushBot-SWA
User-agent: SeznamHomepageCrawler
User-agent: Sidetrade indexer bot
User-agent: TaraGroup Intelligence Bot
User-agent: Timpibot
User-agent: TurnitinBot
User-agent: VelenPublicWebCrawler
User-agent: ViennaTinyBot
User-agent: Webzio-Extended
User-agent: YandexAdditional
User-agent: YandexAdditionalBot
User-agent: YouBot
Disallow: /
User-agent: *
Allow: /partners/ipad/live-video.json
Disallow: /*.jsx$
Disallow: *.jsx$
Disallow: /*.jsx/
Disallow: *.jsx?
Disallow: /ads/
Disallow: /aol/
Disallow: /api/
Disallow: /beta/
Disallow: /browsers/
Disallow: /cl/
Disallow: /cnews/
Disallow: /cnn_adspaces
Disallow: /cnnbeta/
Disallow: /cnnintl_adspaces
Disallow: /development
Disallow: /editionssi
Disallow: /help/cnnx.html
Disallow: /NewsPass
Disallow: /NOKIA
Disallow: /partners/
Disallow: /pipeline/
Disallow: /pointroll/
Disallow: /POLLSERVER/
Disallow: /pr/
Disallow: /PV/
Disallow: /Quickcast/
Disallow: /quickcast/
Disallow: /QUICKNEWS/
Disallow: /search
Disallow: /subscriptions/video-docs
Disallow: /terms
Disallow: /test/
Disallow: /virtual/
Disallow: /WEB-INF/
Disallow: /web.projects/
Disallow: /webview/
User-agent: Googlebot-News
Disallow: /sponsor
social: no OpenGraph or Twitter meta tags found
fetched 2026-06-04T01:27:31.123Z