Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).
Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).
Recommendations
Move to -all (hardfail) once your mail flow is confirmed — softfail gives no real protection
Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).
Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Check the missing selectors in your DNS provider and re-add any removed records
DNSSEC not configured — no DS or DNSKEY records found
Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).
Recommendations
Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar
Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.
subject cn: ebay.com
issuer: Sectigo Public Server Authentication CA OV R40 / Sectigo Limited
valid: May 20 00:00:00 2026 GMT → Dec 4 23:59:59 2026 GMT
no CORS headers — cross-origin requests blocked by default
Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).
origin: https://domainposture.com
method: GET
preflight status: 301
access-control-* headers:
access-control-allow-origin: —
access-control-allow-methods: —
access-control-allow-headers: —
access-control-allow-credentials: —
access-control-max-age: —
access-control-expose-headers: —
no access-control-* headers returned — site does not advertise CORS to this origin
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).
HTTPS surface reachable (robots ✓, sitemap ✗, title ✓)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt: present
## BEGIN FILE ###
#
# allow-all
# DR
#
# The use of robots or other automated means to access the eBay site
# without the express permission of eBay is strictly prohibited.
# Notwithstanding the foregoing, eBay may permit automated access to
# access certain eBay pages but solely for the limited purpose of
# including content in publicly available search engines. Any other
# use of robots or failure to obey the robots exclusion standards set
# forth at <https://www.robotstxt.org/orig.html> is strictly
# prohibited.
#
# Robots & Agent Policy
#
# Checkouts are strictly for human users.
# * Automated scraping, buy-for-me agents, LLM-driven bots, or any
# end-to-end flow that attempts to place orders without human review
# is strictly prohibited.
# * Unauthorized use of automated agents in checkout may result in
# legal action under our User Agreement: https://www.ebay.com/help/policies/member-behaviour-policies/user-agreement?id=4259
# * Approved enterprise integrations must use our official API and
# comply with our API License Agreement: https://developer.ebay.com/join/api-license-agreement
#
# v27_COM_June_2026
### DIRECTIVES ###
User-agent: *
Disallow: /*_kw
Disallow: /*?maspect
Disallow: /*modules=SEARCH_REFINEMENTS_MODEL_V2
Disallow: /*redirect=mobile
Disallow: /*redirect%3Dmobile
Disallow: /*rt%3Dnc
Disallow: /*rt=nc
Disallow: /*src=urllib
Disallow: /?SSOWebDispatcher&tg=web&ru=
Disallow: /act/
Disallow: /adchoice
Disallow: /buyer-preferences
Disallow: /motors/diy/blog/*
Disallow: /motors/fnd/*
Allow: /ads.txt
Disallow: /ads
Disallow: /adsrepository
Disallow: /afs/
Disallow: /atc/
Disallow: /adell-mutfak
Disallow: /ahu-kadin
Disallow: /antika-sanat
Disallow: /arama
Disallow: */b2ajax/all-filter
Disallow: /bebek-anne
Disallow: /bilgisayar-tablet
Disallow: /cep-telefonu-ve-aksesuar
Disallow: /delicacy
Disallow: /ev-bahce
Disallow: /giyim-aksesuar
Disallow: /muzik-plak-enstruman
Disallow: /otomobil-motor-aksesuar
Allow: /b/adidas-Yeezy-Sneakers-for-Men/15709/bn_86578781?*_trkparms=*pageci:*|parentrq:*iid:0
Allow: /b/Collectible-Sneakers/bn_7000259435?*_trkparms=*pageci:*|parentrq:*iid:0
Allow: /b/Jordan-Sneakers-for-Men/15709/bn_96541848?*_trkparms=*pageci:*|parentrq:*iid:0
Allow: /b/New-Balance-Sneakers-for-Men/15709/bn_58747?*_trkparms=*pageci:*|parentrq:*iid:0
Allow: /b/Sneakers-for-Men/15709/bn_57918?*_trkparms=*pageci:*|parentrq:*iid:0
Allow: /b/*?*_mwBanner
Allow: /b/*?iid=*&var=
Allow: /b/*?iid=*&chn=ps
Allow: /b/*?iid=*&var=*&chn=ps
Disallow: /b/*,
Disallow: /b/*?iid=*&var=*&
Disallow: /b/*?iid=*&*&chn=ps
Disallow: /b/*?iid=*&var=*&*&chn=ps
Disallow: /b/*?*_nkw
Disallow: /b/*?*&
Disallow: /pe/*
Disallow: /b/*?*|
Disallow: /b/*%EF
Disallow: /b/*LH_
Disallow: /b/*_dmd=
Disallow: /b/*_dcat=
Disallow: /b/*_pgn=
Disallow: /b/*_sacat=
Disallow: /b/*_saved
Disallow: /b/*_sid=
Disallow: /b/*_sop=
Disallow: /b/*_stpos=
Disallow: /b/*DO-NOT-BID
Disallow: /b/*udhi=
Disallow: /b/*udlo=
Disallow: /b/Test-Category
Disallow: /b/eBay-Use-Only
Disallow: /b/eBay-Test-Only
Disallow: /b/LP-Parent
Disallow: /b/LL-Child
Disallow: /b/eBay-User-Tools
Disallow: /b/Test-Auctions
Disallow: /b/Attributes
Disallow: /bfl/
Disallow: /bgmt/
Disallow: /bin/
Disallow: /blueberry/
Disallow: /bo/
Disallow: /brw/
Disallow: /c/
Disallow: /cancel/
Disallow: /chocolatechip/
Disallow: /clp/
Disallow: /clt/store/
Disallow: /cnt/
Disallow: /contact/
Disallow: /csc/
Disallow: /cta/
Disallow: /ctg/
Disallow: /ctm/
Disallow: /dsc/
Disallow: /e/*?
Disallow: /easy-shop
Disallow: /ebay/cronus/
Disallow: /ebaylive/host
Disallow: /ecaptcha/
Disallow: /edc/
Disallow: /experience/fic
Disallow: /explore
Disallow: /feed/
Disallow: /fdbk/
Disallow: /ficapp/
Disallow: /fol/
Disallow: /g/api/
Disallow: /gh/cart
Disallow: /gh/collectbehaviorinfo
Disallow: /gh/collectsysteminfo
Disallow: /gh/useracquisition
Disallow: /gh/user_profile
Disallow: /gsr/
Disallow: /gss/
Disallow: /gum/
Disallow: /gwc/
Disallow: /hcp/
Disallow: /heute/
Disallow: /ico/
Disallow: /ifh
Disallow: /ipp/
Disallow: /itc/
Disallow: /itemmodules/
Disallow: /itemnotreceived/
Disallow: /
sitemap.xml: absent
head:
title: Electronics, Cars, Fashion, Collectibles & More | eBay
description: Buy & sell electronics, cars, clothes, collectibles & more on eBay, the world's online marketplace. Top brands, low prices & free shipping on many items.
Electronics, Cars, Fashion, Collectibles & More | eBay
og:description: Buy & sell electronics, cars, clothes, collectibles & more on eBay, the world's online marketplace. Top brands, low prices & free shipping on many items.
og:url: https://www.ebay.com
twitter:description: Buy & sell electronics, cars, clothes, collectibles & more on eBay, the worlds online marketplace. Top brands, low prices & free shipping on many items.
Electronics, Cars, Fashion, Collectibles & More | eBay
twitter:site: @eBay
fetched 2026-06-04T04:27:04.278Z
Grade: B
Mostly compliant · 4 items need attention
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass: 11 · Warn: 4 · Fail: 0
What an auditor would flag first
medium · SPF · ~all softfail — receivers may still accept · SOC 2 CC6.7, ISO 27001 A.13.2.1
low · DKIM · 1/6 DKIM selectors valid · SOC 2 CC6.7
low · Security headers · 3 security header(s) missing · SOC 2 CC6.6, ISO 27001 A.14.1.2
Need this as an artifact your auditor can verify?
Your ebay.com scan flagged 1 medium and 3 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.
CT log cap reached (100+ subdomains) — full enumeration truncated
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).