Dr. Who Domain Posture lives at domainposture.com — audit-grade domain evidence.
Additional context: IP + user-agent lookups that complement a dossier — useful when investigating a finding, but not part of the dossier engine itself.
cert expires in 71 days
Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.
Recommendations
Schedule certificate renewal — consider enabling auto-renewal
subject cn: hubspot.com
issuer: WE1 / Google Trust Services
valid: May 16 21:56:11 2026 GMT → Aug 14 22:56:03 2026 GMT
authorized: yes
sha256: 36:64:7A:84:5B:E2:4C:B2:AC:76:83:BB:88:31:71:67:AE:1B:15:29:48:59:82:16:74:B5:23:B0:08:A2:6D:4E
fetched 2026-06-04T00:19:03.005Z
A/AAAA records present
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
A ttl=125 104.17.92.187
A ttl=125 104.17.91.187
AAAA ttl=300 2606:4700::6811:5bbb
AAAA ttl=300 2606:4700::6811:5cbb
NS ttl=77907 jerry.ns.cloudflare.com.
NS ttl=77907 yolanda.ns.cloudflare.com.
SOA ttl=1800 jerry.ns.cloudflare.com. dns.cloudflare.com. 2406017484 10000 2400 604800 1800
CAA —
fetched 2026-06-04T00:19:03.036Z
1 MX record(s) present
Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).
fetched 2026-06-04T00:19:03.036Z
SPF present but all-qualifier unrecognised
Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).
v=spf1 redirect=_hspf.hubspot.com
fetched 2026-06-04T00:19:03.037Z
p=reject — strict policy
Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).
v=DMARC1;p=reject;pct=100;rua=mailto:bdlk5ayo@ag.dmarcian.com;ruf=mailto:bdlk5ayo@fr.dmarcian.com
v= DMARC1
p= reject
pct= 100
rua= mailto:bdlk5ayo@ag.dmarcian.com
ruf= mailto:bdlk5ayo@fr.dmarcian.com
fetched 2026-06-04T00:19:03.037Z
1/6 DKIM selectors valid
Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Check the missing selectors in your DNS provider and re-add any removed records
default: —
google: v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQChyUpWEC3e/JocNG0sWOzbnaBDJCNS2+ONlxS8BQU+GOFcixeXJQTNXle4xSqx7sy2Q+7S1yyg/SDCcW3wRlecNzW2/ooUDF1QB8uj/nMCHoapGfPRTIjD3JXO+s3x5bZ+/GRvxLjulmZmhK+MP3j1Bs6FzRZYyvQNusfPIMi17QIDAQAB
k1: —
selector1: —
selector2: —
mxvault: —
fetched 2026-06-04T00:19:03.041Z
no CORS headers — cross-origin requests blocked by default
Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).
origin https://domainposture.com
method GET
preflight status 301
access-control-* headers
access-control-allow-origin —
access-control-allow-methods —
access-control-allow-headers —
access-control-allow-credentials —
access-control-max-age —
access-control-expose-headers —
no access-control-* headers returned — site does not advertise CORS to this origin
fetched 2026-06-04T00:19:03.044Z
DNSSEC enabled — DS records present and chain validated (AD flag)
Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).
enabled yes
DS records 2371 ECDSAP256SHA256 2 d9c8a6be7fed2573e1c3c119f0f984f181f7a0c12e84a17945f15a551fc290f1, DS ECDSAP256SHA256 2 86400 1780793650 1780184650 27677 com. zX55GRa13GOkWGoIERFoVbXpvinUAjcRpJpTCnOOYBC6psx09ib4tOA7P/EG97XGX78FXbQs40M5p20Xp8IQuA==
DNSKEY records 3 key(s)
fetched 2026-06-04T00:19:03.048Z
not applicable: no _mta-sts TXT record
Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).
not applicable: no TLSRPT record
Why it matters: TLS-RPT publishes a reporting address for SMTP-TLS failures. Without it, downgrade attacks on inbound mail go unnoticed (SOC 2 CC7.2).
domain registered until 2027-02-06
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
registrar MarkMonitor Inc.
created 2005-02-06T20:02:28Z
expires 2027-02-06T20:02:28Z
statuses clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited, clientTransferProhibited https://icann.org/epp#clientTransferProhibited, clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
fetched 2026-06-04T00:19:03.278Z
last-modified Wed, 03 Jun 2026 19:37:52 GMT
link <https://www.hubspot.com/hubfs/hub_generated/template_assets/1/207924262801/1779380656911/template_footer-core-critical.min.css>; rel=preload; as=style,<https://www.hubspot.com/hubfs/hub_generated/template_assets/1/207928094053/1779380660113/template_footer-core-non-critical.min.css>; rel=preload; as=style,<https://www.hubspot.com/hubfs/hub_generated/template_assets/1/80992946022/1740999027946/template_section.min.css>; rel=preload; as=style,<https://www.hubspot.com/hubfs/hub_generated/template_assets/1/194395071286/1775141354030/template_button.min.css>; rel=preload; as=style,<https://www.hubspot.com/hubfs/hub_generated/module_assets/1/80992206983/1780492950510/module_logoCarousel.min.css>; rel=preload; as=style,<https://www.hubspot.com/hubfs/hub_generated/template_assets/1/194395071318/1768385548642/template_roundButton.min.css>; rel=preload; as=style
nel {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}
report-to {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vxUO5rjAdOBd%2BCsnjnZO3HsXUa%2B%2F6UiwzNAgDyXQfqVyfveT88apjcDWaEKfvQAKfN0tDnN3BKwCQMShdSs4hH1bxxSsn%2BJmYVNyNbqG1fPSCIHEJGUCGqqeKXWKCpop6A%3D%3D"}],"group":"cf-nel","max_age":604800}
set-cookie __cf_bm=pr375tIUI2zVVKh2aqrNcxWohK0wH.z_7Pj1gmQe268-1780532343.1617-1.0.1.1-gVv_tr8F6dcHBeq8aFQMSak9U6hE79SQNDUsMcf0pBFuNXQNYewhDE2hweFh3d4gbaMVuxxGwHNLVyJlAKkmK020ny9bph94MgQsr1.nSwA4mK.CGs5HOuYpOzfpf0ul; HttpOnly; SameSite=None; Secure; Path=/; Domain=www.hubspot.com; Expires=Thu, 04 Jun 2026 00:49:03 GMT
x-hs-cache-config BrowserCache-0s-EdgeCache-0s
x-hs-cache-control s-maxage=36000, max-age=0
x-hs-cfworker-meta {"contentType":"SITE_PAGE","resolver":"PreRenderedContentResolver"}
x-hs-content-id 194001295991
x-hs-prerendered Wed, 03 Jun 2026 19:37:52 GMT
HTTPS served correctly
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).
final status: 200 · 2 hops
[301] https://hubspot.com/
[200] https://www.hubspot.com/
fetched 2026-06-04T00:19:03.336Z
HTTPS surface reachable (robots ✓, sitemap ✓, title ✓)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt
present
sitemap.xml
present — 323 url(s)
head
title HubSpot | Software & Tools for your Business - Homepage
description HubSpot
social
og:description HubSpot
og:title HubSpot | Software & Tools for your Business - Homepage
twitter:card summary_large_image
twitter:description HubSpot
twitter:title HubSpot | Software & Tools for your Business - Homepage
fetched 2026-06-04T00:19:03.387Z
check failed: crt.sh: AbortError: This operation was aborted; certspotter: Error: certspotter http 429
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).
A-
Audit-ready · 3 minor advisories
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass 12
Warn 3
Fail 0
What an auditor would flag first
low SPF
SPF present but all-qualifier unrecognised
SOC 2 CC6.7 ISO 27001 A.13.2.1
low DKIM
1/6 DKIM selectors valid
SOC 2 CC6.7
low TLS certificate
cert expires in 71 days
SOC 2 CC6.6 ISO 27001 A.13.1.1
15-check summary
DNS records: A/AAAA records present
MX: 1 MX record(s) present
SPF: SPF present but all-qualifier unrecognised
DMARC: p=reject — strict policy
DKIM: 1/6 DKIM selectors valid
TLS certificate: cert expires in 71 days
Redirect chain: HTTPS served correctly
Security headers: 1 security header(s) missing
CORS: no CORS headers — cross-origin requests blocked by default
Web surface: HTTPS surface reachable (robots ✓, sitemap ✓, title ✓)
MTA-STS: not applicable: no _mta-sts TXT record
TLS-RPT: not applicable: no TLSRPT record
DNSSEC: DNSSEC enabled — DS records present and chain validated (AD flag)
WHOIS: domain registered until 2027-02-06
Certificate Transparency: check failed: crt.sh: AbortError: This operation was aborted; certspotter: Error: certspotter http 429