Dr . Who Domain Posture lives at domainposture.com — audit-grade domain evidence.
additional context — IP + user-agent lookups lookups that complement a dossier — useful when investigating a finding, but not part of the dossier engine itself.
p=reject — strict policy
Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).
v=DMARC1; p=reject; rua=mailto:dmarc_rua@emaildefense.proofpoint.com; ruf=mailto:dmarc_ruf@emaildefense.proofpoint.com;fo=1
v= DMARC1
p= reject
rua= mailto:dmarc_rua@emaildefense.proofpoint.com
ruf= mailto:dmarc_ruf@emaildefense.proofpoint.com
fo= 1 fetched 2026-06-04T02:35:28.401Z
2 MX record(s) present
Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).
pri=5 mx1.intuit.iphmx.com.pri=5 mx2.intuit.iphmx.com.fetched 2026-06-04T02:35:28.403Z
-all hardfail — strict policy
Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).
v=spf1 include:_spf1.intuit.com include:_spf3.intuit.com include:mktomail.com include:_spf.salesforce.com include:_spf.centercode.com ip4:208.74.204.0/22 ip4:69.20.83.154 ip4:166.78.224.177 ip4:96.43.144.65/28 ip4:96.43.148.65/28 ip4:96.43.151.70/28 -all
v=spf1 include:_spf1.intuit.com include:_spf3.intuit.com include:mktomail.com include:_spf.salesforce.com include:_spf.centercode.com ip4:208.74.204.0/22 ip4:69.20.83.154 ip4:166.78.224.177 ip4:96.43.144.65/28 ip4:96.43.148.65/28 ip4:96.43.151.70/28 -all fetched 2026-06-04T02:35:28.414Z
2/6 DKIM selectors valid
Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Check the missing selectors in your DNS provider and re-add any removed records
default: v=DKIM1; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCh/Pj99nBYbiKNCjicZWrH+bOsAXAVSfoVoJbBI4wOC5Qc74XFExxq8hJa8NvEpksoBkW0akwvRhz9rN6ije9lSzw0GPJRw3LiOBtERQpJKP0h2G2ZaceX/qkf66Mdxf1N31gitrKyjDFb/hB+lkLiL542QTEnx9W0yOa+kSzdWQIDAQAB;
google: v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAguizacGcNPMCLGol1uDA2OnCnrRBBz0Bnyb7ob0aaRAvrnzT9UU9dBXTIQf9FDzrLb/zFsOaOdmlUNlIGGlAkELCTMofTHmnio4BMXEJ3bAJSnNsQx6Yb/kYwQQSIQtxbS31Ds9MeFgPF8rMX4f0slLRqhuGIjtfIeBa6eq5PKX00PC1UyyvOe+y3EC8B0OYo5YtWTtsZBzJY4WkFaCWiciWtXuruUTf7N+x0dyC4XuAQSwWix3oyK3/6zloQzo02bITXEvzkk07ShNPbwWg2Zwnr4I59KN9AeEJgzRHbLxqqw/p275jdEylfzhSdvdXLeVqECEPLJ8AZvVm9KZedwIDAQAB
k1: —
selector1: —
selector2: —
mxvault: — fetched 2026-06-04T02:35:28.414Z
DNSSEC not configured — no DS or DNSKEY records found
Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).
Recommendations
Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar
enabled no
DS records —
DNSKEY records — fetched 2026-06-04T02:35:28.415Z
not applicable: no _mta-sts TXT record
Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).
not applicable: no TLSRPT record
Why it matters: TLS-RPT publishes a reporting address for SMTP-TLS failures. Without it, downgrade attacks on inbound mail go unnoticed (SOC 2 CC7.2).
A/AAAA records present
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
AAAA — NS ttl=710 a11-64.akam.net.ttl=710 a18-64.akam.net.ttl=710 dns4.p01.nsone.net.ttl=710 dns2.p01.nsone.net.ttl=710 a24-67.akam.net.ttl=710 a7-66.akam.net.ttl=710 dns3.p01.nsone.net.ttl=710 dns1.p01.nsone.net.ttl=710 a1-182.akam.net.ttl=710 a6-66.akam.net.SOA ttl=300 dns1.p08.nsone.net. nadmin.intuit.com. 1657129353 1800 1800 604800 1800CAA ttl=300 \# 56 00 05 69 6f 64 65 66 6d 61 69 6c 74 6f 3a 54 65 63 68 2d 50 49 4e 65 74 77 6f 72 6b 53 65 72 76 69 63 65 4f 70 65 72 61 74 69 6f 6e 73 40 69 6e 74 75 69 74 2e 63 6f 6dttl=300 \# 21 00 05 69 73 73 75 65 67 6c 6f 62 61 6c 73 69 67 6e 2e 63 6f 6dttl=300 \# 18 00 05 69 73 73 75 65 73 65 63 74 69 67 6f 2e 63 6f 6dttl=300 \# 19 00 05 69 73 73 75 65 64 69 67 69 63 65 72 74 2e 63 6f 6dttl=300 \# 19 00 05 69 73 73 75 65 63 6f 6d 6f 64 6f 63 61 2e 63 6f 6dttl=300 \# 17 00 05 69 73 73 75 65 61 6d 61 7a 6f 6e 2e 63 6f 6dttl=300 \# 15 00 05 69 73 73 75 65 70 6b 69 2e 67 6f 6f 67ttl=300 \# 22 00 05 69 73 73 75 65 6c 65 74 73 65 6e 63 72 79 70 74 2e 6f 72 67TXT ttl=300 "google-site-verification=57OB7Pv6cVHR-_qsjfae0SgYs0zQQXWFz4l1OKwz4xs"ttl=300 "v=spf1 include:_spf1.intuit.com include:_spf3.intuit.com include:mktomail.com include:_spf.salesforce.com include:_spf.centercode.com ip4:208.74.204.0/22 ip4:69.20.83.154 ip4:166.78.224.177 ip4:96.43.144.65/28 ip4:96.43.148.65/28 ip4:96.43.151.70/28 -all"ttl=300 "2Jvjv7DKLzv8IEgiMlABzDNOJma4RwuKxGbPz1+B3XuWknDlLuCpCiGvm/lP6gayRejG9vZoAFminrxB1eBrtw=="ttl=300 "MS=ms29250286"ttl=300 "FuseServer=http://ldms.intuit.com/RTC/plnaplandesk02/my.fuse"ttl=300 "google-site-verification=6jSGiCG2yPgdnVaqep59rqIWS0U2bw-x_CBQcoXl38s"ttl=300 "Dynatrace-site-verification=ccb51bbb-9c7f-4a4c-88fa-fb695b70ec8e__9705shrklpaecughttebhkkifv"ttl=300 "google-site-verification=0491IkqwUBxUsGlmvumJsWGOaoWB3gxbXWlAsrgw1BY"ttl=300 "google-site-verification=oUUAhE078O4_RvIGerAuNMAaOjK2HbMM1W1J_dMZXNw"ttl=300 "ahrefs-site-verification_11d46046f8a97e8fb3d897637bc3186a36fc1e6399859d9e6adc36d091edfcc9"ttl=300 "mtc=DKpkeg2ERaJ0YG7PGvT7OQKFW3NcDcRw"ttl=300 "amazonses:8mkJok2ss6dLDeJPD5eMmhjnAiHzm1citnVwLygKil4="ttl=300 "amazonses:TDaAP+2QbHXaoDk+84INtcgkahjeck5ScyqpbJ7vjn8="fetched 2026-06-04T02:35:28.404Z
ttl=300 "amazonses:19IV7X1lfLBmia9WmdxG8Gqf6dNUm6JQfdqEdacR71o="
ttl=300 "amazonses:yerUADVdnT3e3YPL50ndDHr9GwbMUNChUl6Scz9xkpo="
ttl=300 "amazonses:P1PVKAbYuRmzPHgqz1nY6BDsMTvHxqckE52MfNibj48="
ttl=300 "amazonses:2M+/ZQj/4F/eMX7u6kuCp+Z7xNKvmX1I29gB+CMQ4Q4="
ttl=300 "amazonses:N0CGLH0l4gBLTBRqtNTmUjKWSsFXxLlmfF8i41r0tx4="
ttl=300 "amazonses:c9b2vtY4Gw7UwvymdPffOnda79KbJzZe17oWNdYjp24="
ttl=300 "amazonses:Wzmb2ix9/1qG09kZRVQ0etu63eLfOhO4wmgV8Q3E/7g="
ttl=300 "amazonses:fdJArHimJUq8AWBLXlECBEyuLRENkCE196aNdksgSDo="
ttl=300 "status-page-domain-verification=19h47pvfy6hq"
ttl=300 "atlassian-domain-verification=vTIeVagHqS6bzDvWMXNqoWjLZItUdw6yM5I8271Ga6wJvuuDb3TFDKaUhUwc/dL7"
ttl=300 "amazonses:lf6Mu1JFZflbjFwmQ/Fh1DA5NzuX/iT7OWtpL4sGPtE="
ttl=300 "amazonses:LmYx8JTvbxyvFKjNvMrHC1HCkq9VfMWf0ceZuJLegH4="
ttl=300 "apple-domain-verification=J1X8H03Xg5d5WxEU"
ttl=300 "e2ma-verification=jiyfb"
ttl=300 "docker-verification=31922d88-e730-4388-8260-fb224586baf7"
ttl=300 "slack-domain-verification=N4nKARUHQd3OAI1X4VJEm8GZ2sBXPr99kxWzFZBf"
ttl=300 "google-site-verification=86h36G1Dj3CvVyEIejZYEcigd1WNgZ-uUPUZ-K6NpPY"
ttl=300 "loom-site-verification=e8ec59b7cfbe40aca0cfb28ec33ba8c7"
ttl=300 "atlassian-domain-verification=rOuxrbpoM8X0dyjve2lLYnnHEXBtmxbGzk17YgboFB62K3dXo2gnekijahD5DdOg"
ttl=300 "onetrust-domain-verification=bd35763888334b18866da9b67eb32edb"
ttl=300 "canva-site-verification=-ybKtxLA-Q48JNkPu_x2cw"
ttl=300 "google-site-verification=Kx9Ccwv-kcbu-mRQR2o6tQZa6eyzbZ9BNn8ZEg6cG9A"
ttl=300 "mandrill_verify.R5Rlq3R7ZCjroThxpE6PAA"
ttl=300 "spycloud-domain-verification=12b140a9-eb70-4fe0-a013-dd3005ea567e"
ttl=300 "onetrust-domain-verification=66aeac75673c471a980db82b86f9eeba"
ttl=300 "asv=f83757187d8d33eb5ff968239717fe3f"
ttl=300 "wrike-verification=NjI2NjA2ODpiOTU0ZjkyN2NkZWZkMzRhZmU0ZTY3YjE5N2JiYTM1MTJhMTAzZDU1OGE3ZTE4MDM1ZGU2OWQ0MTZmMTNkNTYx"
ttl=300 "_cy8ta91cyb557hjwa0zzb7f4a25ijiv"
ttl=300 "_7qgag1q2oscwegd7yrbyo6l3sz8juoq"
ttl=300 "onetrust-domain-verification=c302aaee255d41acb63b4424ff187e28"
ttl=300 "apple-domain-verification=DRkOA-jV7s46M5QtZSqQMAjJFls4HJze0-7AL7euIx4"
ttl=300 "airtable-verification=86fb7b781a7a028e6851e6f1c328ea4a"
ttl=300 "atlassian-domain-verification=wsosa3770H6DDKvWEafZK0uIQFeLQhfSxeQCSe/Tokjiydf3RRBUaSjc/pjNIJA0"
ttl=300 "perplexity-ai-domain-verification-10dkmy=LmxVXvF11aHzUiEWfaq0ZOZAg"
ttl=300 "1password-site-verification=5UKPLRNMZZAUVI5FNMMBFMEI24"
ttl=300 "anthropic-domain-verification-gc48zc=KKsQK4U6W4TnuAz4pQBl3rCrM"
ttl=300 "Whimsical=f6ff61eacdf014127171aa7cd57682462bc7475f"
ttl=300 "a3d06db1f8c85b2837b4603a51834425"
ttl=300 "hubspot-developer-verification=MTY3ZGUwOTYtMWI5Yy00YWFmLThhNDAtMDU1NDQxOWUyZjNi"
ttl=300 "_mj65bqchgqyttxk8b48cfd6cau6o58k"
ttl=300 "_edmhg7u9opnhxcbpxsrv4p06jg631n0"
ttl=300 "anthropic-domain-verification-9yecw3=zWNHDJvtSxki5wXNP7NovzAN9"
ttl=300 "stripe-verification=C70AAA8AAAF58504476D4808B6CC5CC86CDEEC336B2AEC863AEA9068D64C32D5"
ttl=300 "notion-domain-verification=4EZdwZqW6SOgVfMtAT2hismzGHSZUtNMBDqhz6o39zM"
ttl=300 "google-site-verification=mMwntd_nd-1ob-DiklSES8rbNn6PM0o3vYJ570S5_ko"
ttl=300 "zero-click-domain-verification-ydw88q=88iBydOQZKa9oAoYMd1sEOZgq"
ttl=300 "liveramp-site-verification=b6ti4HW1zzq8uJD-389EPAoiwDC0NX7b4HiiMWEXFAc"
ttl=300 "hpe-greenlake-domain-verification=67713231356c58626a71374a6270766439324b6d7a6f32375371373369344b77"cert valid for 155 days
Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.
subject cn: mktg.intuit.com
issuer: DigiCert Global G2 TLS RSA SHA256 2020 CA1 / DigiCert Inc
valid: Nov 4 00:00:00 2025 GMT → Nov 6 23:59:59 2026 GMT
authorized: yes
sha256: D4:09:40:B8:BA:61:BB:9E:D9:FD:2A:13:E7:E1:87:2D:5D:67:5C:CC:0F:B2:26:B9:62:B1:89:C3:A8:77:B8:24 sans mktg.intuit.com accountants.intuit.com accountantscanary.intuit.com blog.taxpro.intuit.com compliance.intuitlabs.com contactus.intuit.com edm.www.intuit.com.au education.intuit.ca gopayment.com gopayments.com help.quickbooks.intuit.com index.intuit.com intuit.co.uk intuit.com intuit.com.au intuit.fr intuitbenefits.com intuitcanary.intuit.com intuitfullservicepayroll.com intuitinnovationday.com intuitpayments.com km-ext.ebs-dam.intuit.com km-int.ebs-dam.intuit.com myproseries.com online.payroll.intuit.com payments.intuit.com payroll.intuit.com proconnect.intuit.com proconnectcanary.intuit.com profile.intuit.ca profilecanary.intuit.ca profilefrancais.intuit.ca profilefrancaiscanary.intuit.ca proseries.com qbinproduct.intuit.com qboipd.intuit.com quickbook.com.br quickbooks.co.uk quickbooks.co.za quickbooks.com quickbooks.com.au quickbooks.com.br quickbooks.fr quickbooks.in quickbooks.intuit.ca quickbooks.intuit.com quickbooks.intuit.com.au quickbooks.intuit.fr quickbooks2000.com quickbookscanary.intuit.com quickbooksenligne.ca quickbooksenligne.intuit.ca quickbooksgetconnected.co.za quickbooksonline.com quickbooksonline.intuit.com sbconnect.intuit.com scr.www.intuit.com.au search.payroll.com search.quickbooks.com search.quickbooksonline.com search2.payroll.com search2.quickbooks.com search2.quickbooksonline.com signup.quickbooks.intuit.com static.quickbooks.com support.intuit.ca taxpro.intuit.com widgets.intuit.com www.gopayment.com www.gopayments.com www.intuit-gopayment.com www.intuit.co.uk www.intuit.com www.intuit.com.au www.intuit.fr www.intuitaffiliate.com www.intuitbenefits.com www.intuitfullservicepayroll.com www.intuitinnovationday.com www.intuitlabs.com www.intuitpayments.com www.myproseries.com www.payments.intuit.com www.payroll.intuit.com www.proseries.com www.quickbook.com.br www.quickbooks.co.uk www.quickbooks.co.za www.quickbooks.com www.quickbooks.com.au www.quickbooks.com.br www.quickbooks.fr www.quickbooks.in www.quickbooks.intuit.ca www.quickbooks.intuit.com www.quickbooks.intuit.fr www.quickbooksgetconnected.co.za www.quickbooksonline.com www.quickbooksonline.intuit.com fetched 2026-06-04T02:35:28.453Z
no CORS headers — cross-origin requests blocked by default
Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).
origin https://domainposture.com method GET preflight status 301 access-control-* headers
access-control-allow-origin —
access-control-allow-methods —
access-control-allow-headers —
access-control-allow-credentials —
access-control-max-age —
access-control-expose-headers — no access-control-* headers returned — site does not advertise CORS to this origin
fetched 2026-06-04T02:35:28.485Z
check failed: crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).
crt.sh: Error: crt.sh http 429; certspotter: Error: certspotter http 429
HTTPS served correctly
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).
final status: 429 · 2 hops
[301] https://intuit.com/[429] https://www.intuit.com/fetched 2026-06-04T02:35:28.618Z
domain registered until 2026-12-19
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
registrar MarkMonitor Inc.
created 1994-02-18T05:00:00Z
expires 2026-12-19T16:25:34Z
statuses clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited, clientTransferProhibited https://icann.org/epp#clientTransferProhibited, clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited fetched 2026-06-04T02:35:28.671Z
HTTPS surface reachable (robots ✓, sitemap ✓, title ✗)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt
present User-agent: Sogou Pic Spider/3.0(+http://www.sogou.com/docs/help/webmasters.htm#07)
Disallow: /
#YisouSpider China
User-agent: YisouSpider
Disallow: /
User-agent: Baiduspider
Disallow: /
User-agent: Baiduspider+
Disallow: /
User-agent: Baiduspider+(+http://www.baidu.com/search/spider.htm)
Disallow: /
User-agent: Baiduspider/2.0;+http://www.baidu.com/search/spider.html
Disallow: /
User-agent: Baiduspider/2.0
Disallow: /
User-agent: +Baiduspider
Disallow: /
User-agent: +Baiduspider/2.0
Disallow: /
User-agent: +Baiduspider/2.0;++http://www.baidu.com/search/spider.html
Disallow: /
User-agent: Mozilla/5.0(compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
Disallow: /
User-agent: Baiduspider-image+(+http://www.baidu.com/search/spider.htm)
Disallow: /
User-agent: Mozilla/5.0 (compatible; Sosospider/2.0; +http://help.soso.com/webspider.htm)
Disallow: /
User-agent: Mozilla/5.0 (compatible; JikeSpider; +http://shoulu.jike.com/spider.html)
Disallow: /
User-agent: Twitterbot
Allow: /oicms/
User-agent: *
Disallow: /oicms/
Disallow: /ca/oicms/
Disallow: /fr-ca/oicms/
Disallow: /in/oicms/
Disallow: /content/intuit_com/
Disallow: /company/press-room/press-releases/
Disallow: /ca/company/press-room/press-releases/
Disallow: /fr-ca/company/press-room/press-releases/
Disallow: /commerce/
Disallow: /search/?search_term=*
Sitemap: https://www.intuit.com/sitemap.xml
Sitemap: https://www.intuit.com/ca/sitemap.xml
Sitemap: https://www.intuit.com/fr-ca/sitemap.xml
Sitemap: https://www.intuit.com/in/sitemap.xml
Sitemap: https://www.intuit.com/blog/sitemap.xml
Sitemap: https://www.intuit.com/enterprise/blog/sitemap.xml
# Intuit is hiring and
# looking for talented people.
#
# Learn more at:
# https://www.intuit.com/careers/
#
#
# ****** ************ ***************** ***** ***** ****** *****************
# ****** ****************** **************** ***** ***** ****** *****************
# ****** ****** ****** ****** ***** ***** ****** ******
# ****** ****** ****** ****** ***** ***** ****** ******
# ****** ****** ****** ****** ***** ***** ****** ******
# ****** ****** ****** ****** ****** ****** ****** ******
# ****** ****** ****** ****** ****************** ****** ******
# ****** ****** ****** ****** **************** ****** ******
# ****** ****** ****** ****** ************ ****** ******
sitemap.xml
present — 157 url(s)
social
no OpenGraph or Twitter meta tags found
fetched 2026-06-04T02:35:29.027Z
A-
Audit-ready · 2 minor advisories
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass 13
Warn 2
Fail 0 What an auditor would flag first low DKIM
2/6 DKIM selectors valid
SOC 2 CC6.7
low DNSSEC
DNSSEC not configured — no DS or DNSKEY records found
SOC 2 CC6.6 ISO 27001 A.13.1.1
Need this as an artifact your auditor can verify?
Your intuit.com scan flagged 2 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.
HTTPS surface reachable (robots ✓, sitemap ✓, title ✗)
MTA-STS not applicable: no _mta-sts TXT record TLS-RPT not applicable: no TLSRPT record DNSSEC DNSSEC not configured — no DS or DNSKEY records found WHOIS domain registered until 2026-12-19