Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).
Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).
Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).
Recommendations
Move to -all (hardfail) once your mail flow is confirmed — softfail gives no real protection
Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Check the missing selectors in your DNS provider and re-add any removed records
DNSSEC not configured — no DS or DNSKEY records found
Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).
Recommendations
Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar
Why it matters: MTA-STS forces inbound SMTP to use TLS and refuse downgraded connections. Without it, an in-path attacker can strip TLS and read mail in plaintext (SOC 2 CC6.7).
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).
no CORS headers — cross-origin requests blocked by default
Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).
origin
https://domainposture.com
method
GET
preflight status
301
access-control-* headers
access-control-allow-origin
—
access-control-allow-methods
—
access-control-allow-headers
—
access-control-allow-credentials
—
access-control-max-age
—
access-control-expose-headers
—
no access-control-* headers returned — site does not advertise CORS to this origin
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).
HTTPS surface reachable (robots ✓, sitemap ✗, title ✓)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt
present
# Notice: The use of robots or other automated means to access LinkedIn without
# the express permission of LinkedIn is strictly prohibited.
# See https://www.linkedin.com/legal/user-agreement.
# LinkedIn may, in its discretion, permit certain automated access to certain LinkedIn pages,
# for the limited purpose of including content in approved publicly available search engines.
# If you would like to apply for permission to crawl LinkedIn, please email whitelist-crawl@linkedin.com.
# Any and all permitted crawling of LinkedIn is subject to LinkedIn's Crawling Terms and Conditions.
# See http://www.linkedin.com/legal/crawling-terms.
User-agent: LinkedInBot
Allow: /
User-agent: Googlebot
Disallow: /addContacts*
Disallow: /addressBookExport*
Disallow: /ambry
Disallow: /analytics/
Disallow: /answers*
Disallow: /authwall
Disallow: /badges/profile/create
Disallow: /cap/
Disallow: /chat/
Disallow: /checkpoint/
Disallow: /companyDir*
Disallow: /connections*
Disallow: /csp/
Disallow: /e/
Disallow: /edurec*
Disallow: /embed/feed/update/
Disallow: /endorsements
Disallow: /feed/update/
Disallow: /find/
Disallow: /fizzy/admin
Disallow: /groups/
Disallow: /groupAnswers*
Disallow: /groupSharingMsg*
Disallow: /inviteFromProfile*
Disallow: /inviteMany*
Disallow: /jobs?runSearch*
Disallow: /jobs/view/externalApply/
Disallow: /jobs-guest/
Disallow: /api/jobPostings/jobs*
Disallow: /jsearch*
Disallow: /job-apply/
Disallow: /learning*?auth=true
Disallow: /learning*&auth=true
Disallow: /learning/articles/
Disallow: /learning/certificates/
Disallow: /learning/embed/
Disallow: /learning/events/
Disallow: /learning/instructors?
Disallow: /learning/instructors$
Disallow: /learning/instructors/
Disallow: /learning/login*?redirect=
Disallow: /learning/login*&redirect=
Disallow: /learning/me?
Disallow: /learning/me$
Disallow: /learning/me/
Disallow: /learning/memberbinding?
Disallow: /learning/memberbinding$
Disallow: /learning/memberbinding/
Disallow: /learning/search?
Disallow: /learning/search$
Disallow: /learning/search/
Disallow: /learning/settings?
Disallow: /learning/settings$
Disallow: /learning/settings/
Disallow: /lite/
Disallow: /li/track
Disallow: /mbox*
Disallow: /me/
Disallow: /memberInvite*
Disallow: /messaging/
Disallow: /mob/tracking
Disallow: /mwlite/
Disallow: /msgToConns*
Disallow: /myprofile*
Disallow: /network
Disallow: /newsArticle*
Disallow: /news?viewArticle*
Disallow: /nus-trk*
Disallow: /oauth/v2/*
Disallow: /oauth2/v2/*
Disallow: /organization-guest/
Disallow: /osview/
Disallow: /otherContacts
Disallow: /pages-extensions/FollowCompany*
Disallow: /people/iweReconnectAction
Disallow: /platform-telemetry/
Disallow: /ppl/
Disallow: /profile/
Disallow: /profile/view
Disallow: /psettings/
Disallow: /reconnect*
Disallow: /redirect*
Disallow: /redir*
Disallow: /requestList*
Disallow: /salary-explorer/api
Disallow: /search*
Disallow: /secure/
Disallow: /settings/
Disallow: /shareArticle*
Disallow: /signature*
Disallow: /slink*
Disallow: /start/
Disallow: /svpRecommendations*
Disallow: /topic/
Disallow: /title/
Disallow: /uas/login
Disallow: /uas/oauth/*
Disallow: /uas/oauth2/*
Disallow: /using*
Disallow: /voyager/api
Disallow: /help/*/ask
Disallow: /help/*/ask/*
Disallow: /help/*/answers
Disallow: /help/*/answers/*
Disallow: /help/testing
Disallow: /help/testing/*
Disallow: /xdoor*
Disallow: /comm/
Disallow: /enterprise-jobs/
Allow: /business/sales/blog*
Allow: /business/learning/blog*
Allow: /psettings/guest-controls*
Allow: /psettings/guest-email-unsubscribe*
Allow: /psettings/sms-unsubscribe*
Allow: /psettings/guest-controls/retargeting-opt-out*
Allow: /settings/loid-email-unsubscribe-router*
Allow: /settings/loid-email-unsubscribe*
Allow: /help/
User-agent: Applebot
Disallow: /addContacts*
Disallow: /addressBookExport*
Disallow: /ambry
Disallow: /analytics/
Disallow: /answers*
Disallow: /authwall
Disallow: /badges/profile/create
Disallow: /cap/
Disallow: /chat/
Disallow: /checkpoint/
Disallow: /companyDir*
Disallow: /connections*
Disallow: /csp/
Disallow: /e/
Disallow: /edurec*
Disallow: /endorsements
Disallow: /find/
Disa
sitemap.xml
absent
head
title
LinkedIn: Log In or Sign Up
description
1 billion members | Manage your professional identity. Build and engage with your professional network. Access knowledge, insights and opportunities.
social
og:site_name
LinkedIn
og:title
LinkedIn: Log In or Sign Up
og:description
1 billion members | Manage your professional identity. Build and engage with your professional network. Access knowledge, insights and opportunities.
og:type
website
og:url
https://www.linkedin.com/
twitter:card
summary
twitter:site
@linkedin
twitter:title
LinkedIn: Log In or Sign Up
twitter:description
1 billion members | Manage your professional identity. Build and engage with your professional network. Access knowledge, insights and opportunities.
fetched 2026-06-04T02:34:24.802Z
B
Mostly compliant · 3 items need attention
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass
12
Warn
3
Fail
0
What an auditor would flag first
medium
SPF
~all softfail — receivers may still accept
SOC 2 CC6.7ISO 27001 A.13.2.1
low
DKIM
1/6 DKIM selectors valid
SOC 2 CC6.7
low
DNSSEC
DNSSEC not configured — no DS or DNSKEY records found
SOC 2 CC6.6ISO 27001 A.13.1.1
Need this as an artifact your auditor can verify?
Your linkedin.com scan flagged 1 medium and 2 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.