Why it matters: DMARC binds SPF and DKIM into an enforceable policy (quarantine or reject) and surfaces spoofing attempts via aggregate reports. `p=none` or absent means spoofing succeeds silently (SOC 2 CC6.7).
Why it matters: MX records direct inbound mail. Misconfiguration silently breaks email delivery and lets attackers stand up parallel MX hosts for spoofing campaigns (ISO 27001 A.8.21).
Why it matters: MTA-STS tells sending mail servers that delivery to this domain must use TLS and, in enforce mode, must be refused rather than downgraded to plaintext. Without it, an in-path attacker can strip STARTTLS and read mail in plaintext (SOC 2 CC6.7).
DNSSEC not configured — no DS or DNSKEY records found
Why it matters: DNSSEC cryptographically signs DNS responses, blocking cache-poisoning attacks. US federal civilian agencies are required to enable it under OMB M-22-09 (NIST SC-20).
Recommendations
Enable DNSSEC in your DNS provider's control panel and add the resulting DS record at your registrar
Why it matters: SPF tells receiving servers which hosts may send mail for the domain. Without it, any sender can forge the envelope-from — the primary mechanism behind business-email-compromise (SOC 2 CC6.7).
Why it matters: A valid current TLS certificate is the baseline for data in transit. Expiry, weak chain, or hostname mismatch break HTTPS and fail PCI 4.2.1 / SOC 2 CC6.1.
Recommendations
Renew the certificate now — most CAs allow renewal 30 days before expiry
Why it matters: DKIM signs outbound mail so receivers can detect tampering. Missing selectors or rotated-away keys break DMARC alignment and let receivers downgrade trust (ISO 27001 A.8.24).
Recommendations
Enable DKIM signing in your mail provider and publish the provided TXT record
Common selectors: google._domainkey, selector1._domainkey (Microsoft), mail._domainkey
no DKIM record on probed selectors (default, google, k1, selector1, selector2, mxvault)
Why it matters: Without authoritative A or AAAA records on the apex, the domain is unreachable. Missing baseline DNS shows up in vendor reviews as evidence of unmanaged infrastructure (SOC 2 CC6.6).
Why it matters: Every certificate issued for this domain is published in Certificate Transparency logs — including subdomains you may have forgotten. Unknown subdomains in CT are pre-disclosed attack surface (ISO 27001 A.8.16).
no CORS headers — cross-origin requests blocked by default
Why it matters: Overly permissive CORS (wildcard with credentials, or reflected origin) lets any origin read authenticated responses from this domain. OWASP A05 misconfiguration territory (NIST AC-4).
origin: https://domainposture.com
method: GET
preflight status: 301
access-control-* headers:
  access-control-allow-origin: —
  access-control-allow-methods: —
  access-control-allow-headers: —
  access-control-allow-credentials: —
  access-control-max-age: —
  access-control-expose-headers: —
no access-control-* headers returned — site does not advertise CORS to this origin
Why it matters: Registrar and expiry tell auditors the domain is owned, current, and not about to lapse. An expired or about-to-expire domain fails business-continuity evidence (SOC 2 A1.2).
Why it matters: Bare HTTP requests must redirect to HTTPS without dropping the user mid-chain. Plain-text fallback or open redirects fail PCI 4.2.1 and feed phishing chains (SOC 2 CC6.6).
HTTPS surface reachable (robots ✓, sitemap ✗, title ✓)
Why it matters: Public files — robots.txt, sitemap.xml, head meta — are what attackers see first during reconnaissance. Misadvertised paths, stale sitemaps, and verbose generators leak more than intended (ISO 27001 A.8.9).
robots.txt: present
# Notice: Collection of data on Facebook through automated means is
# prohibited unless you have express written permission from Facebook
# and may only be conducted for the limited purpose contained in said
# permission.
# See: http://www.facebook.com/apps/site_scraping_tos_terms.php
User-agent: facebookexternalhit
Allow: *
User-agent: meta-externalads
Allow: *
User-agent: *
Disallow: /*cursor=
Disallow: /*fb_comment_id=
Disallow: /ajax/
Disallow: /tealium/
Disallow: /intern/
Disallow: /internal/
Disallow: /login/
Disallow: /oidc/callback/
Disallow: /*.php
Disallow: */search/
Disallow: *help/support/
Disallow: *help_app/
Disallow: */rma/*
Disallow: /a/fl?
Disallow: /bv/upload/
Disallow: /campaign/
Disallow: /*?cjevent=
Disallow: /*&cjevent=
Disallow: /common/referer_frame.php
Disallow: /connect/invite/
Disallow: /device-view/
Disallow: /*/device-view/
Disallow: /meta-employee-store/
Disallow: /order/
Disallow: /return/
Disallow: /s/
Disallow: /survey/
Disallow: /my/
Disallow: /rx/
User-agent: PetalBot
Disallow: /
User-agent: Scrapy
Disallow: /
User-agent: uptimerobot
Disallow: /
User-agent: viberbot
Disallow: /
User-agent: YaK
Disallow: /
User-agent: Yandex
Disallow: /
User-agent: Yeti
Disallow: /
Sitemap: https://www.meta.com/sitemap/www_meta_com_sitemap.xml.gz
Sitemap: https://www.meta.com/sitemap/www_meta_com_help_sitemap.xml.gz
Sitemap: https://www.meta.com/sitemap/www_meta_com_blog_sitemap.xml.gz
Sitemap: https://www.meta.com/sitemap/www_meta_com_experiences_sitemap.xml.gz
Sitemap: https://www.meta.com/sitemap/www_meta_com_about_sitemap.xml.gz
sitemap.xml: absent
head:
  title: Meta - Shop AI glasses and VR headsets
  description: Shop the latest AI glasses and wearable technology from Meta. Explore Ray-Ban Meta, Oakley Meta, display glasses, and cutting-edge VR headsets.
social:
  og:site_name: Meta
  og:description: Shop the latest AI glasses and wearable technology from Meta. Explore Ray-Ban Meta, Oakley Meta, display glasses, and cutting-edge VR headsets.
1 high-severity finding · 4 items need attention in total
Aggregate grade across 15 checks. Auditors typically flag any High-severity finding.
Pass: 11
Warn: 3
Fail: 1
What an auditor would flag first
high · TLS certificate · cert expires in 7 day(s) · SOC 2 CC6.6 · ISO 27001 A.13.1.1
low · SPF · SPF present but all-qualifier unrecognised · SOC 2 CC6.7 · ISO 27001 A.13.2.1
low · DKIM · no DKIM selectors found — likely not configured · SOC 2 CC6.7
Need this as an artifact your auditor can verify?
Your meta.com scan flagged 1 high and 3 low findings. A signed pack covers the apex plus up to 100 CT-discovered subdomains, Ed25519-signed and ISO-timestamped, delivered in 10–30 minutes.