
Understanding your domain security report card

Run your domain through the free report card, then use this page to understand what each rated item means and why it matters.

What the terms on your domain security report card mean

The Domain Security Report Card scores your domain across three areas: email authentication, advanced email protection, and website security. Each area is made up of individual records and settings, and the report shows a pass, a recommendation, or a fail for every one. Knowing what those records do helps you decide what to fix first.

This glossary walks through each rated item in the same order the report card lists them. You do not need a technical background to follow along. Every entry explains what the term is, what it protects, and what happens when it is missing.

Want your own grade before you read on? Run your domain through the free Domain Security Report Card and keep the results next to this page.

Not sure which results to fix first?
Wolferdawg IT Consulting can review your report card, prioritize the fixes, and put the right records in place for small businesses across Lawton, Duncan, and Southwest Oklahoma.

Email authentication (50% of grade)

SPF, DKIM and DMARC prove that outgoing email is really from you, and MX records tell other servers where to deliver mail to you. This group carries the most weight on the report card because the first three stop the spoofing and phishing that target your customers, and all four have to be right for mail to flow at all.

DMARC policy

DMARC, short for Domain-based Message Authentication, Reporting and Conformance, is the policy that sits on top of SPF and DKIM. It tells receiving mail servers what to do with a message whose visible From address uses your domain but which fails those checks (or passes them only for some unrelated domain): p=none delivers it and just reports, p=quarantine sends it to spam, and p=reject refuses it outright. Only quarantine or reject actually stops spoofing and phishing that uses your business name; none is a monitoring step on the way there. Either way, the rua= address in the record receives daily reports showing who is sending mail as you, so you can find legitimate senders you forgot to authorize before you tighten the policy.

SPF record

SPF, short for Sender Policy Framework, is a DNS TXT record that lists every mail server allowed to send email for your domain. When another server receives a message from you, it checks the sending server's address against this list. If the server is not on the list, what happens depends on how the record ends: -all tells receivers to treat the message as a hard fail, ~all only asks them to be suspicious, and a record with no all term, or one that needs more than ten DNS lookups across all its include entries, gives them no usable answer at all. SPF checks the bounce address on the envelope rather than the From line a person sees, which is why DMARC is needed to tie the two together.

DKIM signing

DKIM, short for DomainKeys Identified Mail, adds a cryptographic signature, carried in a message header, to every email your domain sends. The receiving server looks up the public key published in your DNS under the selector named in that header and uses it to confirm that the signed headers and body really came from you and were not changed along the way. Where SPF checks the sending server, DKIM verifies the message itself, so the two work together, and a DKIM signature usually survives forwarding that breaks SPF. Each sending service (your mail host, newsletter tool, invoicing system) needs its own selector and key published, and a selector record with an empty p= value means that key has been revoked.
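The three records above share a small, regular syntax, so the checks a report card runs on them can be shown in a few lines. The script below is an added example and is not the report card's own code: it grades constructed SPF, DKIM and DMARC strings embedded in the file instead of querying DNS, and the pass/recommendation/fail thresholds are assumptions chosen to mirror the three results the report card gives.

```python
"""Grade SPF, DKIM and DMARC TXT records offline.

Added example (not the report card's own code). It parses record strings
embedded below instead of querying DNS; the pass/recommendation/fail
thresholds are assumptions chosen to mirror the report card's three results.
"""

# Constructed sample records for a fictional domain (not real DNS data).
SPF_RECORD = ("v=spf1 include:_spf.example.net include:mail.example.org "
              "a mx ip4:203.0.113.10 ~all")
DKIM_RECORD = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
DMARC_RECORD = "v=DMARC1; p=quarantine; sp=none; pct=100; rua=mailto:dmarc@example.com"

# SPF terms that each consume one of the ten DNS lookups RFC 7208 allows.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def grade_spf(record):
    """Return (result, reason) for an SPF record.

    Checks the version tag, the qualifier on 'all' and the number of
    lookup-costing terms. Only top-level terms are counted here; a real
    checker recurses into each include: to get the true total.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "fail", "not an SPF record (missing v=spf1)"
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # 'include:domain', 'a:domain', 'redirect=domain' -> name before : or =
        name = term.split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        return "fail", f"{lookups} lookup terms exceed the limit of 10 (permerror)"
    if all_qualifier is None:
        return "fail", "no 'all' term, so unlisted senders are treated as neutral"
    if all_qualifier == "-":
        return "pass", "ends in -all: unlisted senders hard-fail"
    if all_qualifier == "~":
        return "recommendation", "ends in ~all (soft fail); move to -all once DMARC is enforced"
    return "fail", f"ends in {all_qualifier}all, which does not reject unlisted senders"


def parse_tags(record):
    """Split a 'k=v; k=v' tag list; DKIM and DMARC records share this syntax."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dkim(record):
    """A selector record needs a non-empty p= tag; an empty one means the key is revoked."""
    tags = parse_tags(record)
    if "v" in tags and tags["v"].upper() != "DKIM1":
        return "fail", "unexpected version tag"
    if not tags.get("p"):
        return "fail", "empty or missing p= tag: signatures cannot be verified"
    return "pass", f"{tags.get('k', 'rsa')} public key published"


def grade_dmarc(record):
    """Grade the policy itself, then whether it applies to all mail and reports back."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "fail", "missing v=DMARC1 or p= tag; receivers ignore the record"
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "fail", f"unknown policy p={policy}"
    if policy == "none":
        return "recommendation", "p=none only monitors; spoofed mail is still delivered"
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        return "recommendation", f"p={policy} is applied to only {pct}% of failing mail"
    if "rua" not in tags:
        return "recommendation", f"p={policy} set, but no rua= address to receive reports"
    return "pass", f"p={policy} applied to all failing mail, reports go to {tags['rua']}"


def grade_email_authentication(spf=SPF_RECORD, dkim=DKIM_RECORD, dmarc=DMARC_RECORD):
    """Return the three results keyed the way the report card lists them."""
    return {"DMARC policy": grade_dmarc(dmarc),
            "SPF record": grade_spf(spf),
            "DKIM signing": grade_dkim(dkim)}


if __name__ == "__main__":
    for item, (result, reason) in grade_email_authentication().items():
        print(f"{item:14} {result:14} {reason}")
```

With the sample records the SPF line comes back as a recommendation (it ends in ~all), DKIM passes, and DMARC passes because p=quarantine is applied to 100% of mail with a reporting address. Change p=quarantine to p=none, or drop pct to 50, and DMARC drops to a recommendation; add eleven include: entries and SPF fails outright, which is what receivers do with a record that exceeds the lookup limit.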

MX records

MX records, short for Mail Exchange records, point to the servers that receive email for your domain. When someone sends you a message, their server looks up your MX records to know where to deliver it. Without correct MX records, inbound email has nowhere to go and never reaches your inbox.

Advanced email protection (15% of grade)

These settings sit a layer below the core records. They protect the path your email travels and the integrity of your domain itself.

DNSSEC

DNSSEC, short for Domain Name System Security Extensions, adds a digital signature to your DNS records. That signature lets other systems confirm the answers they get about your domain are genuine and have not been tampered with. Without DNSSEC, an attacker who can poison DNS responses can quietly redirect your visitors or your email to a server they control. Two caveats: the protection only applies when the visitor's or sender's resolver actually validates signatures, and the signatures expire, so a zone whose signing lapses (or whose DS record at the registrar no longer matches the keys in the zone) stops resolving for validating users entirely.

MTA-STS

MTA-STS, short for Mail Transfer Agent Strict Transport Security, tells other mail servers that they must use an encrypted connection with a valid certificate when they send email to your domain, and which mail server names they should expect to see. It takes two pieces: a small _mta-sts TXT record in DNS and a policy file served over HTTPS from the mta-sts subdomain. In enforce mode, senders refuse delivery if a secure connection cannot be made; in testing mode they deliver anyway and only report the problem, which is the safe way to start. This closes a gap that attackers can use to intercept or downgrade email in transit before it reaches you, because ordinary SMTP encryption is opportunistic and falls back to plain text when anything goes wrong.

TLS reporting

TLS reporting, often called TLS-RPT, is a _smtp._tls TXT record that asks other mail servers to send you a summary whenever they cannot deliver email to your domain over an encrypted connection or cannot apply your MTA-STS policy. Those reports arrive as daily JSON files from senders that support the standard, listing how many sessions succeeded, how many failed, and why (an expired certificate on one of your mail servers, for instance). They give you early warning of encryption failures or interception attempts that you would otherwise never see, which is why TLS-RPT belongs alongside MTA-STS, especially while that policy is still in testing mode.
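The MTA-STS and TLS-RPT entries above describe a DNS record, a policy file and a report format. The script below is an added example, not code from the report card: it checks a constructed _mta-sts record and policy file against a constructed list of MX host names, grades a constructed TLS-RPT record, and totals a constructed aggregate report in the RFC 8460 JSON shape. A real check would fetch the record from DNS, the policy from https://mta-sts.<domain>/.well-known/mta-sts.txt and the report from the rua= mailbox; the domain names and counts here are invented.

```python
"""Check an MTA-STS deployment and summarise a TLS-RPT report offline.

Added example (not the report card's own code). Records, policy, MX list
and the report are constructed for a fictional domain.
"""
import json

MTA_STS_DNS = "v=STSv1; id=20240601T000000"        # _mta-sts.example.com TXT (constructed)
MTA_STS_POLICY = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.com
max_age: 604800
"""
MX_HOSTS = ["mail.example.com", "mx2.backup.example.com"]   # constructed MX targets
TLSRPT_DNS = "v=TLSRPTv1; rua=mailto:tlsrpt@example.com"    # _smtp._tls.example.com TXT

# Constructed RFC 8460 aggregate report, as a sender would mail it once a day.
TLSRPT_REPORT = json.dumps({
    "organization-name": "Example Sender",
    "policies": [{
        "policy": {"policy-type": "sts", "policy-domain": "example.com"},
        "summary": {"total-successful-session-count": 512,
                    "total-failure-session-count": 3},
        "failure-details": [
            {"result-type": "certificate-expired",
             "receiving-mx-hostname": "mx2.backup.example.com",
             "failed-session-count": 2},
            {"result-type": "sts-policy-fetch-error", "failed-session-count": 1},
        ],
    }],
})


def parse_mta_sts_policy(text):
    """Parse the 'key: value' policy file; 'mx' may repeat, so it is a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = (s.strip() for s in line.split(":", 1))
        if key.lower() == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key.lower()] = value
    return policy


def mx_matches(host, pattern):
    """RFC 8461 section 3.2: a leading '*.' matches exactly one label."""
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return host.endswith("." + suffix) and host.count(".") == suffix.count(".") + 1
    return host == pattern


def grade_mta_sts(dns_record, policy_text, mx_hosts):
    """Return (result, reason) for the TXT record plus policy file."""
    if not dns_record.lower().startswith("v=stsv1"):
        return "fail", "no _mta-sts TXT record, so senders never fetch the policy"
    policy = parse_mta_sts_policy(policy_text)
    if policy.get("version") != "STSv1" or "max_age" not in policy:
        return "fail", "policy file lacks version: STSv1 or max_age"
    uncovered = [h for h in mx_hosts if not any(mx_matches(h, p) for p in policy["mx"])]
    if uncovered:
        # In enforce mode senders refuse to deliver to MX hosts the policy omits.
        return "fail", f"MX host(s) missing from policy mx lines: {uncovered}"
    mode = policy.get("mode", "none")
    if mode == "enforce":
        return "pass", "enforce mode: senders refuse delivery without valid TLS"
    if mode == "testing":
        return "recommendation", "testing mode only reports; switch to enforce"
    return "fail", f"mode {mode} does not require TLS"


def grade_tls_rpt(dns_record):
    tags = dict(p.strip().split("=", 1) for p in dns_record.split(";") if "=" in p)
    if tags.get("v") != "TLSRPTv1" or not tags.get("rua"):
        return "fail", "no TLSRPTv1 record with a rua= address"
    return "pass", f"failure reports go to {tags['rua']}"


def summarize_tls_rpt(report_json):
    """Total sessions, and failures per result type, across all policies in a report."""
    report = json.loads(report_json)
    totals = {"successful": 0, "failed": 0, "by_type": {}}
    for entry in report["policies"]:
        summary = entry["summary"]
        totals["successful"] += summary.get("total-successful-session-count", 0)
        totals["failed"] += summary.get("total-failure-session-count", 0)
        for detail in entry.get("failure-details", []):
            kind = detail["result-type"]
            totals["by_type"][kind] = totals["by_type"].get(kind, 0) + detail.get("failed-session-count", 0)
    return totals


if __name__ == "__main__":
    print(grade_mta_sts(MTA_STS_DNS, MTA_STS_POLICY, MX_HOSTS))
    print(grade_tls_rpt(TLSRPT_DNS), summarize_tls_rpt(TLSRPT_REPORT))
```

The MX coverage check is the one people miss: if your domain gains a new mail server that the policy's mx lines do not name, an enforce-mode policy makes senders skip that server, so run the check (with the real MX list) every time the mail setup changes. The wildcard match follows the standard's rule that "*.backup.example.com" covers one extra label only.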

Website security (35% of grade)

These items protect the connection between your website and the people who visit it. They keep data private in transit and stop attackers from impersonating your site.

HTTPS enforcement

HTTPS encrypts the connection between your website and the people visiting it, so passwords, form entries, and page content cannot be read or altered in transit. Enforcing HTTPS means every visitor who types your plain web address is automatically redirected (a permanent redirect to the https:// version of the same page) rather than served the insecure copy. This protects your visitors and signals to search engines that your site is trustworthy.

TLS certificate

A TLS certificate is the digital credential, vouched for by a certificate authority, that proves to the browser that the server it reached is the one that controls your domain name and not an imposter. It is what turns on the padlock in the browser and allows the encrypted HTTPS connection to work. Certificates expire on a set date, so they need to renew on time, ideally automatically, to avoid browser warnings that scare visitors away; many hosts now issue 90-day certificates, which makes a missed renewal a common cause of a sudden failing grade.

HSTS

HSTS, short for HTTP Strict Transport Security, is a response header that tells browsers to only ever connect to your website over a secure HTTPS connection, for as long as its max-age value says. Once a browser has seen this instruction on a secure visit, it rewrites any http link to https before connecting and refuses to let the visitor click past a certificate warning. This protects visitors from a common trick where an attacker downgrades the connection to intercept it. The very first visit is still unprotected until the header has been seen, unless the domain is on the browser preload list, and a max-age of less than a year, or a header served only on some pages, leaves the gap open.

Security headers

Security headers are small instructions your web server sends with each page that control how the browser is allowed to treat it. Content-Security-Policy limits where scripts and other content may load from (content injection), X-Frame-Options or the CSP frame-ancestors directive stops other sites from framing your pages (clickjacking), X-Content-Type-Options: nosniff stops the browser from guessing file types, and Referrer-Policy controls how much of your page address is leaked when visitors follow a link elsewhere. A report that flags a missing header like Referrer-Policy means a few of these protections are not yet switched on; adding them strengthens your site against everyday attacks, though Content-Security-Policy should be rolled out carefully, because an over-strict policy breaks legitimate scripts.
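The four website items above can all be judged from two HTTP responses and the certificate's expiry date. The script below is an added example and not the report card's own code: it grades a constructed plain-http response, a constructed https response with its headers, and a constructed certificate expiry date against a fixed clock, so it runs offline. A real check would make the two requests and read notAfter from the served certificate; the one-year HSTS and 14-day certificate thresholds are assumptions.

```python
"""Grade HTTPS enforcement, certificate expiry, HSTS and security headers offline.

Added example (not the report card's own code). Responses, expiry date and
clock below are constructed; thresholds are assumptions.
"""
from datetime import datetime, timezone

# Constructed inputs for a fictional site.
HTTP_RESPONSE = {"status": 301, "headers": {"Location": "https://www.example.com/"}}
HTTPS_RESPONSE = {"status": 200, "headers": {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
}}
CERT_NOT_AFTER = datetime(2024, 7, 10, tzinfo=timezone.utc)
NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)

ONE_YEAR = 365 * 24 * 3600
REQUIRED_HEADERS = ("content-security-policy", "x-content-type-options", "referrer-policy")


def _lower(headers):
    """Header names are case-insensitive, so compare them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}


def grade_https_enforcement(http_response):
    """The plain-http URL must redirect to an https:// URL."""
    location = _lower(http_response["headers"]).get("location", "")
    if http_response["status"] in (301, 302, 307, 308) and location.startswith("https://"):
        return "pass", f"http redirects to {location}"
    return "fail", "plain http is served without redirecting to https"


def grade_certificate(not_after, now=None):
    """Days until notAfter; expired fails, under two weeks is a warning."""
    days_left = (not_after - (now or datetime.now(timezone.utc))).days
    if days_left < 0:
        return "fail", f"certificate expired {-days_left} days ago"
    if days_left < 14:
        return "recommendation", f"certificate expires in {days_left} days; check renewal"
    return "pass", f"certificate valid for {days_left} more days"


def parse_hsts(value):
    """'max-age=N; includeSubDomains; preload' -> {'max-age': 'N', ...}."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.lower()] = val.strip()
    return directives


def grade_hsts(https_response):
    value = _lower(https_response["headers"]).get("strict-transport-security")
    if value is None:
        return "fail", "no HSTS header; browsers will still try http"
    directives = parse_hsts(value)
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return "fail", "HSTS header has no valid max-age"
    if max_age < ONE_YEAR:
        return "recommendation", f"max-age={max_age} is short; use at least {ONE_YEAR}"
    extras = [d for d in ("includesubdomains", "preload") if d in directives]
    return "pass", f"max-age={max_age}" + (", " + ", ".join(extras) if extras else "")


def grade_security_headers(https_response):
    h = _lower(https_response["headers"])
    missing = [name for name in REQUIRED_HEADERS if name not in h]
    # Clickjacking is covered by either X-Frame-Options or a CSP frame-ancestors directive.
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        missing.append("x-frame-options (or CSP frame-ancestors)")
    if missing:
        return "recommendation", "missing: " + ", ".join(missing)
    return "pass", "all checked headers present"


if __name__ == "__main__":
    print("HTTPS enforcement", grade_https_enforcement(HTTP_RESPONSE))
    print("TLS certificate  ", grade_certificate(CERT_NOT_AFTER, NOW))
    print("HSTS             ", grade_hsts(HTTPS_RESPONSE))
    print("Security headers ", grade_security_headers(HTTPS_RESPONSE))
```

On the sample site the redirect passes, the certificate is a recommendation (ten days left), HSTS is a recommendation because max-age=300 only protects visitors for five minutes after each visit, and the header check reports Referrer-Policy and clickjacking protection missing because the CSP has no frame-ancestors directive. A site that serves the header only on its home page would pass this single-response check and still leave other pages exposed, so check every entry point.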

Looking for more on the core email records? Read the email security guide for setup steps on SPF, DKIM, and DMARC.