How to read the test report?

Do you feel our score is too harsh? Or do you simply want to know how we come to our test results? Here we explain how we arrive at our score, which norms we’re using and what a score implies.

What norm is .auCheck using to check against?

.auCheck checks whether your website and email services have enabled common internet standards. These standards are based on the Australian Government’s Information Security Manual and global good practices from the international technical community.

These standards relate to:

  • Encryption and authenticity of your website and mail servers (HTTPS, TLS, Certificate)
  • Security of the website or email server domain name (DNSSEC)
  • Security of website applications (X-FRAME, X-CONTENT, CONTENT SECURITY, REFERRAL)
  • Authenticity marks against phishing (DMARC, DKIM, SPF)
  • Adoption of Internet Protocol version 6 (IPv6)

Internet standards ≠ cybersecurity

.auCheck verifies whether website and email settings (correctly) follow the internet standards referenced above. While the standards used by .auCheck have a security component, .auCheck is not a cybersecurity check. A good score on .auCheck is a first step in building a decent cybersecurity posture.

A bad score on .auCheck does not imply you’re insecure, but it does tell you that your website and/or email is at high risk of being (severely) insecure.

If you’re looking for a cybersecurity review, please have a look at the Need advice? page.

Reading the score

A green score (‘Doing well’) means that your website, e-mail service or internet connection has enabled and correctly installed most, if not all, of the standards that .auCheck is verifying.

A yellow score (‘Getting there’) means that your website, e-mail service or internet connection has enabled and correctly installed most, but not all, of the standards that .auCheck is verifying. This may include some settings that are important though not critical to your internet security.

An orange score (‘Some work to do’) means that your website, e-mail service or internet connection has enabled and correctly installed some, but not all, of the standards that .auCheck is verifying. This may include settings that are critical to your internet security.

A red score (‘Take action!’) means that your website, e-mail service or internet connection has not enabled or correctly installed the most elementary standards that .auCheck is verifying. This will include settings that are critical to your internet security.

How is the score determined?

The test result presents you with two findings:

  1. An overall test result: a weighted score across all test results for settings that are considered ESSENTIAL or IMPORTANT.

The precise weightings and values used for the website test and mail test can be consulted here.

  2. A numbered list of items to check for each of the main test categories. The numbers refer to the number of tests that resulted in a 'fail', 'warning' or 'not tested'.

Standards are dynamic and change over time

Good practice and advice from the Australian Cyber Security Centre evolve, and therefore the test norms of .auCheck will be adjusted too. Adjustments will be announced through news items on the website and can include new subtests (additional requirements), updated weightings (for instance, from recommended to essential) or new criteria (for instance, a new and better encryption version is introduced).

Additionally, in its weighting .auCheck considers the current availability of certain settings in the Australian market. For instance, DNSSEC has only limited availability. Even though that’s unfortunate, it would be unfair to demand such settings from small-business websites. But when these standards become more commonplace, our expectations that websites and email install these settings will grow too.

How is the test report structured?

.auCheck offers four checks: for websites, email domains, connection and CMS. Each check has its own list of tests related to specific standards. For the website and mail checks, the tests are grouped in clusters based on functionality.

The report presents the test results in order of priority. For instance, for both websites and email domains, we consider having good encryption and adequate authenticity marks most critical. Similarly, using IPv6 would be good to have, but we don’t consider it critical to small business operations in Australia.

In the test report you can drill down to three levels of analysis. The first level is the result presented to you, explaining the meaning, implications and recommended actions in plain non-technical terms.

At the second level, you can find each of the tests. You’ll be able to see instantly which ones you pass, and which ones fail. For each of the tests, we indicate whether .auCheck considers them critical, important, recommended or optional. We also provide an explanation of what each test does.

Finally, at the third level you can find the data we were able to retrieve. This information is most likely what we suggest you share with your service provider to further investigate and potentially upgrade.

Icons per test category

Passed : Good: passed all subtests ⇒ full score in test category
Failed : Bad: failed at least one REQUIRED subtest ⇒ no full score in test category
Recommendation : Failed at least one RECOMMENDED subtest ⇒ full score in test category
Information : Informational: failed at least one OPTIONAL subtest ⇒ full score in test category
Error : Test error: execution error for at least one subtest ⇒ no result in test category

Icons per subtest

Passed : Pass on REQUIRED, RECOMMENDED or OPTIONAL subtest ⇒ first: full score / latter two: no score impact
Failed : Bad: fail on REQUIRED subtest ⇒ null score
Recommendation : Warning: fail on RECOMMENDED subtest ⇒ no score impact
Information : Informational: fail on OPTIONAL subtest ⇒ no score impact
Error : Test error: error encountered during testing ⇒ null score
Not testable : Not tested, because already failed related parent subtest ⇒ null score
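
The icon rules above, written as a small roll-up from subtest results to a category icon and an "items to check" count. This is an added example, not .auCheck's own code: the subtest names and levels in the sample, the `Subtest` type and the worst-first precedence used when a category mixes results are assumptions, and the weighted overall score is left out because the weightings are not given on this page.

```python
from collections import namedtuple

# level: REQUIRED | RECOMMENDED | OPTIONAL; outcome: pass | fail | error | not_tested
Subtest = namedtuple("Subtest", "name level outcome")

# Icon shown for a failed subtest, by level (from "Icons per subtest").
FAIL_ICON = {"REQUIRED": "Failed", "RECOMMENDED": "Recommendation",
             "OPTIONAL": "Information"}
# ASSUMPTION: worst-first precedence when one category mixes results.
PRECEDENCE = ["Error", "Failed", "Recommendation", "Information", "Passed"]
# Effect of each category icon on the score (from "Icons per test category").
SCORE_EFFECT = {"Passed": "full score", "Recommendation": "full score",
                "Information": "full score", "Failed": "no full score",
                "Error": "no result"}

def subtest_icon(s):
    """Map one subtest result to its icon."""
    if s.outcome == "fail":
        return FAIL_ICON[s.level]
    return {"pass": "Passed", "error": "Error",
            "not_tested": "Not testable"}[s.outcome]

def category_icon(subtests):
    """Roll subtest icons up to the single icon of their test category."""
    icons = {subtest_icon(s) for s in subtests}
    for icon in PRECEDENCE:
        if icon in icons:
            return icon
    # Empty category, or only "Not testable" with no failed parent present.
    raise ValueError("no category icon can be derived")

def items_to_check(subtests):
    """Count subtests reported as 'fail', 'warning' or 'not tested'."""
    flagged = {"Failed", "Recommendation", "Not testable"}
    return sum(subtest_icon(s) in flagged for s in subtests)

# Constructed sample category (names and levels are illustrative only).
SAMPLE = [
    Subtest("HTTPS enabled", "REQUIRED", "pass"),
    Subtest("TLS version", "REQUIRED", "fail"),
    Subtest("cipher order", "RECOMMENDED", "not_tested"),  # parent failed
    Subtest("referrer policy", "RECOMMENDED", "fail"),
    Subtest("IPv6 reachable", "OPTIONAL", "fail"),
]

if __name__ == "__main__":
    icon = category_icon(SAMPLE)
    print(icon, "=>", SCORE_EFFECT[icon], "| items to check:", items_to_check(SAMPLE))
```

A failed OPTIONAL subtest shows the Information icon but is not counted as an item to check, which is why a category can show fewer items than it has non-green icons.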