How do our tests work?

After you enter the name of a website or email address - a domain name - .auCheck looks up information from public records.

The tests that .auCheck performs do not penetrate your systems or websites. We simply check the information that your website or email returns anyway.

What are these public records?

The internet infrastructure is full of records that allow devices to communicate and validate their authenticity. Making sure that records are correct, up-to-date and checked before sending data makes the internet a safer place.

Public records that .auCheck consults include:

  • CNAME: to check the true domain name behind an alias (email or website) domain.
  • DKIM: to check whether your email provides a digital signature to outgoing messages that guarantees a sender as the owner of an email message (RFC 6376, dated September 2011; with updates in RFC 8301 and RFC 8463)
  • A and AAAA: to check which IPv6 and IPv6 IP addresses correspond to your domain name
  • DMARC: to check what email authentication policies your mail server uses
  • CAA: to check which certificate authorities are authorised to issue certificates for your domain
  • MX: for mail servers to determine where to deliver email for a domain
  • NS: to check which DNS servers are authoritative for a domain or subdomain
  • HTTPS redirection record: to check whether an insecure HTTP connection is redirected properly to a secure connection
  • SPF: to check whether your email specifies which servers are authorised to send emails on your behalf (RFC7208)

Consult these instructions if you need to set up and create your own records.

What are the limitations of .auCheck’s tests?

Since we rely on checking these public records, .auCheck can’t check everything. We don’t penetrate your systems, website or email servers (it would be illegal!). We also don’t send emails to your server to check delivery status.

This means that security features that may sit behind your website, email account or content management system may not be picked up. And that’s fine as long as you’re certain that these security features exist and are installed correctly.

Should you fail an .auCheck test, just ask your service providers to look into it and confirm their security settings.

What’s next?

After .auCheck finishes its tests, you are directed to the results page. The results show your current status and provides a number of items you should check - or get someone to check for you. You can click through the technical details for each subtest if you’re interested.

The test report includes all available details, including the returns from the public records that we found. You can share a permalink to the test result with your service provider.

For more information see "Explanation of test report". You can use the test report to start a conversation with your service provider(s) and make improvements to your website or email security settings.