DNS / email · Check
DNSSEC not enabled — signing your zone at the registrar
Your domain has no DS records at the parent zone, so resolvers cannot cryptographically verify that DNS responses for your domain came from the authoritative nameservers you control. DNSSEC closes the door on cache-poisoning and on-path DNS spoofing attacks against your visitors.
Why it matters
Most major DNS hosts (Cloudflare, Route 53, Google Cloud DNS, Azure DNS) make DNSSEC a one-click toggle. Once you enable it on the host side, paste the published DS record at your registrar and validation comes online within a propagation window.
Real-world risk
Without DNSSEC, an attacker who can poison a recursive resolver's cache can redirect your domain's DNS responses to their own servers. Validation gives clients a cryptographic guarantee that the answer came from your authoritative nameservers.
Fix steps (in order)
- Enable DNSSEC at your DNS host: Cloudflare, Route 53, Google Cloud DNS, Azure DNS, and most modern hosts make this a single toggle.
- Copy the DS record (or the key tag, algorithm, and digest fields) the host publishes after enabling DNSSEC.
- Add the DS record at your registrar (where the domain itself was registered) so the parent zone delegates DNSSEC trust to your nameservers.
- Wait for propagation, then verify with: dig +dnssec yourdomain.com — the AD flag should be set in the response, and online checkers like dnsviz.net should show a green chain.
Topic explainer
DMARC, SPF, and DKIM explained: the email authentication trio →
A practical guide to email authentication: what SPF, DKIM, and DMARC each do, why all three are needed, and how to roll out a DMARC policy that actually blocks spoofed mail.
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (dns_dnssec_unsigned) clears once the externally-observable signal is in place.