Domain Health: The Complete Check-Up for Your Domain

Domain Health: the big picture

Managing a domain requires the coordination of multiple components: DNS, email, SSL, security headers, performance. Often these aspects are managed by different teams or individuals, and problems emerge at the intersections. The Domain Health Check is designed to provide a holistic view: it simultaneously analyzes all domain components, identifies dependencies between them, and assigns a global health score that reflects the overall configuration.

Unlike specific tools that analyze a single aspect, Domain Health detects problems that only emerge from the interaction between components. For example: an SPF record that authorizes a server no longer in the MX records, an SSL certificate that does not cover a subdomain used for email, or an HSTS header declaring a max-age of 2 years but with the SSL certificate expiring in 3 months. These cross-domain inconsistencies are the most difficult to identify with separate checks.

The five areas of analysis

$ domain-health --domain example.com

[DNS]      92/100  3 NS active, SOA ok, DNSSEC absent
[EMAIL]    88/100  MX ok, SPF ok, DKIM ok, DMARC p=quarantine
[SSL]      95/100  Grade A, TLS 1.3, 41 days to expiration
[WEB]      78/100  HSTS ok, CSP partial, no Permissions-Policy
[NETWORK]  90/100  Ping 12ms, PTR ok, not blacklisted

════════════════════════════════════════
  GLOBAL SCORE:  89/100 — GOOD
════════════════════════════════════════

Priorities: Improve CSP, enable DNSSEC, DMARC to reject

The five areas analyzed: DNS verifies nameservers, essential records, consistency, and DNSSEC. Email checks MX, SPF, DKIM, DMARC, and reverse DNS of mail servers. SSL analyzes the certificate, the chain, the TLS protocol, and ciphers. Web verifies HTTP security headers, compression, caching, and TTFB. Network tests reachability, exposed ports, and blacklists. For each area, the tool provides a partial score and recommendations ordered by priority.

How to use the report for improvement

Start with critical issues (those in red): expired SSL certificate, missing SPF, server on a blacklist. Then address warnings (yellow): DMARC not set to reject, missing security headers, weak TLS ciphers. Finally, suggestions (informational): DNSSEC, BIMI, TTL optimization. For each issue, use the specific tool for in-depth analysis: SSL Check for certificate details, DNS Health Check for DNS issues, Blacklist Check for blacklists.

Run the Domain Health Check after every significant configuration change: hosting migration, email provider change, SSL certificate update, nameserver modification. And schedule it as a regular check — at least monthly for business domains, weekly for critical domains. A gradual decline in the health score is an early warning sign of problems that, if left uncorrected, can lead to downtime or email loss.

Domain Health is also an excellent tool for competitive benchmarking: analyze your competitors' domains to compare their configuration. A competitor with DMARC p=reject, active BIMI, and preloaded HSTS projects a superior image of professionalism and security. Use the report as a roadmap to match and exceed the configuration level of your industry.