CONFIDENTIAL — AGM-SEC-2026-002 — autographman.co.uk
Independent Security Assessment

Domain & Email Security Assessment

A comprehensive security audit of autographman.co.uk covering email authentication, DNS infrastructure, web security headers, compliance alignment, and threat intelligence.

Domain: autographman.co.uk
Assessment Date: 23 February 2026
Document ID: AGM-SEC-2026-002
Scan Mode: Deep Scan
Classification: CONFIDENTIAL
01 — Overview

Executive Summary

High-level findings and risk assessment for autographman.co.uk

Critical Findings Detected

This assessment identified 17 findings across email authentication, DNS infrastructure, web security and compliance alignment for autographman.co.uk. The domain benefits from Shopify's managed infrastructure with Cloudflare CDN/WAF, TLS 1.3 and a reasonable baseline of security headers (4 of 9 scored headers present). Email security has critical gaps: no DKIM records despite using Amazon SES, an SPF record ending in ~all (softfail) rather than -all, and DMARC at p=quarantine with no rua address, so authentication failures are invisible to the domain owner. The domain registration expires in 90 days and should be renewed promptly. All DNSBL lookups returned clean, but the scanner's resolver blocked the DNSBL canary query (see section 11), so those results should be re-checked from a resolver the DNSBL operators accept before being relied on.

Total Findings: 17
Critical + High: 5
TLS Version: TLS 1.3
Certificate Expiry: 2026-05-10
Platform: Shopify

Severity breakdown: Critical 1, High 4, Medium 5, Low 4, Info 3
Quick Wins

AGM-001: Configure DKIM via Amazon SES + GoDaddy CNAME records (30min-1h)
AGM-002: Change SPF from ~all to -all (hardfail) (5min)
AGM-003: Add rua reporting to DMARC, then escalate to p=reject (5min)
AGM-010: Verify domain auto-renewal is enabled (2min)

ID | Finding | Severity | Status
AGM-001 | No DKIM Authentication | Critical | Open
AGM-002 | SPF Uses Softfail Instead of Hardfail | High | Open
AGM-003 | DMARC Not at Reject Policy and Missing Reporting | High | Open
AGM-004 | Weak Content Security Policy | High | Open
AGM-005 | SMTP STARTTLS Not Detected | High | Open
AGM-006 | HSTS Max-Age Too Short, No Preload | Medium | Open
AGM-007 | No CAA Records | Medium | Open
AGM-008 | DNSSEC Not Enabled | Medium | Open
AGM-009 | No MTA-STS Policy | Medium | Open
AGM-010 | Domain Expires in 90 Days | Medium | Open
AGM-011 | Missing Referrer-Policy Header | Low | Open
AGM-012 | Missing Permissions-Policy Header | Low | Open
AGM-013 | No security.txt File | Low | Open
AGM-014 | No TLS-RPT Record and DMARC Missing Reporting | Low | Open
AGM-015 | OG Image Uses HTTP URL | Info | Open
AGM-016 | No DANE/TLSA Records | Info | Open
AGM-017 | No BIMI Record | Info | Open
02 — Scope & Methodology

Assessment Scope

What was tested, how, and what limitations apply

In Scope

  • ✓ DNS records & configuration
  • ✓ Email authentication (SPF, DKIM, DMARC, MTA-STS, TLS-RPT, DANE)
  • ✓ HTTP security headers
  • ✓ SSL/TLS configuration
  • ✓ DNSBL / blacklist checking
  • ✓ SMTP analysis
  • ✓ OSINT & historical intelligence
  • ✓ Compliance framework alignment

Out of Scope

  • ✗ Application security testing
  • ✗ Penetration testing
  • ✗ Source code review
  • ✗ Social engineering
  • ✗ Internal network assessment
Methodology Note

This assessment was performed using publicly available information only. No intrusive testing was conducted. Scan timestamp: 2026-02-23T02:58:33Z. Mode: Deep Scan.

03 — Findings

Detailed Findings

17 findings identified, sorted by severity.

AGM-001 | Severity: Critical | Risk score: 10.0/10 (band: Critical)

No DKIM Authentication

No DKIM records were found for any of the 20 common selectors checked. Without DKIM, mail from @autographman.co.uk cannot be cryptographically verified, which makes forgery easy and, for an e-commerce site, undermines trust in order confirmations and shipping notifications. It also affects legitimate mail: unless a custom MAIL FROM domain is configured in SES, SES uses an amazonses.com bounce address, so SPF passes but does not align with the From: domain, DMARC has no aligned identifier to pass on, and the domain's own p=quarantine policy is applied to its own messages.

Evidence
Selectors checked: 20 (default, google, selector1, selector2, k1, dkim, s1, s2, mail, amazonses, etc.)
Found: 0

MX: inbound-smtp.us-west-2.amazonaws.com (Amazon SES)
SPF includes: amazonses.com
Expected: Amazon SES DKIM CNAME records
Remediation
Enable Easy DKIM in the Amazon SES console:
1. AWS SES Console → Verified Identities → autographman.co.uk
2. Authentication tab → DKIM → Generate DKIM tokens (Easy DKIM; choose the 2048-bit key length)
3. Add the three CNAME records SES displays at GoDaddy DNS:

   [token1]._domainkey.autographman.co.uk CNAME [token1].dkim.amazonses.com
   [token2]._domainkey.autographman.co.uk CNAME [token2].dkim.amazonses.com
   [token3]._domainkey.autographman.co.uk CNAME [token3].dkim.amazonses.com

SES provides the exact CNAME values when you enable DKIM and marks the identity as DKIM-verified once it can resolve all three. Confirm from outside AWS with dig CNAME on each _domainkey name, then send a test message to a mailbox you control and check for dkim=pass and dmarc=pass in its Authentication-Results header.
AGM-002 | Severity: High | Risk score: 6.4/10 (band: High)

SPF Uses Softfail Instead of Hardfail

The SPF record ends in ~all (softfail) rather than -all (fail). A softfail tells receivers that mail from an unlisted source is probably unauthorised but leaves the decision to them, so many accept it with only a spam-score adjustment. Under DMARC both softfail and fail count as an SPF non-pass, so for receivers that evaluate DMARC the qualifier makes little difference; -all matters for receivers that act on SPF alone, and it is the baseline the compliance checks in section 05 expect.

Evidence
Current SPF: v=spf1 include:amazonses.com ~all
Qualifier: softfail

Recommended: v=spf1 include:amazonses.com -all (hardfail)
Remediation
Update SPF record at GoDaddy DNS:

v=spf1 include:amazonses.com -all

Change ~all to -all only once every legitimate sending source is listed. The record currently authorises Amazon SES alone. Shopify sends customer notifications from its own mail infrastructure rather than through your SES account, so if the store's sender address is @autographman.co.uk, Shopify's documented SPF include and DKIM CNAME records must be in place first or those notifications will start failing. Keep the DNS lookup count under 10 (it is 1 today); each include, a, mx, ptr, exists and redirect term costs one.
AGM-003 | Severity: High | Risk score: 4.8/10 (band: High)

DMARC Not at Reject Policy and Missing Reporting

DMARC is configured at p=quarantine with pct=100, which is real enforcement, but not yet the recommended p=reject. The larger problem is that no rua address is configured, so no aggregate reports are received and there is no visibility into which sources are failing authentication. The fo=1 tag is also inert: it only controls forensic (ruf) reports, and no ruf address is set either.

Evidence
Current DMARC: v=DMARC1;p=quarantine;pct=100;fo=1
Policy: quarantine
Reporting (rua): NOT CONFIGURED

Missing: rua=mailto:... for aggregate reports
Remediation
Update the DMARC record at GoDaddy DNS in two phases:

Phase 1 (immediate, add reporting):
  _dmarc TXT "v=DMARC1; p=quarantine; pct=100; fo=1; rua=mailto:dmarc@autographman.co.uk"

Phase 2 (after DKIM is configured and the reports confirm alignment, typically 2-4 weeks):
  _dmarc TXT "v=DMARC1; p=reject; pct=100; fo=1; rua=mailto:dmarc@autographman.co.uk"

Because the rua mailbox is in the same domain, no external-destination authorisation record is needed; make sure the mailbox exists and accepts XML attachments. Do not move to p=reject before DKIM is live: forwarded mail loses SPF alignment, and without DKIM it would then be rejected outright. A free DMARC report processor such as Postmark's DMARC tool or dmarcian's can parse the aggregate reports.
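The checks behind AGM-002, AGM-003 and AGM-014 can be reproduced offline. The script below is an added example written for this page, not the assessment tool's code; it parses the two records quoted above (embedded as constants, so no DNS is queried) and reports the same gaps, including the inert fo=1 tag. The 10-lookup limit and qualifier meanings come from RFC 7208; the wording of the findings is illustrative.

```python
"""SPF and DMARC record checks behind AGM-002, AGM-003 and AGM-014.

Added example, not the assessment tool's code. The two records are the ones
quoted in the report, embedded as constants; no DNS queries are made.
"""
import re

SPF_RECORD = "v=spf1 include:amazonses.com ~all"           # from the report
DMARC_RECORD = "v=DMARC1;p=quarantine;pct=100;fo=1"        # from the report

# Terms that each consume one of the 10 DNS lookups RFC 7208 s4.6.4 allows.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record: str) -> dict:
    """Return the mechanism list, the qualifier on 'all' and the lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        qual = "+"                       # RFC 7208: a missing qualifier means '+'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name = re.split(r"[:=/]", term, maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = QUALIFIERS[qual]
        mechanisms.append((qual, term))
    return {"mechanisms": mechanisms, "lookups": lookups, "all": all_qualifier}


def parse_dmarc(record: str) -> dict:
    """Split the 'tag=value' pairs; DMARC uses ';' separators with optional spaces."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit(spf: str, dmarc: str) -> list:
    """Return the gaps a reviewer would raise, in the report's wording."""
    findings = []
    s = parse_spf(spf)
    if s["all"] != "fail":
        findings.append(f"SPF ends in {s['all']}; use -all")
    if s["lookups"] > 10:
        findings.append(f"SPF needs {s['lookups']} DNS lookups (limit 10): permerror")
    d = parse_dmarc(dmarc)
    if d.get("p") != "reject":
        findings.append(f"DMARC policy is p={d.get('p')}; target is p=reject")
    if "rua" not in d:
        findings.append("DMARC has no rua= address; no aggregate reports")
    if "fo" in d and "ruf" not in d:
        findings.append("DMARC sets fo= without ruf=; fo has no effect")
    if d.get("pct", "100") != "100":
        findings.append(f"DMARC pct={d['pct']}: policy applies to a sample only")
    return findings
```

Running audit() on the Phase 2 record above still returns one item, the fo= without ruf= note: harmless, but worth dropping from the record if forensic reports are never going to be collected.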
AGM-004 | Severity: High | Risk score: 3.6/10 (band: Medium)

Weak Content Security Policy

The CSP header carries useful directives (block-all-mixed-content, frame-ancestors 'none', upgrade-insecure-requests) but none of the fetch directives that restrict where scripts and resources may load from: default-src, script-src, style-src, img-src, connect-src. As it stands the policy prevents framing and mixed content but does nothing against injected scripts. Note that block-all-mixed-content is deprecated and redundant alongside upgrade-insecure-requests.

Evidence
Content-Security-Policy: block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests;

Missing directives: default-src, script-src, style-src, img-src, connect-src

Note: Shopify manages CSP at the platform level — customisation may be limited
Remediation
Shopify controls the CSP header for storefronts. Options:
1. Check Shopify's CSP configuration options in theme settings
2. Use Shopify's Content Security Policy app if available
3. The current CSP is better than many: frame-ancestors 'none' (backed by X-Frame-Options: DENY) prevents clickjacking entirely
4. Full CSP control would require injecting headers at an edge the owner controls. The Cloudflare in front of this site is Shopify's own edge, not a zone owned by the domain owner (the nameservers are GoDaddy's and the A record points straight at Shopify), so Cloudflare Workers are not an option without moving DNS to Cloudflare and proxying the storefront, which Shopify advises against

Note: Shopify's architecture makes a strict CSP challenging because of third-party scripts for analytics, payment processing and app integrations. If a script-src is ever added, roll it out first as Content-Security-Policy-Report-Only and review the violation reports before enforcing.
AGM-005 | Severity: High | Risk score: 3.2/10 (band: Medium)

SMTP STARTTLS Not Detected

The SMTP session with the MX server (Amazon SES inbound) did not show STARTTLS in the captured EHLO response. Without STARTTLS, inbound email would travel unencrypted. Section 12 shows that only the first line of the EHLO reply was captured, so this is most likely a truncated read rather than a genuine lack of TLS: SES inbound endpoints advertise STARTTLS.

Evidence
MX: inbound-smtp.us-west-2.amazonaws.com (priority 10)
Banner: 220 inbound-smtp.us-west-2.amazonaws.com ESMTP Amazon SES
STARTTLS: false
PTR: ec2-35-161-157-106.us-west-2.compute.amazonaws.com

Note: Amazon SES typically supports STARTTLS. The scan may not have received the full EHLO capabilities.
Remediation
1. Verify STARTTLS manually from a host that is allowed to open outbound port-25 connections (many cloud and consumer networks block them): openssl s_client -starttls smtp -connect inbound-smtp.us-west-2.amazonaws.com:25
2. Amazon SES inbound endpoints support STARTTLS, so if the handshake succeeds this finding is a scan limitation and can be closed
3. Only then consider MTA-STS (AGM-009) to enforce TLS for inbound mail; publishing an enforce-mode policy for an MX that really lacked STARTTLS would make compliant senders refuse to deliver
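How to tell a truncated EHLO read from a real absence of STARTTLS, as an added example that is not the scanner's code: the first constructed reply reproduces what section 12 captured (the greeting line only); the second is a complete multi-line 250 reply of the kind an SES inbound endpoint sends, with an extension list assumed for illustration. The rule applied is RFC 5321's: the reply is not complete until a line with a space (not a hyphen) after the 250 code has been seen, and an absent keyword before that point proves nothing.

```python
"""Decide whether an SMTP server advertises STARTTLS from its EHLO reply.

Added example, not the scanner's code. Both replies are constructed: the
first mimics the report's capture (greeting line only), the second is a
complete multi-line 250 reply as described in RFC 5321 section 4.1.1.1.
"""

CAPTURED_PARTIAL = "250-inbound-smtp.us-west-2.amazonaws.com\r\n"

CAPTURED_FULL = (
    "250-inbound-smtp.us-west-2.amazonaws.com\r\n"
    "250-8BITMIME\r\n"
    "250-SIZE 41943040\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)


def parse_ehlo(reply: str) -> dict:
    """Return the advertised extensions and whether the reply was complete.

    Lines of a multi-line reply read '250-...'; the last line reads '250 ...'.
    If no final line was seen, the capture is incomplete and a missing
    STARTTLS keyword must not be reported as 'not supported'.
    """
    extensions, complete, greeting = {}, False, None
    for raw in reply.splitlines():
        if len(raw) < 4 or raw[:3] != "250":
            raise ValueError(f"unexpected EHLO reply line: {raw!r}")
        sep, text = raw[3], raw[4:]
        if greeting is None:
            greeting = text  # first line is the server's domain plus optional text
        else:
            keyword, _, params = text.partition(" ")
            extensions[keyword.upper()] = params
        if sep == " ":
            complete = True
            break
        if sep != "-":
            raise ValueError(f"bad separator in: {raw!r}")
    return {"greeting": greeting, "extensions": extensions, "complete": complete}


def starttls_status(reply: str) -> str:
    """One of 'supported', 'not supported' or 'unknown (incomplete)'."""
    parsed = parse_ehlo(reply)
    if "STARTTLS" in parsed["extensions"]:
        return "supported"
    return "not supported" if parsed["complete"] else "unknown (incomplete)"
```

A scanner that reads a single line from the socket will see the first case every time; the openssl command in step 1 reads the whole reply and is the authoritative check.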
AGM-006 | Severity: Medium | Risk score: 1.6/10 (band: Low)

HSTS Max-Age Too Short, No Preload

HSTS is enabled but with a max-age of only 7,889,238 seconds (about 91 days). The HSTS preload list requires at least 31,536,000 seconds (1 year) together with the includeSubDomains and preload directives; all three are absent, so the domain cannot be submitted for preloading.

Evidence
Strict-Transport-Security: max-age=7889238

Missing: includeSubDomains
Missing: preload directive
Current max-age: ~91 days
Recommended: max-age=63072000 (2 years)
Remediation
This header is set by Shopify's platform, at a max-age shorter than preload requires. Options:
1. Contact Shopify support about increasing the HSTS max-age and adding includeSubDomains and preload
2. Overriding the header at a CDN is only possible when the domain's own DNS is proxied through a zone the owner controls; the Cloudflare edge seen here belongs to Shopify and the nameservers are GoDaddy's, so that route is not available today
3. Shopify's HSTS is adequate for most purposes; the short max-age is a minor concern. Before requesting includeSubDomains, confirm that every subdomain (including any future mta-sts.autographman.co.uk) serves valid HTTPS, because the directive applies to all of them and a preload entry is slow to reverse
AGM-007 | Severity: Medium | Risk score: 3.2/10 (band: Medium)

No CAA Records

No CAA (Certificate Authority Authorization) records exist. Any certificate authority can issue certificates for this domain. Given the domain uses both Let's Encrypt and Google Trust Services certificates, CAA should restrict to these issuers.

Evidence
dig CAA autographman.co.uk → No records

Current CAs in use:
  - Let's Encrypt (E7, E8) — Shopify-managed certs
  - Google Trust Services (WE1, WR1) — Cloudflare-managed certs
Remediation
Add CAA records at GoDaddy DNS:

  autographman.co.uk. CAA 0 issue "letsencrypt.org"
  autographman.co.uk. CAA 0 issue "pki.goog"
  autographman.co.uk. CAA 0 iodef "mailto:admin@autographman.co.uk"

CAA applies to every subdomain that has no CAA record of its own. The two issuers above are the only ones in the 50-certificate CT history, but Shopify and Cloudflare each choose the CA for the certificates they manage and can switch; check their currently documented CA lists before publishing, and watch for renewal failures afterwards, because a CA that hits a CAA mismatch simply declines to issue.
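Before publishing CAA, check that the proposed record set covers every CA that has issued for the domain. The script below is an added example, not the report's tooling: it reads issuer DNs of the kind shown in the Certificate Transparency table in section 13 (four rows copied here as constants), maps them to CAA issuer names through a small hand-maintained table (an assumption, not fetched from the CAs), and lists any CA the records would block at renewal time.

```python
"""Check that a proposed CAA set covers every CA seen in CT for the domain.

Added example, not part of the report's tooling. CT_ROWS are copied from the
report's Certificate Transparency table; CAA_IDENTIFIERS is a hand-maintained
lookup (assumed), since CAs publish their CAA names in their CPS documents.
"""

# (Common Name, Issuer DN, Not Before) rows from the report; constructed copy.
CT_ROWS = [
    ("autographman.co.uk", "C=US, O=Let's Encrypt, CN=E8", "2026-02-09T00:32:03"),
    ("www.autographman.co.uk", "C=US, O=Let's Encrypt, CN=E7", "2026-02-06T17:08:02"),
    ("autographman.co.uk", "C=US, O=Google Trust Services, CN=WE1", "2026-01-27T01:12:06"),
    ("www.autographman.co.uk", "C=US, O=Google Trust Services, CN=WR1", "2026-01-27T00:06:33"),
]

# CAA issuer-domain-names used by each CA (the CAA identifier, not a URL).
CAA_IDENTIFIERS = {
    "Let's Encrypt": "letsencrypt.org",
    "Google Trust Services": "pki.goog",
}

# (flags, tag, value) triples; the set proposed in AGM-007.
PROPOSED_CAA = [
    (0, "issue", "letsencrypt.org"),
    (0, "issue", "pki.goog"),
    (0, "iodef", "mailto:admin@autographman.co.uk"),
]


def issuer_org(dn: str) -> str:
    """Pull the O= attribute out of a comma-separated DN string."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "O":
            return value.strip()
    raise ValueError(f"no O= attribute in {dn!r}")


def issuers_in_ct(rows) -> set:
    return {issuer_org(dn) for _, dn, _ in rows}


def allowed_issuers(caa, wildcard: bool = False) -> set:
    """RFC 8659: issuewild governs wildcard names when present, else issue applies.

    A value may carry parameters after ';' ("letsencrypt.org; validationmethods=dns-01"),
    so only the part before the first ';' is the issuer name.
    """
    has_wild = any(tag == "issuewild" for _, tag, _ in caa)
    tag_wanted = "issuewild" if wildcard and has_wild else "issue"
    return {value.split(";")[0].strip() for _, tag, value in caa if tag == tag_wanted}


def coverage_gaps(rows, caa) -> list:
    """Issuers seen in CT that the CAA set would block at the next renewal."""
    gaps = []
    for org in sorted(issuers_in_ct(rows)):
        ident = CAA_IDENTIFIERS.get(org)
        if ident is None:
            gaps.append(f"{org}: no CAA identifier known, check the CA's CPS")
        elif ident not in allowed_issuers(caa):
            gaps.append(f"{org}: {ident} missing from CAA issue set")
    return gaps


def as_zone_lines(domain: str, caa) -> list:
    """Render the records in zone-file presentation format (RFC 8659)."""
    return [f'{domain}. CAA {flags} {tag} "{value}"' for flags, tag, value in caa]
```

Re-run this against a fresh CT export before every CAA change; an issuer that appears in CT but not in CAA_IDENTIFIERS is exactly the case (a platform silently switching CA) that turns a CAA record into an outage.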
AGM-008 | Severity: Medium | Risk score: 2.4/10 (band: Medium)

DNSSEC Not Enabled

DNSSEC is not configured for this domain. DNS responses can be spoofed or tampered with in transit, enabling cache poisoning and man-in-the-middle attacks.

Evidence
dig DS autographman.co.uk → No DS records
DNSSEC: disabled
Registrar DNS: ns69.domaincontrol.com / ns70.domaincontrol.com (GoDaddy)
Remediation
Enable DNSSEC via GoDaddy domain management:
1. Log into GoDaddy → My Products → DNS Management
2. Navigate to DNSSEC settings
3. Enable DNSSEC (GoDaddy generates the keys and submits the DS record to Nominet when it is both registrar and DNS host, as it is here)

Note: .co.uk domains fully support DNSSEC via Nominet. If DNS hosting is later moved away from GoDaddy, the DS record at Nominet must be replaced in the same change; otherwise every validating resolver will treat the zone as bogus and the site and mail will disappear for those users.
AGM-009 | Severity: Medium | Risk score: 2.4/10 (band: Medium)

No MTA-STS Policy

No MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) policy is published. Without it a sending MTA that is tricked into a plaintext session (a STARTTLS-stripping downgrade) or handed a bogus certificate has no way to know it should refuse, so inbound mail can be silently intercepted in transit.

Evidence
MTA-STS record: Not found
MTA-STS mode: null

MX: Amazon SES (supports TLS natively, but MTA-STS adds enforcement)
Remediation
1. Create the MTA-STS policy file, served over HTTPS at https://mta-sts.autographman.co.uk/.well-known/mta-sts.txt with a certificate valid for that hostname:

   version: STSv1
   mode: enforce
   mx: inbound-smtp.us-west-2.amazonaws.com
   max_age: 604800

2. Add the DNS record:
   _mta-sts TXT "v=STSv1; id=20260223"

Start with mode: testing alongside TLS-RPT (AGM-014) and switch to enforce only after the reports show no failures and STARTTLS on the MX has been confirmed (AGM-005). Change the id value every time the policy file changes, otherwise senders keep their cached copy until max_age runs out. The policy must be hosted on the mta-sts subdomain; Cloudflare Pages or an S3 bucket behind CloudFront will do (an S3 website endpoint on its own cannot serve HTTPS for a custom hostname).
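An added validator for the policy above, not part of the report's tooling: it parses the _mta-sts TXT record and the policy text (both embedded as constants; nothing is fetched), applies RFC 8461's rules for mode, max_age and wildcard mx matching, checks that every MX host from section 07 is covered, and refuses enforce mode while STARTTLS remains unverified (AGM-005).

```python
"""Validate an MTA-STS policy (RFC 8461) against the domain's MX set.

Added example, not part of the report's tooling. Inputs are the DNS record
and policy text proposed in AGM-009, embedded as constants; nothing is
fetched over the network.
"""
import re

DNS_RECORD = "v=STSv1; id=20260223"
POLICY_TEXT = (
    "version: STSv1\n"
    "mode: enforce\n"
    "mx: inbound-smtp.us-west-2.amazonaws.com\n"
    "max_age: 604800\n"
)
MX_HOSTS = ["inbound-smtp.us-west-2.amazonaws.com"]  # from the report's MX lookup


def parse_sts_record(txt: str) -> dict:
    """The _mta-sts TXT record is 'v=STSv1; id=<token>'; id is 1..32 alphanumerics."""
    fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    if fields.get("v") != "STSv1":
        raise ValueError("missing or wrong v= tag")
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        raise ValueError("id must be 1-32 alphanumeric characters")
    return fields


def parse_policy(text: str) -> dict:
    """Parse 'key: value' lines; 'mx' may repeat, so it is collected as a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 s3.2: a leading '*.' matches exactly one label, nothing deeper."""
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == host


def validate(record_txt: str, policy_text: str, mx_hosts: list,
             starttls_verified: bool) -> list:
    """Return the problems that would make the policy wrong or risky to publish."""
    problems = []
    parse_sts_record(record_txt)          # raises on a malformed DNS record
    policy = parse_policy(policy_text)
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if policy.get("mode") not in {"enforce", "testing", "none"}:
        problems.append(f"invalid mode {policy.get('mode')!r}")
    try:
        max_age = int(policy.get("max_age", ""))
        if not 0 <= max_age <= 31557600:   # RFC 8461: at most one year
            problems.append("max_age outside 0..31557600 seconds")
    except ValueError:
        problems.append("max_age is not an integer")
    for host in mx_hosts:
        if not any(mx_matches(pat, host.lower()) for pat in policy["mx"]):
            problems.append(f"MX {host} not covered by any mx: line")
    if policy.get("mode") == "enforce" and not starttls_verified:
        problems.append("mode enforce but STARTTLS on the MX is unverified (AGM-005)")
    return problems
```

The wildcard rule matters if the MX is ever moved to a regional SES endpoint: an mx: *.amazonaws.com line would not cover inbound-smtp.us-west-2.amazonaws.com, and compliant senders would then refuse to deliver.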
AGM-010 | Severity: Medium | Risk score: 6.0/10 (band: High)

Domain Expires in 90 Days

The domain autographman.co.uk expires on 2026-05-24, which is only 90 days away. For a trading e-commerce domain, this should be renewed well in advance to prevent accidental expiration and potential loss of the domain.

Evidence
Domain: autographman.co.uk
Created: 2016-05-24
Expires: 2026-05-24T01:37:09Z
Days to expiry: 90
Registrar: GoDaddy
Auto-renew: Check GoDaddy settings
Remediation
1. Log into GoDaddy → My Products → Domain Management
2. Verify auto-renewal is enabled for autographman.co.uk
3. RDAP shows a "client renew prohibited" status on the domain (section 16); confirm with GoDaddy that this lock does not block the automatic renewal
4. Consider renewing for multiple years to avoid annual renewal risk
5. Ensure the payment method on file is current and that renewal notices go to a monitored mailbox
AGM-011 | Severity: Low | Risk score: 1.6/10 (band: Low)

Missing Referrer-Policy Header

No Referrer-Policy header is set. Current browsers default to strict-origin-when-cross-origin, which sends only the origin on cross-site navigations, but older browsers default to no-referrer-when-downgrade and would send the full URL (product pages, search queries) to any external site a user clicks through to. Setting the policy explicitly removes the dependence on browser defaults.

Evidence
Response headers scanned — Referrer-Policy: NOT PRESENT

Expected: Referrer-Policy: strict-origin-when-cross-origin
Remediation
Shopify controls response headers at the platform level, but this policy can still be set from the theme:
1. Shopify theme liquid (meta tag in the <head> of theme.liquid): <meta name="referrer" content="strict-origin-when-cross-origin">
2. Injecting the header at a CDN would require the domain's own DNS to be proxied through a zone the owner controls; the Cloudflare edge seen here is Shopify's, so Transform Rules do not apply
AGM-012 | Severity: Low | Risk score: 0.8/10 (band: Low)

Missing Permissions-Policy Header

No Permissions-Policy header is set. Browser features like camera, microphone, geolocation, and payment APIs are not explicitly restricted.

Evidence
Response headers scanned — Permissions-Policy: NOT PRESENT
Remediation
Unlike Referrer-Policy, this header has no meta-tag equivalent, so it cannot be set from the theme, and the Cloudflare edge in front of this site is Shopify's rather than a zone the owner can add Transform Rules to. This is therefore a request to Shopify or an accepted low-severity gap. The intended value is:
Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(self)
If it is ever applied, test the full checkout afterwards: payment=(self) blocks the Payment Request API inside any third-party payment iframe.
AGM-013 | Severity: Low | Risk score: 0.8/10 (band: Low)

No security.txt File

No security.txt file exists at /.well-known/security.txt (RFC 9116). This file provides security researchers with contact information for responsible vulnerability disclosure.

Evidence
GET https://autographman.co.uk/.well-known/security.txt → Not found
Remediation
Shopify doesn't support custom files at /.well-known/ paths. Alternatives:
1. Use Shopify's custom page feature to create /pages/security with the same fields (Contact, Expires, Preferred-Languages); automated tooling only looks at /.well-known/security.txt, so this helps people rather than scanners
2. Add a security contact to the site footer
3. Serving the file at the correct path needs an edge the owner controls; the Cloudflare in front of this site is Shopify's, so a Worker is not available unless the storefront is moved behind the owner's own zone

Whatever form it takes, include an Expires field (RFC 9116 requires it and recommends a date less than a year ahead) so a stale contact is not trusted indefinitely.
AGM-014 | Severity: Low | Risk score: 0.4/10 (band: Low)

No TLS-RPT Record and DMARC Missing Reporting

No TLS-RPT record exists and, as already noted in AGM-003, DMARC has no rua address. There is therefore no visibility into TLS negotiation failures toward this domain's MX, nor into authentication failures on its mail.

Evidence
dig TXT _smtp._tls.autographman.co.uk → No record found
DMARC rua: NOT CONFIGURED
Remediation
Add DNS records at GoDaddy:

  _smtp._tls TXT "v=TLSRPTv1; rua=mailto:tlsrpt@autographman.co.uk"

and update DMARC to include rua (see AGM-003). Make sure the tlsrpt@ mailbox exists. TLS-RPT reports describe how senders applied the domain's MTA-STS (or DANE) policy, so the record pays off once AGM-009 is in place and is the safety net for moving that policy from testing to enforce.
AGM-015 | Severity: Info | Risk score: 0.4/10 (band: Low)

OG Image Uses HTTP URL

The og:image meta tag uses an HTTP URL instead of HTTPS. While og:image:secure_url is also set with HTTPS, the primary og:image tag should use HTTPS for consistency and to avoid mixed content warnings in social sharing previews.

Evidence
og:image: http://autographman.co.uk/cdn/shop/files/Autographs-social-share.jpg
og:image:secure_url: https://autographman.co.uk/cdn/shop/files/Autographs-social-share.jpg
Remediation
Update the Shopify theme to use HTTPS for the primary og:image tag. In the theme's theme.liquid or relevant section:

Change: <meta property="og:image" content="http://...">
To: <meta property="og:image" content="https://...">
AGM-016 | Severity: Info | Risk score: 0.4/10 (band: Low)

No DANE/TLSA Records

No DANE (DNS-based Authentication of Named Entities) TLSA records exist for the MX host. DANE pins the MX certificate through DNS and requires DNSSEC on the zone that holds the TLSA record. The MX here is inbound-smtp.us-west-2.amazonaws.com, so the relevant zone is amazonaws.com, which only AWS can sign and populate; enabling DNSSEC on autographman.co.uk (AGM-008) does not change that.

Evidence
dig TLSA _25._tcp.inbound-smtp.us-west-2.amazonaws.com → No records

Prerequisite: DNSSEC must be enabled before DANE can be effective
Remediation
1. Nothing to do while the MX stays on Amazon SES: DANE for that host is entirely in AWS's hands, and this finding is informational
2. DANE becomes actionable only if mail is moved to an MX under a DNSSEC-signed zone the owner controls, in which case AGM-008 is the prerequisite
AGM-017 | Severity: Info | Risk score: 0.4/10 (band: Low)

No BIMI Record

No BIMI record exists. BIMI allows displaying the Autograph Man brand logo in supporting email clients (Gmail, Apple Mail), improving brand recognition and trust for order confirmation emails.

Evidence
dig TXT default._bimi.autographman.co.uk → No record found

Prerequisite: an enforcing DMARC policy (p=quarantine with pct=100, or p=reject). The current record meets that bar, but a BIMI logo is only shown on mail that passes DMARC, which for SES-sent mail requires DKIM (AGM-001)
Remediation
Once DKIM is live and DMARC is enforced (p=quarantine with pct=100 already qualifies; p=reject is preferred):
1. Create a square logo in SVG Tiny Portable/Secure (SVG P/S) format
2. Add DNS record:
   default._bimi TXT "v=BIMI1; l=https://autographman.co.uk/bimi/logo.svg"

For maximum impact (including Gmail's verified checkmark), obtain a Verified Mark Certificate (VMC) from DigiCert or Entrust, which requires a registered trademark for the logo, and reference it from the record with an a= tag.
04 — Risk Assessment

Risk Matrix

Findings plotted by likelihood and impact

Risk Assessment Matrix (likelihood vs impact): impact scale Negligible / Minor / Moderate / Major / Severe; likelihood scale Rare / Unlikely / Possible / Likely / Almost Certain. [Chart not reproduced; the position of individual findings on the grid is not recoverable from the text.]
05 — Compliance

Compliance & Framework Assessment

Alignment against 9 industry frameworks

Id | Control | Status | Evidence
ISM-0574 | SPF specification | partial | SPF present but uses softfail (~all) instead of hardfail (-all)
ISM-1151 | SPF verification (hardfail) | fail | Using ~all (softfail); should be -all
ISM-0269 | DKIM records | fail | No DKIM selectors found (0 of 20)
ISM-1540 | DMARC configuration | pass | DMARC present: p=quarantine, pct=100, fo=1
ISM-1799 | DMARC enforcement | partial | p=quarantine (not reject), no rua reporting
ISM-0569 | Email gateway routing | pass | MX points to Amazon SES inbound SMTP
ISM-1552 | HTTPS-only | pass | HSTS enabled, CSP upgrade-insecure-requests
ISM-1139 | TLS configuration | pass | TLS 1.3 with AES-256 and PFS
ISM-1369 | TLS forward secrecy | pass | PFS enabled (TLS 1.3 implies PFS)
ISM-1706 | DNSSEC | fail | No DS records found
ISM-1485 | Security headers | partial | 4 of 9 scored headers present (44%)
ISM-0659 | Content filtering | partial | No CAA records; CSP present but incomplete; Cloudflare WAF active
ISM-1157 | Gateway security | pass | Cloudflare WAF and CDN active
Control | Status | Evidence
INFOSEC-3: Email authentication | partial | SPF softfail, DKIM absent, DMARC quarantine (no reporting)
INFOSEC-4: Web security | partial | HSTS, TLS 1.3, Cloudflare WAF, but incomplete CSP and missing headers
INFOSEC-10: Essential Eight alignment | partial | 2 controls at ML3, 2 at ML1; better than average
Control | Status | Evidence
9.2: DNS filtering/security | fail | No DNSSEC, no CAA records
9.5: DMARC enforcement | partial | DMARC at quarantine, not reject
3.10: TLS configuration | pass | TLS 1.3 with AES-256, PFS, Cloudflare CDN
12.1: DNS infrastructure | partial | GoDaddy managed NS, no DNSSEC, no CAA, consistent propagation

Overall CSF Score: 40% (12/30)

Function | Score
Govern | 2/5
Identify | 3/5
Protect | 3/5
Detect | 1/5
Respond | 1/5
Recover | 2/5
Control | Status | Evidence
PCI DSS 4.2.1: Strong cryptography | pass | TLS 1.3 with AES-256
PCI DSS 6.4.1: Public-facing web app protections | pass | Cloudflare WAF active, CSP with frame-ancestors 'none'
PCI DSS 11.3.1: Vulnerability management | partial | Shopify managed platform; no security.txt for disclosure
Control | Status | Evidence
Firewalls | pass | Cloudflare WAF active with CDN edge protection
Secure Configuration | partial | 4 of 7 key security headers present; missing Referrer-Policy, Permissions-Policy
Security Update Management | pass | Shopify fully managed SaaS; automatic updates
Access Control | Requires Internal Assessment | Cannot assess from external scan
Malware Protection | Requires Internal Assessment | Cannot assess from external scan
Control | Status | Evidence
A05:2021 Security Misconfiguration | partial | Good header coverage (4/9); weak CSP; missing Referrer-Policy, Permissions-Policy
A02:2021 Cryptographic Failures | pass | TLS 1.3, AES-256, PFS, valid certificate
A07:2021 Identification and Authentication Failures | fail | No DKIM; email authentication incomplete
Control | Status | Evidence
A.8.24: Use of cryptography | pass | TLS 1.3 with AES-256 and PFS
A.8.20: Network security | partial | HSTS and Cloudflare WAF; DNSSEC missing
A.5.14: Information transfer | partial | DMARC quarantine in place but DKIM missing, SPF softfail
06 — Email Authentication

Email Security Deep Dive

SPF, DKIM, DMARC, MTA-STS, TLS-RPT, DANE, and BIMI analysis

Protocol | Status | Details
SPF | Found | v=spf1 include:amazonses.com ~all (qualifier: softfail)
DKIM | Not Found | Checked 20 selectors
DMARC | Found | v=DMARC1;p=quarantine;pct=100;fo=1 (policy: quarantine)
MTA-STS | Missing | No MTA-STS policy
TLS-RPT | Missing | No TLS-RPT record
DANE/TLSA | Not Found | No TLSA records
BIMI | Not Found | No BIMI record

SPF Mechanism Analysis

Total Mechanisms: 2 (include:amazonses.com, ~all)
DNS Lookups: 1/10 (OK)
Includes: 1
Qualifier: ~all (softfail, permissive)
07 — DNS & Domain

DNS & Domain Infrastructure

Nameservers, records, and DNSSEC status

Record Type | Value
NS | ns69.domaincontrol.com, ns70.domaincontrol.com
MX | 10 inbound-smtp.us-west-2.amazonaws.com
A | 23.227.38.65
AAAA | 2620:127:f00f:5::
SOA | ns69.domaincontrol.com dns.jomax.net 2024071703
CAA | none
DNSSEC | Not Enabled

Infrastructure Geolocation

IP | Location | ISP / Org
23.227.38.65 | Ottawa, Canada | Cloudflare, Inc.
08 — DNS Quality

DNS Quality Metrics

Nameserver diversity, propagation, and configuration health

Nameservers: 2
NS Providers: 1
SOA Serial Age: 586d
Wildcard DNS: No

DNS Propagation Check

Consistent

DNS resolution is consistent across global resolvers.

Resolver | Results
Google (8.8.8.8) | 23.227.38.65
Cloudflare (1.1.1.1) | 23.227.38.65
Quad9 (9.9.9.9) | 23.227.38.65
OpenDNS (208.67.222.222) | 23.227.38.65

TTL Values

Record Type | TTL (seconds)
A | 1799
MX | 1215
NS | 1215
09 — Security Headers

HTTP Security Headers

Analysis of security-related HTTP response headers

Grade: D (4 of 9 scored security headers present, 44%)

Header | Status | Value
Strict-Transport-Security | Present | max-age=7889238
Content-Security-Policy | Present | block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests;
X-Frame-Options | Present | DENY
X-Content-Type-Options | Present | nosniff
Referrer-Policy | Missing |
Permissions-Policy | Missing |
X-XSS-Protection | Present | 1; mode=block (legacy header ignored by current browsers; not counted in the score)
Cross-Origin-Opener-Policy | Missing |
Cross-Origin-Resource-Policy | Missing |
Cross-Origin-Embedder-Policy | Missing |
Cache-Control | Missing | (informational, not scored)
Server | Present | cloudflare (informational, not scored)
10 — Web Security

Cookie, CORS & Web Security

Cookie flags, CORS policy, mixed content, and CSP analysis

Cookies

Cookie | Secure | HttpOnly | SameSite
localization | Yes | Yes | Lax

CORS Policy

Access-Control-Allow-Origin: Not set

CSP Analysis

Content-Security-Policy
{
  "directives": [
    "block-all-mixed-content",
    "frame-ancestors 'none'",
    "upgrade-insecure-requests"
  ],
  "raw": "block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests;",
  "missingDirectives": [
    "default-src",
    "script-src",
    "style-src",
    "img-src",
    "connect-src"
  ]
}
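The HSTS and CSP checks from sections 09 and 10 (findings AGM-006 and AGM-004), as an added example rather than the scanner's code. The header values are copied from the tables above and embedded as constants; the preload thresholds are the ones hstspreload.org publishes (max-age of at least one year, includeSubDomains and preload all present).

```python
"""Evaluate the HSTS and CSP values captured in sections 09 and 10.

Added example; not the scanner's own code. Header values are copied from the
report; PRELOAD_MIN_AGE is the one-year minimum published by hstspreload.org.
"""

CAPTURED_HEADERS = {  # constructed from the report's header table
    "Strict-Transport-Security": "max-age=7889238",
    "Content-Security-Policy": "block-all-mixed-content; frame-ancestors 'none'; upgrade-insecure-requests;",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Server": "cloudflare",
}

# Fetch directives the report expects; each falls back to default-src when absent.
FETCH_DIRECTIVES = ["default-src", "script-src", "style-src", "img-src", "connect-src"]
PRELOAD_MIN_AGE = 31536000


def parse_hsts(value: str) -> dict:
    """RFC 6797 directive list: 'max-age=N' plus optional flags, case-insensitive names."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            result["max_age"] = int(arg.strip().strip('"'))
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_assessment(value: str) -> dict:
    """Add the derived values the report quotes: days of protection, preload eligibility."""
    h = parse_hsts(value)
    days = h["max_age"] // 86400 if h["max_age"] is not None else None
    eligible = bool(h["max_age"] and h["max_age"] >= PRELOAD_MIN_AGE
                    and h["include_subdomains"] and h["preload"])
    return {"max_age_days": days, "preload_eligible": eligible, **h}


def parse_csp(value: str) -> dict:
    """Directives are ';'-separated; the first token names the directive, the rest are sources."""
    csp = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens:
            csp[tokens[0].lower()] = tokens[1:]
    return csp


def csp_gaps(value: str) -> list:
    """Fetch directives that leave loading unrestricted.

    With a default-src present, unlisted fetch directives inherit it, so there is
    no unrestricted loading; without one, every missing directive is a gap.
    """
    csp = parse_csp(value)
    if "default-src" in csp:
        return []
    return [d for d in FETCH_DIRECTIVES if d not in csp]
```

The same parse_csp() output is what a reviewer would diff against a Report-Only policy when Shopify support does offer a stricter header: the directives present here stay, and only the fetch directives change.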
11 — Reputation

Blacklist & Email Reputation

DNSBL and domain reputation checks

DNSBL Canary Blocked

The resolver used for the scan did not return the expected listing for the DNSBL canary (normally the RFC 5782 test entry 127.0.0.2), which means the resolver, not the blocklists, answered the queries. The "Clean" results below are therefore unreliable and should be re-run from a resolver the DNSBL operators accept; Spamhaus in particular refuses queries that arrive via public resolvers such as 8.8.8.8 or 1.1.1.1.

IP Blacklist Checks

DNSBL | Status
zen.spamhaus.org | Clean
bl.spamcop.net | Clean
b.barracudacentral.org | Clean
dnsbl.sorbs.net | Clean
cbl.abuseat.org | Clean

Domain Blacklist Checks

DNSBL | Status
dbl.spamhaus.org | Clean
multi.uribl.com | Clean
multi.surbl.org | Clean
black.uribl.com | Clean
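What the canary warning above means in practice, as an added example that is not the scanner's code: RFC 5782 requires every DNSBL to list the test address 127.0.0.2, so a lookup that does not come back listed means the resolver answered instead of the list, and every "Clean" from that resolver is void; Spamhaus additionally returns 127.255.255.254 for queries relayed through public resolvers. The resolver behaviour below is constructed for two scenarios and no DNS queries are made.

```python
"""Interpret DNSBL answers, including the canary test the report says failed.

Added example, not the scanner's code. No DNS queries are made: the lookup
tables below are constructed to show a healthy resolver and the blocked case
that makes every 'Clean' result meaningless. Spamhaus return codes are the
documented ones; other lists answer in 127.0.0.0/8 when an address is listed.
"""

SPAMHAUS_ERRORS = {
    "127.255.255.252": "typing error in the DNSBL name",
    "127.255.255.254": "query refused: sent via a public/open resolver",
    "127.255.255.255": "query refused: excessive query volume",
}


def reverse_ip(ip: str) -> str:
    """DNSBL query label: octets reversed, e.g. 52.43.162.244 -> 244.162.43.52."""
    return ".".join(reversed(ip.split(".")))


def interpret(zone: str, answers: list) -> str:
    """Classify the A-record answer set of one DNSBL lookup."""
    if not answers:
        return "clean"
    for answer in answers:
        if zone.endswith("spamhaus.org") and answer in SPAMHAUS_ERRORS:
            return f"error: {SPAMHAUS_ERRORS[answer]}"
        if not answer.startswith("127."):
            return f"error: unexpected answer {answer} (resolver rewriting?)"
    return "listed"


def canary_ok(zone: str, lookup) -> bool:
    """RFC 5782 s5: every DNSBL must list 127.0.0.2; if it does not, trust nothing."""
    return interpret(zone, lookup(f"{reverse_ip('127.0.0.2')}.{zone}")) == "listed"


def check_ip(ip: str, zones: list, lookup) -> dict:
    """Run the canary per zone first; a failed canary marks that zone's result unreliable."""
    results = {}
    for zone in zones:
        if not canary_ok(zone, lookup):
            results[zone] = "unreliable (canary not listed)"
            continue
        results[zone] = interpret(zone, lookup(f"{reverse_ip(ip)}.{zone}"))
    return results


# Constructed resolver behaviour (query name -> A answers) for two scenarios.
HEALTHY = {
    "2.0.0.127.zen.spamhaus.org": ["127.0.0.2", "127.0.0.4", "127.0.0.10"],
    "2.0.0.127.bl.spamcop.net": ["127.0.0.2"],
}
BLOCKED = {
    "2.0.0.127.zen.spamhaus.org": ["127.255.255.254"],
    "2.0.0.127.bl.spamcop.net": [],
}


def make_lookup(table: dict):
    """Stand-in for a DNS A lookup; unknown names resolve to no answers (NXDOMAIN)."""
    return lambda name: table.get(name, [])
```

In the blocked scenario the MX address used as input, 52.43.162.244 from the PTR in section 12, comes back "unreliable" for both lists even though a naive scanner would have printed "Clean" twice.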
12 — SMTP

SMTP Analysis

Mail server banner, capabilities, and encryption

Check | Result
Banner | 220 inbound-smtp.us-west-2.amazonaws.com ESMTP Amazon SES Rf3xyL02r910lJBaYbGt
EHLO Capabilities | inbound-smtp.us-west-2.amazonaws.com (only the first line of the 250 reply was captured; no extension keywords)
STARTTLS | Not Supported (not seen in the truncated EHLO reply; see AGM-005 for the manual check)
PTR Record | ec2-52-43-162-244.us-west-2.compute.amazonaws.com
13 — OSINT

OSINT & Historical Intelligence

Certificate transparency, archived snapshots, and subdomain enumeration

Certificate Transparency Logs

Common Name | Issuer | Not Before
autographman.co.uk | C=US, O=Let's Encrypt, CN=E8 | 2026-02-09T00:32:03
autographman.co.uk | C=US, O=Let's Encrypt, CN=E8 | 2026-02-09T00:32:03
www.autographman.co.uk | C=US, O=Let's Encrypt, CN=E7 | 2026-02-06T17:08:02
www.autographman.co.uk | C=US, O=Let's Encrypt, CN=E7 | 2026-02-06T17:08:02
autographman.co.uk | C=US, O=Google Trust Services, CN=WE1 | 2026-01-27T01:12:06
autographman.co.uk | C=US, O=Google Trust Services, CN=WE1 | 2026-01-27T01:12:06
autographman.co.uk | C=US, O=Google Trust Services, CN=WR1 | 2026-01-27T01:11:51
www.autographman.co.uk | C=US, O=Google Trust Services, CN=WE1 | 2026-01-27T00:07:26
www.autographman.co.uk | C=US, O=Google Trust Services, CN=WE1 | 2026-01-27T00:07:26
www.autographman.co.uk | C=US, O=Google Trust Services, CN=WR1 | 2026-01-27T00:06:33
autographman.co.uk | C=US, O=Let's Encrypt, CN=E8 | 2025-12-10T19:48:33
autographman.co.uk | C=US, O=Let's Encrypt, CN=E8 | 2025-12-10T19:48:33
www.autographman.co.uk | C=US, O=Let's Encrypt, CN=E8 | 2025-12-09T03:19:04
www.autographman.co.uk | C=US, O=Let's Encrypt, CN=E8 | 2025-12-09T03:19:04
autographman.co.uk | C=US, O=Google Trust Services, CN=WE1 | 2025-11-29T00:58:51
autographman.co.uk | C=US, O=Google Trust Services, CN=WE1 | 2025-11-29T00:58:51
autographman.co.uk | C=US, O=Google Trust Services, CN=WR1 | 2025-11-29T00:58:35
www.autographman.co.uk | C=US, O=Google Trust Services, CN=WE1 | 2025-11-28T22:11:28
www.autographman.co.uk | C=US, O=Google Trust Services, CN=WE1 | 2025-11-28T22:11:28
www.autographman.co.uk | C=US, O=Google Trust Services, CN=WR1 | 2025-11-28T22:11:17

(Entries that repeat with the same issuer and timestamp are most likely the precertificate and the final certificate logged for one issuance.)

Showing 20 of 50 certificates

Wayback Machine History

Typosquatting & Similar Domains

Common misspellings and confusable domain variants that could be used for phishing or brand impersonation. These should be monitored or defensively registered.

101 variants generated: 12 TLD variant, 5 homoglyph, 11 transposed, 43 adjacent key, 12 missing letter, 12 doubled letter, 6 hyphenation

Variant | Class
autographman.com | TLD variant
аutographman.co.uk | Homoglyph (first 'a' is a Cyrillic look-alike)
uatographman.co.uk | Transposed
sutographman.co.uk | Adjacent key
utographman.co.uk | Missing letter
aautographman.co.uk | Doubled letter
au-tographman.co.uk | Hyphenation
autographman.net | TLD variant
autоgraphman.co.uk | Homoglyph ('o' is a Cyrillic look-alike)
atuographman.co.uk | Transposed
qutographman.co.uk | Adjacent key
atographman.co.uk | Missing letter
auutographman.co.uk | Doubled letter
aut-ographman.co.uk | Hyphenation
autographman.org | TLD variant
autogrаphman.co.uk | Homoglyph (second 'a' is a Cyrillic look-alike)
auotgraphman.co.uk | Transposed
wutographman.co.uk | Adjacent key
auographman.co.uk | Missing letter
auttographman.co.uk | Doubled letter
auto-graphman.co.uk | Hyphenation
autographman.io | TLD variant
autograрhman.co.uk | Homoglyph ('p' is a Cyrillic look-alike)
autgoraphman.co.uk | Transposed

Showing 24 of 101 variants (highest-threat first)
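Generating the variant classes above for one domain, as an added example that is not the report's generator. The homoglyph and keyboard-neighbour tables are small hand-picked subsets, so the counts for those two classes differ from the report's; the transposition, missing-letter and doubled-letter classes are pure permutations and reproduce the report's 11, 12 and 12. The TLD list is an assumption.

```python
"""Generate the typosquat variant classes listed in the report for one domain.

Added example, not the report's generator. HOMOGLYPHS, QWERTY_NEIGHBOURS and
TLDS are small hand-picked tables (assumptions); only the permutation classes
are exhaustive.
"""

HOMOGLYPHS = {"a": "\u0430", "o": "\u043e", "p": "\u0440", "e": "\u0435", "c": "\u0441"}  # Cyrillic
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "wedxza",
    "d": "erfcxs", "f": "rtgvcd", "g": "tyhbvf", "h": "yujnbg", "j": "uikmnh",
    "k": "iolmj", "l": "opk", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}
TLDS = ["com", "net", "org", "io", "uk", "co", "shop", "store", "info", "biz", "eu", "me"]


def split_domain(domain: str):
    """'autographman.co.uk' -> ('autographman', 'co.uk'); assumes one label before the suffix."""
    label, _, suffix = domain.partition(".")
    return label, suffix


def variants(domain: str) -> dict:
    """Return a set of candidate domains per class, keyed by the report's class names."""
    label, suffix = split_domain(domain)
    out = {
        "tld": {f"{label}.{tld}" for tld in TLDS if tld != suffix},
        "homoglyph": set(), "transposed": set(), "adjacent": set(),
        "missing": set(), "doubled": set(), "hyphenation": set(),
    }
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:                       # one look-alike substitution at a time
            out["homoglyph"].add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
        for neighbour in QWERTY_NEIGHBOURS.get(ch, ""):
            out["adjacent"].add(label[:i] + neighbour + label[i + 1:])
        out["missing"].add(label[:i] + label[i + 1:])
        out["doubled"].add(label[:i] + ch + label[i:])
        if i > 0:
            out["hyphenation"].add(label[:i] + "-" + label[i:])
        if i + 1 < len(label) and label[i] != label[i + 1]:
            out["transposed"].add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    return {k: (v if k == "tld" else {f"{name}.{suffix}" for name in v})
            for k, v in out.items()}
```

Feed the union of these sets into a registration check (RDAP or a WHOIS lookup) and into certificate-transparency monitoring; a variant that suddenly acquires a certificate is a stronger phishing signal than a bare registration.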

Discovered Subdomains (3)

Subdomain | Note
*.autographman.co.uk | wildcard name, most likely taken from a certificate SAN
sni.cloudflaressl.com | not a subdomain of the target: a SAN on a Cloudflare shared certificate that also covered the domain, picked up from CT
www.autographman.co.uk |
14 — Technology

Technology Stack

Detected platform, CDN, WAF, and server details

Response Time: 248ms (Fast)
DNS Lookup: 7ms
Server Processing: 241ms

Component | Details
Platform | Shopify
CDN | Cloudflare
WAF | Cloudflare
Server | cloudflare
TLS Version | TLS 1.3
Cipher Suite | AES-256 (in TLS 1.3 this is TLS_AES_256_GCM_SHA384, the only AES-256 suite the protocol defines)
SSL Expiry | 2026-05-10
Perfect Forward Secrecy | Yes (every TLS 1.3 key exchange is ephemeral)
15 — Hosting

Hosting & Infrastructure

Hosting provider, server software, CMS detection, and certificate history

Component | Details
Hosting Provider | Cloudflare
ASN Organization | Shopify, Inc.
CMS Detected | Shopify

Certificate Issuer History

Issuer | Certificates | First Seen | Last Seen
(issuer name not captured) | 50 | 2025-09-30T20:33:51 | 2025-11-29T00:58:35
16 — WHOIS & Domain Intel

WHOIS & Domain Intelligence

Domain registration, expiry, registrant contacts, and TLD-specific status analysis via RDAP

Domain Age: 9y 9m
Until Expiry: 90d
Status Codes: 4
Registration timeline: registered 2016-05-24, expires 2026-05-24; 98% of the current registration period had elapsed at the assessment date (2026-02-23)

Domain Profile

Field | Value
Registrar | GODADDY
TLD | .co.uk
Registered | 2016-05-24 (9y 9m ago)
Expires | 2026-05-24 (90 days remaining)
Registrant Privacy | No (public registration); Nominet nevertheless redacts registrant contact details in RDAP, as the contact row below shows
RDAP Source | https://rdap.org/domain/autographman.co.uk

Contact Information

Role | Name | Organisation | Country | Email
Registrant | (not returned) | (not returned) | (not returned) | redacted@nominet.uk

Domain Status Codes

Status Code | Interpretation | Severity
client transfer prohibited | Nominet registrar lock (standard .uk default) | info
client delete prohibited | Registrar-set delete protection | info
client update prohibited | Registrar-set update lock | info
client renew prohibited | Registrar-set renewal lock | warning (confirm with GoDaddy that it does not block auto-renewal; see AGM-010)
.co.uk — Nominet Governed
Governed by Nominet UK. UK-based dispute resolution via DRS (Dispute Resolution Service). clientTransferProhibited and serverTransferProhibited are standard Nominet defaults.

RDAP Nameservers

ns69.domaincontrol.com.
ns70.domaincontrol.com.
17 — SEO & Visibility

SEO & Visibility

Meta tags, Open Graph, structured data, and sitemap analysis

Check | Status | Details
Title Tag | Found | Autograph Man - The World's Autograph Marketplace – autographman (74 chars, over the recommended 60)
Meta Description | Found | All things Autographs. The World's leading market place for autographs of celebrity and people o... (112 chars)
Canonical URL | Found | https://autographman.co.uk/
Viewport Meta | Found | Present
JSON-LD Structured Data | Found | Present
Twitter Card | Found | summary_large_image
Sitemap | Found | Accessible (4 URLs)

Open Graph Tags

Property | Value
og:image | http://autographman.co.uk/cdn/shop/files/Autographs-social-share.jpg?v=1713147126
og:image:height | 600
og:image:secure_url | https://autographman.co.uk/cdn/shop/files/Autographs-social-share.jpg?v=1713147126
og:url | https://autographman.co.uk/
og:title | Autograph Man - The World's Autograph Marketplace
og:image:width | 1200
og:description | All things Autographs. The World's leading market place for autographs of celebrity and people of notoriety.
og:type | website
og:site_name | autographman

Social Share Previews

The rendered previews for iMessage / link preview, Twitter / X and Facebook all draw on the og:title, og:description and og:image values above: the iMessage preview shows the title and domain only, while the Twitter / X and Facebook cards also show the description.

robots.txt Directives (162). This is Shopify's standard generated robots.txt; note that the /59201421390/checkouts and /59201421390/orders paths disclose the numeric Shopify store ID.

Parsed Directives
User-agent: *
Disallow: /a/downloads/-/*
Disallow: /admin
Disallow: /cart
Disallow: /orders
Disallow: /checkouts/
Disallow: /checkout
Disallow: /59201421390/checkouts
Disallow: /59201421390/orders
Disallow: /carts
Disallow: /account
Disallow: /collections/*sort_by*
Disallow: /*/collections/*sort_by*
Disallow: /collections/*+*
Disallow: /collections/*%2B*
Disallow: /collections/*%2b*
Disallow: /*/collections/*+*
Disallow: /*/collections/*%2B*
Disallow: /*/collections/*%2b*
Disallow: */collections/*filter*&*filter*
Disallow: /blogs/*+*
Disallow: /blogs/*%2B*
Disallow: /blogs/*%2b*
Disallow: /*/blogs/*+*
Disallow: /*/blogs/*%2B*
Disallow: /*/blogs/*%2b*
Disallow: /*?*oseid=*
Disallow: /*preview_theme_id*
Disallow: /*preview_script_id*
Disallow: /policies/
Disallow: /*/policies/
Disallow: /*/*?*ls=*&ls=*
Disallow: /*/*?*ls%3D*%3Fls%3D*
Disallow: /*/*?*ls%3d*%3fls%3d*
Disallow: /search
Disallow: /sf_private_access_tokens
Disallow: /apple-app-site-association
Disallow: /.well-known/shopify/monorail
Disallow: /cdn/wpm/*.js
Disallow: /recommendations/products
Disallow: /*/recommendations/products
Disallow: /products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Sitemap: https://autographman.co.uk/sitemap.xml
User-agent: adsbot-google
Disallow: /checkouts/
Disallow: /checkout
Disallow: /carts
Disallow: /orders
Disallow: /59201421390/checkouts
Disallow: /59201421390/orders
Disallow: /*?*oseid=*
Disallow: /*preview_theme_id*
Disallow: /*preview_script_id*
Disallow: /cdn/wpm/*.js
Disallow: /products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /sf_private_access_tokens
User-agent: Nutch
Disallow: /
User-agent: AhrefsBot
Crawl-delay: 10
Disallow: /a/downloads/-/*
Disallow: /admin
Disallow: /cart
Disallow: /orders
Disallow: /checkouts/
Disallow: /checkout
Disallow: /59201421390/checkouts
Disallow: /59201421390/orders
Disallow: /carts
Disallow: /account
Disallow: /collections/*sort_by*
Disallow: /*/collections/*sort_by*
Disallow: /collections/*+*
Disallow: /collections/*%2B*
Disallow: /collections/*%2b*
Disallow: /*/collections/*+*
Disallow: /*/collections/*%2B*
Disallow: /*/collections/*%2b*
Disallow: */collections/*filter*&*filter*
Disallow: /blogs/*+*
Disallow: /blogs/*%2B*
Disallow: /blogs/*%2b*
Disallow: /*/blogs/*+*
Disallow: /*/blogs/*%2B*
Disallow: /*/blogs/*%2b*
Disallow: /*?*oseid=*
Disallow: /*preview_theme_id*
Disallow: /*preview_script_id*
Disallow: /policies/
Disallow: /*/policies/
Disallow: /*/*?*ls=*&ls=*
Disallow: /*/*?*ls%3D*%3Fls%3D*
Disallow: /*/*?*ls%3d*%3fls%3d*
Disallow: /search
Disallow: /sf_private_access_tokens
Disallow: /apple-app-site-association
Disallow: /.well-known/shopify/monorail
Disallow: /cdn/wpm/*.js
Disallow: /recommendations/products
Disallow: /*/recommendations/products
Disallow: /products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Sitemap: https://autographman.co.uk/sitemap.xml
User-agent: AhrefsSiteAudit
Crawl-delay: 10
Disallow: /a/downloads/-/*
Disallow: /admin
Disallow: /cart
Disallow: /orders
Disallow: /checkouts/
Disallow: /checkout
Disallow: /59201421390/checkouts
Disallow: /59201421390/orders
Disallow: /carts
Disallow: /account
Disallow: /collections/*sort_by*
Disallow: /*/collections/*sort_by*
Disallow: /collections/*+*
Disallow: /collections/*%2B*
Disallow: /collections/*%2b*
Disallow: /*/collections/*+*
Disallow: /*/collections/*%2B*
Disallow: /*/collections/*%2b*
Disallow: */collections/*filter*&*filter*
Disallow: /blogs/*+*
Disallow: /blogs/*%2B*
Disallow: /blogs/*%2b*
Disallow: /*/blogs/*+*
Disallow: /*/blogs/*%2B*
Disallow: /*/blogs/*%2b*
Disallow: /*?*oseid=*
Disallow: /*preview_theme_id*
Disallow: /*preview_script_id*
Disallow: /policies/
Disallow: /*/policies/
Disallow: /*/*?*ls=*&ls=*
Disallow: /*/*?*ls%3D*%3Fls%3D*
Disallow: /*/*?*ls%3d*%3fls%3d*
Disallow: /search
Disallow: /sf_private_access_tokens
Disallow: /apple-app-site-association
Disallow: /.well-known/shopify/monorail
Disallow: /cdn/wpm/*.js
Disallow: /recommendations/products
Disallow: /*/recommendations/products
Disallow: /products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Sitemap: https://autographman.co.uk/sitemap.xml
User-agent: MJ12bot
Crawl-delay: 10
User-agent: Pinterest
Crawl-delay: 1

⚠ Sensitive Paths Disclosed in robots.txt

The following path is listed as a Disallow entry in the public robots.txt. It appears once in each of the rule groups for User-agent: *, AhrefsBot and AhrefsSiteAudit, which is why a naive extraction shows it three times:

/admin (listed under User-agent: *, AhrefsBot, AhrefsSiteAudit)

Caveat: this robots.txt is Shopify's platform default (note the leading "# we use Shopify as our ecommerce platform" comment), and /admin is the publicly documented Shopify store admin path, so the entry confirms the platform rather than revealing merchant-specific structure. The disclosure value to an attacker is low. The control that matters is the authentication on the Shopify admin login (staff accounts with two-step verification), not whether the path is hidden from crawlers; robots.txt is advisory and is ignored by hostile scanners in any case.
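The repeated entry above is one path that appears in several User-agent groups. The following added example (not part of the assessment tool or of Shopify's code) parses a robots.txt into per-user-agent rule groups and reports each sensitive-looking path once, together with the groups that list it. The sample file is a constructed excerpt modelled on the Shopify-default robots.txt reproduced in Appendix A, and the keyword list is an illustrative heuristic, not a standard.

```python
"""Group robots.txt Disallow rules by user-agent and report each
sensitive-looking path once, with the user-agent groups that list it.

Added example for this report; not the assessment tool's own code.
SAMPLE_ROBOTS is a constructed excerpt of a Shopify-default robots.txt;
SENSITIVE_KEYWORDS is an illustrative heuristic chosen for this example.
"""

SAMPLE_ROBOTS = """\
# we use Shopify as our ecommerce platform
User-agent: *
Disallow: /a/downloads/-/*
Disallow: /admin
Disallow: /cart
Disallow: /checkouts/
Disallow: /sf_private_access_tokens
Sitemap: https://autographman.co.uk/sitemap.xml

# Google adsbot ignores robots.txt unless specifically named!
User-agent: adsbot-google
Disallow: /checkouts/
Disallow: /sf_private_access_tokens

User-agent: Nutch
Disallow: /

User-agent: AhrefsBot
Crawl-delay: 10
Disallow: /admin
Disallow: /account

User-agent: AhrefsSiteAudit
Crawl-delay: 10
Disallow: /admin
"""

# Heuristic only: substrings that usually mark paths worth a closer look.
SENSITIVE_KEYWORDS = ("admin", "token", "private", "backup", "config", "internal")


def parse_robots(text):
    """Return {user_agent: [disallow paths]} in file order.

    Consecutive User-agent lines share the rule block that follows them,
    as the robots.txt grammar (RFC 9309) specifies. Comments are stripped.
    """
    groups = {}
    current = []          # user-agents the next rule lines apply to
    last_was_ua = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not last_was_ua:
                current = []          # a new group starts here
            current.append(value)
            groups.setdefault(value, [])
            last_was_ua = True
            continue
        last_was_ua = False
        if field == "disallow" and value:
            for ua in current:
                if value not in groups[ua]:
                    groups[ua].append(value)
    return groups


def sensitive_paths(groups, keywords=SENSITIVE_KEYWORDS):
    """Map each sensitive-looking path to the user-agent groups listing it,
    so a path such as /admin is reported once rather than once per group."""
    hits = {}
    for ua, paths in groups.items():
        for path in paths:
            if any(k in path.lower() for k in keywords):
                hits.setdefault(path, []).append(ua)
    return hits


if __name__ == "__main__":
    for path, uas in sensitive_paths(parse_robots(SAMPLE_ROBOTS)).items():
        print(f"{path:32s} listed for: {', '.join(uas)}")
```

Run against the real file, the same functions de-duplicate the three /admin entries into one line naming the three groups, which is the form a finding should take; the keyword list is where a reviewer would add patterns specific to the platform under test.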
18 — Site Structure

Site Structure & Crawl Analysis

Pages discovered via HTTP crawl compared against sitemap.xml

Pages Crawled: 30
Sitemap URLs: 1426
Sitemap Coverage: 1% (pages present in both the crawl and the sitemap, as a share of sitemap URLs)
Broken Links: 1

Diagram legend:
In Both (Crawl + Sitemap)
Crawl Only (not in sitemap)
Sitemap Only (not crawled)
Broken (4xx/5xx/timeout)

Site Map Diagram

flowchart TD
  classDef inBoth fill:#00b89420,stroke:#00b894,color:#e8e8ed
  classDef crawlOnly fill:#fdcb6e20,stroke:#fdcb6e,color:#e8e8ed
  classDef sitemapOnly fill:#a855f720,stroke:#a855f7,color:#e8e8ed
  classDef broken fill:#ef535020,stroke:#ef5350,color:#e8e8ed
  root["Autograph Man - The World's Autogra"]:::inBoth
  subgraph sg__cart["/cart"]
    p_cart["Your Shopping Cart &ndash; autograp"]:::crawlOnly
  end
  subgraph sg__collections["/collections"]
    p_collections_film_and_television["Film and Television &ndash; autogra"]:::inBoth
    p_collections_history_science_and_politics["History, Science and Politics &ndas"]:::inBoth
    p_collections_motor_racing["Motor Racing &ndash; autographman"]:::inBoth
    sum__collections["... +18 more"]:::inBoth
  end
  subgraph sg__customer_authentication["/customer_authentication"]
    p_customer_authentication_redirect["/customer_authentication/redirect"]:::broken
  end
  subgraph sg__pages["/pages"]
    p_pages_about_us["About us &ndash; autographman"]:::inBoth
    p_pages_terms["Terms &ndash; autographman"]:::inBoth
    p_pages_ordering_information["Ordering Information &ndash; autogr"]:::inBoth
    p_pages_contact["Contact &ndash; autographman"]:::inBoth
    p_pages_advice_guide["Third Party Authentication &ndash; "]:::inBoth
  end
  subgraph sg__search["/search"]
    p_search["- autographman"]:::crawlOnly
  end
  subgraph sg_sitemap_only["Sitemap Only"]
    sm_grp__products["/products (1402)"]:::sitemapOnly
    sm__pages_terms_and_conditions["/pages/terms-and-conditions"]:::sitemapOnly
    sm__pages_partners_and_friends["/pages/partners-and-friends"]:::sitemapOnly
    sm__collections_uncategorized["/collections/uncategorized"]:::sitemapOnly
    sm__collections_private_collection["/collections/private-collection"]:::sitemapOnly
    sm_grp__blogs["/blogs (4)"]:::sitemapOnly
  end
  root --> p_cart
  root --> p_collections_film_and_television
  root --> p_collections_history_science_and_politics
  root --> p_collections_motor_racing
  root --> p_customer_authentication_redirect
  root --> p_pages_about_us
  root --> p_pages_terms
  root --> p_pages_ordering_information
  root --> p_search
  root --> p_pages_contact
  root --> p_pages_advice_guide

Broken Links (1)

URL | Status | Linked From
https://autographman.co.uk/customer_authentication/redirect?locale=en&region_country=AU | 403 | https://autographman.co.uk/

Caveat: a 403 from Shopify's customer_authentication/redirect endpoint, returned to a crawler with no customer session, is more likely a deliberate refusal (login flow or bot filtering) than a missing page. Confirm the behaviour in a browser before treating it as a defect; it is not a security finding either way.

Discovered But Not in Sitemap (14)

These 14 pages were found by crawling but are not listed in sitemap.xml. Those visible in the diagram (/cart and /search) are Disallowed in robots.txt and should stay out of the sitemap; review the remainder and add only the pages that are meant to be indexed.

In Sitemap But Not Crawled (1410)

These URLs are listed in sitemap.xml but were not reached within the crawl limits (depth 2, 30 pages). With 1402 of them being product pages, this is the expected result of a capped crawl over a catalogue of roughly 1,400 products rather than evidence of orphaned pages, and it is not a security finding.

Crawled 30 pages in 6.7s • Max depth: 2 • Max pages: 30 • Sitemap: https://autographman.co.uk/sitemap.xml
19 — Monitoring

Proactive Monitoring Recommendations

Recommended monitoring and alerting setup

Monitor | Tool | Frequency
DNSBL monitoring | HetrixTools free tier | Every 6 hours
DMARC aggregate reports | Postmark DMARC / dmarcian free tier | Weekly review
SSL certificate expiry | Uptime Kuma / UptimeRobot | Daily
Domain expiry alerting | GoDaddy auto-renew + external monitor | Monthly check
CT log monitoring | CertSpotter / Facebook CT Monitor | Real-time

Note on CT log monitoring: because Shopify and Cloudflare obtain and renew certificates for this domain themselves, establish a baseline of the issuers and subject names they normally use first; otherwise routine renewals will generate alerts indistinguishable from a rogue issuance.
20 — Roadmap

Recommendations & Remediation Roadmap

Prioritized actions grouped by timeline

Immediate (0-48 hours)

Finding | Severity | Action | Effort
AGM-001 | Critical | Configure DKIM via Amazon SES + GoDaddy CNAME records | 30min-1h
AGM-002 | High | Change SPF from ~all to -all (hardfail) | 5min
AGM-003 | High | Add rua= aggregate reporting to DMARC now; keep p=quarantine until the reports have been reviewed | 5min
AGM-010 | Medium | Verify domain auto-renewal is enabled | 2min

Caveat for AGM-002: with -all, receivers that enforce SPF reject mail from any source the record does not list. Before switching, confirm that every service sending as @autographman.co.uk is covered (Amazon SES is the one identified in this report; any others, such as storefront order notifications or a helpdesk tool, must be listed too), and keep the record within the RFC 7208 limit of 10 DNS-lookup terms.

Short Term (1-2 weeks)

Finding | Severity | Action | Effort
AGM-007 | Medium | Add CAA records for Let's Encrypt + Google Trust Services | 5min
AGM-008 | Medium | Enable DNSSEC via GoDaddy | 5min
AGM-015 | Info | Fix og:image to use HTTPS in Shopify theme | 10min
AGM-003 | High | Escalate DMARC to p=reject once 2-4 weeks of aggregate reports show all legitimate senders passing (this step will normally complete after the short-term window) | 5min

Caveat for AGM-007: CAA applies to the whole domain, and TLS for this site is terminated by Shopify and Cloudflare, which obtain certificates themselves. Check the issuer of the currently served certificate chain and the domain's CT log history, and list every CA those providers use; a CAA set that omits one of them will cause the next renewal to fail silently until the certificate expires.

Caveat for AGM-008: after enabling DNSSEC, confirm that the DS record is published at the .co.uk registry and that the zone resolves from a validating resolver. A DS record that does not match the published DNSKEY makes the domain unresolvable for validating clients, which includes most major public resolvers.

Medium Term (1-3 months)

Finding | Severity | Action | Effort
AGM-004 | High | Investigate CSP improvements via Cloudflare Transform Rules | 1-2h
AGM-009 | Medium | Configure MTA-STS (host policy via Cloudflare Pages or S3) | 1-2h
AGM-011 | Low | Add Referrer-Policy via Cloudflare Transform Rules or theme meta tag | 15min
AGM-017 | Info | Set up BIMI after DMARC p=reject is in place | 1-2h

Caveat for AGM-004 and AGM-011: Transform Rules are only available if the domain is proxied through a Cloudflare zone the merchant controls. If the Cloudflare edge observed in this assessment belongs to Shopify's platform, response headers cannot be changed there, and the fallback is a <meta http-equiv> tag in the theme. A meta-delivered CSP cannot carry frame-ancestors, report-uri or sandbox directives, so clickjacking protection and violation reporting would remain unaddressed by that route.

Caveat for AGM-009: in enforce mode, MTA-STS requires every MX host to offer STARTTLS with a certificate valid for its hostname. Since AGM-005 reports STARTTLS not detected, resolve that first, publish the policy in mode: testing with a TLS-RPT record to collect failures, and move to enforce only once the reports are clean.
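The roadmap items AGM-002, AGM-003 and AGM-007 each amount to a change in one DNS record, and it is worth being able to verify them mechanically before and after the change. The following added example (written for this report, not the assessment tool's code) evaluates SPF, DMARC and CAA record strings against the target state. The CURRENT records are constructed from the findings in this report (SPF ending in ~all, DMARC p=quarantine with no rua=, no CAA); the include:amazonses.com mechanism, the dmarc-reports@ and security@ mailboxes and the CAA issuer list are assumptions chosen to illustrate the target, and the CAs must be confirmed against what Shopify and Cloudflare actually use before publishing.

```python
"""Check SPF, DMARC and CAA records against the roadmap targets
(AGM-002: -all, AGM-003: rua= then p=reject, AGM-007: CAA present).

Added example for this report; not the assessment tool's own code.
CURRENT is constructed from the report's findings; the SPF include,
report mailboxes and CAA issuers in TARGET are assumptions.
"""

# Mechanisms/modifiers that cost a DNS lookup (RFC 7208 s4.6.4, limit 10).
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list (DMARC syntax) into a dict of lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of findings for one SPF TXT record (empty list = OK)."""
    issues = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term != "-all":
        issues.append(f"uses '{all_term}' instead of '-all' hardfail (AGM-002)")
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return issues


def check_dmarc(record):
    """Return a list of findings for one DMARC TXT record (empty list = OK)."""
    issues = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append(f"invalid or missing p= tag: {policy!r}")
    elif policy != "reject":
        issues.append(f"p={policy}; target is p=reject once reports show legitimate mail passing (AGM-003)")
    if "rua" not in tags:
        issues.append("no rua= tag: aggregate reports are not being collected (AGM-003)")
    pct = tags.get("pct", "100")      # pct defaults to 100 when absent
    if pct != "100":
        issues.append(f"pct={pct}: policy applied only to a sample of failing mail")
    return issues


def check_caa(records):
    """records: list of (flags, tag, value) tuples as published in DNS."""
    if not records:
        return ["no CAA records: any publicly trusted CA may issue (AGM-007)"]
    issues = []
    issuers = {value for _, tag, value in records if tag in ("issue", "issuewild")}
    if not issuers:
        issues.append("CAA present but no issue/issuewild tags: issuance is not restricted")
    if not any(tag == "iodef" for _, tag, _ in records):
        issues.append("no iodef tag: CAs have nowhere to report policy violations")
    return issues


def audit(records):
    """Run all three checks; returns {record_type: [findings]}."""
    return {
        "spf": check_spf(records["spf"]),
        "dmarc": check_dmarc(records["dmarc"]),
        "caa": check_caa(records["caa"]),
    }


# Constructed from the report's findings; the include mechanism is assumed.
CURRENT = {
    "spf": "v=spf1 include:amazonses.com ~all",
    "dmarc": "v=DMARC1; p=quarantine",
    "caa": [],
}

# Roadmap target state; mailboxes and CA identifiers are assumptions.
TARGET = {
    "spf": "v=spf1 include:amazonses.com -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@autographman.co.uk; pct=100",
    "caa": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "pki.goog"),
        (0, "issuewild", "letsencrypt.org"),
        (0, "issuewild", "pki.goog"),
        (0, "iodef", "mailto:security@autographman.co.uk"),
    ],
}

if __name__ == "__main__":
    for label, recs in (("current", CURRENT), ("target", TARGET)):
        for rtype, findings in audit(recs).items():
            print(f"[{label}] {rtype}: {findings or 'OK'}")
```

Feed the functions the live records (for example the output of dig TXT / dig CAA) on the day of the change and again a week later; the "current" set reproduces the three roadmap findings and the "target" set returns no findings. The lookup counter matters once more include: mechanisms are added for additional senders, because exceeding ten lookups turns the SPF result into a permerror and DMARC then falls back to DKIM alone.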
21 — Appendices

Appendices

Raw data, glossary, and disclaimers

A. robots.txt

robots.txt
# we use Shopify as our ecommerce platform

#  ┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
#  ┃  Robots & Agent policy                                               ┃
#  ┣━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┫
#  ┃  Checkouts are for humans.                                           ┃
#  ┃  * Automated scraping, “buy-for-me” agents, or any end-to-end flow   ┃
#  ┃    that completes payment without a final human review step is not   ┃
#  ┃    permitted.                                                        ┃
#  ┃  * Legitimate integrators must use the official Checkout Kit:        ┃
#  ┃      https://www.shopify.com/checkout-kit                            ┃
#  ┃                                                                      ┃
#  ┃  Terms of Service: https://www.shopify.com/legal/terms               ┃
#  ┃  Contact: bots@shopify.com                                           ┃
#  ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛

User-agent: *
Disallow: /a/downloads/-/*
Disallow: /admin
Disallow: /cart
Disallow: /orders
Disallow: /checkouts/
Disallow: /checkout
Disallow: /59201421390/checkouts
Disallow: /59201421390/orders
Disallow: /carts
Disallow: /account
Disallow: /collections/*sort_by*
Disallow: /*/collections/*sort_by*
Disallow: /collections/*+*
Disallow: /collections/*%2B*
Disallow: /collections/*%2b*
Disallow: /*/collections/*+*
Disallow: /*/collections/*%2B*
Disallow: /*/collections/*%2b*
Disallow: */collections/*filter*&*filter*
Disallow: /blogs/*+*
Disallow: /blogs/*%2B*
Disallow: /blogs/*%2b*
Disallow: /*/blogs/*+*
Disallow: /*/blogs/*%2B*
Disallow: /*/blogs/*%2b*
Disallow: /*?*oseid=*
Disallow: /*preview_theme_id*
Disallow: /*preview_script_id*
Disallow: /policies/
Disallow: /*/policies/
Disallow: /*/*?*ls=*&ls=*
Disallow: /*/*?*ls%3D*%3Fls%3D*
Disallow: /*/*?*ls%3d*%3fls%3d*
Disallow: /search
Disallow: /sf_private_access_tokens
Disallow: /apple-app-site-association
Disallow: /.well-known/shopify/monorail
Disallow: /cdn/wpm/*.js
Disallow: /recommendations/products
Disallow: /*/recommendations/products
Disallow: /products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Sitemap: https://autographman.co.uk/sitemap.xml

# Google adsbot ignores robots.txt unless specifically named!
User-agent: adsbot-google
Disallow: /checkouts/
Disallow: /checkout
Disallow: /carts
Disallow: /orders
Disallow: /59201421390/checkouts
Disallow: /59201421390/orders
Disallow: /*?*oseid=*
Disallow: /*preview_theme_id*
Disallow: /*preview_script_id*
Disallow: /cdn/wpm/*.js
Disallow: /products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /sf_private_access_tokens

User-agent: Nutch
Disallow: /

User-agent: AhrefsBot
Crawl-delay: 10
Disallow: /a/downloads/-/*
Disallow: /admin
Disallow: /cart
Disallow: /orders
Disallow: /checkouts/
Disallow: /checkout
Disallow: /59201421390/checkouts
Disallow: /59201421390/orders
Disallow: /carts
Disallow: /account
Disallow: /collections/*sort_by*
Disallow: /*/collections/*sort_by*
Disallow: /collections/*+*
Disallow: /collections/*%2B*
Disallow: /collections/*%2b*
Disallow: /*/collections/*+*
Disallow: /*/collections/*%2B*
Disallow: /*/collections/*%2b*
Disallow: */collections/*filter*&*filter*
Disallow: /blogs/*+*
Disallow: /blogs/*%2B*
Disallow: /blogs/*%2b*
Disallow: /*/blogs/*+*
Disallow: /*/blogs/*%2B*
Disallow: /*/blogs/*%2b*
Disallow: /*?*oseid=*
Disallow: /*preview_theme_id*
Disallow: /*preview_script_id*
Disallow: /policies/
Disallow: /*/policies/
Disallow: /*/*?*ls=*&ls=*
Disallow: /*/*?*ls%3D*%3Fls%3D*
Disallow: /*/*?*ls%3d*%3fls%3d*
Disallow: /search
Disallow: /sf_private_access_tokens
Disallow: /apple-app-site-association
Disallow: /.well-known/shopify/monorail
Disallow: /cdn/wpm/*.js
Disallow: /recommendations/products
Disallow: /*/recommendations/products
Disallow: /products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Sitemap: https://autographman.co.uk/sitemap.xml

User-agent: AhrefsSiteAudit
Crawl-delay: 10
Disallow: /a/downloads/-/*
Disallow: /admin
Disallow: /cart
Disallow: /orders
Disallow: /checkouts/
Disallow: /checkout
Disallow: /59201421390/checkouts
Disallow: /59201421390/orders
Disallow: /carts
Disallow: /account
Disallow: /collections/*sort_by*
Disallow: /*/collections/*sort_by*
Disallow: /collections/*+*
Disallow: /collections/*%2B*
Disallow: /collections/*%2b*
Disallow: /*/collections/*+*
Disallow: /*/collections/*%2B*
Disallow: /*/collections/*%2b*
Disallow: */collections/*filter*&*filter*
Disallow: /blogs/*+*
Disallow: /blogs/*%2B*
Disallow: /blogs/*%2b*
Disallow: /*/blogs/*+*
Disallow: /*/blogs/*%2B*
Disallow: /*/blogs/*%2b*
Disallow: /*?*oseid=*
Disallow: /*preview_theme_id*
Disallow: /*preview_script_id*
Disallow: /policies/
Disallow: /*/policies/
Disallow: /*/*?*ls=*&ls=*
Disallow: /*/*?*ls%3D*%3Fls%3D*
Disallow: /*/*?*ls%3d*%3fls%3d*
Disallow: /search
Disallow: /sf_private_access_tokens
Disallow: /apple-app-site-association
Disallow: /.well-known/shopify/monorail
Disallow: /cdn/wpm/*.js
Disallow: /recommendations/products
Disallow: /*/recommendations/products
Disallow: /products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Disallow: /*/collections/*/products/*-[a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9][a-f0-9]-remote
Sitemap: https://autographman.co.uk/sitemap.xml

User-agent: MJ12bot
Crawl-delay: 10

User-agent: Pinterest
Crawl-delay: 1

B. Sitemap

Sitemap
https://autographman.co.uk/sitemap.xml

C. Glossary

Term | Definition
SPF | Sender Policy Framework (RFC 7208): a DNS TXT record listing the hosts authorised to send mail for a domain; the final qualifier (-all hardfail, ~all softfail) tells receivers how to treat everything else
DKIM | DomainKeys Identified Mail (RFC 6376): the sending server signs selected headers and the body with a private key; receivers verify the signature against the public key published in DNS under <selector>._domainkey
DMARC | Domain-based Message Authentication, Reporting and Conformance (RFC 7489): ties SPF/DKIM results to the visible From: domain, sets a policy (none, quarantine or reject) and, via rua=/ruf=, delivers aggregate and failure reports
MTA-STS | Mail Transfer Agent Strict Transport Security (RFC 8461): a DNS record plus an HTTPS-hosted policy telling sending servers to require TLS and a valid certificate when connecting to the domain's MX hosts
TLS-RPT | SMTP TLS Reporting (RFC 8460): a DNS record naming where sending servers should send reports about TLS negotiation failures with the domain's MX hosts
DANE/TLSA | DNS-based Authentication of Named Entities (RFC 6698): TLSA records, protected by DNSSEC, bind a host's TLS certificate or public key to its DNS name
DNSSEC | Domain Name System Security Extensions: signed DNS records with a chain of trust from the root, so validating resolvers can detect forged or tampered answers
CAA | Certification Authority Authorization (RFC 8659): DNS records restricting which CAs may issue certificates for the domain; CAs must check them before issuing
BIMI | Brand Indicators for Message Identification: publishes a brand logo for display in supporting mail clients; requires DMARC at an enforcing policy (quarantine or reject)
HSTS | HTTP Strict Transport Security (RFC 6797): a response header instructing browsers to use only HTTPS for the domain for max-age seconds, optionally with inclusion in browser preload lists
CSP | Content Security Policy: a response header (or meta tag) restricting the sources from which a page may load scripts, styles, frames and other resources
DNSBL | DNS-based Blackhole List: a real-time reputation service, queried over DNS, listing IP addresses or domains associated with spam or abuse

D. Disclaimer

This security assessment was performed using publicly available information only. No intrusive testing, penetration testing, or vulnerability exploitation was conducted.

Severity ratings use a qualitative likelihood x impact risk matrix aligned with ISO 27005. Risk scores are indicative and based on professional judgement.

This document is classified CONFIDENTIAL and is intended solely for the named recipient.

Assessment methodology references: NIST SP 800-177 Rev. 1, OWASP Secure Headers Project, PCI DSS v4.0, UK Cyber Essentials, ACSC Essential Eight, ISO 27005.