Executive Summary
High-level findings and risk assessment for houstons.tech
This assessment of houstons.tech identified 14 findings across email authentication, web security, DNS infrastructure, and compliance alignment. The domain demonstrates strong email authentication with SPF hardfail and DMARC reject policies, but lacks DKIM signing, which undermines DMARC alignment for forwarded messages (SPF breaks on forwarding, and with no DKIM there is no second path to alignment). Web security is weakened by missing HSTS and Content Security Policy headers. The domain is listed on the URIBL blacklist and lacks DNSSEC and CAA records. Cloudflare provides strong TLS 1.3 encryption and WAF protection at the edge, but origin server SSL misconfiguration produces HTTP 525 errors.
- HST-001: Configure DKIM via Forward Email (30 min)
- HST-004: Investigate and request URIBL delisting (30 min)
| ID | Finding | Severity | Status |
|---|---|---|---|
| HST-001 | DKIM Records Not Found | Critical | Open |
| HST-002 | HTTP Strict Transport Security (HSTS) Not Configured | High | Open |
| HST-003 | Content Security Policy (CSP) Not Configured | High | Open |
| HST-004 | Domain Listed on URIBL Blacklist | High | Open |
| HST-005 | MTA-STS Policy Not Enforced | Medium | Open |
| HST-006 | DNSSEC Not Enabled | Medium | Open |
| HST-007 | CAA Records Not Configured | Medium | Open |
| HST-008 | Permissions-Policy Header Missing | Medium | Open |
| HST-009 | Cloudflare Origin SSL Error (HTTP 525) | Medium | Open |
| HST-010 | DANE/TLSA Records Not Configured | Low | Open |
| HST-011 | BIMI Record Not Configured | Low | Open |
| HST-012 | security.txt Not Found | Low | Open |
| HST-013 | XML Sitemap Not Configured | Info | Open |
| HST-014 | HSTS Preload Not Enrolled | Info | Open |
Assessment Scope
What was tested, how, and what limitations apply
In Scope
- ✓ DNS records & configuration
- ✓ Email authentication (SPF, DKIM, DMARC, MTA-STS, TLS-RPT, DANE)
- ✓ HTTP security headers
- ✓ SSL/TLS configuration
- ✓ DNSBL / blacklist checking
- ✓ SMTP analysis
- ✓ OSINT & historical intelligence
- ✓ Compliance framework alignment
Out of Scope
- ✗ Application security testing
- ✗ Penetration testing
- ✗ Source code review
- ✗ Social engineering
- ✗ Internal network assessment
This assessment was performed using publicly available information only. No intrusive testing was conducted. Scan timestamp: 2026-03-06T00:49:39Z. Mode: Deep Scan.
Detailed Findings
14 findings identified, sorted by severity.
DKIM Records Not Found
No DKIM selectors were found after checking 21 common selectors including default, selector1, selector2, google, and others. Without DKIM, DMARC alignment relies solely on SPF, which fails when emails are forwarded. This is the single largest gap in the domain's email security posture.
Evidence
Selectors checked: 21, found: 0.
- `dig TXT default._domainkey.houstons.tech +short` → No answer
- `dig TXT selector1._domainkey.houstons.tech +short` → No answer
- `dig TXT fe-._domainkey.houstons.tech +short` → No answer
Email provider: Forward Email (mx1.forwardemail.net)
Remediation
Configure DKIM via Forward Email:
1. In the Forward Email admin, navigate to Domain Settings → DKIM
2. Generate the DKIM key pair
3. Add the CNAME or TXT record provided, e.g. `fe-._domainkey.houstons.tech CNAME fe-._domainkey.forwardemail.net`
4. Wait for DNS propagation (5-30 minutes)
5. Verify: `dig TXT fe-._domainkey.houstons.tech +short`
HTTP Strict Transport Security (HSTS) Not Configured
The HSTS header is not present in HTTP responses. Without HSTS, users are vulnerable to SSL stripping attacks on first visit and protocol downgrade attacks. This is particularly important as Cloudflare serves the site over HTTPS.
Evidence
Response headers checked:
- ✗ Strict-Transport-Security: NOT FOUND
- Headers present: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, X-XSS-Protection
- Headers missing: Strict-Transport-Security, Content-Security-Policy, Permissions-Policy
Remediation
Enable HSTS in Cloudflare:
1. Cloudflare Dashboard → SSL/TLS → Edge Certificates
2. Enable 'Always Use HTTPS'
3. Enable HSTS with the following settings:
   - max-age: 31536000 (1 year)
   - includeSubDomains: yes
   - preload: yes
4. Or add the header via Cloudflare Transform Rules: `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`
Content Security Policy (CSP) Not Configured
No Content-Security-Policy header is present. CSP prevents cross-site scripting (XSS), clickjacking, and other code injection attacks by specifying trusted content sources. Without CSP, the site is more vulnerable to XSS and data exfiltration attacks.
Evidence
- Content-Security-Policy: NOT FOUND
- CSP analysis: No policy detected
- Header score: C (44%, 4/9 security headers present)
Remediation
Add CSP via Cloudflare Transform Rules or on the origin server.
Basic policy:
`Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'`
Start in Report-Only mode so violations are reported without blocking content:
`Content-Security-Policy-Report-Only: default-src 'self'; report-uri /csp-report`
Domain Listed on URIBL Blacklist
The domain houstons.tech is listed on black.uribl.com, a URI-based real-time blacklist used by spam filters. This can cause emails containing houstons.tech URLs to be flagged as spam or blocked by receiving servers, impacting email deliverability.
Evidence
DNSBL domain checks:
- ✓ dbl.spamhaus.org — Not listed
- ✓ multi.surbl.org — Not listed
- ✗ black.uribl.com — LISTED
Note: the IP DNSBL canary check returned 'blocked', so IP blacklist results are unreliable from the scan location.
Remediation
1. Check listing status: https://admin.uribl.com/?section=lookup&domain=houstons.tech
2. If listed in error, submit a removal request via the URIBL admin panel
3. Review domain usage for any spam-associated content or links
4. Set up DNSBL monitoring (HetrixTools or UptimeRobot) to detect future listings
5. Ensure DMARC aggregate reports are reviewed for abuse patterns
MTA-STS Policy Not Enforced
An MTA-STS DNS record exists (v=STSv1; id=20260109v01) but the policy file at /.well-known/mta-sts.txt was not accessible or the mode is not set to 'enforce'. MTA-STS prevents TLS downgrade attacks on email delivery but requires both the DNS record and a valid policy file.
Evidence
- MTA-STS record: `v=STSv1; id=20260109v01;`
- MTA-STS mode: null (policy file not accessible or mode not set)
- TLS-RPT: `v=TLSRPTv1; rua=mailto:[email protected]` (configured)
Remediation
Ensure the MTA-STS policy file is accessible:
1. Create/verify: https://mta-sts.houstons.tech/.well-known/mta-sts.txt
2. Policy file content (one directive per line):
   - `version: STSv1`
   - `mode: enforce`
   - `mx: mx1.forwardemail.net`
   - `mx: mx2.forwardemail.net`
   - `max_age: 604800`
3. Host it on the subdomain mta-sts.houstons.tech with a valid HTTPS certificate
4. Update the DNS record `id` whenever the policy changes, so sending MTAs re-fetch it
DNSSEC Not Enabled
DNSSEC is not enabled for the domain. Without DNSSEC, DNS responses can be spoofed via cache poisoning attacks, allowing an attacker to redirect traffic to malicious servers.
Evidence
- DNSSEC: Disabled
- Registrar: Unknown (.tech TLD)
- Nameservers: eleanor.ns.cloudflare.com, watson.ns.cloudflare.com
Remediation
Enable DNSSEC via Cloudflare:
1. Cloudflare Dashboard → DNS → Settings
2. Click 'Enable DNSSEC'
3. Copy the DS record provided by Cloudflare
4. Add the DS record at your domain registrar
5. Wait 24-48h for propagation
Cloudflare handles key management and signing automatically.
CAA Records Not Configured
No Certificate Authority Authorization (CAA) records are present. CAA records specify which Certificate Authorities are authorized to issue certificates for the domain, preventing unauthorized certificate issuance.
Evidence
- CAA records: None found
- Current certificate issuer: Google Trust Services
- CDN: Cloudflare (uses Google Trust Services for edge certificates)
Remediation
Add CAA records in Cloudflare DNS:
1. Cloudflare Dashboard → DNS → Records
2. Add CAA records:
   - `houstons.tech CAA 0 issue "letsencrypt.org"`
   - `houstons.tech CAA 0 issue "pki.goog"`
   - `houstons.tech CAA 0 issuewild ";"`
   - `houstons.tech CAA 0 iodef "mailto:[email protected]"`
Note: include pki.goog for Cloudflare's Google Trust Services edge certificates; `issuewild ";"` forbids wildcard issuance by any CA.
Permissions-Policy Header Missing
The Permissions-Policy header is not set. This header controls which browser features (camera, microphone, geolocation, etc.) can be used by the page, reducing the attack surface from compromised scripts.
Evidence
- Permissions-Policy: NOT FOUND
- Present headers: X-Frame-Options (SAMEORIGIN), X-Content-Type-Options (nosniff), Referrer-Policy (same-origin), X-XSS-Protection (1; mode=block)
Remediation
Add via Cloudflare Transform Rules:
`Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=(), accelerometer=()`
This disables all sensitive browser APIs unless explicitly needed.
Cloudflare Origin SSL Error (HTTP 525)
The HTTP response returned status code 525 (SSL Handshake Failed), indicating a TLS handshake failure between Cloudflare and the origin server. While visitors see HTTPS via Cloudflare's edge certificate, the backend SSL is misconfigured. This could result in intermittent errors or Cloudflare serving error pages.
Evidence
- HTTP status: 525 (SSL Handshake Failed)
- Cloudflare Ray: 9d7d5ca9a813329e-BNE
- Edge certificate: TLS 1.3 via Google Trust Services
- Server-Timing: `cfEdge;dur=92,cfOrigin;dur=0` (origin returned immediately with an error)
Remediation
Fix the origin SSL configuration:
1. Cloudflare Dashboard → SSL/TLS → Overview
2. Set the encryption mode to 'Full' (not 'Full (strict)') if the origin has a self-signed certificate
3. Or install a Cloudflare Origin CA certificate on the origin server
4. Or set to 'Flexible' if the origin doesn't support SSL (less secure)
5. Verify the origin handshake directly, bypassing Cloudflare, with the origin IP substituted for the placeholder: `curl -vk https://houstons.tech --resolve houstons.tech:443:<origin-ip>`
DANE/TLSA Records Not Configured
No DANE TLSA records were found. DANE (DNS-based Authentication of Named Entities) provides an additional layer of certificate validation for email transport when used with DNSSEC.
Evidence
- TLSA records: None found
- Note: DANE requires DNSSEC to be enabled first (currently disabled).
Remediation
After enabling DNSSEC (HST-006):
1. Generate a TLSA record for the MX servers
2. Add: `_25._tcp.mx1.forwardemail.net TLSA 3 1 1 <hash>`
3. Note: Forward Email manages their own DANE; check whether they publish TLSA records
4. DANE is informational — focus on DNSSEC first
BIMI Record Not Configured
No BIMI (Brand Indicators for Message Identification) record exists. BIMI displays your brand logo next to authenticated emails in supporting clients (Gmail, Apple Mail). Requires DMARC reject policy (already in place) and a Verified Mark Certificate (VMC).
Evidence
- BIMI record: Not found (`_bimi.houstons.tech TXT` → No answer)
- DMARC policy: reject (prerequisite met)
Remediation
1. Design a square SVG logo (SVG Tiny 1.2 profile)
2. Obtain a VMC from DigiCert or Entrust (~$1,500/year)
3. Host the SVG and VMC at public HTTPS URLs
4. Add the DNS record: `_bimi.houstons.tech TXT "v=BIMI1; l=https://houstons.tech/bimi/logo.svg; a=https://houstons.tech/bimi/cert.pem"`
5. Alternative: some providers accept BIMI without a VMC for testing
security.txt Not Found
No security.txt file was found at /.well-known/security.txt. This RFC 9116 standard file provides security researchers with contact information for responsible disclosure of vulnerabilities.
Evidence
- /.well-known/security.txt: Not accessible
- Note: the HTTP 525 error may prevent access to .well-known resources.
Remediation
Create /.well-known/security.txt with the following fields (one per line):
- `Contact: mailto:[email protected]`
- `Expires: 2027-03-06T00:00:00.000Z`
- `Preferred-Languages: en`
- `Canonical: https://houstons.tech/.well-known/security.txt`
- `Policy: https://houstons.tech/security-policy`
Host it via Cloudflare Workers or on the origin server.
XML Sitemap Not Configured
No sitemap.xml was found. While not a security finding, sitemaps help search engines index the site and can reveal the site structure. The robots.txt also indicates no sitemap directive.
Evidence
- Sitemap: Not accessible
- Sitemap URL count: 0
- robots.txt: Cloudflare managed content signals present
- AI crawler blocks: ClaudeBot, GPTBot, CCBot, Bytespider, Google-Extended, etc.
Remediation
If the site has public pages, create a sitemap.xml and reference it in robots.txt: `Sitemap: https://houstons.tech/sitemap.xml`
HSTS Preload Not Enrolled
The domain is not on the HSTS preload list maintained by Chromium. HSTS preload protects against first-visit attacks by hardcoding HTTPS enforcement in the browser before any connection is made.
Evidence
- HSTS preload: Not enrolled
- Note: the HSTS header must be present first (see HST-002).
Remediation
After configuring HSTS (HST-002) with the preload directive:
1. Verify that all subdomains support HTTPS
2. Submit at https://hstspreload.org/
3. Requirements: max-age ≥ 31536000, includeSubDomains, preload directive
Risk Matrix
Findings plotted by likelihood and impact
Compliance & Framework Assessment
Alignment against 9 industry frameworks
| Id | Control | Status | Evidence |
|---|---|---|---|
| ISM-0574 | SPF specification | pass | v=spf1 include:spf.forwardemail.net -all |
| ISM-1151 | SPF hardfail verification | pass | SPF qualifier: hardfail (-all) |
| ISM-0269 | DKIM records | fail | 0 of 21 selectors found |
| ISM-1540 | DMARC configuration | pass | v=DMARC1; p=reject; pct=100 |
| ISM-1799 | DMARC enforcement | pass | Policy: reject |
| ISM-0569 | Email gateway routing | pass | MX: mx1/mx2.forwardemail.net |
| ISM-1589 | MTA-STS enforcement | partial | DNS record exists, policy file not accessible |
| ISM-1590 | TLS-RPT reporting | pass | v=TLSRPTv1; rua=mailto:[email protected] |
| ISM-1026 | SMTP STARTTLS | pass | STARTTLS supported on MX |
| ISM-1552 | HTTPS enforcement | pass | Cloudflare edge HTTPS, but origin 525 error |
| ISM-1139 | TLS version compliance | pass | TLSv1.3 |
| ISM-1369 | Perfect forward secrecy | pass | PFS enabled |
| ISM-1372 | Strong cipher suites | pass | TLS_AES_256_GCM_SHA384 |
| ISM-1448 | Certificate validity | pass | 72 days remaining, expires May 17 2026 |
| ISM-1553 | Certificate authority trust | pass | Google Trust Services |
| ISM-1485 | Security headers | partial | 4/9 present: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, X-XSS-Protection |
| ISM-1486 | HSTS configuration | fail | HSTS header not present |
| ISM-1488 | Content Security Policy | fail | CSP not configured |
| ISM-1489 | Clickjacking protection | pass | X-Frame-Options: SAMEORIGIN |
| ISM-1706 | DNSSEC | fail | DNSSEC disabled |
| ISM-1707 | CAA records | fail | No CAA records found |
| ISM-1373 | HSTS preload | fail | Not on preload list |
| ISM-1554 | TLS downgrade prevention | pass | TLS 1.0/1.1 not accepted |
| ISM-1579 | Domain reputation | fail | Listed on black.uribl.com |
| ISM-1412 | Server info disclosure | pass | Server: cloudflare (generic, no version) |
| ISM-1557 | CORS policy | pass | No CORS headers (safe default) |
| ISM-1558 | Referrer policy | pass | same-origin |
| ISM-1559 | Permissions policy | fail | Header not present |
| Control | Status | Evidence |
|---|---|---|
| Encrypt in transit | pass | TLS 1.3 with PFS |
| DNS filtering | partial | Cloudflare DNS, no DNSSEC |
| DMARC enforcement | pass | p=reject |
| DNS infrastructure | partial | Cloudflare, no DNSSEC/CAA |
Overall CSF Score: 43% (13/30)
| Control | Status | Evidence |
|---|---|---|
| Information transfer | partial | Email: SPF+DMARC reject, missing DKIM |
| Malware protection (CSP) | fail | CSP not configured |
| Network security | pass | Cloudflare WAF, TLS 1.3 |
| Use of cryptography | pass | TLS 1.3, PFS, AES-256-GCM |
| Application security | partial | 4/9 security headers, missing CSP/HSTS |
Email Security Deep Dive
SPF, DKIM, DMARC, MTA-STS, TLS-RPT, DANE, and BIMI analysis
| Protocol | Status | Details |
|---|---|---|
| SPF | Missing | No SPF record |
| DKIM | Not Found | |
| DMARC | Missing | No DMARC record |
| MTA-STS | Missing | No MTA-STS policy |
| TLS-RPT | Missing | No TLS-RPT record |
| DANE/TLSA | Not Found | No TLSA records |
| BIMI | Not Found | No BIMI record |
DNS & Domain Infrastructure
Nameservers, records, and DNSSEC status
| Record Type | Value |
|---|---|
| DNSSEC | Not Enabled |
DNS Quality Metrics
Nameserver diversity, propagation, and configuration health
No DNS quality data available.
HTTP Security Headers
Analysis of security-related HTTP response headers
| Header | Status | Value |
|---|---|---|
| Strict-Transport-Security | Missing | — |
| Content-Security-Policy | Missing | — |
| X-Frame-Options | Missing | — |
| X-Content-Type-Options | Missing | — |
| Referrer-Policy | Missing | — |
| Permissions-Policy | Missing | — |
| X-XSS-Protection | Missing | — |
| Cross-Origin-Opener-Policy | Missing | — |
| Cross-Origin-Resource-Policy | Missing | — |
| Cross-Origin-Embedder-Policy | Missing | — |
| Cache-Control | Missing | — |
| Server | Missing | — |
Cookie, CORS & Web Security
Cookie flags, CORS policy, mixed content, and CSP analysis
CORS Policy
Access-Control-Allow-Origin: Not set
Blacklist & Email Reputation
DNSBL and domain reputation checks
No blacklist data available.
MITM Attack Surface
Man-in-the-Middle resistance across web and email channels
TLS Version Support
| Version | Supported | Status |
|---|---|---|
| TLSv1 | No | OK |
| TLSv1.1 | No | OK |
| TLSv1.2 | Yes | OK |
| TLSv1.3 | Yes | OK |
HSTS Preload Status
| Check | Result |
|---|---|
| Preloaded | No |
| Status | not enrolled |
HTTP → HTTPS Redirect Chain
Mixed Content
No mixed content detected
SMTP STARTTLS
| Check | Result |
|---|---|
| Connected | Yes |
| STARTTLS | Supported |
| Required (REQUIRETLS) | Opportunistic |
SMTP Analysis
Mail server banner, capabilities, and encryption
| Check | Result |
|---|---|
| Banner | N/A |
| EHLO Capabilities | N/A |
| STARTTLS | Not Supported |
| PTR Record | N/A |
OSINT & Historical Intelligence
Certificate transparency, archived snapshots, and subdomain enumeration
Typosquatting & Similar Domains
Common misspellings and confusable domain variants that could be used for phishing or brand impersonation. These should be monitored or defensively registered.
72 variants generated: 12 tld variant, 2 homoglyph, 7 transposed, 31 adjacent key, 8 missing letter, 8 doubled letter, 4 hyphenation
No OSINT data available (quick scan mode or data collection failed).
Technology Stack
Detected platform, CDN, WAF, and server details
| Component | Details |
|---|---|
Hosting & Infrastructure
Hosting provider, server software, CMS detection, and certificate history
No hosting data available.
WHOIS & Domain Intelligence
Domain registration, expiry, and registrar details
No WHOIS data available.
SEO & Visibility
Meta tags, Open Graph, structured data, and sitemap analysis
No SEO data available.
Proactive Monitoring Recommendations
Recommended monitoring and alerting setup
| Monitor | Tool | Frequency |
|---|---|---|
| DNSBL monitoring | HetrixTools or UptimeRobot | Every 6 hours |
| SSL certificate expiry | Uptime Kuma or Certbot | Daily |
| DMARC aggregate reports | Forward Email built-in or dmarcian | Weekly review |
| Security header regression | securityheaders.com | Monthly |
Recommendations & Remediation Roadmap
Prioritized actions grouped by timeline
Immediate (0-48 hours)
| Finding | Severity | Action | Effort |
|---|---|---|---|
| HST-001 | Critical | Configure DKIM via Forward Email | 30 min |
| HST-004 | High | Investigate and request URIBL delisting | 30 min |
Short Term (1-2 weeks)
| Finding | Severity | Action | Effort |
|---|---|---|---|
| HST-002 | High | Enable HSTS via Cloudflare | 15 min |
| HST-003 | High | Add CSP header via Cloudflare Transform Rules | 1 hour |
| HST-005 | Medium | Configure MTA-STS policy file | 30 min |
| HST-006 | Medium | Enable DNSSEC | 15 min |
| HST-007 | Medium | Add CAA records | 10 min |
Medium Term (1-3 months)
| Finding | Severity | Action | Effort |
|---|---|---|---|
| HST-008 | Medium | Add Permissions-Policy header | 15 min |
| HST-009 | Medium | Fix origin SSL configuration | 1-2 hours |
| HST-012 | Low | Create security.txt | 15 min |
| HST-014 | Info | Submit for HSTS preload after HSTS is configured | 10 min |
Appendices
Raw data, glossary, and disclaimers
A. Glossary
| Term | Definition |
|---|---|
| SPF | Sender Policy Framework — restricts which servers can send email for a domain |
| DKIM | DomainKeys Identified Mail — cryptographic email authentication |
| DMARC | Domain-based Message Authentication, Reporting & Conformance |
| MTA-STS | Mail Transfer Agent Strict Transport Security — enforces TLS for email |
| TLS-RPT | TLS Reporting — receive reports about email TLS failures |
| DANE/TLSA | DNS-based Authentication of Named Entities — binds certificates to DNS |
| DNSSEC | Domain Name System Security Extensions — cryptographic DNS validation |
| CAA | Certificate Authority Authorization — restricts which CAs can issue certificates |
| BIMI | Brand Indicators for Message Identification — brand logo in email clients |
| HSTS | HTTP Strict Transport Security — forces HTTPS connections |
| CSP | Content Security Policy — controls which resources a page can load |
| DNSBL | DNS-based Blackhole List — real-time email/IP reputation service |
B. Disclaimer
This security assessment was performed using publicly available information only. No intrusive testing, penetration testing, or vulnerability exploitation was conducted.
Severity ratings use a qualitative likelihood x impact risk matrix aligned with ISO 27005. Risk scores are indicative and based on professional judgement.
This document is classified CONFIDENTIAL and is intended solely for the named recipient.
Assessment methodology references: NIST SP 800-177 Rev. 1, OWASP Secure Headers Project, PCI DSS v4.0, UK Cyber Essentials, ACSC Essential Eight, ISO 27005.