Executive Summary
High-level findings and risk assessment for sunshinesupportingservices.com
This assessment identified 17 findings across email authentication, DNS infrastructure, web security, and compliance alignment for sunshinesupportingservices.com. The domain has critical email security gaps: no DKIM authentication and no DMARC record. The SPF record includes secureserver.net with hardfail but does not include Microsoft 365 (spf.protection.outlook.com), even though MX routes to Outlook, so legitimate outbound emails from M365 will fail SPF checks. The domain is clean on all DNSBL blacklists. The website benefits from GoDaddy's managed infrastructure, which provides TLS 1.3 and strong HSTS, but the Content Security Policy is limited to frame-ancestors only, and several security headers are absent.
- SSS-001: Configure DKIM via Microsoft 365 Admin Center + GoDaddy CNAME records (30min-1h)
- SSS-002: Add DMARC record in monitoring mode (p=none) (5min)
- SSS-003: Update SPF to include spf.protection.outlook.com (5min)

| ID | Finding | Severity | Status |
|---|---|---|---|
| SSS-001 | No DKIM Authentication | Critical | Open |
| SSS-002 | No DMARC Record | Critical | Open |
| SSS-003 | SPF Record Missing Microsoft 365 Include | High | Open |
| SSS-004 | Weak Content Security Policy | High | Open |
| SSS-005 | Missing X-Content-Type-Options Header | High | Open |
| SSS-006 | SMTP STARTTLS Not Detected | High | Open |
| SSS-007 | No CAA Records | Medium | Open |
| SSS-008 | DNSSEC Not Enabled | Medium | Open |
| SSS-009 | Cookie Missing HttpOnly and SameSite Attributes | Medium | Open |
| SSS-010 | No MTA-STS Policy | Medium | Open |
| SSS-011 | Missing Referrer-Policy Header | Low | Open |
| SSS-012 | Missing Permissions-Policy Header | Low | Open |
| SSS-013 | No security.txt File | Low | Open |
| SSS-014 | No TLS-RPT Record | Low | Open |
| SSS-015 | HSTS Preload Not Submitted | Info | Open |
| SSS-016 | No DANE/TLSA Records | Info | Open |
| SSS-017 | No BIMI Record | Info | Open |
Assessment Scope
What was tested, how, and what limitations apply
In Scope
- ✓ DNS records & configuration
- ✓ Email authentication (SPF, DKIM, DMARC, MTA-STS, TLS-RPT, DANE)
- ✓ HTTP security headers
- ✓ SSL/TLS configuration
- ✓ DNSBL / blacklist checking
- ✓ SMTP analysis
- ✓ OSINT & historical intelligence
- ✓ Compliance framework alignment
Out of Scope
- ✗ Application security testing
- ✗ Penetration testing
- ✗ Source code review
- ✗ Social engineering
- ✗ Internal network assessment
This assessment was performed using publicly available information only. No intrusive testing was conducted. Scan timestamp: 2026-02-23T03:00:11Z. Mode: Deep Scan.
Detailed Findings
17 findings identified, sorted by severity.
No DKIM Authentication
No DKIM records were found for any of 20 common selectors. Emails from @sunshinesupportingservices.com cannot be cryptographically verified as genuine, enabling trivial email forgery. This is especially critical with Microsoft 365 as the mail platform.
Evidence
- Selectors checked: 20 (default, google, selector1, selector2, k1, dkim, s1, s2, mail, etc.)
- Found: 0
- MX: sunshinesupportingservices-com.mail.protection.outlook.com
- Platform: Microsoft 365 (requires selector1/selector2 CNAME records)
Remediation
Configure DKIM via Microsoft 365 Admin Center:
1. Go to https://security.microsoft.com → Email authentication → DKIM
2. Select sunshinesupportingservices.com
3. Enable DKIM signing
4. Add these CNAME records at GoDaddy DNS (replace TENANT with the Microsoft 365 tenant name):
    selector1._domainkey CNAME selector1-sunshinesupportingservices-com._domainkey.TENANT.onmicrosoft.com
    selector2._domainkey CNAME selector2-sunshinesupportingservices-com._domainkey.TENANT.onmicrosoft.com
No DMARC Record
No DMARC record exists for sunshinesupportingservices.com. Without DMARC, there is no policy instructing receiving servers how to handle emails that fail SPF/DKIM checks, and no reporting mechanism for email authentication failures.
Evidence
- dig TXT _dmarc.sunshinesupportingservices.com → No record found
- Current state: SPF exists but DKIM missing — DMARC would fail alignment for all emails
Remediation
Add DMARC record at GoDaddy DNS. Start with monitoring mode, then tighten after DKIM is configured:
- Phase 1 (immediate — monitoring): _dmarc TXT "v=DMARC1; p=none; rua=mailto:dmarc@sunshinesupportingservices.com; fo=1"
- Phase 2 (after DKIM confirmed working, ~2 weeks): _dmarc TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@sunshinesupportingservices.com; fo=1"
- Phase 3 (after quarantine period, ~4 weeks): _dmarc TXT "v=DMARC1; p=reject; rua=mailto:dmarc@sunshinesupportingservices.com; fo=1"
SPF Record Missing Microsoft 365 Include
The SPF record includes secureserver.net (GoDaddy) with hardfail (-all), but MX points to Microsoft 365 (sunshinesupportingservices-com.mail.protection.outlook.com). Emails sent from Microsoft 365 will fail SPF checks because spf.protection.outlook.com is not included.
Evidence
- Current SPF: v=spf1 include:secureserver.net -all
- MX: sunshinesupportingservices-com.mail.protection.outlook.com (priority 0)
- Missing: include:spf.protection.outlook.com
Remediation
Update SPF record at GoDaddy DNS:
    v=spf1 include:secureserver.net include:spf.protection.outlook.com -all
This adds Microsoft 365's sending IPs while maintaining the hardfail policy.
Weak Content Security Policy
The CSP header only defines frame-ancestors, which prevents clickjacking but provides no protection against XSS, data injection, or other content-based attacks. Missing critical directives: default-src, script-src, style-src, img-src, connect-src.
Evidence
- Content-Security-Policy: frame-ancestors 'self' godaddy.com *.godaddy.com dev-godaddy.com *.dev-godaddy.com test-godaddy.com *.test-godaddy.com
- Missing directives: default-src, script-src, style-src, img-src, connect-src
- Note: This is a GoDaddy Website Builder limitation — CSP is platform-managed
Remediation
GoDaddy Website Builder manages the CSP header at the platform level. Options:
1. Contact GoDaddy support to request stricter CSP directives
2. If possible, add custom headers via .htaccess or GoDaddy's header configuration
3. Consider migrating to a platform that allows full CSP control (e.g., Cloudflare Pages, Netlify)
Ideal CSP for a static site:
    default-src 'self'; script-src 'self' img1.wsimg.com fonts.googleapis.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; img-src 'self' isteam.wsimg.com data:; font-src fonts.gstatic.com; frame-ancestors 'self'
Missing X-Content-Type-Options Header
The X-Content-Type-Options header is not set. Without this header, browsers may MIME-sniff responses, potentially treating non-executable content as executable — enabling drive-by download attacks.
Evidence
- Response headers scanned — X-Content-Type-Options: NOT PRESENT
- Expected: X-Content-Type-Options: nosniff
Remediation
Add header via GoDaddy's configuration or contact support:
    X-Content-Type-Options: nosniff
This is a single-value header with no configuration complexity.
SMTP STARTTLS Not Detected
The SMTP connection to the MX server did not indicate STARTTLS support during the scan. Without STARTTLS, email in transit is unencrypted and vulnerable to interception. Note: Microsoft 365 normally supports STARTTLS — this may be a scan timing issue.
Evidence
- MX: sunshinesupportingservices-com.mail.protection.outlook.com
- Banner: 220 SY3PEPF0000A727.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready
- STARTTLS: false
- Note: Microsoft 365 typically supports STARTTLS. The scan may not have received the full EHLO response.
Remediation
1. Verify STARTTLS manually: openssl s_client -starttls smtp -connect sunshinesupportingservices-com.mail.protection.outlook.com:25
2. If STARTTLS is confirmed working, this is a false positive from the scan
3. Microsoft 365 Exchange Online always supports TLS — ensure the MX record is correct
4. Consider adding MTA-STS to enforce TLS for inbound email
No CAA Records
No CAA (Certificate Authority Authorization) records exist. Any certificate authority can issue certificates for this domain, increasing the risk of unauthorized certificate issuance.
Evidence
- dig CAA sunshinesupportingservices.com → No records
- Current CA: GoDaddy (Go Daddy Secure Certificate Authority - G2)
- Recommended CAA: restrict to GoDaddy only
Remediation
Add CAA records at GoDaddy DNS:
    sunshinesupportingservices.com. CAA 0 issue "godaddy.com"
    sunshinesupportingservices.com. CAA 0 iodef "mailto:admin@sunshinesupportingservices.com"
DNSSEC Not Enabled
DNSSEC is not configured for this domain. DNS responses can be spoofed or tampered with in transit, enabling cache poisoning and man-in-the-middle attacks.
Evidence
- dig DS sunshinesupportingservices.com → No DS records
- DNSSEC: disabled
- Registrar DNS: ns77.domaincontrol.com / ns78.domaincontrol.com (GoDaddy)
Remediation
Enable DNSSEC via GoDaddy domain management:
1. Log into GoDaddy → My Products → DNS Management
2. Navigate to DNSSEC settings
3. Enable DNSSEC (GoDaddy handles key generation and DS record publication)
Note: GoDaddy supports one-click DNSSEC for domains using their nameservers.
Cookie Missing HttpOnly and SameSite Attributes
The dps_site_id cookie is set without HttpOnly or SameSite attributes. While the Secure flag is present, missing HttpOnly allows JavaScript access (XSS risk) and missing SameSite may allow CSRF attacks.
Evidence
- Set-Cookie: dps_site_id=ap-southeast-2; path=/; secure
- Missing: HttpOnly flag
- Missing: SameSite attribute
- Present: Secure flag ✓
Remediation
This is a GoDaddy platform cookie (DPS = Digital Publishing System). Contact GoDaddy support. Ideal cookie:
    dps_site_id=ap-southeast-2; path=/; secure; HttpOnly; SameSite=Lax
Note: Since this appears to be a non-sensitive site ID cookie, the risk is lower than for session cookies.
No MTA-STS Policy
No MTA-STS (Mail Transfer Agent Strict Transport Security) policy exists. Without MTA-STS, there is no mechanism to enforce TLS for inbound email connections, allowing downgrade attacks.
Evidence
- MTA-STS record: Not found
- MTA-STS mode: null
- MX: Microsoft 365 (supports TLS natively, but MTA-STS adds enforcement)
Remediation
1. Create MTA-STS policy file at https://mta-sts.sunshinesupportingservices.com/.well-known/mta-sts.txt:
    version: STSv1
    mode: enforce
    mx: sunshinesupportingservices-com.mail.protection.outlook.com
    mx: *.mail.protection.outlook.com
    max_age: 604800
2. Add DNS record: _mta-sts TXT "v=STSv1; id=20260223"
Note: Requires hosting the policy file on a subdomain — may need separate hosting from GoDaddy Website Builder.
Missing Referrer-Policy Header
No Referrer-Policy header is set. The browser's default behaviour may leak the full URL (including query parameters) to external sites when users click outbound links.
Evidence
- Response headers scanned — Referrer-Policy: NOT PRESENT
- Expected: Referrer-Policy: strict-origin-when-cross-origin
Remediation
Add header: Referrer-Policy: strict-origin-when-cross-origin
Missing Permissions-Policy Header
No Permissions-Policy header is set. Browser features like camera, microphone, geolocation, and payment APIs are not explicitly restricted.
Evidence
Response headers scanned — Permissions-Policy: NOT PRESENT
Remediation
Add header: Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
No security.txt File
No security.txt file exists at /.well-known/security.txt (RFC 9116). This file provides security researchers with contact information for responsible vulnerability disclosure.
Evidence
- GET https://sunshinesupportingservices.com/.well-known/security.txt → Not found
- GET https://sunshinesupportingservices.com/security.txt → Not found
Remediation
Create /.well-known/security.txt with content:
    Contact: mailto:security@sunshinesupportingservices.com
    Expires: 2027-02-23T00:00:00.000Z
    Preferred-Languages: en
Note: GoDaddy Website Builder may not support custom file paths — check platform capabilities.
No TLS-RPT Record
No TLS-RPT (TLS Reporting) record exists. Without TLS-RPT, you won't receive reports about email TLS connection failures from receiving servers.
Evidence
dig TXT _smtp._tls.sunshinesupportingservices.com → No record found
Remediation
Add DNS record: _smtp._tls TXT "v=TLSRPTv1; rua=mailto:tlsrpt@sunshinesupportingservices.com"
HSTS Preload Not Submitted
HSTS is configured with preload directive in the header, but the domain does not appear on the HSTS preload list. The preload directive has no effect until the domain is submitted to hstspreload.org.
Evidence
- Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
- HSTS Preload List: NOT LISTED
- Note: The HSTS configuration is excellent (2-year max-age, includeSubDomains, preload directive present)
Remediation
Submit to HSTS preload list:
1. Visit https://hstspreload.org/
2. Enter sunshinesupportingservices.com
3. Confirm the requirements are met (they are)
4. Submit for inclusion
Note: Preload is permanent and difficult to reverse. Ensure all subdomains support HTTPS before submitting.
No DANE/TLSA Records
No DANE (DNS-based Authentication of Named Entities) TLSA records exist. DANE provides an additional layer of TLS certificate verification via DNS but requires DNSSEC to be enabled first.
Evidence
- dig TLSA _25._tcp.sunshinesupportingservices-com.mail.protection.outlook.com → No records
- Prerequisite: DNSSEC must be enabled before DANE can be effective
Remediation
1. Enable DNSSEC first (see SSS-008)
2. Then add TLSA records for the MX server
Note: DANE adoption is low and Microsoft 365 manages their own TLS certificates. This is informational only.
No BIMI Record
No BIMI (Brand Indicators for Message Identification) record exists. BIMI allows displaying a verified brand logo in email clients that support it (Gmail, Apple Mail).
Evidence
- dig TXT default._bimi.sunshinesupportingservices.com → No record found
- Prerequisite: DMARC p=reject must be configured before BIMI will function
Remediation
After DMARC is set to p=reject:
1. Create a square SVG logo in Tiny P/S format
2. Optionally obtain a VMC (Verified Mark Certificate) from DigiCert or Entrust
3. Add DNS record: default._bimi TXT "v=BIMI1; l=https://sunshinesupportingservices.com/bimi/logo.svg"
Risk Matrix
Findings plotted by likelihood and impact
Compliance & Framework Assessment
Alignment against 9 industry frameworks
| Id | Control | Status | Evidence |
|---|---|---|---|
| ISM-0574 | SPF specification | partial | SPF present with hardfail but missing M365 include |
| ISM-1151 | SPF verification (hardfail) | pass | Using -all (hardfail) |
| ISM-0269 | DKIM records | fail | No DKIM selectors found (0 of 20) |
| ISM-1540 | DMARC configuration | fail | No DMARC record exists |
| ISM-1799 | DMARC enforcement | fail | No DMARC record — no policy to enforce |
| ISM-0569 | Email gateway routing | pass | MX points to Microsoft 365 (Exchange Online Protection) |
| ISM-1552 | HTTPS-only | pass | HSTS with 2-year max-age, includeSubDomains, preload directive |
| ISM-1139 | TLS configuration | pass | TLS 1.3 with PFS |
| ISM-1369 | TLS forward secrecy | pass | PFS enabled (TLS 1.3 implies PFS) |
| ISM-1706 | DNSSEC | fail | No DS records found |
| ISM-1485 | Security headers | fail | 2 of 9 scored headers present (22%) |
| ISM-0659 | Content filtering | fail | No CAA records; CSP limited to frame-ancestors only |
| ISM-1157 | Gateway security | partial | AWS Global Accelerator detected; no explicit WAF |
| Control | Status | Evidence |
|---|---|---|
| INFOSEC-3: Email authentication | fail | SPF partial (missing M365), DKIM absent, DMARC absent |
| INFOSEC-4: Web security | partial | HSTS excellent, TLS 1.3, but weak CSP and missing headers |
| INFOSEC-10: Essential Eight alignment | fail | 2 of 5 assessable controls at ML0 |
| Control | Status | Evidence |
|---|---|---|
| 9.2: DNS filtering/security | fail | No DNSSEC, no CAA records |
| 9.5: DMARC enforcement | fail | No DMARC record exists |
| 3.10: TLS configuration | pass | TLS 1.3 with PFS, HSTS preload-ready |
| 12.1: DNS infrastructure | partial | GoDaddy managed NS, no DNSSEC, no CAA |
Overall CSF Score: 33% (10/30)
| Control | Status | Evidence |
|---|---|---|
| PCI DSS 4.2.1: Strong cryptography | pass | TLS 1.3 with AES-128 |
| PCI DSS 6.4.1: Public-facing web app protections | partial | Weak CSP; no explicit WAF detected |
| PCI DSS 11.3.1: Vulnerability management | partial | Managed platform reduces attack surface; no security.txt for disclosure |
| Control | Status | Evidence |
|---|---|---|
| Firewalls | partial | AWS Global Accelerator provides some protection; no explicit WAF |
| Secure Configuration | fail | Missing security headers (5 of 7 absent) |
| Security Update Management | pass | GoDaddy managed platform handles patching |
| Access Control | Requires Internal Assessment | Cannot assess from external scan |
| Malware Protection | Requires Internal Assessment | Cannot assess from external scan |
| Control | Status | Evidence |
|---|---|---|
| A05:2021 Security Misconfiguration | fail | Missing X-Content-Type-Options, Referrer-Policy, Permissions-Policy; weak CSP |
| A02:2021 Cryptographic Failures | pass | TLS 1.3, PFS, valid certificate |
| A07:2021 Identification and Authentication Failures | fail | No DKIM, no DMARC — email authentication failures |
| Control | Status | Evidence |
|---|---|---|
| A.8.24: Use of cryptography | pass | TLS 1.3 with AES-128 and PFS |
| A.8.20: Network security | partial | HSTS configured; DNSSEC missing |
| A.5.14: Information transfer | fail | Email authentication incomplete (no DKIM/DMARC) |
Email Security Deep Dive
SPF, DKIM, DMARC, MTA-STS, TLS-RPT, DANE, and BIMI analysis
| Protocol | Status | Details |
|---|---|---|
| SPF | Found | v=spf1 include:secureserver.net -all (Qualifier: hardfail) |
| DKIM | Not Found | Checked 20 selectors |
| DMARC | Missing | No DMARC record |
| MTA-STS | Missing | No MTA-STS policy |
| TLS-RPT | Missing | No TLS-RPT record |
| DANE/TLSA | Not Found | No TLSA records |
| BIMI | Not Found | No BIMI record |
SPF Mechanism Analysis
include:secureserver.net
-all
DNS & Domain Infrastructure
Nameservers, records, and DNSSEC status
| Record Type | Value |
|---|---|
| NS | ns77.domaincontrol.com ns78.domaincontrol.com |
| MX | sunshinesupportingservices-com.mail.protection.outlook.com |
| A | 76.223.105.230 13.248.243.5 |
| AAAA | |
| SOA | ns77.domaincontrol.com dns.jomax.net 2022111700 |
| CAA | |
| DNSSEC | Not Enabled |
Infrastructure Geolocation
| IP | Location | ISP / Org |
|---|---|---|
| 76.223.105.230 | Seattle, United States | Amazon.com, Inc. |
| 13.248.243.5 | Montreal, Canada | Amazon.com, Inc. |
DNS Quality Metrics
Nameserver diversity, propagation, and configuration health
DNS Propagation Check
DNS resolution is consistent across global resolvers.
| Resolver | Results |
|---|---|
| Google 8.8.8.8 | 13.248.243.5,76.223.105.230 |
| Cloudflare 1.1.1.1 | 13.248.243.5,76.223.105.230 |
| Quad9 9.9.9.9 | 13.248.243.5,76.223.105.230 |
| OpenDNS 208.67.222.222 | 13.248.243.5,76.223.105.230 |
TTL Values
| Record Type | TTL (seconds) |
|---|---|
| A | 3599 |
| MX | 3599 |
| NS | 3599 |
HTTP Security Headers
Analysis of security-related HTTP response headers
| Header | Status | Value |
|---|---|---|
| Strict-Transport-Security | Present | max-age=63072000; includeSubDomains; preload |
| Content-Security-Policy | Present | frame-ancestors 'self' godaddy.com *.godaddy.com dev-godaddy.com *.dev-godaddy.com test-godaddy.com *.test-godaddy.com |
| X-Frame-Options | Missing | — |
| X-Content-Type-Options | Missing | — |
| Referrer-Policy | Missing | — |
| Permissions-Policy | Missing | — |
| X-XSS-Protection | Missing | — |
| Cross-Origin-Opener-Policy | Missing | — |
| Cross-Origin-Resource-Policy | Missing | — |
| Cross-Origin-Embedder-Policy | Missing | — |
| Cache-Control | Present | max-age=30 |
| Server | Present | DPS/2.0.0+sha-fa2cab1 |
Cookie, CORS & Web Security
Cookie flags, CORS policy, mixed content, and CSP analysis
Cookies
| Cookie | Secure | HttpOnly | SameSite |
|---|---|---|---|
| dps_site_id | Yes | No | None |
CORS Policy
Access-Control-Allow-Origin: Not set
CSP Analysis
{
"directives": [
"frame-ancestors 'self' godaddy.com *.godaddy.com dev-godaddy.com *.dev-godaddy.com test-godaddy.com *.test-godaddy.com"
],
"raw": "frame-ancestors 'self' godaddy.com *.godaddy.com dev-godaddy.com *.dev-godaddy.com test-godaddy.com *.test-godaddy.com",
"missingDirectives": [
"default-src",
"script-src",
"style-src",
"img-src",
"connect-src"
]
}
Blacklist & Email Reputation
DNSBL and domain reputation checks
The DNS resolver is blocking DNSBL queries. Blacklist results below may be unreliable.
IP Blacklist Checks
| DNSBL | Status |
|---|---|
| zen.spamhaus.org | Clean |
| bl.spamcop.net | Clean |
| b.barracudacentral.org | Clean |
| dnsbl.sorbs.net | Clean |
| cbl.abuseat.org | Clean |
Domain Blacklist Checks
| DNSBL | Status |
|---|---|
| dbl.spamhaus.org | Clean |
| multi.uribl.com | Clean |
| multi.surbl.org | Clean |
| black.uribl.com | Clean |
SMTP Analysis
Mail server banner, capabilities, and encryption
| Check | Result |
|---|---|
| Banner | 220 ML1PEPF00011308.mail.protection.outlook.com Microsoft ESMTP MAIL Service ready at Sun, 22 Feb 2026 17:00:24 +0000 [08DE6B947CC9F7B1] |
| EHLO Capabilities | ML1PEPF00011308.mail.protection.outlook.com Hello [[scanner-ip]] |
| STARTTLS | Not Supported |
| PTR Record | mail-meupr01cu00305.inbound.protection.outlook.com |
OSINT & Historical Intelligence
Certificate transparency, archived snapshots, and subdomain enumeration
Certificate Transparency Logs
| Common Name | Issuer | Not Before |
|---|---|---|
| sunshinesupportingservices.com | C=US, ST=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 | 2025-10-19T10:18:28 |
| sunshinesupportingservices.com | C=US, ST=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 | 2024-10-19T06:24:26 |
| sunshinesupportingservices.com | C=US, ST=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 | 2025-10-19T10:18:28 |
| sunshinesupportingservices.com | C=US, ST=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 | 2024-10-19T06:24:26 |
| sunshinesupportingservices.com | C=US, ST=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 | 2023-10-18T21:30:14 |
| sunshinesupportingservices.com | C=US, ST=Arizona, L=Scottsdale, O="GoDaddy.com, Inc.", OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2 | 2022-11-17T10:52:50 |
Typosquatting & Similar Domains
Common misspellings and confusable domain variants that could be used for phishing or brand impersonation. These should be monitored or defensively registered.
194 variants generated: 11 tld variant, 10 homoglyph, 24 transposed, 90 adjacent key, 25 missing letter, 25 doubled letter, 9 hyphenation
Technology Stack
Detected platform, CDN, WAF, and server details
| Component | Details |
|---|---|
| Server | DPS/2.0.0+sha-fa2cab1 |
| TLS Version | TLS 1.3 |
| Cipher Suite | Aes128 |
| SSL Expiry | 2026-11-17 |
| Perfect Forward Secrecy | Yes |
Hosting & Infrastructure
Hosting provider, server software, CMS detection, and certificate history
| Component | Details |
|---|---|
| Hosting Provider | AWS |
| ASN Organization | AWS Global Accelerator (GLOBAL) |
| Server Version | DPS/2.0.0 |
| CMS Detected | Starfield Technologies; Go Daddy Website Builder 8.0.0000 |
Certificate Issuer History
| Issuer | Certificates | First Seen | Last Seen |
|---|---|---|---|
| | 6 | 2024-10-19T06:24:26 | 2025-10-19T10:18:28 |
WHOIS & Domain Intelligence
Domain registration, expiry, registrant contacts, and TLD-specific status analysis via RDAP
Registrant contact details are redacted by a privacy/proxy service. The domain owner's identity is not publicly visible.
Domain Profile
| Field | Value |
|---|---|
| Registrar | 146 |
| TLD | .com |
| Registered | 2021-02-18 (5y 0m ago) |
| Expires | 2027-02-18 (360 days remaining) |
| Registrant Privacy | Yes (WHOIS privacy enabled) |
| RDAP Source | https://rdap.org/domain/sunshinesupportingservices.com |
Domain Status Codes
| Status Code | Interpretation | Severity |
|---|---|---|
| client delete prohibited | Registrar-set delete protection | info |
| client renew prohibited | Registrar-set renewal lock | warning |
| client transfer prohibited | Registrar-set transfer lock (normal) | info |
| client update prohibited | Registrar-set update lock | info |
Generic top-level domain governed by ICANN. Standard EPP status codes apply. Transfer locks are set by the registrar and are normal protective measures.
RDAP Nameservers
NS78.DOMAINCONTROL.COM
SEO & Visibility
Meta tags, Open Graph, structured data, and sitemap analysis
| Check | Status | Details |
|---|---|---|
| Title Tag | Found | Sunshine Support Care (21 chars) |
| Meta Description | Missing | — |
| Canonical URL | Missing | — |
| Viewport Meta | Found | Present |
| JSON-LD Structured Data | Missing | — |
| Twitter Card | Found | summary |
| Sitemap | Found | Accessible (2 URLs) |
Open Graph Tags
| Property | Value |
|---|---|
| og:image | https://img1.wsimg.com/isteam/ip/023c81f3-e27b-40f7-869d-c6051d9b339c/new%20look.png |
| og:locale | en_AU |
| og:title | Sunshine Support Care |
| og:url | https://sunshinesupportingservices.com/ |
| og:type | website |
| og:site_name | Sunshine Support Care |
robots.txt Directives (2)
User-agent: *
Disallow: /404
Site Structure & Crawl Analysis
Pages discovered via HTTP crawl compared against sitemap.xml
Site Map Diagram
Proactive Monitoring Recommendations
Recommended monitoring and alerting setup
| Monitor | Tool | Frequency |
|---|---|---|
| DNSBL monitoring | HetrixTools free tier | Every 6 hours |
| DMARC aggregate reports | Postmark DMARC / DMARCian free | Weekly review |
| SSL certificate expiry | Uptime Kuma / UptimeRobot | Daily |
| DNS record drift | DNS Spy / custom script | Weekly |
| CT log monitoring | CertSpotter / Facebook CT Monitor | Real-time |
Recommendations & Remediation Roadmap
Prioritized actions grouped by timeline
Immediate (0-48 hours)
| Finding | Severity | Action | Effort |
|---|---|---|---|
| SSS-001 | Critical | Configure DKIM via Microsoft 365 Admin Center + GoDaddy CNAME records | 30min-1h |
| SSS-002 | Critical | Add DMARC record in monitoring mode (p=none) | 5min |
| SSS-003 | High | Update SPF to include spf.protection.outlook.com | 5min |
Short Term (1-2 weeks)
| Finding | Severity | Action | Effort |
|---|---|---|---|
| SSS-007 | Medium | Add CAA records for GoDaddy | 5min |
| SSS-008 | Medium | Enable DNSSEC via GoDaddy | 5min |
| SSS-015 | Info | Submit to HSTS preload list | 5min |
| SSS-002 | Critical | Escalate DMARC to p=quarantine after 2 weeks monitoring | 5min |
Medium Term (1-3 months)
| Finding | Severity | Action | Effort |
|---|---|---|---|
| SSS-004 | High | Investigate CSP options with GoDaddy or consider platform migration | 2-4h |
| SSS-005 | High | Add missing security headers if GoDaddy permits custom headers | 1-2h |
| SSS-010 | Medium | Configure MTA-STS (requires subdomain hosting) | 2-4h |
| SSS-002 | Critical | Escalate DMARC to p=reject after 4 weeks | 5min |
Appendices
Raw data, glossary, and disclaimers
A. robots.txt
User-agent: *
Disallow: /404
B. Sitemap
https://sunshinesupportingservices.com/sitemap.xml
C. Glossary
| Term | Definition |
|---|---|
| SPF | Sender Policy Framework — restricts which servers can send email for a domain |
| DKIM | DomainKeys Identified Mail — cryptographic email authentication |
| DMARC | Domain-based Message Authentication, Reporting & Conformance |
| MTA-STS | Mail Transfer Agent Strict Transport Security — enforces TLS for email |
| TLS-RPT | TLS Reporting — receive reports about email TLS failures |
| DANE/TLSA | DNS-based Authentication of Named Entities — binds certificates to DNS |
| DNSSEC | Domain Name System Security Extensions — cryptographic DNS validation |
| CAA | Certificate Authority Authorization — restricts which CAs can issue certificates |
| BIMI | Brand Indicators for Message Identification — brand logo in email clients |
| HSTS | HTTP Strict Transport Security — forces HTTPS connections |
| CSP | Content Security Policy — controls which resources a page can load |
| DNSBL | DNS-based Blackhole List — real-time email/IP reputation service |
D. Disclaimer
This security assessment was performed using publicly available information only. No intrusive testing, penetration testing, or vulnerability exploitation was conducted.
Severity ratings use a qualitative likelihood x impact risk matrix aligned with ISO 27005. Risk scores are indicative and based on professional judgement.
This document is classified CONFIDENTIAL and is intended solely for the named recipient.
Assessment methodology references: NIST SP 800-177 Rev. 1, OWASP Secure Headers Project, PCI DSS v4.0, UK Cyber Essentials, ACSC Essential Eight, ISO 27005.