Domain & server security checklist

Extension of the IT security checklist, focused on domain infrastructure, email authentication, and website security. Run these checks periodically — many can be automated.


8. Email Domain Security (SPF / DKIM / DMARC)

SPF (Sender Policy Framework)
An SPF record exists for the domain required
  • SPF specifies which mail servers are authorised to send email on behalf of your domain. It is published as a TXT record on the domain, starting with v=spf1, and receivers evaluate it against the envelope sender (MAIL FROM) domain.
The SPF record does not use overly permissive qualifiers required
  • Avoid +all or ?all. Both let any server send on your behalf: +all passes everything, and ?all returns a neutral result that receivers treat like having no policy. Use -all (hard fail) or ~all (soft fail). Keep the record within the limit of 10 DNS-lookup terms (include, a, mx, ptr, exists, redirect); beyond that receivers return a permanent error and the record protects nothing.
DKIM (DomainKeys Identified Mail)
DKIM signing is enabled for all outgoing mail required
  • DKIM adds a cryptographic signature to outgoing email, made with a private key whose public half is published in DNS under a selector (selector._domainkey.yourdomain). Receiving servers use it to verify that the signed headers and body were not altered in transit and that the signing domain vouched for the message.
DKIM keys are at least 2048-bit required
  • 1024-bit RSA keys are considered weak and should be rotated: publish the new key under a fresh selector, switch signing to it, and only then remove the old selector so that mail still in transit continues to verify.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
A DMARC record exists for the domain required
  • DMARC tells receiving servers what to do with email that fails SPF or DKIM checks.
The DMARC policy is set to quarantine or reject required
  • p=none provides no protection; it only monitors. Move to p=quarantine or p=reject to actively block spoofed email. Leave pct at its default of 100 (a lower value applies the policy to only a fraction of failing mail), and set sp= only if subdomains should get a different policy; otherwise they inherit p=.
A reporting address (rua=) is configured recommended
  • Without this, you receive no reports and have no visibility into spoofing attempts or delivery issues.
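The three record checks above can be scripted. The following is an added example, not part of the original checklist: a stdlib-only Python module that inspects SPF, DMARC and DKIM TXT strings (as returned by `dig +short TXT <name>`) for the weak settings listed in this chapter. The sample records use example.com/example.net and are constructed; the DKIM public keys are synthetic SubjectPublicKeyInfo structures with a modulus of a chosen bit length (not real RSA keys), built only so the key-size check has something to parse. The SPF lookup count covers the top-level record only, so it is a lower bound.

```python
# Static checks for SPF, DKIM and DMARC TXT records, stdlib only. Input is the
# string `dig +short TXT <name>` returns; samples at the bottom are constructed.
from __future__ import annotations
import base64

def check_spf(record: str) -> list[str]:
    """Findings for an SPF record (empty list = pass)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        t = term.lower()
        qualifier, mech = (t[0], t[1:]) if t[0] in "+-~?" else ("+", t)
        if mech == "all":
            all_qualifier = qualifier
        # Terms costing a DNS lookup (RFC 7208 s4.6.4 caps them at 10); lower bound, this record only.
        elif mech.split(":")[0].split("/")[0] in ("a", "mx", "ptr") or \
                mech.startswith(("include:", "exists:", "redirect=")):
            lookups += 1
    findings = []
    if all_qualifier is None:
        findings.append("SPF: no 'all' term; unmatched senders get a neutral result")
    elif all_qualifier in "+?":
        findings.append(f"SPF: '{all_qualifier}all' lets any host send as this domain; use -all or ~all")
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings

def parse_tags(record: str) -> dict[str, str]:
    # 'tag=value; tag=value' syntax shared by DMARC and DKIM records
    pairs = (part.partition("=") for part in record.split(";"))
    return {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}

def check_dmarc(record: str) -> list[str]:
    """Findings for a DMARC record (empty list = pass)."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings, policy = [], tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or '<missing>'} only monitors; use quarantine or reject")
    elif tags.get("sp", policy).lower() not in ("quarantine", "reject"):
        findings.append(f"DMARC: sp={tags['sp']} leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports will arrive")
    return findings

# Minimal DER helpers: enough to build and read an RSA SubjectPublicKeyInfo.
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    n_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n_bytes)]) + n_bytes + body

def _der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def _tlv(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    # Read one tag-length-value; returns (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def fake_rsa_spki(bits: int) -> bytes:
    """Constructed SPKI whose modulus is exactly `bits` bits long (NOT a real RSA key)."""
    rsa_public_key = _der(0x30, _der_int((1 << (bits - 1)) | 1) + _der_int(65537))
    algorithm = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))

def rsa_modulus_bits(spki: bytes) -> int:
    _, spki_body, _ = _tlv(spki)                 # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _tlv(spki_body)                  # skip AlgorithmIdentifier
    _, bit_string, _ = _tlv(spki_body, pos)      # BIT STRING wrapping RSAPublicKey
    _, rsa_public_key, _ = _tlv(bit_string[1:])  # drop the unused-bits byte
    _, modulus, _ = _tlv(rsa_public_key)         # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()

def check_dkim(record: str) -> list[str]:
    """Findings for a DKIM selector record (empty list = pass)."""
    tags = parse_tags(record)
    public_key = tags.get("p", "")
    if not public_key:
        return ["DKIM: empty p= tag revokes the key; nothing signed with it will verify"]
    if tags.get("k", "rsa").lower() == "ed25519":
        return []  # RFC 8463 keys are a fixed 256 bits; no size check applies
    bits = rsa_modulus_bits(base64.b64decode(public_key))
    return [f"DKIM: {bits}-bit RSA key is weak; rotate to 2048 bits or more"] if bits < 2048 else []

# Constructed samples (example.com/.net); the DKIM keys are fake_rsa_spki() output.
SAMPLES = {
    "spf": "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "dkim_weak": "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(1024)).decode(),
    "dkim_good": "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(2048)).decode(),
}
```

Each checker returns a list of findings, so an empty list means the record passes; wire them to a resolver call (dnspython or a `dig` subprocess) and a cron job, and alert when a result changes.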


9. DNS Infrastructure Security (DNSSEC / MTA-STS)

DNSSEC (DNS Security Extensions)
DNSSEC is enabled on the domain's DNS zone required
  • DNSSEC adds cryptographic signatures to DNS records, so validating resolvers can detect forged or altered answers (cache poisoning, spoofed responses) instead of sending traffic to an attacker's host. It does not protect the registrar account itself, and a lapsed signature or stale key makes the domain unresolvable for validating resolvers, so monitor signature expiry as well.
The DS record is present at the registrar required
  • The chain of trust is only complete if the DS record is published at the domain registrar, not just at the DNS hosting provider. When moving to a new DNS provider, remove the old DS record (or add the new one) before the old signing keys disappear, otherwise the domain fails validation and goes dark.
DNSSEC is enabled for all domains managed by the organisation recommended
  • Not just the primary domain — also secondary and parked domains.
MTA-STS (Mail Transfer Agent Strict Transport Security)
An MTA-STS policy is published recommended
  • Publish a TXT record at _mta-sts.[yourdomain] containing v=STSv1; id=<value>, and a policy file at https://mta-sts.[yourdomain]/.well-known/mta-sts.txt, served with a valid certificate for that hostname, with mode set to enforce. Every MX host must be covered by the policy's mx: lines and present a certificate matching its name; otherwise senders that honour the policy stop delivering. Start in mode testing, read the TLS-RPT reports, then switch to enforce, and change the id whenever the policy changes so senders refetch it.
TLS-RPT is configured alongside MTA-STS recommended
  • The _smtp._tls.[yourdomain] TXT record (v=TLSRPTv1; rua=mailto:...) enables reporting on email delivery failures, giving visibility into transport security issues such as MTA-STS policy mismatches and certificate errors before they cost you mail.
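As an added example (not part of the original checklist), the MTA-STS and TLS-RPT items above expressed as stdlib-only Python checks. The inputs are the _mta-sts TXT record, the body of the policy file, the domain's actual MX hostnames and the _smtp._tls TXT record; the samples at the bottom are constructed on example.com/example.net. The check most worth running is the last one in check_mta_sts: an MX host not covered by an mx: line is exactly the misconfiguration that makes mode enforce lose mail.

```python
# Static checks for MTA-STS and TLS-RPT, stdlib only. Inputs are the `_mta-sts.<domain>`
# TXT record, the body of https://mta-sts.<domain>/.well-known/mta-sts.txt, the domain's
# MX hostnames and the `_smtp._tls.<domain>` TXT record; samples below are constructed.
from __future__ import annotations

def parse_tags(record: str) -> dict[str, str]:
    """'tag=value; tag=value' syntax used by both DNS records."""
    pairs = (part.partition("=") for part in record.split(";"))
    return {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}

def parse_mta_sts_policy(text: str) -> dict:
    """Policy file body: 'key: value' lines; mx may repeat (RFC 8461 s3.2)."""
    policy: dict = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_matches(mx_host: str, pattern: str) -> bool:
    """RFC 8461 s4.1: '*.example.com' matches exactly one leftmost label, nothing deeper."""
    mx_host, pattern = mx_host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in mx_host and mx_host.split(".", 1)[1] == pattern[2:]
    return mx_host == pattern

def check_mta_sts(dns_record: str, policy_text: str, mx_hosts: list[str]) -> list[str]:
    """Findings for the DNS record and policy file against the domain's real MX hosts."""
    findings, tags = [], parse_tags(dns_record)
    if tags.get("v") != "STSv1" or not tags.get("id"):
        findings.append("MTA-STS: _mta-sts TXT record needs v=STSv1 and a non-empty id=")
    policy = parse_mta_sts_policy(policy_text)
    if policy.get("version") != "STSv1":
        findings.append("MTA-STS: policy file must start with 'version: STSv1'")
    if policy.get("mode") != "enforce":
        findings.append(f"MTA-STS: mode is {policy.get('mode')!r}; only 'enforce' makes "
                        "senders refuse delivery when TLS or the certificate fails")
    if not str(policy.get("max_age", "")).isdigit():
        findings.append("MTA-STS: max_age must be a non-negative integer (seconds)")
    # The costly mistake: under enforce, an MX missing from the mx: lines receives no mail.
    for host in mx_hosts:
        if not any(mx_matches(host, p) for p in policy["mx"]):
            findings.append(f"MTA-STS: MX host {host} is not covered by any mx: line")
    return findings

def check_tls_rpt(record: str) -> list[str]:
    """Findings for a TLS-RPT record (RFC 8460)."""
    tags = parse_tags(record)
    if tags.get("v") != "TLSRPTv1":
        return ["TLS-RPT: _smtp._tls TXT record must start with v=TLSRPTv1"]
    uris = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not uris or not all(u.startswith(("mailto:", "https:")) for u in uris):
        return ["TLS-RPT: rua= needs one or more mailto: or https: reporting endpoints"]
    return []

# Constructed samples on example.com / example.net; not real deployments.
MTA_STS_RECORD = "v=STSv1; id=20240301T120000Z"
POLICY_ENFORCE = ("version: STSv1\nmode: enforce\nmx: mail1.example.com\n"
                  "mx: *.mx.example.net\nmax_age: 604800\n")
POLICY_TESTING = POLICY_ENFORCE.replace("mode: enforce", "mode: testing")
TLS_RPT_RECORD = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"
MX_HOSTS = ["mail1.example.com", "eu1.mx.example.net"]

if __name__ == "__main__":
    print(check_mta_sts(MTA_STS_RECORD, POLICY_ENFORCE, MX_HOSTS) or "MTA-STS OK")
    print(check_mta_sts(MTA_STS_RECORD, POLICY_TESTING, MX_HOSTS + ["backup.example.org"]))
    print(check_tls_rpt(TLS_RPT_RECORD) or "TLS-RPT OK")
```

In production, fetch the policy file over HTTPS with certificate verification on (a policy served with a bad certificate is invalid by definition) and pass in the MX list from a live lookup, so the check catches an MX added later without a policy update.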


10. Website & CMS Security

General website security
The website runs entirely over HTTPS required
  • All HTTP requests redirect to HTTPS and there are no mixed content warnings. The TLS certificate is valid and not expired. Automate certificate renewal (e.g. Let's Encrypt) and alert on certificates nearing expiry.
HTTP Strict Transport Security (HSTS) is enabled required
  • Once a browser has seen the Strict-Transport-Security header over HTTPS, it refuses to load the site over plain HTTP for max-age seconds, even if the user types http:// manually. Use a max-age of at least a year, add includeSubDomains, and consider submitting the domain to the browser preload list so that even the first visit is protected.
Security headers are configured recommended
  • At minimum: X-Frame-Options (or the CSP frame-ancestors directive) against clickjacking, X-Content-Type-Options: nosniff against MIME sniffing, and a Content-Security-Policy that restricts where scripts may load from, to blunt XSS. A CSP that allows 'unsafe-inline' for scripts without nonces or hashes offers little protection.
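The HTTPS, HSTS and security-header items above, as an added example that is not part of the original checklist: a stdlib-only Python audit of one response's headers. It takes the headers as a dict (for a live site, e.g. `dict(resp.getheaders())` from http.client); the two header sets at the bottom are constructed, a typical default and its hardened version. The one-year HSTS threshold is a chosen value (it is what the browser preload list requires), not a standard's minimum.

```python
# Audit the browser-facing security headers of one HTTPS response, stdlib only.
# audit_headers() takes the response headers as a dict (e.g. dict(resp.getheaders())
# from http.client); the two header sets at the bottom are constructed samples.
from __future__ import annotations

MIN_HSTS_AGE = 31536000  # one year, what hstspreload.org requires (chosen threshold)

def _directives(value: str) -> dict[str, str]:
    """Split 'a=1; b' header values into {name: value} (value '' when absent)."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip()
    return out

def check_hsts(value: str | None) -> list[str]:
    """Findings for the Strict-Transport-Security header (RFC 6797)."""
    if value is None:
        return ["HSTS: Strict-Transport-Security header missing"]
    d, findings = _directives(value), []
    if not d.get("max-age", "").isdigit():
        findings.append("HSTS: max-age missing or not a number; browsers ignore the header")
    elif int(d["max-age"]) < MIN_HSTS_AGE:
        findings.append(f"HSTS: max-age={d['max-age']} is under one year")
    if "includesubdomains" not in d:
        findings.append("HSTS: includeSubDomains missing; subdomains can still load over HTTP")
    return findings

def check_csp(value: str | None) -> list[str]:
    """Findings for Content-Security-Policy, focused on what actually limits script injection."""
    if value is None:
        return ["CSP: Content-Security-Policy header missing"]
    directives = {}  # name -> list of lower-cased source expressions
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    script_src = directives.get("script-src", directives.get("default-src"))
    if script_src is None:
        return ["CSP: neither script-src nor default-src set; scripts load from anywhere"]
    has_nonce_or_hash = any(t.startswith(("'nonce-", "'sha")) for t in script_src)
    if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
        return ["CSP: script-src allows 'unsafe-inline' without a nonce or hash; little XSS protection"]
    if "*" in script_src:
        return ["CSP: script-src allows '*'"]
    return []

def audit_headers(headers: dict[str, str]) -> list[str]:
    """All findings for one response; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = check_hsts(h.get("strict-transport-security")) + check_csp(h.get("content-security-policy"))
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in h.get("content-security-policy", "").lower():
        findings.append("Clickjacking: set X-Frame-Options to DENY or SAMEORIGIN, or CSP frame-ancestors")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing; browsers may MIME-sniff responses")
    return findings

# Constructed samples: a typical default deployment and its hardened version.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or "OK")
```

Run it against every hostname you serve, not just the main site: HSTS and CSP are per-origin, so a forgotten subdomain with default headers is not covered by the hardened main site.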
WordPress-specific (if applicable)
WordPress core, all plugins, and the active theme are kept up to date required
  • The majority of WordPress compromises exploit known vulnerabilities in outdated plugins.
No unused plugins or themes are installed required
  • Each inactive plugin is still an attack surface. Remove what is not in use.
The default admin username is not in use required
  • Rename or replace it; it is the first username attackers try. Renaming alone does not hide the account: author archives (/?author=1) and the REST API users endpoint (/wp-json/wp/v2/users) can reveal usernames, so restrict those as well and do not rely on an obscure username in place of a strong password and 2FA.
wp-login.php is protected recommended
  • Apply rate limiting, 2FA, or relocate the login URL to reduce brute-force exposure.
XML-RPC is disabled if not needed recommended
  • /xmlrpc.php is a frequent target: its system.multicall method lets an attacker try hundreds of passwords in a single request, bypassing per-request rate limits, and its pingback method can be abused to make the site send requests to third parties in reflected DDoS attacks. Block it at the web server unless something (e.g. the mobile app or Jetpack) needs it.
WPScan is run periodically to detect known vulnerabilities recommended
  • See: https://app.moralfabric.org/suppliers/tools/wpscan
Automation note: most of the checks in this chapter can be scripted or scheduled as part of a monthly automated scan. Consider setting up alerts for expiring certificates, DMARC policy changes, and new WPScan vulnerability matches.