Domain trust, explained
Plain-English guides to the trust signals browsers, inboxes and auditors judge your domains by — what each one is, how to read your result, and how to fix it. No sign-up required.
SPF, DKIM & DMARC
SPF, DKIM and DMARC tell receiving mail servers that a message really came from you. Without them, anyone can send email as your domain — and inboxes increasingly reject or quarantine domains that leave them unset.
Why it matters
Weak email authentication is the most common way brands get spoofed in phishing, and a DMARC policy of p=none gives you visibility with no protection. Mailbox providers now expect enforcement.
How to read your SkyQon result
SkyQon shows each record's presence and policy, flags SPF lookups that exceed the 10-query DNS limit, and warns when DMARC is stuck at p=none or alignment is failing.
How to fix it
Publish SPF and DKIM, then move DMARC from p=none to quarantine and finally reject once your legitimate senders pass. SkyQon gives you the exact records and re-verifies after you apply them.
Common mistakes
A second SPF record (only one is allowed), a p=reject policy with no reporting address, and unprotected sub-domains — attackers happily spoof the one you forgot.
Signed, tamper-evident DNS
DNS is the address book for everything your domain does. DNSSEC cryptographically signs your DNS answers so resolvers can detect tampering or cache poisoning.
Why it matters
Unsigned DNS lets an attacker forge answers and silently redirect your mail or website. CAA, MTA-STS and TLS-RPT records add further guardrails that many domains never set.
How to read your SkyQon result
SkyQon reports whether DNSSEC is enabled and valid, whether a CAA record limits who can issue certificates for you, and whether MTA-STS and TLS-RPT are present and consistent.
How to fix it
Enable DNSSEC at your DNS provider and publish the DS record at your registrar; add a CAA record naming your CA; publish MTA-STS and TLS-RPT policies. SkyQon supplies each record and can apply supported fixes for you.
Common mistakes
Signing DNS but never adding the DS record at the registrar (so nothing is actually validated), and a CAA record that accidentally locks out your own certificate authority.
Certificates that never lapse
Your TLS certificates and cipher configuration are what a browser checks before it shows the padlock. An expired or mis-issued certificate is an instant, visible outage.
Why it matters
Certificate expiry is still one of the most common self-inflicted outages, and weak TLS versions or ciphers quietly fail audits and erode trust long before they break.
How to read your SkyQon result
SkyQon tracks every certificate's expiry, chain and key strength across your domains, scores the TLS configuration, and flags anything expiring inside your warning window.
How to fix it
Renew ahead of expiry (or automate it), remove legacy TLS 1.0/1.1 and weak ciphers, and serve the full chain. SkyQon warns up to 30 days early and can watch renewals for you.
Common mistakes
Renewing the leaf but forgetting an intermediate, monitoring only the apex while a sub-domain lapses, and internal certificates that no one owns.
Proof, not promises
NIS2, DORA and eIDAS increasingly ask you to show that your domain trust controls actually work — not just assert them. That means dated, verifiable evidence.
Why it matters
Auditors and regulators want proof over promises. Screenshots age badly and are easy to dispute; a signed, timestamped record of your posture is not.
How to read your SkyQon result
SkyQon turns continuous monitoring into a signed evidence report mapped to the relevant control expectations, with a content hash anyone can verify independently.
How to fix it
Generate the evidence report for the period under review and hand it to your auditor; the public verifier confirms it has not been altered. SkyQon supplies the evidence — honestly framed as "aligned to", never "certified".
Common mistakes
Treating a scan screenshot as evidence, and confusing "aligned to NIS2" with "NIS2 certified" — SkyQon is deliberate about the difference.
Catch lookalikes early
Attackers register lookalike domains — swapped letters, extra hyphens, alternative TLDs — to phish your customers and staff. You usually find out after the damage.
Why it matters
A convincing lookalike with a valid certificate is all a phishing campaign needs. Certificate Transparency logs make these registrations observable early — if you are watching.
How to read your SkyQon result
SkyQon watches Certificate Transparency for certificates issued on names that resemble yours and surfaces newly-seen lookalikes so you can act before a campaign lands.
How to fix it
Triage each lookalike, request takedowns for the malicious ones, and pre-register the highest-risk variants. SkyQon's Brand Protection add-on tracks cases and abuse contacts end to end.
Common mistakes
Watching only your exact domain, ignoring alternative TLDs (.io / .co / .app), and assuming a lookalike is harmless until it is weaponised.
Start the migration clock
A future quantum computer could break the RSA and ECC encryption protecting today's traffic. "Harvest-now, decrypt-later" means data captured today can be decrypted later — so the clock has already started.
Why it matters
Regulators and standards bodies are already publishing post-quantum timelines. Knowing where classical cryptography lives in your estate is the first step, and it takes time.
How to read your SkyQon result
SkyQon scores the post-quantum readiness of your TLS and certificate stack and inventories where quantum-vulnerable algorithms are still in use.
How to fix it
Build a cryptographic inventory, prioritise long-lived secrets and external-facing services, and plan hybrid/PQC adoption as your vendors ship it. SkyQon's PQC roadmap tooling structures the transition.
Common mistakes
Treating post-quantum as a someday problem, and overlooking long-lived data that a harvest-now attacker would target first.
The EU Domain Trust checklist
A one-page checklist of the certificate, DNS, email and evidence controls we check — with the fix for each. Use it to self-assess before you run a scan.
Glossary
The acronyms behind the findings, in one line each.
- SPF
- Sender Policy Framework — lists which servers may send mail for your domain.
- DKIM
- DomainKeys Identified Mail — a cryptographic signature proving a message was not altered in transit.
- DMARC
- Tells inboxes what to do with mail that fails SPF or DKIM, and where to send reports.
- DNSSEC
- Signs your DNS records so resolvers can detect forged or tampered answers.
- CAA
- A DNS record naming the certificate authorities allowed to issue certificates for your domain.
- MTA-STS
- Forces inbound mail to your domain over authenticated, encrypted TLS.
- TLS-RPT
- Delivers reports when TLS delivery to your mail servers fails.
- CT
- Certificate Transparency — public logs of every certificate issued, used to spot lookalikes and mis-issuance.
- OV / EV
- Organisation- and Extended-Validation certificates that bind a verified legal identity to a domain.
- QWAC
- Qualified Website Authentication Certificate — an eIDAS-qualified certificate proving website identity in the EU.
- PQC
- Post-Quantum Cryptography — algorithms designed to resist attacks from quantum computers.
- OCSP
- Online Certificate Status Protocol — a live check of whether a certificate has been revoked.