Resources

Domain trust, explained

Plain-English guides to the trust signals browsers, inboxes and auditors judge your domains by — what each one is, how to read your result, and how to fix it. No sign-up required.

Email authentication

SPF, DKIM & DMARC

SPF, DKIM and DMARC tell receiving mail servers that a message really came from you. Without them, anyone can send email as your domain — and inboxes increasingly reject or quarantine domains that leave them unset.

Why it matters

Weak email authentication is the most common way brands get spoofed in phishing, and a DMARC policy of p=none gives you visibility with no protection. Mailbox providers now expect enforcement.

How to read your SkyQon result

SkyQon shows each record's presence and policy, flags SPF lookups that exceed the 10-query DNS limit, and warns when DMARC is stuck at p=none or alignment is failing.

How to fix it

Publish SPF and DKIM, then move DMARC from p=none to quarantine and finally reject once your legitimate senders pass. SkyQon gives you the exact records and re-verifies after you apply them.

Common mistakes

A second SPF record (only one is allowed), a p=reject policy with no reporting address, and unprotected sub-domains — attackers happily spoof the one you forgot.

See it in the platform →
DNS & DNSSEC

Signed, tamper-evident DNS

DNS is the address book for everything your domain does. DNSSEC cryptographically signs your DNS answers so resolvers can detect tampering or cache poisoning.

Why it matters

Unsigned DNS lets an attacker forge answers and silently redirect your mail or website. CAA, MTA-STS and TLS-RPT records add further guardrails that many domains never set.

How to read your SkyQon result

SkyQon reports whether DNSSEC is enabled and valid, whether a CAA record limits who can issue certificates for you, and whether MTA-STS and TLS-RPT are present and consistent.

How to fix it

Enable DNSSEC at your DNS provider and publish the DS record at your registrar; add a CAA record naming your CA; publish MTA-STS and TLS-RPT policies. SkyQon supplies each record and can apply supported fixes for you.

Common mistakes

Signing DNS but never adding the DS record at the registrar (so nothing is actually validated), and a CAA record that accidentally locks out your own certificate authority.

See it in the platform →
Certificates & TLS

Certificates that never lapse

Your TLS certificates and cipher configuration are what a browser checks before it shows the padlock. An expired or mis-issued certificate is an instant, visible outage.

Why it matters

Certificate expiry is still one of the most common self-inflicted outages, and weak TLS versions or ciphers quietly fail audits and erode trust long before they break.

How to read your SkyQon result

SkyQon tracks every certificate's expiry, chain and key strength across your domains, scores the TLS configuration, and flags anything expiring inside your warning window.

How to fix it

Renew ahead of expiry (or automate it), remove legacy TLS 1.0/1.1 and weak ciphers, and serve the full chain. SkyQon warns up to 30 days early and can watch renewals for you.

Common mistakes

Renewing the leaf but forgetting an intermediate, monitoring only the apex while a sub-domain lapses, and internal certificates that no one owns.

See it in the platform →
NIS2 evidence

Proof, not promises

NIS2, DORA and eIDAS increasingly ask you to show that your domain trust controls actually work — not just assert them. That means dated, verifiable evidence.

Why it matters

Auditors and regulators want proof over promises. Screenshots age badly and are easy to dispute; a signed, timestamped record of your posture is not.

How to read your SkyQon result

SkyQon turns continuous monitoring into a signed evidence report mapped to the relevant control expectations, with a content hash anyone can verify independently.

How to fix it

Generate the evidence report for the period under review and hand it to your auditor; the public verifier confirms it has not been altered. SkyQon supplies the evidence — honestly framed as "aligned to", never "certified".

Common mistakes

Treating a scan screenshot as evidence, and confusing "aligned to NIS2" with "NIS2 certified" — SkyQon is deliberate about the difference.

See it in the platform →
Brand impersonation

Catch lookalikes early

Attackers register lookalike domains — swapped letters, extra hyphens, alternative TLDs — to phish your customers and staff. You usually find out after the damage.

Why it matters

A convincing lookalike with a valid certificate is all a phishing campaign needs. Certificate Transparency logs make these registrations observable early — if you are watching.

How to read your SkyQon result

SkyQon watches Certificate Transparency for certificates issued on names that resemble yours and surfaces newly-seen lookalikes so you can act before a campaign lands.

How to fix it

Triage each lookalike, request takedowns for the malicious ones, and pre-register the highest-risk variants. SkyQon's Brand Protection add-on tracks cases and abuse contacts end to end.

Common mistakes

Watching only your exact domain, ignoring alternative TLDs (.io / .co / .app), and assuming a lookalike is harmless until it is weaponised.

See it in the platform →
Post-quantum readiness

Start the migration clock

A future quantum computer could break the RSA and ECC encryption protecting today's traffic. "Harvest-now, decrypt-later" means data captured today can be decrypted later — so the clock has already started.

Why it matters

Regulators and standards bodies are already publishing post-quantum timelines. Knowing where classical cryptography lives in your estate is the first step, and it takes time.

How to read your SkyQon result

SkyQon scores the post-quantum readiness of your TLS and certificate stack and inventories where quantum-vulnerable algorithms are still in use.

How to fix it

Build a cryptographic inventory, prioritise long-lived secrets and external-facing services, and plan hybrid/PQC adoption as your vendors ship it. SkyQon's PQC roadmap tooling structures the transition.

Common mistakes

Treating post-quantum as a someday problem, and overlooking long-lived data that a harvest-now attacker would target first.

See it in the platform →
Free download

The EU Domain Trust checklist

A one-page checklist of the certificate, DNS, email and evidence controls we check — with the fix for each. Use it to self-assess before you run a scan.

Glossary

The acronyms behind the findings, in one line each.

SPF
Sender Policy Framework — lists which servers may send mail for your domain.
DKIM
DomainKeys Identified Mail — a cryptographic signature proving a message was not altered in transit.
DMARC
Tells inboxes what to do with mail that fails SPF or DKIM, and where to send reports.
DNSSEC
Signs your DNS records so resolvers can detect forged or tampered answers.
CAA
A DNS record naming the certificate authorities allowed to issue certificates for your domain.
MTA-STS
Forces inbound mail to your domain over authenticated, encrypted TLS.
TLS-RPT
Delivers reports when TLS delivery to your mail servers fails.
CT
Certificate Transparency — public logs of every certificate issued, used to spot lookalikes and mis-issuance.
OV / EV
Organisation- and Extended-Validation certificates that bind a verified legal identity to a domain.
QWAC
Qualified Website Authentication Certificate — an eIDAS-qualified certificate proving website identity in the EU.
PQC
Post-Quantum Cryptography — algorithms designed to resist attacks from quantum computers.
OCSP
Online Certificate Status Protocol — a live check of whether a certificate has been revoked.

Frequently asked questions

How often should I check my domain trust posture?
Continuously. Certificates expire on a fixed date, DNS and email records drift as teams change them, and lookalike domains appear without warning — a point-in-time scan goes stale within weeks. SkyQon monitors and alerts you, so you only act when something changes.
Is "aligned to NIS2, DORA or eIDAS" the same as being certified?
No, and we are deliberate about it. SkyQon produces evidence mapped to what those frameworks expect of your domain trust layer. The certification decision stays with your auditor; we give them verifiable evidence, not a badge.
Can SkyQon fix issues for me, or only report them?
Both. Every finding ships with the exact record or configuration to apply, and on supported providers SkyQon can apply DNS fixes and re-verify for you on Pro and above. Certificates and registrar settings still go through your own change control.
Does SkyQon need access to my systems?
No. SkyQon inspects the same public signals a browser, mailbox provider or auditor sees — externally, with nothing to install and no credentials. Internal coverage is an optional add-on for teams that want it.
What makes SkyQon different from a free one-off scanner?
A one-off scanner checks a single signal once. SkyQon watches certificates, DNS, email, exposure and post-quantum readiness together, scores them honestly (coverage versus posture) and, on plans that include evidence reports, turns the result into signed evidence — continuously.
Where does my data live?
In the European Union. We only ever read information that is already publicly observable about your domains, and we are built and operated to EU data-protection requirements.

Ready to see your own posture?