Test tool now also checks strictness of anti-mail-spoofing standards

January 9, 2018
Today the Dutch Internet Standards Platform launches an improved version of its test tool, which was used to execute over 750 thousand tests in 2017. From now on the test tool not only checks whether standards against mail spoofing are in place for a given domain, but also whether these standards are configured strictly enough to prevent abuse of the domain.

Since the redesign of the test tool in the summer of 2017, the number of visitors has increased enormously. Visitors had executed about 100 thousand tests until July. In the second half of 2017, i.e. after the redesign, about 650 thousand tests were executed. Gerben Klein Baltink, chair of the Dutch Internet Standards Platform:

"The increase is very nice but modern internet is far from ready yet. We are happy to see a growing number of domains with a 100% score entering our Hall of Fame. At the same time there are still too many domains that do not comply with any or all of these modern Internet Standards. Therefore keep testing, learning and requiring modern internet!"

Policy checking for DMARC and SPF

This new version of the test tool checks whether the syntax of your DMARC and SPF records is correct. In addition, the test tool checks whether these records contain a sufficiently strict policy to prevent abuse of your domain by phishers and spammers.

Checking validity period for HSTS

The test tool now also checks the validity period of the HSTS policy. We consider an HSTS cache validity period of at least six months to be sufficiently secure. A long period is beneficial because it also protects infrequent visitors. However, if you want to stop supporting HTTPS, you will have to wait longer until the HSTS policy has expired in all browsers that visited your website.
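The DMARC, SPF and HSTS checks described above, as an added Python example that is not the test tool's own code. Which policies count as sufficiently strict is an assumption here (DMARC `p=quarantine` or `p=reject`, SPF ending in `~all` or `-all`), as is counting six months as 180 days; the function names are hypothetical.

```python
import re

SIX_MONTHS = 180 * 24 * 3600  # assumption: six months counted as 180 days, in seconds

def check_dmarc(record):
    """Return (status, detail) for a DMARC TXT record."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or re.sub(r"\s", "", parts[0]) != "v=DMARC1":
        return "invalid", "record must start with v=DMARC1"
    if any("=" not in p for p in parts):
        return "invalid", "every tag needs the form name=value"
    tags = {k.strip().lower(): v.strip().lower() for k, v in (p.split("=", 1) for p in parts)}
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return "invalid", "missing or unknown p= tag"
    if tags["p"] == "none":  # assumption: a monitoring-only policy is not strict enough
        return "warning", "p=none only monitors, spoofed mail is still delivered"
    return "ok", "p=" + tags["p"]

def check_spf(record):
    """Return (status, detail) for an SPF TXT record."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return "invalid", "record must start with v=spf1"
    alls = [t for t in terms[1:] if re.fullmatch(r"[+?~-]?all", t)]
    if not alls:
        if any(t.startswith("redirect=") for t in terms):
            return "warning", "policy lives in the redirect target; check that record"
        return "warning", "no 'all' term, unmatched senders get a neutral result"
    if alls[0][0] in "~-":  # assumption: softfail and fail are strict enough
        return "ok", alls[0]
    return "warning", alls[0] + " lets unlisted senders pass or stay neutral"

def check_hsts(header):
    """Return (status, detail) for a Strict-Transport-Security header value."""
    m = re.search(r'(?:^|;)\s*max-age\s*=\s*"?(\d+)"?\s*(?:;|$)', header, re.I)
    if not m:
        return "invalid", "no max-age directive"
    age = int(m.group(1))
    if age < SIX_MONTHS:
        return "warning", f"max-age {age} is below {SIX_MONTHS} seconds"
    return "ok", f"max-age {age}"

if __name__ == "__main__":
    # Constructed sample records, not taken from any real domain.
    print(check_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.nl"))
    print(check_spf("v=spf1 mx ip4:192.0.2.10 ?all"))
    print(check_hsts("max-age=86400; includeSubDomains"))
```

The `warning` status corresponds to the orange warning mentioned in the article; `invalid` covers the syntax check.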

Impact on test score

The DMARC/SPF policy and the HSTS validity period do not yet impact the overall percentage score. In case of a deviation an orange warning will be displayed in the test results. As of April 2018 the results of the test items will be part of the score.

Release notes:

  • New: DMARC and SPF record parsers to check the record's syntax and policy strictness;
  • New: Check if HSTS 'max-age' value is at least 6 months;
  • Various UI/webdesign fixes/improvements;
  • Bugfixes:
    • DANE test is split into 'existence' and 'validity' tests. Previously, failed requests for the TLSA record resulted in an invalid result;
    • DNSSEC-signed domains signed with algorithms that our validating resolver currently does not support are now reported as DNSSEC-signed but insecure.