Locked?
DNSSEC and SSL/TLS
Is the connection encrypted and authenticated? Can attackers forge DNS responses or intercept traffic?
Your domain is your front door. Is it locked?
Misconfigured DNS, weak email authentication and expired certificates are the root cause of phishing, spoofing and domain abuse. The Sokomi DNS Healthcard runs over 80 automated checks across six critical infrastructure categories to find and fix vulnerabilities before attackers do.
Three Questions. One Score.
The DNS Healthcard checks whether your digital front door is properly secured
Labelled?
SPF / DKIM / DMARC
Can recipients verify who is sending email from your domain? Are imposters blocked from spoofing it?
Up to code?
NIS2 and Compliance
Does the infrastructure meet regulatory standards? Can you demonstrate compliance with scored evidence?
$4.88M
Average cost of a phishing-related data breach
IBM 2025
3.4B
Phishing emails sent globally every single day
AAG / CISA
90%
Of all cyberattacks begin with a phishing email
CISA 2025
254
Days average to detect and contain a phishing breach
IBM 2025
Attack Vectors
What is leaving your front door open
Most attacks succeed not because defences are weak, but because the foundational infrastructure was never properly configured.
Email spoofing
Without SPF, DKIM and DMARC, anyone can send emails that appear to come from your domain. Your customers cannot tell the difference.
$2.77B in BEC losses (US, 2024)DNS hijacking
Missing DNSSEC lets attackers intercept DNS responses and redirect your traffic to copycat sites that harvest credentials and payment data.
254 days to detect on averageExpired SSL certificates
Lapsed certificates trigger browser warnings, erode trust and create openings for man-in-the-middle traffic interception.
$180 per stolen PII recordInvisible DNS attack surface
Orphaned subdomains, stale records and misconfigured entries create vectors you cannot see, but attackers can find in minutes.
$15M annual cost to large organisationsHow It Works
Four steps to Certified Domain Protection
1
Scan
Run the Healthcard across your domain portfolio. Automated diagnostics check DNS records, email authentication, DNSSEC, SSL and compliance posture.
2
Score
Receive a comprehensive health report with an overall score, detailed findings for each check and prioritised remediation recommendations.
3
Remediate
Address the gaps: deploy DMARC, enable DNSSEC, renew SSL, clean up stale records. Sokomi provides guidance and specialist support.
4
Certify
Achieve and maintain a score above 90%. Receive a Certified Domain Protection certificate. Continuous re-scans ensure your score stays current.
Under the Hood
Six categories. 80+ automated checks. One score.
Each check is scored, weighted and contributes to your overall health score. Here is what is being assessed.
DNS Record Integrity
A, AAAA, MX, NS, CNAME, TXT, SOA, PTR validation. Orphaned subdomain detection. Record conflict analysis. TTL optimisation. Zone delegation checks.
Eliminates vectors attackers find in minutes but enterprises miss for months.
Email Authentication
SPF record syntax and inclusion chain validation. DKIM selector discovery and key strength. DMARC policy enforcement. Alignment checks. BIMI readiness.
Directly prevents the number one phishing method: impersonation of trusted domains.
DNSSEC Validation
DS record presence at parent. RRSIG signature validity and expiry. Algorithm strength assessment. Key rollover readiness. Chain of trust verification from root to zone.
Stops DNS hijacking, the attack behind copycat sites and credential theft.
SSL/TLS Certificate Health
Certificate validity and expiry monitoring. Chain of trust completeness. Protocol version enforcement (TLS 1.2/1.3). Cipher suite strength. HSTS and CAA configuration.
Prevents browser warnings, service disruption and traffic interception.
Vulnerability Scanning
Open port detection. Dangling DNS entries. Subdomain takeover susceptibility. Wildcard record risks. Zone transfer exposure. Known CVE mapping.
Surfaces risks invisible to standard security tools that focus on traffic, not configuration.
Compliance Scoring
NIS2 infrastructure requirements. GDPR-relevant data handling indicators. Industry benchmark alignment. Configuration drift detection. Audit-ready evidence generation.
Provides the verifiable proof that compliance officers and regulators demand.
Initial scan
After remediation
Score above 90% = Certified Domain Protection
A consistent health score above 90% earns a Certified Domain Protection Score, verified proof that your DNS infrastructure is hardened against spoofing, phishing and domain abuse. Continuous automated re-scans detect configuration drift, keeping your score current and your certification valid.
Assessment Scope
How the DNS Healthcard compares
Most domain security tools focus on email authentication alone. The DNS Healthcard goes further, scanning your entire domain infrastructure across six critical security categories in a single assessment.
| Capability | Easy DMARC | Power DMARC | DMAR CIAN | Proof point | Akamai | Vali | Red Sift OnDMARC | Sokomi Healthcard |
|---|---|---|---|---|---|---|---|---|
| SPF / DKIM / DMARC | ✓ | ✓ | ✓ | ✓ | × | ✓ | ✓ | ✓ |
| BIMI Support | ✓ | ✓ | × | × | × | × | ✓ | ✓ |
| MTA-STS / TLS-RPT | × | ✓ | × | × | × | ✓ | ✓ | ✓ |
| DNSSEC Validation | – | – | × | – | ✓ | × | × | ✓ |
| SSL / TLS Assessment | × | × | × | × | – | × | × | ✓ |
| Vulnerability Scanning | × | × | × | × | × | × | × | ✓ |
| NIS2 Compliance Score | × | × | × | × | × | × | × | ✓ |
| Cross-infrastructure Correlation | × | × | × | × | – | × | × | ✓ |
| Single % Health Score | × | × | × | × | × | × | × | ✓ |
| 80+ Automated Checks | × | × | × | × | × | × | × | ✓ |
Who Is This For
Built for the teams that need it most
IT and Security Teams
Professionals who need continuous visibility into DNS configuration, email authentication posture and certificate health across all managed domains.
Enterprise Organisations
With large domain portfolios, regulatory obligations and brand exposure that makes them prime targets for spoofing and domain abuse.
Compliance and Risk Officers
Who need scored, auditable evidence of DNS infrastructure health for NIS2, data protection frameworks and internal governance.
SMEs and Growing Businesses
That lack dedicated DNS expertise but face the same threats. The Healthcard provides enterprise-grade diagnostics without enterprise complexity.
Brand Protection Providers
Looking to complement external monitoring with internal infrastructure diagnostics, the missing layer in the protection stack.
Managed Service Providers
Responsible for managing the digital infrastructure of multiple clients. White-label ready with API access and flexible commercial terms.
Why Now
Five reasons this cannot wait
1
Attacks are accelerating
3.8M phishing attacks recorded globally in 2025. AI-generated phishing surged 1,265%. The volume is overwhelming traditional defences.
2
Regulation is tightening
NIS2, DORA, GDPR enforcement and ASEAN data protection frameworks all demand verifiable infrastructure compliance. Promises are not enough.
3
Breach costs keep climbing
The average phishing breach now costs $4.88M. BEC losses hit $2.77B in the US alone. Prevention is orders of magnitude cheaper.
4
AI is weaponising email
AI-generated phishing has 4x higher click rates. 400% rise in successful AI scams. Proper email authentication is the only reliable defence at scale.
5
Customers demand proof
81% of consumers would switch provider for better security. Enterprises are being asked by their own clients to demonstrate infrastructure resilience.
Get your health score. Lock your front door.
A single scan runs 80+ checks and reveals your exposure. Remediation closes the gaps. Continuous monitoring keeps you certified.