Non-intrusive external scanning

How we scan: non-intrusive by design

Trusting a security tool means knowing exactly what it does — and what it will never do. This page is that contract, in plain English.

The principle

Every MyDomainRisk check is an external, passive observation. We look at what a domain already shows to the public internet — its DNS records, its certificates, the headers its website sends, what public threat-intelligence sources say about it. We observe; we don't touch. That's why you can safely check any domain — your own, a supplier's, or one from a suspicious email — without permission, disruption, or legal anxiety. The scanned domain experiences nothing beyond ordinary visitor traffic.

What a scan looks at

  • Certificates & encryption: Validity, expiry, protocol and cipher strength of the TLS certificates your domain presents to every visitor.
  • Email protection: The public DNS records (SPF, DKIM, DMARC, MTA-STS and related) that decide whether criminals can send mail pretending to be you, and whether mail to you travels encrypted.
  • Web security headers: The protective HTTP headers your site sends with every page.
  • Internet exposure: Services and ports already visible to public internet-wide indexes — observed, never probed.
  • Domain hygiene: Registration expiry, transfer locks, DNS configuration, and forgotten subdomains visible in public certificate-transparency logs.
  • Lookalike domains: Registered domains that imitate yours — the raw material of phishing against your customers and staff.
  • Threat intelligence: Whether your domain, infrastructure, or employee credentials appear in trusted public and commercial threat feeds.
  • Compliance surface: The externally verifiable subset of GDPR Article 32, PCI DSS, and related baselines — formatted as evidence for auditors.
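As an added illustration of the "Email protection" check (example code written for this page, not MyDomainRisk's own scanner), the function below grades SPF, DMARC and MTA-STS from nothing but the public DNS TXT answers a passive lookup would return; the domain and records are constructed samples, and no network query is made.

```python
import re

# Constructed sample TXT records, standing in for what a passive DNS lookup
# would return for a hypothetical domain; not data from any real domain.
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.example.test ~all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "_mta-sts.example.test": [],  # no MTA-STS record published
}

# Meaning of the qualifier on SPF's terminal "all" mechanism
SPF_ALL = {"-": "hard fail", "~": "soft fail", "?": "neutral",
           "+": "pass all (anyone may send)"}

def parse_tags(txt):
    """Split a 'v=DMARC1; p=none; rua=...' style record into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_auth(domain, txt_records):
    """Grade SPF, DMARC and MTA-STS from public TXT records alone."""
    result = {}
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        # RFC 7208: no record means no policy; more than one is a permanent error
        result["spf"] = "missing" if not spf else "invalid (multiple records)"
    else:
        qualifier = None
        for term in spf[0].split()[1:]:
            m = re.fullmatch(r"([+~?-]?)all", term, re.IGNORECASE)
            if m:  # a bare "all" means "+all"; later terms are never evaluated
                qualifier = m.group(1) or "+"
                break
        result["spf"] = SPF_ALL[qualifier] if qualifier else "no all mechanism (defaults to neutral)"
    dmarc = [r for r in txt_records.get("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        result["dmarc"] = "missing"
    else:
        policy = parse_tags(dmarc[0]).get("p", "").lower()
        result["dmarc"] = policy if policy in ("none", "quarantine", "reject") else "invalid (no p tag)"
    # The TXT record only announces an MTA-STS policy; the policy body lives at
    # https://mta-sts.<domain>/.well-known/mta-sts.txt and is not fetched here
    sts = [r for r in txt_records.get("_mta-sts." + domain, []) if r.upper().startswith("V=STSV1")]
    result["mta_sts"] = "published" if sts else "missing"
    return result
```

For the sample records this reports a soft-fail SPF, a monitor-only DMARC policy (p=none) and no MTA-STS, which is exactly the kind of finding a passive scan can state without ever sending a message.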

Findings are explained in plain English with practical fix steps. We publish what we found and why it matters, not the internal mechanics of how results are weighted; those stay private for the same reason a bank doesn't publish its fraud rules.

What we never do

  • No software installed on your systems — ever. There are no agents.
  • No credentials accepted, tested, or guessed. We never ask for passwords and never attempt a login.
  • No exploitation. We observe that a door exists; we never try the handle.
  • No payload delivery, fuzzing, or fake-attack traffic.
  • No brute-force discovery — subdomains come from public certificate-transparency logs, not guessing.
  • No intrusive crawling. We fetch the kinds of public pages any visitor or search engine already fetches.
  • Nothing in a scan requires the domain owner's systems to do anything they don't already do for every visitor on the internet.

Anything deeper — and there's very little we'd ever add — would be separate, clearly labelled, opt-in, and gated behind verified proof that you own the domain. It would never be quietly added to the standard scan.

Honesty about limits

External observation can't see everything. We don't assess your internal network, your endpoints, your staff practices, or anything behind a login — and we say so rather than pretend otherwise. No verdict from any tool, ours included, is a guarantee: a clean result means nothing malicious was visible to our checks at scan time. Use results to inform judgement, not replace it.

Who's behind it

MyDomainRisk is built and operated by Huro Data Technologies Ltd., a UK company — self-sustaining on subscriptions, not venture-funded, with no advertising, no data sales, and no resale of your information. Data handling is documented in our privacy policy and GDPR commitment; security researchers can find our vulnerability disclosure policy here.

The best proof is a real scan. The checker on our homepage runs genuine checks with no account and shows you exactly the kind of findings a full scan produces — or browse a sample report first to see how a full scan reads.

Run a free check now