Practical Security Guides For Your Team

Your domain has a DMARC record, but it's set to 'monitor only' mode — meaning it watches for suspicious emails but takes no action to stop them. Think of it like a smoke detector that logs every fire but never sounds the alarm. Anyone can send emails that appear to come from your domain, and those messages will land in recipients' inboxes unchallenged.

Your website already uses a secure connection (HTTPS), which is great. But there's a setting that tells browsers how long to remember to always use that secure connection — and yours is set too low. Think of it like a reminder that expires too quickly: if a user's browser forgets before their next visit, there's a brief window where they could be exposed to a connection that isn't fully protected.

Your web server is missing a simple one-line instruction that tells browsers how to handle the files it sends. Without it, some browsers may try to 'guess' what type of file they've received — and in certain situations, that guess could cause a harmless-looking file to be treated as executable code. Think of it like a label on a package: without it, the delivery driver has to guess what's inside.

Your website is missing a small but important instruction it should send to browsers — one that tells them to always use a secure, encrypted connection. Without it, browsers may occasionally connect over an unencrypted channel, and there is no browser-level safeguard to prevent that from happening. Think of it like a lock on your front door: your HTTPS certificate is the lock, but this header is the sign that tells visitors to always use the locked entrance.