Resolve domain alerts
Learn how to fix common domain issues identified by Httpeace monitoring, from SSL certificates to email authentication.
SSL certificate issues
Certificate expiring soon
Problem: SSL certificate expires in less than 30 days
How to fix:
- Log in to your SSL provider or hosting control panel
- Renew the certificate before expiration
- For Let's Encrypt, verify auto-renewal is working:
certbot renew --dry-run
- For commercial CAs, purchase renewal and install new certificate
Prevention:
- Enable auto-renewal wherever possible
- Set calendar reminders 45 days before expiration
- Configure Httpeace alerts for 30, 14, and 7 day warnings
Certificate expired
Problem: SSL certificate has expired
Impact: Users see "Your connection is not private" warnings, site appears broken
How to fix:
- Immediately renew and install new certificate
- Verify installation:
openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
- Clear browser cache and test
- Check expiration:
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
Invalid SSL certificate
Problem: SSL certificate has validation errors (chain issues, hostname mismatch, self-signed)
Impact: Browsers show security warnings, users can't access your site
How to fix:
- Hostname mismatch: Ensure certificate is issued for your exact domain (including/excluding www)
- Broken certificate chain: Install intermediate certificates from your CA
- Self-signed certificate: Replace with a certificate from a trusted CA (Let's Encrypt is free)
- Weak algorithms: Upgrade to 2048-bit+ key strength and avoid SHA1 signatures
Check certificate:
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -text -noout
Security header issues
Missing HSTS header
Problem: No HTTP Strict Transport Security header detected
Why it matters: Without HSTS, your site is vulnerable to SSL stripping attacks
How to fix:
Add to your web server configuration:
Nginx:
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
Apache:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Cloudflare: Enable HSTS in SSL/TLS settings
Missing Content Security Policy
Problem: No CSP header found
Why it matters: CSP prevents XSS attacks and controls which resources can load
Basic fix:
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';";
Note: CSP can break functionality if too restrictive. Start with a basic policy and refine based on your site's needs. Use browser console to debug CSP violations.
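A way to check both headers after deploying them, as an added example that is not part of Httpeace or of the original page. The sample responses are constructed, the finding codes are hypothetical names, and the max-age threshold is an assumption taken from the value recommended above. It also flags 'unsafe-inline' in script-src, as used in the basic policy, because that source keeps inline scripts allowed.

```python
# Added example. GOOD and WEAK are constructed responses, not captured from a real site.
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self'",
}
WEAK = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}


def csp_directives(value):
    """Split "name src src; name src" into {name: [sources]}; first duplicate wins."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out


def audit_headers(headers, min_age=31536000):
    """Return finding codes; min_age (assumed threshold) is the max-age used on this page."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        d = dict(p.strip().lower().partition("=")[::2] for p in hsts.split(";") if p.strip())
        age = d.get("max-age", "").strip('"')
        if not age.isdigit() or int(age) < min_age:
            findings.append("hsts-max-age-short")
        if "includesubdomains" not in d:
            findings.append("hsts-no-includesubdomains")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("csp-missing")
    else:
        d = csp_directives(csp)
        scripts = d.get("script-src", d.get("default-src", []))  # script-src falls back
        hashed = any(s.startswith(("'nonce-", "'sha")) for s in scripts)
        # Browsers ignore 'unsafe-inline' when a nonce or hash source is also listed.
        if "'unsafe-inline'" in scripts and not hashed:
            findings.append("csp-script-unsafe-inline")
    return findings
```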
DNS configuration issues
DNS not resolving
Problem: Domain doesn't resolve to an IP address
How to fix:
- Verify nameservers at your registrar match your DNS provider
- Check that an A record exists for your domain
- Use dig yourdomain.com or nslookup yourdomain.com to debug
- Wait 24-48 hours for DNS propagation after changes
Slow DNS response
Problem: DNS queries take too long to resolve
Impact: Adds latency to every page load
How to fix:
- Consider switching to a faster DNS provider (Cloudflare DNS, Amazon Route 53)
- Check that nameservers are geographically distributed
- Reduce TTL for frequently changing records
DNSSEC not enabled
Problem: Domain lacks DNSSEC (DNS Security Extensions)
Why it matters: Without DNSSEC, your domain is vulnerable to DNS spoofing and cache poisoning attacks
How to fix:
- Check if your DNS provider supports DNSSEC
- Enable DNSSEC in your DNS provider's control panel
- Get the DS (Delegation Signer) records from your DNS provider
- Add DS records to your domain registrar
- Verify DNSSEC is working:
dig +dnssec yourdomain.com
Note: Not all DNS providers support DNSSEC. Popular providers that do: Cloudflare, Route 53, Google Cloud DNS.
Domain expiration
Domain expiring soon
Problem: Domain registration expires in less than 90 days
How to fix:
- Log in to your domain registrar
- Renew your domain registration
- Enable auto-renewal to prevent future issues
- Update payment information if needed
Critical timeline:
- 90 days: Early warning
- 30 days: Urgent — renew soon
- 7 days: Critical — renew immediately
- 0 days: Domain stops working
Domain Reputation
Domain flagged for security threats
Problem: Domain flagged by Google Web Risk or other security services
Types of flags:
- Malware: Site distributes malicious software
- Social engineering: Phishing or deceptive content
- Unwanted software: Bundles unwanted programs
Impact: Browsers block access with full-page warnings, search rankings drop, user trust destroyed
How to fix:
- Immediately scan your site for malware using security tools
- Remove all malicious or suspicious content
- Check for compromised files, backdoors, or injected code
- Update all software, plugins, and dependencies
- Request review from Google Safe Browsing
- Monitor closely for re-infection
Prevention:
- Keep all software updated
- Use security plugins and malware scanners
- Implement Content Security Policy
- Regular domain audits
- Strong passwords and 2FA everywhere
Email authentication
Missing or invalid SPF record
Problem: No SPF record found or syntax errors
Why it matters: Without SPF, your emails may be marked as spam
How to fix:
- Identify all mail servers that send email from your domain
- Create SPF TXT record at your DNS provider:
  - Record type: TXT
  - Name: @ (or your domain)
  - Value: v=spf1 include:_spf.google.com ~all (for Google Workspace)
- Test with MXToolbox SPF Checker
Common SPF values:
- Google Workspace: v=spf1 include:_spf.google.com ~all
- Microsoft 365: v=spf1 include:spf.protection.outlook.com ~all
- SendGrid: v=spf1 include:sendgrid.net ~all
Missing DKIM
Problem: DKIM signatures not found
How to fix:
- Configure DKIM in your email provider (Gmail, Microsoft 365, SendGrid, etc.)
- Add the DKIM public key to DNS as a TXT record
- Record name is usually formatted like selector._domainkey.yourdomain.com
- Test by sending an email to mail-tester.com
Missing DMARC policy
Problem: No DMARC record found
Why it matters: DMARC tells receiving servers what to do with failed SPF/DKIM checks
How to fix:
Add DMARC TXT record:
- Name: _dmarc
- Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
Start with p=none to monitor, then gradually enforce with p=quarantine or p=reject.
Missing MX records
Problem: No MX (Mail Exchange) records configured
Impact: Your domain cannot receive email at all — all incoming messages bounce
How to fix:
- Log in to your DNS provider
- Add MX records for your email provider:
  - Google Workspace: See Google's MX records
  - Microsoft 365: See Microsoft's MX records
  - Custom mail server: Point to your mail server hostname
- Wait 10-30 minutes for DNS propagation
- Test with dig MX yourdomain.com
MX records misordered
Problem: MX records exist but priority order is incorrect
Impact: While email still works, delivery may be inefficient or use backup servers unintentionally
How to fix:
- Review your MX records:
dig MX yourdomain.com
- Ensure priority numbers are correct (lower = higher priority)
- Primary mail server should have lowest priority number (often 10)
- Backup servers should have higher numbers (20, 30, etc.)
- Fix ordering in your DNS control panel
- Verify correct order after DNS propagation
Common priority setup:
- Primary: priority 10
- Secondary: priority 20
- Tertiary: priority 30
SPF record has too many lookups
Problem: SPF record exceeds the 10 DNS lookup limit (RFC 7208)
Impact: SPF validation fails completely — emails marked as spam or rejected
How to fix:
- Count lookups in your SPF record:
  - Each include: counts as 1 lookup
  - Each a or mx mechanism counts as 1 lookup
  - ip4 and ip6 don't count
- Consolidate includes by using IP addresses instead
- Remove unused email services from SPF
- Consider using SPF flattening tools
- Test with MXToolbox SPF Checker
Example optimization:
Before (12 lookups): v=spf1 include:spf1.com include:spf2.com include:spf3.com ... ~all
After (3 lookups): v=spf1 ip4:1.2.3.4 ip4:5.6.7.8 include:spf1.com ~all
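The count can be automated before a record is published. The following is an added example, not Httpeace's checker or code from the original page; it goes beyond the list above by also counting the ptr and exists mechanisms and the redirect modifier (RFC 7208, section 4.6.4) and by following nested includes. All domains and records in SAMPLE_TXT are constructed; real use would fetch TXT records over DNS.

```python
# Added example: worst-case DNS lookup count for an SPF record (RFC 7208, section 4.6.4).
# SAMPLE_TXT is constructed data standing in for DNS TXT answers.
SAMPLE_TXT = {
    "example.test": "v=spf1 a mx include:_spf.mail.test include:send.vendor.test "
                    "ip4:192.0.2.10 ~all",
    "_spf.mail.test": "v=spf1 include:_a.mail.test include:_b.mail.test ~all",
    "_a.mail.test": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_b.mail.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "send.vendor.test": "v=spf1 exists:%{i}.bl.vendor.test redirect=_b.mail.test",
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LIMIT = 10


def count_lookups(domain, txt=SAMPLE_TXT, path=()):
    """Count DNS-querying terms reachable from domain's SPF record, includes followed."""
    if domain in path:                 # include loop: stop instead of recursing forever
        return 0
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0
    path = path + (domain,)
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")     # drop the qualifier
        if term.lower().startswith("redirect="):
            # Counted as if it is always followed, so the result is an upper bound.
            total += 1 + count_lookups(term.split("=", 1)[1], txt, path)
            continue
        name, _, arg = term.partition(":")
        name = name.split("/")[0].lower()   # "a/24" and "mx/24" carry a CIDR suffix
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(arg, txt, path)
    return total


def check(domain, txt=SAMPLE_TXT):
    """Return (lookups, within_limit) for the domain's SPF record."""
    n = count_lookups(domain, txt)
    return n, n <= LIMIT
```

Nested includes are where most records go over the limit: the top-level record here has only four lookup terms, but evaluating it costs eight.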
Privacy issues
WHOIS information publicly exposed
Problem: Personal information (name, email, address) visible in public WHOIS records
Impact: Privacy risk, spam, phishing attempts, identity theft, unwanted contact
How to fix:
- Log in to your domain registrar
- Enable WHOIS privacy protection (also called "Domain Privacy" or "WHOIS Guard")
- This typically costs $0-15/year or may be included free
- Verify protection is active: search your domain on WHOIS lookup
Most registrars offer WHOIS privacy:
- Namecheap: WhoisGuard (often free)
- GoDaddy: Domain Privacy
- Cloudflare: Free WHOIS privacy
- Google Domains: Free privacy protection
Note: Some TLDs (.us, .ca, etc.) have restrictions on WHOIS privacy due to local regulations.
Subdomain security
Subdomain takeover vulnerability
Problem: Subdomain points to an unclaimed external service (GitHub Pages, Heroku, AWS S3, etc.)
Why it matters: Attackers can claim the external service and serve malicious content on your subdomain, steal cookies, phish users, or damage your brand reputation
Common scenarios:
- blog.yourdomain.com → GitHub Pages site you deleted
- staging.yourdomain.com → Heroku app you deprovisioned
- cdn.yourdomain.com → S3 bucket you removed
- docs.yourdomain.com → Netlify site you archived
How to fix:
Choose one of these options:
- Remove the DNS record (if subdomain is no longer needed):
  - Log in to your DNS provider
  - Delete the CNAME or A record for the vulnerable subdomain
  - Wait 10-30 minutes for DNS propagation
- Reclaim the service:
  - For GitHub Pages: Create a repository with matching name and enable Pages
  - For Heroku: Create an app with the matching name
  - For S3: Create a bucket with the matching name and configure it
  - For Netlify/Vercel: Deploy a site to the matching subdomain
- Mark as safe (if you control the subdomain intentionally):
  - Go to your domain settings in Httpeace
  - Enable the "Subdomain Takeover" check
  - Add the subdomain to the ignore list with a reason
  - Future audits will skip this subdomain
Prevention:
- Remove DNS records when decommissioning services
- Document all subdomains and their purposes
- Regular audit of CNAME records pointing to external services
- Use Httpeace automated checks to catch new vulnerabilities
Check if fixed:
# Verify DNS record was removed
dig CNAME subdomain.yourdomain.com
# Should show "NXDOMAIN" or no CNAME if successfully removed
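For the regular CNAME audit listed under Prevention, one way to inventory a zone export, as an added example that is not Httpeace's check or code from the original page. The zone text, hostnames and the audit_cnames helper are constructed for illustration, and the resolver is injectable so the logic can be exercised without network access.

```python
import socket

# Constructed BIND-style zone export for yourdomain.com; all names are sample data.
SAMPLE_ZONE = """\
www      3600 IN CNAME  yourdomain.com.
blog     3600 IN CNAME  example-org.github.io.
staging  3600 IN CNAME  old-app.herokuapp.com.
shop     3600 IN A      192.0.2.20
docs     3600 IN CNAME  example-docs.netlify.app.
"""


def resolves(host):
    """True if the system resolver returns any address for host."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit_cnames(zone_text, origin, resolver=resolves):
    """List (name, target, status) for every CNAME that leaves the zone.

    status is "dangling" when the target no longer resolves, otherwise "external".
    An "external" entry still needs a manual check that the account, app or bucket
    behind it is yours: many providers answer DNS for names nobody has claimed.
    """
    findings = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3].upper() != "CNAME":
            continue
        name = f"{fields[0]}.{origin}"
        target = fields[4].rstrip(".").lower()
        if target == origin or target.endswith("." + origin):
            continue                      # stays inside your own zone
        status = "external" if resolver(target) else "dangling"
        findings.append((name, target, status))
    return findings
```

Run it against an export from your DNS provider and compare the output with your documented list of subdomains; anything that appears in neither place is a candidate for removal.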
Performance issues
Excessive redirect chain
Problem: Too many HTTP redirects (more than 3-5)
Impact: Slow page loads, poor SEO, bad user experience, increased error risk
Common causes:
- HTTP → HTTPS → www → non-www (4 redirects)
- Poorly configured CDN or load balancer
- Stacked redirects from multiple services
- www/non-www conflicts
How to fix:
- Test redirect chain: curl -IL http://yourdomain.com or use Redirect Checker
- Consolidate redirects:
  - Choose www vs non-www and stick to one
  - Set up direct HTTPS redirect (skip HTTP step when possible)
  - Configure canonical URLs in your web server
- Update web server configuration:
Nginx (direct HTTPS with non-www):
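server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com example.com;
    # ssl_certificate and ssl_certificate_key covering both hostnames go here

    # Plain HTTP on either hostname: one hop to the canonical HTTPS URL
    if ($scheme = http) {
        return 301 https://example.com$request_uri;
    }
    # HTTPS on www: one hop to the non-www hostname
    if ($host = www.example.com) {
        return 301 https://example.com$request_uri;
    }
}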
Apache (.htaccess):
RewriteEngine On
RewriteCond %{HTTPS} off [OR]
RewriteCond %{HTTP_HOST} ^www\. [NC]
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [L,R=301]
Ideal redirect chain: Maximum 1-2 redirects
Getting help
If you're stuck resolving an issue:
- Check Troubleshooting for common problems
- Contact your hosting provider or DNS provider for infrastructure issues
- Reach out to Support for help interpreting report results