We’ve been doing IT and cybersecurity long enough to know that most small businesses have no idea whether their website and email are properly secured. Not because they don’t care - because nobody ever showed them how to check.

So we built a tool that does it for you. Go to security.darkhorseit.com, enter your domain name, and in about 30 seconds you’ll get a full breakdown of your website and email security posture - explained in plain English.

It’s free. No account required. No sales pitch hiding behind a login wall.

What the scanner checks

The scanner runs a series of automated tests against your domain. Here’s what it looks at and why each one matters.

SSL/TLS certificate

SSL is what puts the padlock in your browser’s address bar. It encrypts the connection between your visitors and your website so nobody can intercept the data in transit.

The scanner checks whether your SSL certificate exists, whether it’s expired or about to expire, whether your site properly redirects from HTTP to HTTPS, and whether HSTS (a header that forces secure connections) is enabled.

Why it matters: An expired or missing SSL certificate triggers scary browser warnings that will turn visitors away. Google also uses HTTPS as a ranking factor. If your certificate lapses, you lose both trust and traffic.

Email authentication: SPF, DKIM, and DMARC

These three protocols work together to prove that emails from your domain are actually coming from you.

SPF lists which mail servers are allowed to send email on your behalf. Without it, anyone can send emails that look like they come from your domain.

DKIM adds a cryptographic signature to your outgoing emails, proving they haven’t been tampered with in transit.

DMARC ties SPF and DKIM together and tells receiving mail servers what to do when an email fails those checks - let it through, send it to spam, or reject it entirely.

Why it matters: Without proper email authentication, attackers can send emails that appear to come from your domain. That’s how phishing works. Your clients get an email that looks like it’s from you, asking them to click a link or send money. Proper SPF, DKIM, and DMARC configuration makes this significantly harder.

Security headers

Security headers are instructions your web server sends to browsers telling them how to behave. They prevent specific categories of attacks.

The scanner checks for headers like Content-Security-Policy (prevents unauthorized scripts), X-Frame-Options (prevents your site from being embedded in malicious pages), Strict-Transport-Security (forces HTTPS), and several others.

Why it matters: Missing security headers leave your site vulnerable to cross-site scripting, clickjacking, and other attacks that exploit browser behavior. Adding them is straightforward once you know which ones are missing.

Blacklist status

The scanner checks whether your domain or mail server IP appears on known spam blacklists.

Why it matters: If you’re on a blacklist, your emails may go straight to spam or not get delivered at all. This can happen without your knowledge - and it can persist for weeks or months if nobody checks.

How to use it

  1. Go to security.darkhorseit.com
  2. Type in your domain name (e.g., yourbusiness.com)
  3. Click scan
  4. Wait about 30 seconds
  5. Review your results

Each check gets a clear pass/fail/warning status with an explanation of what it means and what to do about it. You don’t need a cybersecurity background to understand the results.

What your score means

The scanner gives you an overall score based on how many checks you pass. Think of it like a health checkup for your domain.

A high score means your basics are covered - your SSL is current, your email authentication is configured, and your security headers are in place. A low score means there are gaps that could be exploited.

Most businesses we see score somewhere in the middle. The most common issues are missing DMARC policies, weak or absent security headers, and SPF records that are technically present but misconfigured.

Common issues we find

After scanning hundreds of domains, certain patterns come up again and again.

No DMARC policy at all. This is the most common issue. Without DMARC, there’s no enforcement when someone spoofs your domain. Anyone can send email pretending to be you.

DMARC set to p=none. This is monitoring mode - it logs failures but doesn’t actually block anything. It’s a fine starting point, but too many businesses set it to “none” and never move to enforcement.

Missing security headers. Most small business websites are missing at least two or three important headers. Content-Security-Policy is the most commonly absent.

SPF record with too many DNS lookups. SPF has a limit of 10 DNS lookups. Businesses that use multiple email services (Google Workspace plus Mailchimp plus a CRM plus a helpdesk) often exceed this limit without realizing it, which effectively breaks their SPF.

SSL certificates about to expire. If your certificate isn’t set to auto-renew, it’s a ticking clock. The scanner will flag certificates approaching expiration so you can act before your site goes down.
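To make the SPF lookup limit and the DMARC p=none issue above concrete, here is an added example (not code from the scanner's repository) that counts the DNS lookups an SPF record needs when several email services are chained together, and classifies a DMARC record as missing, monitoring only, or enforcing. The domain names, the records in ZONE, and the function names are constructed for illustration; the records are read from a dictionary rather than live DNS so the example runs offline.

```python
import re

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
# Terms that cost a DNS query; ip4, ip6 and all do not.
TERM = re.compile(r"[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/]|$)(.*)", re.I)

# Constructed TXT records (placeholder names, not real published policies).
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:news.example "
                   "include:crm.example include:desk.example mx ~all",
    "_spf.mail.example": "v=spf1 include:_n1.mail.example "
                         "include:_n2.mail.example include:_n3.mail.example ~all",
    "_n1.mail.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_n2.mail.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_n3.mail.example": "v=spf1 ip6:2001:db8::/48 ~all",
    "news.example": "v=spf1 include:_spf.esp.example ~all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "crm.example": "v=spf1 a mx include:_spf.esp.example ~all",
    "desk.example": "v=spf1 exists:%{i}._spf.desk.example ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

def count_spf_lookups(domain, zone, path=()):
    """Worst-case DNS lookups to evaluate domain's SPF record."""
    if domain in path:  # include loop: stop recursing
        return 0
    count = 0
    for term in zone.get(domain, "").split()[1:]:  # skip "v=spf1"
        m = TERM.match(term)
        if not m:
            continue
        count += 1  # the term itself costs one lookup
        if m.group(1).lower() in ("include", "redirect"):
            count += count_spf_lookups(m.group(2).lower(), zone, path + (domain,))
    return count

def dmarc_status(txt):
    """Classify the TXT record published at _dmarc.<domain>."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return "missing"
    tags = {k.strip().lower(): v.strip().lower()
            for k, v in (p.split("=", 1) for p in txt.split(";") if "=" in p)}
    return {"none": "monitoring only", "quarantine": "enforcing",
            "reject": "enforcing"}.get(tags.get("p"), "invalid")

def audit(domain, zone):
    n = count_spf_lookups(domain, zone)
    return {"spf_lookups": n, "spf_over_limit": n > SPF_LOOKUP_LIMIT,
            "dmarc": dmarc_status(zone.get("_dmarc." + domain))}

print(audit("example.com", ZONE))
```

The top-level record lists only four includes and one mx, but the nested includes bring the total past the limit, which is why this problem is easy to miss by reading the record alone.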

How DarkHorse IT can help

If your scan turns up issues, you have two options. You can fix them yourself - the scanner gives you enough information to research each issue and implement the fix. Or you can bring in someone who does this every day.

DarkHorse IT helps businesses in the Fargo-Moorhead area and beyond get their security fundamentals right. Email authentication, security headers, SSL management, and ongoing monitoring are all part of what we do. If your scan shows red, we can get it to green.

The tool is open source

We believe in transparency when it comes to security tooling. The scanner’s source code is publicly available at github.com/yubajefffries/oss-security-scan. You can audit the audit. See exactly what the tool checks, how it checks it, and verify that it doesn’t collect or store any data it shouldn’t.

If you’re a developer or IT professional who wants to contribute, pull requests are welcome.

Go scan your domain

Seriously - it takes 30 seconds. Go to security.darkhorseit.com, type in your domain, and see where you stand. If everything’s green, great. If not, now you know - and knowing is the first step to fixing it.

If you want help interpreting your results or fixing what’s broken, reach out to DarkHorse IT. We talk about this stuff every Thursday morning at 7:40am on KFGO and on Facebook.