Beyond email, your website also needs a few basic security settings. Here are the main ones and what they do.
Your site must be served over HTTPS (padlock), and any http:// visit must be automatically redirected to https://. Most hosts offer a free certificate (Let's Encrypt) in one click.
The Strict-Transport-Security header (HSTS) tells the browser to use HTTPS for every future visit to your domain, even when someone types the http:// address or follows an http:// link. This defeats downgrade ("SSL stripping") attacks, where an attacker on the same network keeps the victim on plain HTTP. The browser only learns the rule from an earlier HTTPS response, so the very first visit is not protected unless your domain is on the browsers' HSTS preload list.
The Content-Security-Policy header (CSP) tells the browser which sources it may load scripts, styles, images and other resources from. If an attacker manages to inject a script into one of your pages (XSS), a policy that does not allow that source stops it from running. A strict policy can also break legitimate inline scripts and third-party widgets, so roll it out as Content-Security-Policy-Report-Only first and check the browser console for violations before enforcing it.
X-Frame-Options: DENY stops other sites from embedding your pages in an invisible frame and tricking visitors into clicking on them (clickjacking); modern browsers use the CSP frame-ancestors directive for the same purpose, so set both. X-Content-Type-Options: nosniff stops the browser from guessing a file's type from its contents, so a file you serve as text or an image cannot be run as a script.
These headers are added in your server or host configuration (Apache, Nginx, Cloudflare, etc.).
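As an added example (not taken from the original page), here is what the settings above look like in an Nginx site configuration. example.com, the web root and the certificate paths are placeholders; the certificate paths follow the default layout that Let's Encrypt's certbot client uses.

```nginx
# Added example: enforce HTTPS and send the four security headers.
# example.com, /var/www/example.com and the certificate paths are placeholders.

# Plain-HTTP listener: do nothing but redirect every request to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # HSTS: one year, covering subdomains. Start with a short max-age
    # (e.g. 300) while testing, because browsers cache this value and a
    # mistake is hard to undo. "always" sends the header on error pages too.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # CSP: only load scripts, styles, images etc. from this origin, allow no
    # plugins, and forbid framing (frame-ancestors is the modern replacement
    # for X-Frame-Options). Deploy as Content-Security-Policy-Report-Only
    # first if the site uses inline scripts or third-party resources.
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'" always;

    # Clickjacking protection for older browsers that ignore frame-ancestors.
    add_header X-Frame-Options "DENY" always;

    # Stop MIME sniffing: a file served as text/plain is never run as a script.
    add_header X-Content-Type-Options "nosniff" always;

    root  /var/www/example.com;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
        # Caution: an add_header inside a location block replaces ALL
        # add_header lines inherited from the server block, so repeat them
        # here if you ever add a location-level header.
    }
}
```

After editing, run nginx -t to validate the file and reload Nginx, then confirm the result from outside with curl -sI https://example.com and curl -sI http://example.com: the first response should list all four headers, the second should be a 301 to the https:// address.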
Enter your domain: we test your SPF, DKIM, DMARC and website, and give you the exact action plan.
Run the free check