We Built a Free Email Security Audit Tool. Here's Why... and What We Found in the First 24 Hours
Free email security audit tool. Check your domain in 3 seconds. Early data: only 30% of domains have adequate protection.
Email is, and has been, the primary entry point for the vast majority of cyber attacks. Yet, for a lot of organisations, email security remains a black box: deployed once during onboarding, checked off a list, and rarely reviewed again.
Because email protocols fail silently, you may not know your controls have drifted or stopped working until something goes wrong: a spoofed email damages your brand's credibility, business correspondence lands in spam folders or gets rejected, or worse — your entire mail flow gets disrupted, and it can take hours or days to recover from the NDR storms, backscatter, SMTP retries, and DNS propagation delays.
We built the Cirrus Email Security Audit Tool as a first step to help close that visibility gap. It's free, requires no account or sign-up, and delivers an actionable analysis of your domain's email security posture in less than three seconds.
The early results are sobering. In the first 24 hours of going live, we've seen over 100 domains scanned — and only about 30% had adequate protection. Fewer than 5% scored above average. Most domains have high-impact gaps their owners didn't know existed.
👉 Check your domain now — no signup required
The Set-and-Forget Trap
It's an easy trap to fall into: email security is configured once — during onboarding, a migration, or a domain setup — and then it drops off the radar. Months pass, DNS changes accumulate, and nobody thinks to check whether the original setup is still intact.
That's "checkbox security" — and it can be dangerously fragile.
Configuration drift is real.
A marketing team adds a new newsletter platform and edits your DNS. An external contractor leaves a legacy access route open. A wildcard record is left in place. In the background, your security posture drifts away from your approved baseline.
The first step in reclaiming control is visibility. You cannot govern what you cannot see.
What We Check — and Why It Matters
Most scanners stop at "do you have these records?" We go deeper, evaluating the operational strength of your configuration across four dimensions:
1. Spoofing Protection (DMARC)
Your primary defence against impersonation. We check whether your domain is configured to actively block fake emails sent in your name, not just report on them. A domain without this protection is a domain anyone can impersonate.
2. Email Authentication (SPF & DKIM)
We verify that your authorised senders are properly listed and that your domain has the cryptographic keys published to support email signing. These are the foundation of trust for email, and they're surprisingly easy to misconfigure — too many senders listed, overly permissive settings, or missing signing keys altogether.
3. Mail Delivery
A secure domain must also be a reliable one. We check that your domain is properly configured to send and receive email — because even the strongest security controls don't help if legitimate messages never arrive, or if your outgoing mail gets rejected by recipients.
4. Transit Security
We check the controls that enforce encrypted delivery and prevent interception — including whether your mail servers are configured to require encryption rather than allowing opportunistic connections, and whether your domain can detect delivery failures before they become a problem.
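The difference between "has a record" and "has a record that enforces" can be shown on the record strings themselves. The following is an added example, not code from the Cirrus tool: the function names `audit_dmarc` and `audit_spf` are hypothetical, the sample records are constructed, and nothing is queried over DNS.

```python
import re

SPF_LOOKUP_LIMIT = 10  # RFC 7208 limit on DNS-querying terms per evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def audit_dmarc(record):
    """Return findings for one DMARC TXT record string."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return ["critical: no valid DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("critical: p=none only reports; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("critical: missing or invalid p= tag")
    elif tags.get("pct", "100") != "100":
        findings.append("medium: pct=%s enforces on only part of the mail" % tags["pct"])
    if policy in ("quarantine", "reject") and tags.get("sp") == "none":
        findings.append("medium: sp=none leaves subdomains unenforced")
    return findings

def audit_spf(record):
    """Return findings for one SPF TXT record string (no DNS is queried)."""
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["critical: no valid SPF record"]
    findings, lookups = [], 0
    for term in terms[1:]:
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all" and term[0] not in "-~":  # all, +all, ?all
            findings.append("critical: '%s' does not restrict who may send" % term)
    # Lower bound: every include/redirect target adds its own lookups on top.
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append("critical: %d DNS-lookup terms exceed the limit of %d"
                        % (lookups, SPF_LOOKUP_LIMIT))
    return findings

if __name__ == "__main__":
    # Constructed sample records; example.com is a placeholder domain.
    print(audit_dmarc("v=DMARC1; p=none; rua=mailto:dmarc@example.com"))
    print(audit_spf("v=spf1 ip4:192.0.2.0/24 include:_spf.example.com +all"))
```

Both sample records would pass a presence-only check, yet each produces a critical finding here.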
For those that fall under NIS2, DORA, or CyFun scope, these controls go from "good practice" to "regulatory requirement" — and this audit is a useful starting point for identifying gaps.
Not sure where your domain stands? Run a free scan now — it takes less than three seconds.

Actionable Remediation, Not Just Raw Data
Most security scanners dump technical records and jargon on you and call it a day. Whether you're a business owner or a technical professional, we designed our results and guidance so you can understand the problem and address it — quickly and effectively.
When you scan your domain, you get:
- An Overall Security Score: A colour-coded percentage showing your protection level — Protected, Partial Protection, or Unprotected.
- Prioritised Recommendations: Critical, medium, and low-priority fixes. Each one explains the issue, why it matters for your domain, and the exact steps to remediate it.
- A PDF Report Download: A clean, shareable summary you can hand straight to your IT team, MSP, or compliance officer.
Why We Built This
At Cirrus, we're building a platform for continuous email security governance — tools that help organisations own their security baseline, detect drift before it becomes a breach, and generate compliance evidence automatically.
This audit check is our first public milestone. It addresses a problem we kept running into: for business owners, email security is a black box — they can't see what's configured, and they don't know what they should be looking for. For MSPs and IT teams, the issue is different — when email breaks, it quickly becomes obvious something is wrong, but there's no audit trail to trace what changed, why, and what or who made the change — information that's crucial in preventing it from happening again.
We built it to give you immediate, objective clarity on your domain posture. No sales calls, no paywalls, no signup required. That's not a marketing gimmick — it's genuinely how we want to earn trust. We're in a discovery and pilot phase, collecting feedback and usage data to make our services better. Whether that model stays exactly the same forever, we'll decide as we go. What we can promise is that right now, it's open to everyone.
What's Next
This is version one, and we're just getting started. Some things to look out for in the near future:
- Continuous Monitoring: One-time scans are useful, but real security comes from tracking changes over time.
- Multi-Domain Scanning: For MSPs and IT teams managing dozens or hundreds of domains.
- Compliance Reporting: Automated evidence generation for frameworks like NIS2, CyFun, and DORA.
- Baseline Management: Define your approved configuration and get alerted when something drifts.
We'd love your feedback. Run a scan, download the report, and let us know what you think.