Infrastructure
· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.BDNS Records4 A records, 651 ms lookupREVIEW
| A | 3.174.193.23, 3.174.193.83, 3.174.193.39, 3.174.193.113 |
| AAAA | 2600:9000:2906:b000:0:91c:a40:93a1, 2600:9000:2906:f400:0:91c:a40:93a1, 2600:9000:2906:3a00:0:91c:a40:93a1, 2600:9000:2906:200:0:91c:a40:93a1, 2600:9000:2906:2e00:0:91c:a40:93a1, 2600:9000:2906:9c00:0:91c:a40:93a1, 2600:9000:2906:8800:0:91c:a40:93a1, 2600:9000:2906:d000:0:91c:a40:93a1 |
| CNAME | www.usa.gov.external-domains-production.cloud.gov |
| NS | — |
| MX | — |
| TXT | — |
| CAA | Lookup not available with standard resolver |
A CNAME at the zone apex can break MX and NS records. Use ALIAS/ANAME or A records instead.
CNAME at the apex (example.com) breaks every other apex record (MX, TXT, NS) — DNS-protocol violation per RFC 1034.
Learn more ▾ ▴
RFC 1034 forbids CNAME alongside other records at the same name. Some DNS providers offer ALIAS / ANAME / flattened-CNAME records that work around this — use those instead. Otherwise apex-level CNAME breaks email (no MX), domain ownership verification (no TXT), and more.
Source: RFC 1034
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.
SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.
Without SPF, receiving servers can't validate sending IPs — your domain is easier to spoof in phishing.
Learn more ▾ ▴
SPF complements DMARC. Both should be published. SPF records list authorized sending IPs (e.g., `v=spf1 include:_spf.google.com ~all` for Google Workspace). After publishing, verify in Google Postmaster Tools or mxtoolbox.
Source: RFC 7208 (SPF)
Slow DNS adds latency to every page load. Consider a faster DNS provider.
DNS resolution is slow — anycast DNS providers (Cloudflare, Route 53) typically resolve <50ms globally.
Source: DNS performance benchmarks
BTLS Certificate Expiry & Recommendations76 days until leaf cert expires — 2 issues to addressREVIEW
Certificate validity
Recommended actions
- Add the preload directive and submit to hstspreload.org once max-age + includeSubDomains are in place
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
A+Redirect ChainNo redirects — direct accessPASS
https://www.usa.gov
694 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://www.usa.gov | 200 | 694 ms | HTTP/1.1 |
A+IPv6 ReadinessIPv6 reachable (15 ms)PASS
A+Crawlabilityrobots.txt present, sitemap with 1535 URLsPASS
#
# robots.txt
#
# This file is to prevent the crawling and indexing of certain parts
# of your site by web crawlers and spiders run by sites like Yahoo!
# and Google. By telling these "robots" where not to go on your site,
# you save bandwidth and server resources.
#
# This file will be ignored unless it is at the root of your host:
# Used: http://example.com/robots.txt
# Ignored: http://example.com/site/robots.txt
#
# For more information about the robots.txt standard, see:
# http://www.robotstxt.org/robotstxt.html
User-agent: *
Crawl-delay: 10
# Sitemaps
Sitemap: https://www.usa.gov/sitemap.xml
# CSS, JS, Images
Allow: /misc/*.css$
Allow: /misc/*.css?
Allow: /misc/*.js$
Allow: /misc/*.js?
Allow: /misc/*.gif
Allow: /misc/*.jpg
Allow: /misc/*.jpeg
Allow: /misc/*.png
Allow: /modules/*.css$
Allow: /modules/*.css?
Allow: /modules/*.js$
Allow: /modules/*.js?
Allow: /modules/*.gif
Allow: /modules/*.jpg
Allow: /modules/*.jpeg
Allow: /modules/*.png
Allow: /profiles/*.css$
Allow: /profiles/*.css?
Allow: /profiles/*.js$
Allow: /profiles/*.js?
Allow: /profiles/*.gif
Allow: /profiles/*.jpg
Allow: /profiles/*.jpeg
Allow: /profiles/*.png
Allow: /themes/*.css$
Allow: /themes/*.css?
Allow: /themes/*.js$
Allow: /themes/*.js?
Allow: /themes/*.gif
Allow: /themes/*.jpg
Allow: /themes/*.jpeg
Allow: /themes/*.png
# Directories
Disallow: /includes/
Disallow: /misc/
Disallow: /modules/
Disallow: /profiles/
Disallow: /scripts/
Disallow: /themes/
# We shouldn't have these, but:
Disallow: /node
Disallow: /node/
Disallow: /es/node
Disallow: /es/node/
A+URL Variantswww/non-www, trailing slash, HTTP→HTTPSPASS
www / non-www
Preferred variant: www
HTTP → HTTPS
Consistent
A+Domain Intelligenceusa.gov — via get.gov, 27 years oldPASS
37 days
August 18, 2026
76 days
Issued by Let's Encrypt
27 years
Registered August 18, 1999
Enabled
Protects against DNS spoofing
Unknown
2600:1f18:f88:4313:6df7:f986:f915:78d6
get.gov
Expiry timeline
Recommended actions
- Renew the domain or enable auto-renewal to prevent accidental expiry