Infrastructure
· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.DRedirect ChainAction2 redirect(s), 1216 ms totalFIX
https://www.segment.com
531 ms · HTTP/1.1
https://segment.com/
511 ms · HTTP/1.1
https://www.twilio.com/en-us/segment
173 ms · HTTP/1.1 FINAL
| # | URL | Status | Time | Protocol | Server |
|---|---|---|---|---|---|
| 1 | https://www.segment.com | 301 | 531 ms | HTTP/1.1 | nginx |
| 2 | https://segment.com/ | 302 | 511 ms | HTTP/1.1 | nginx |
| 3 | https://www.twilio.com/en-us/segment | 200 | 173 ms | HTTP/1.1 |
See the visual redirect chain in the HTTP Probe tab →
Each redirect adds latency. Try to minimize the chain to 1 hop.
Redirect chain — each hop adds latency; combine into one redirect where possible.
Source: Google Search Central / web.dev
If permanent, use 301 instead.
302 (Found) is for genuinely temporary redirects — if this redirect is permanent, switch to 301 to preserve SEO equity.
Learn more ▾ ▴
Search engines treat 302 as temporary, keeping the original URL indexed and not transferring full link equity to the destination. Use 301 (Moved Permanently) for permanent redirects (HTTP→HTTPS, www-vs-non-www, URL restructures).
Source: Google Search Central
DCDN & DeliveryActionNo CDN detectedFIX
Consider using a CDN to improve global delivery speed and reduce origin load.
CIPv6 ReadinessActionNo IPv6 supportREVIEW
IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.
No AAAA records — same impact as 'no IPv6 (AAAA) records'; IPv6-preferring clients pay extra latency falling back to IPv4.
Source: Google IPv6 stats
BTLS Certificate Expiry & Recommendations191 days until leaf cert expires — 3 issues to addressREVIEW
Certificate validity
Recommended actions
- Enable HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains
- Enable DNSSEC on your domain for DNS spoofing protection
- Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy
ADNS Records3 A records, 117 ms lookupPASS
| A | 100.22.97.185, 52.24.71.54, 34.216.129.148 |
| AAAA | — |
| CNAME | segment.com |
| NS | ns-677.awsdns-20.net, ns-386.awsdns-48.com, ns-1681.awsdns-18.co.uk, ns-1205.awsdns-22.org |
| MX | 10 mxa-0023de01.gslb.pphosted.com |
| TXT | airtable-verification=cefc1f211f96a7ff87b65b078aee41ef postman-domain-verification=c905e7bd410da4bbcb2c4e0e96b2b9d0f6657debb31e89940b26... bugcrowd-verification=8bc91ead4bf9979f7de216191cf0e5d4 google-site-verification=zfo7ZoeOCTYZwn-jHOF5cruYlF4gPRN3Xkj7siYq9qw atlassian-domain-verification=SC6fTWOj+nV9XC0dqcPNn6R+trRmss2Xl3spdpJuXh8wiwPPCe... lucidchart-verification=aaXCRY7AWJr7Kk4WfHlH gradle-verification=TMN4JP1P3UU40CCUOISLDHFIJGRM5 hubspot-dns-verification=hubspot-f5fe79ltusWe google-site-verification=7mX1TXXSAxbOuAwPJsk7mmsmvSjVRds99CUaq_54-AQ google-site-verification=PVuLPjqqhb3D1ZmWF_b0a68RvlwES1ouYYQFBDAcYPU hubspot-developer-verification=MGM0MWQwNTYtM2MyOS00YTM5LTk5NTEtNjRhNmNhNmFhZGI1 docusign=135f3801-2dc6-4e71-acc1-12a337ea3dfb atlassian-domain-verification=W7l5tMItTm4lNEq8QOucCxLdAbqWNuMG6fHGtkVrN1HsVvbh7E... google-site-verification=pJBgQqPzyDub2n2wHk-5fQmcknlgf3gGwsFPoVNs4L8 google-site-verification=uyiHYCSsIa9TUR55Bby5YdIyZjDDiYQfRYH7giX5xns drift-domain-verification=d5594829f85cebeb24146ac3b2ddf5560ae7f29b4a9c392c090276... status-page-domain-verification=934c3wdf14l9 d7eba8c3-57b1-4dd6-b410-1e9efb1f28e7 google-site-verification=HpCnR5YyS21Rat8qk8rmeSWbtSq3Ft6VD-lag8TWiyE SPF v=spf1 include:%{i}._ip.%{h}._ehlo.%{d}._spf.vali.email ~all MS=ms45041807 zapier-domain-verification-challenge=a2c5e2d0-bbe8-4d8c-ba54-95fdcb561986 d735d671-6fd6-4a9c-b02f-b1de48d84680 |
| CAA | Lookup not available with standard resolver |
A CNAME at the zone apex can break MX and NS records. Use ALIAS/ANAME or A records instead.
CNAME at the apex (example.com) breaks every other apex record (MX, TXT, NS) — DNS-protocol violation per RFC 1034.
Learn more ▾ ▴
RFC 1034 forbids CNAME alongside other records at the same name. Some DNS providers offer ALIAS / ANAME / flattened-CNAME records that work around this — use those instead. Otherwise apex-level CNAME breaks email (no MX), domain ownership verification (no TXT), and more.
Source: RFC 1034
CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.
Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.
A+Crawlabilityrobots.txt present, sitemap with 4 URLsPASS
# Algolia-Crawler-Verif: 7958130DB3AFAB0B
# *
User-agent: *
Allow: /
Disallow: /storybook/*
Disallow: /cdp-week-summer-edition/
Disallow: /segment-jsl/
Disallow: /demo-request-followup/
Disallow: /pdfs/
Disallow: /learn-segment-abm-industry/
Disallow: /learn-segment-abm-personal/
Disallow: /learn-segment-demo-request/
Disallow: /learn-segment-pmm/
Disallow: /learn-segment-voc-video-feature/
Disallow: /learn-segment-content-download/
# Host
Host: https://segment.com/
# Sitemaps
Sitemap: https://segment.com/sitemap.xml
Sitemap: https://segment.com/docs/sitemap.xml
Sitemap: https://segment.com/blog/sitemap.xml
Sitemap: https://segment.com/sitemap-1.xml
A+URL Variantswww/non-www, trailing slash, HTTP→HTTPSPASS
www / non-www
Preferred variant: www
HTTP → HTTPS
Consistent
ADomain Intelligencesegment.com — via MarkMonitor Inc., 28 years, 1 months old, hosted on AWSPASS
EXPIRED
July 5, 2026
191 days
Issued by Amazon
28 years, 1 months
Registered July 6, 1998
Not enabled
Protects against DNS spoofing
AWS
ASN AS16509
52.24.71.54
MarkMonitor Inc.
Expiry timeline
Recommended actions
- Domain has EXPIRED — renew immediately to avoid total site outage
- Enable DNSSEC to protect visitors from DNS spoofing
Consider enabling auto-renewal to prevent accidental expiration.
Domain expiry approaching — renew immediately and ensure auto-renew + alerting are configured.
Source: ICANN renewal policy
DNSSEC protects against DNS spoofing attacks. While not required, enabling DNSSEC adds an additional layer of security. Contact your DNS provider to enable it.
Without DNSSEC, an attacker who can poison your DNS can hijack your domain — and SSL certs alone don't stop them.
Learn more ▾ ▴
DNSSEC adds cryptographic signatures to DNS records, preventing forged responses from poisoning resolver caches. Without it, an attacker who controls the network path can redirect your domain to a malicious server before any HTTPS handshake happens. Most modern registrars (Cloudflare, Google Domains, Route 53) enable it with one toggle.
Source: ICANN / RFC 4033