Infrastructure

· 9 checks — DNS, redirects, IPv6, crawlability, URL variants, and domain intelligence rolled into one auditable list.

SCORE

GRADE

FIX

REVIEW

PASS

INFO

Probed from Madrid, Spain

200 OK

Checks

5 PASS 3 REVIEW

DNS Records

2 A records, 37 ms lookup

REVIEW

2 A records, 37 ms lookup

Resolves to 2 IPv4 address(es)

Got: 64.239.109.193, 64.239.123.193

No IPv6 (AAAA) records

CNAME record at zone apex

A CNAME at the zone apex can break MX and NS records. Use ALIAS/ANAME or A records instead.

Got: 4c5eb4c8f66d5c16.vercel-dns-013.com

No NS records found

No MX records — email not configured via DNS

CAA records not checked

CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.

No SPF record found in TXT records

SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.

DNS resolution time: 37 ms

Got: 37 ms

A	64.239.109.193, 64.239.123.193
AAAA	—
CNAME	4c5eb4c8f66d5c16.vercel-dns-013.com
NS	—
MX	—
TXT	—
CAA	Lookup not available with standard resolver

Resolved in 37 ms

A CNAME at the zone apex can break MX and NS records. Use ALIAS/ANAME or A records instead.

Why this matters

CNAME at the apex (example.com) breaks every other apex record (MX, TXT, NS) — DNS-protocol violation per RFC 1034.

Learn more ▾

RFC 1034 forbids CNAME alongside other records at the same name. Some DNS providers offer ALIAS / ANAME / flattened-CNAME records that work around this — use those instead. Otherwise apex-level CNAME breaks email (no MX), domain ownership verification (no TXT), and more.

Source: RFC 1034

CAA record lookup requires a specialized DNS resolver. This check will be available in a future update.

Why this matters

Informational: CAA (Certification Authority Authorization) records weren't checked in this scan.

SPF helps prevent email spoofing. Add a TXT record starting with 'v=spf1'.

Why this matters

Without SPF, receiving servers can't validate sending IPs — your domain is easier to spoof in phishing.

Learn more ▾

SPF complements DMARC. Both should be published. SPF records list authorized sending IPs (e.g., `v=spf1 include:_spf.google.com ~all` for Google Workspace). After publishing, verify in Google Postmaster Tools or mxtoolbox.

Source: RFC 7208 (SPF)

IPv6 Readiness

Action

No IPv6 support

REVIEW

No IPv6 support

No IPv6 (AAAA) records found

IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.

No IPv6 Support

About 40% of internet users have IPv6. Consider adding AAAA records.

IPv6 support is increasingly important for global accessibility. About 40% of internet users have IPv6 connectivity.

Why this matters

No AAAA records — same impact as 'no IPv6 (AAAA) records'; IPv6-preferring clients pay extra latency falling back to IPv4.

Source: Google IPv6 stats

TLS Certificate Expiry & Recommendations

31 days until leaf cert expires — 4 issues to address

REVIEW

Certificate validity

days left

0d 30d 60d 90d+

Recommended actions

Add includeSubDomains to the HSTS directive
Add the preload directive and submit to hstspreload.org once max-age + includeSubDomains are in place
Enable DNSSEC on your domain for DNS spoofing protection
Enable OCSP stapling on your TLS server to remove a CA roundtrip and protect user privacy

A+

Redirect Chain

No redirects — direct access

PASS

No redirects — direct access

Got: https://www.sanity.io

https://www.sanity.io

99 ms · HTTP/1.1 FINAL

#	URL	Status	Time	Protocol	Server
1	https://www.sanity.io	200	99 ms	HTTP/1.1	Vercel

A+

Crawlability

robots.txt present, sitemap with 7 URLs

PASS

robots.txt present, sitemap with 7 URLs

robots.txt is present

Got: 240 bytes

sitemap.xml is present

sitemap.xml is valid XML

sitemap.xml contains 7 entries

Sitemap index with 7 child sitemaps

robots.txt references sitemap

robots.txt 200 OK

Size 240 B Sitemaps referenced 1 User-agents * Blocking No — crawling allowed

User-Agent: *
Allow: /
Disallow: /debug
Disallow: /styleguide
Disallow: /manage
Disallow: /showcase
Disallow: /api/preview
Disallow: /v2-docs
Disallow: /*.json*
Disallow: /collections/vendors?q=*

Sitemap: https://www.sanity.io/sitemap.xml

sitemap.xml 200 OK

Type Sitemap Index URLs 7 entries Valid XML Yes

Child Sitemaps:

URL Variants

www/non-www, trailing slash, HTTP→HTTPS

PASS

www/non-www, trailing slash, HTTP→HTTPS

www/non-www redirect configured correctly (preferred: www)

HTTP→HTTPS redirect uses 302 instead of 301

Got: 302 temporary redirect Expected: 301 permanent redirect

www / non-www

200https://www.sanity.io/

301https://sanity.io/

Preferred variant: www

HTTP → HTTPS

308http://www.sanity.io/ → https://www.sanity.io/

Use 301 (permanent) instead of 302 (temporary)

A+

HTTP Probe Timing

Total 198 ms — DNS, TCP, TLS, TTFB, content transfer breakdown

PASS

DNS Lookup

75 ms

TCP Connect

1 ms

TLS Handshake

37 ms

Time to First Byte

181 ms

Total Time

199 ms

Connection waterfall

DNS Lookup 75 ms TCP Connect 1 ms TLS Handshake 37 ms Server Processing 69 ms Content Transfer 18 ms

A+

CDN & Delivery

Vercel (HIT)

PASS

Vercel (HIT)

Site is served via Vercel CDN

Got: x-vercel-id: cdg1::g6zxs-1775593950924-da65a73dfa7d

CDN cache status: HIT

CDN Detected: Vercel

Provider Vercel Cache Status HIT Evidence x-vercel-id: cdg1::g6zxs-1775593950924-da65a73dfa7d

Domain Intelligence

Domain intelligence data not available

INFO

Domain intelligence data not available

RDAP and WHOIS lookup both failed

All checks on this page are automated. Results are estimates - run targeted manual reviews when the score affects a release decision.