Domain Security Guides

Email Security

What is DMARC and Why Does Your Domain Need It?

DMARC (Domain-based Message Authentication, Reporting & Conformance) prevents attackers from sending emails that look like they come from your domain. Learn how DMARC works with SPF and DKIM, what the three policy levels mean (none, quarantine, reject), and how to set it up step by step.

Read Guide → Email Security

What Does "SPF Record Missing" Mean?

If your domain scan shows "SPF record missing," anyone can send emails pretending to be your business. Learn what an SPF record is, why it matters for email deliverability, and follow our step-by-step guide to add one in minutes — even if you've never touched DNS before.

Read Guide → Domain Protection

What is Domain Hijacking and How to Prevent It?

Domain hijacking is when an attacker takes unauthorized control of your domain name — redirecting your website, intercepting your email, and damaging your brand. Learn how hijacking works, the warning signs to watch for, real-world cases, and a prevention checklist to lock down your domains.

Read Guide → Phishing Defense

What is a Lookalike Domain Attack?

Attackers register domains that look nearly identical to yours — like "paypa1.com" instead of "paypal.com" — to phish your customers and employees. Learn about typosquatting, homoglyph attacks, real-world examples, and how to detect lookalike domains before they cause damage.

Read Guide → SSL / TLS

SSL Certificate Expired? What It Means and How to Fix It

An expired SSL certificate triggers browser warnings that scare away visitors, breaks payment processing, and hurts your Google rankings. Learn why certificates expire, how to check your expiry date, how to renew (including free options), and how to set up monitoring so it never catches you off guard again.

Read Guide → Threat Intelligence

Hosting Reputation Flagged? What It Means and How to Fix It

An IP your domain points at is in active threat-intelligence pulses. Learn what hosting reputation actually measures, how to tell shared-CDN noise from a real compromise, and the three remediation paths — verify-and-dismiss, request a fresh egress IP, or migrate origin.

Read Guide → Risk Score

The Eight-Dimension Risk Score, Explained

Every domain in GuardHound carries a single 0-100 number that summarises uptime, certificates, DNS, email authentication, breach exposure, vulnerabilities, and brand risk. See exactly how each dimension is weighted and how daily snapshots help you track real improvement over time.

Read Guide → Status Pages

Public Status Pages, Powered by Your Monitors

Spin up branded status pages backed by the same service monitors you already alert on. See how to map monitors into sections, post incident timelines, embed status badges, and (on Agency) point a custom domain like status.yourdomain.com.

Read Guide → Vulnerabilities

CVEs & CISA KEV \u2014 Patching the Vulnerabilities That Matter

A CVE is a public software vulnerability ID; a KEV is one CISA has confirmed is being actively exploited. Learn how to triage CVE findings against your stack, prioritise KEV entries first, and verify backported patches that don\u2019t bump the visible version string.

Read Guide → Incident Response

Data Breach Detected \u2014 The First 48 Hours

When emails on your domain appear in a public breach corpus, the first two days determine whether this is a contained incident or a full account-takeover wave. Scope, force resets, rotate tokens, audit access, notify users.

Read Guide → Threat Intelligence

Domain Flagged for Malware \u2014 What to Do First

Google Safe Browsing or AlienVault OTX flagged your domain. Browser interstitials are about to wreck your traffic. Learn how to investigate, clean up, and request review so the warning clears within 24\u201372 hours.

Read Guide → Email Security

DKIM Missing \u2014 Why Recipients Can\u2019t Verify Your Email

DKIM cryptographically signs your outbound mail so recipients can prove it came from you and wasn\u2019t modified. Without it, DMARC enforcement breaks and your messages are easier to spoof. Per-provider setup steps for Google, Microsoft 365, Resend, SendGrid, and more.

Read Guide → DNS

DNSSEC Not Enabled \u2014 Why It Matters and How to Turn It On

DNSSEC cryptographically signs your DNS records so attackers can\u2019t poison the cache and silently redirect your visitors. Step-by-step enablement on Cloudflare, Route 53, and managed registrars, plus the gotchas that leave it half-broken.

Read Guide → Domain Protection

Domain Expiring Soon \u2014 Don\u2019t Lose Your Domain

A lapsed domain is the single most preventable disaster in domain security. How registrar grace periods, redemption, and pending-delete actually work \u2014 and why auto-renew alone isn\u2019t a safety net.

Read Guide → SSL / TLS

Self-Signed SSL Certificate \u2014 What It Is and How to Replace It

A self-signed certificate triggers a full-page browser warning that scares away almost every visitor. The fix takes ten minutes with Let\u2019s Encrypt and is free \u2014 here\u2019s how to do it on Linux, on managed hosts, and how to make sure it never recurs.

Read Guide → SSL / TLS

SSL Endpoint Unreachable \u2014 What It Means and How to Investigate

\u201CUnreachable\u201D doesn\u2019t mean missing \u2014 it means we couldn\u2019t verify, so the score isn\u2019t penalised. Learn the four common causes (transient timeout, firewall, outage, TLS misconfig) and how to investigate in 60 seconds.

Read Guide → DNS

No A Record \u2014 Your Domain Isn\u2019t Resolving

When your domain has no A or AAAA record, browsers literally don\u2019t know where to send the request. The fix is a single DNS record edit; the propagation is the slow part. Including how to handle the apex-CNAME corner case.

Read Guide → API & Data

Bulk Import and Cursor-Paginated Exports

Onboard hundreds of monitors from a CSV in one shot, then stream cursor-paginated CSV / JSON exports of incidents, monitors, scan history, and per-domain bundles into your warehouse, BI tool, or SIEM. Pro, Business, and Agency.

Read Guide →