Technical Analysis & Change Monitoring

Verify the security posture and track every change on a domain

D3 performs a full DNS and email security audit, retrieves authoritative WHOIS/RDAP registration data, and continuously monitors for any change across DNS records, WHOIS fields and TLS certificates.

DNS & Email Security

Email-based attacks — phishing, BEC, spoofing — depend on weak or absent DNS authentication records. D3 checks all nine records that determine whether a domain is defensible against email-based impersonation, and maps findings directly to NIS2 Article 21 and ISO 27001:2022 controls.

SPF
Sender Policy Framework — defines which mail servers may send on behalf of the domain. Absence allows trivial domain spoofing.
Risk if absent: Email spoofing
DKIM
DomainKeys Identified Mail — cryptographic signature on outgoing mail. Absence allows message content to be altered in transit.
Risk if absent: Message tampering
DMARC
Domain-based Message Authentication, Reporting and Conformance — policy defining what happens to mail that fails SPF or DKIM. A policy of 'none' provides no protection.
Risk if absent: Phishing
BIMI
Brand Indicators for Message Identification — associates a verified logo with authenticated email. Requires DMARC enforcement.
Risk if absent: Brand impersonation
MTA-STS
Mail Transfer Agent Strict Transport Security — enforces TLS for inbound mail, preventing STARTTLS downgrade attacks.
Risk if absent: Downgrade attacks
DANE/TLSA
DNS-Based Authentication of Named Entities — pins TLS certificates in DNS, making MITM attacks detectable.
Risk if absent: Certificate spoofing
CAA
Certification Authority Authorisation — restricts which CAs may issue certificates for the domain.
Risk if absent: Rogue certificates
TLS-RPT
TLS Reporting — provides aggregate reports on TLS connection failures, enabling operators to detect and fix issues.
Risk if absent: Silent failures
DNSSEC
DNS Security Extensions — cryptographically signs DNS responses, preventing cache poisoning and spoofed DNS answers.
Risk if absent: Cache poisoning

WHOIS & RDAP

D3 queries RDAP (Registration Data Access Protocol) as the primary source — using IANA bootstrap to route to the authoritative registry for each TLD. For TLDs without RDAP support, D3 falls back to classic WHOIS via TCP port 43. All data is retrieved from the authoritative source, not a third-party aggregator.

RDAP vs. WHOIS: RDAP is the modern successor to WHOIS. It returns structured JSON, supports internationalised domain names, and includes machine-readable status codes. D3 prefers RDAP and falls back to WHOIS only when no RDAP server is available for a given TLD.
Registrar

The accredited registrar managing the domain registration.

Registrant

Organisation or individual that owns the domain. Often WHOIS-privacy protected under GDPR.

Registration date

When the domain was first registered. A short history may indicate a newly set-up phishing domain.

Expiry date

When the registration lapses. Domains expiring within 30 days are flagged — a lapsed domain can be acquired by a third party.

EPP status codes

Registry-level locks (clientTransferProhibited, serverDeleteProhibited etc.) indicating the domain's transfer and deletion protection state.

Nameservers

Authoritative DNS servers for the domain. Nameservers shared with a known registrant are strong evidence of common ownership.

DNSSEC signed

Whether the domain has DS records published at the registry, indicating active DNSSEC deployment.
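
How the registration fields above can be read from an RDAP domain response and turned into findings, as an added example that is not D3's own code. The response is a constructed sample in the RFC 9083 shape; `audit_registration` and the 90-day "recently registered" threshold are assumptions, while the 30-day expiry window is the one stated above.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response (RFC 9083 shape); every value is a sample.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example.test",
  "status": ["client transfer prohibited"],
  "events": [
    {"eventAction": "registration", "eventDate": "2025-12-20T09:00:00Z"},
    {"eventAction": "expiration",   "eventDate": "2026-01-25T09:00:00Z"}
  ],
  "nameservers": [{"ldhName": "NS1.EXAMPLE.TEST"}, {"ldhName": "ns2.example.test"}],
  "secureDNS": {"delegationSigned": false}
}
""")

def _event(rdap, action):
    """Return the datetime of the first event with this eventAction, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action:
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def audit_registration(rdap, now, expiry_days=30, young_days=90):
    """Summarise the registration fields and list the findings they raise."""
    # RDAP spells EPP codes as spaced lower-case words (RFC 8056 mapping),
    # so normalise before comparing with clientTransferProhibited and friends.
    status = {s.replace(" ", "").lower() for s in rdap.get("status", [])}
    registered, expires = _event(rdap, "registration"), _event(rdap, "expiration")
    findings = []
    if expires is None:
        findings.append("no expiration event")
    elif (expires - now).days <= expiry_days:  # also true once already lapsed
        findings.append("expires within %d days" % expiry_days)
    if registered and (now - registered).days < young_days:  # assumed threshold
        findings.append("recently registered")
    if not status & {"clienttransferprohibited", "servertransferprohibited"}:
        findings.append("no transfer lock")
    if not rdap.get("secureDNS", {}).get("delegationSigned", False):
        findings.append("no DS at registry")
    nameservers = sorted(n["ldhName"].lower() for n in rdap.get("nameservers", []))
    return {"nameservers": nameservers, "findings": findings}

if __name__ == "__main__":
    print(audit_registration(SAMPLE_RDAP, datetime(2026, 1, 10, tzinfo=timezone.utc)))
```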

Change Monitoring

Domain hijacks and infrastructure compromises rarely happen all at once. They leave traces: a nameserver change here, a new TLS certificate there. Change Monitoring runs continuously and alerts you the moment something changes — giving you time to respond before an attack completes.

What is monitored

DNS records

A, AAAA, MX, NS, TXT, CAA — any addition, removal or modification is detected and alerted.

WHOIS / RDAP

Registrant, registrar, expiry date, EPP status, nameservers — changes may indicate a transfer or hijack attempt.

TLS certificate

Certificate issuance, renewal or change — unexpected new certificates are a strong indicator of domain hijack or MITM setup.

SPF / DMARC policy

Policy weakening (e.g. DMARC from 'reject' to 'none') is a common attacker move after gaining access.

Attack scenarios detected

Domain hijacking via registrar compromise
An attacker gains access to the registrar account and transfers the domain to another registrar. WHOIS and NS changes trigger an immediate alert.
BGP route hijack + DNS manipulation
Nameserver records are altered to point to attacker-controlled infrastructure. NS change detected within the next monitoring cycle.
Unauthorised TLS certificate issuance
A rogue CA issues a certificate for the domain. Certificate transparency log entries trigger a TLS change alert.
Silent MX redirect
MX records are modified to redirect inbound mail to an attacker-controlled server. MX change detected and alerted.
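
A sketch of the comparison behind the monitored items and scenarios above, as an added example that is not D3's own code: two record snapshots from consecutive monitoring cycles are diffed, and SPF/DMARC weakening is reported separately from plain changes. The snapshots are constructed, and the function names and severity labels are assumptions.

```python
# Constructed snapshots of one domain's records from two monitoring cycles.
BEFORE = {"NS": {"ns1.example.test.", "ns2.example.test."},
          "MX": {"10 mail.example.test."},
          "TXT": {"v=spf1 mx -all"},
          "_dmarc": {"v=DMARC1; p=reject; rua=mailto:dmarc@example.test"}}
AFTER = {"NS": {"ns1.example.test.", "ns2.example.test."},
         "MX": {"5 mx.other.test.", "10 mail.example.test."},
         "TXT": {"v=spf1 mx ~all"},
         "_dmarc": {"v=DMARC1; p=none"}}

DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}
SPF_RANK = {"+all": 0, "?all": 1, "~all": 2, "-all": 3}

def dmarc_policy(records):
    """Strength of the p= tag of the DMARC record; -1 when there is no record."""
    for txt in records:
        pairs = (t.split("=", 1) for t in txt.split(";") if "=" in t)
        tags = {k.strip().lower(): v.strip() for k, v in pairs}
        if tags.get("v") == "DMARC1":
            return DMARC_RANK.get(tags.get("p", "").lower(), 0)
    return -1

def spf_all(records):
    """Strength of the SPF 'all' qualifier; -1 when no record or no 'all' term."""
    for txt in records:
        terms = txt.lower().split()
        if terms[:1] == ["v=spf1"]:
            for term in terms[1:]:
                if term in SPF_RANK or term == "all":  # bare 'all' means '+all'
                    return SPF_RANK.get(term, 0)
    return -1

def diff_snapshots(before, after):
    """Return (severity, what, added, removed) alerts between two snapshots."""
    alerts = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name, set()), after.get(name, set())
        if old == new:
            continue
        # NS and MX decide where queries and inbound mail are sent.
        severity = "high" if name in ("NS", "MX") else "info"
        alerts.append((severity, name + " changed", sorted(new - old), sorted(old - new)))
    if dmarc_policy(after.get("_dmarc", ())) < dmarc_policy(before.get("_dmarc", ())):
        alerts.append(("high", "DMARC policy weakened", [], []))
    if spf_all(after.get("TXT", ())) < spf_all(before.get("TXT", ())):
        alerts.append(("high", "SPF policy weakened", [], []))
    return alerts
```

Ranking the policies rather than comparing strings means a move from `quarantine` to `reject` is recorded as a change but not raised as a weakening.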

Run a full technical analysis

Free account. 3 trial credits. No credit card required.

© 2026 Veniatis · D3 Domain Due Diligence · Siriusstraat 4, 7622 VZ Borne · The Netherlands · Audit-ready. Evidence-based. Exportable. · Built by AgenticDevelopment