You ran a security scan on your domain and got a letter grade. Maybe it was a B. Maybe it was a D. Either way, the grade only matters if you understand what it is actually measuring and what you can do about it.

This post breaks down the seven checks that go into a website security score, explains why each one matters in practical terms, and tells you exactly how to fix any gaps.

How Scoring Works

A security scorecard evaluates your domain across seven categories, each worth a set number of points. The total adds up to 100. Your letter grade maps to the total:

Let's walk through each check.

1. SSL/TLS Certificate (20 points)

What it checks

Whether your website is accessible over HTTPS. The scan tries to connect to your domain using an encrypted connection (https://yourdomain.com) and sees if it succeeds.

Why it matters

SSL/TLS encrypts the connection between your visitors' browsers and your server. Without it, everything sent between them (form submissions, login credentials, personal data) travels in plain text. Anyone on the same network can read it. Beyond security, browsers now show "Not Secure" warnings for sites without SSL, and Google factors it into search rankings.

How to fix it

Most hosting providers offer free SSL certificates through Let's Encrypt. If you use Cloudflare, you can enable their free SSL with one click. For other providers, check your hosting control panel for an SSL or HTTPS option. The certificate itself is free. The setup usually takes less than ten minutes.

2. HTTPS Redirect (10 points)

What it checks

Whether visitors who go to the HTTP version of your site (http://yourdomain.com) are automatically redirected to the HTTPS version. Having SSL installed is not enough if people can still access the insecure version.

Why it matters

If someone types your domain into a browser without specifying "https://", the browser defaults to HTTP. Without a redirect, those visitors get the unencrypted version of your site. This is especially risky on shared WiFi networks where traffic can be intercepted.

How to fix it

If you use Nginx, add this to your server block:

server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$server_name$request_uri;
}

If you use Apache, add a redirect rule in your .htaccess file. If you use Cloudflare, toggle "Always Use HTTPS" in the SSL/TLS settings. Most hosting panels also have a "Force HTTPS" toggle somewhere in the SSL section.
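To confirm that a redirect like the Nginx block above is doing its job, the Python function below (an added example, not code from the original post) evaluates the status code and Location header that a scanner gets back when it requests the plain-HTTP URL. The request URLs and responses in it are constructed; the preference for a permanent 301 or 308 over a temporary 302 is general guidance, not something the scorecard is stated to check.

```python
# Added example (not from the original post): check whether an HTTP response
# is a correct HTTP -> HTTPS redirect. The request URL, status and Location
# values are constructed to mimic what a scanner sees when it requests the
# plain-HTTP version of a site.
from typing import List, Optional
from urllib.parse import urlsplit


def check_https_redirect(request_url: str, status: int, location: Optional[str]) -> List[str]:
    """Return findings for a plain-HTTP request; an empty list means the redirect is correct.

    A correct redirect uses a permanent status (301 or 308), points at https://,
    keeps the same host, and preserves the path and query so deep links still work.
    """
    findings: List[str] = []
    req = urlsplit(request_url)

    if status not in (301, 302, 307, 308):
        findings.append(f"status {status} is not a redirect; plain HTTP is being served")
        return findings
    if status in (302, 307):
        findings.append(f"status {status} is a temporary redirect; use 301 (or 308) so browsers remember it")
    if not location:
        findings.append("redirect has no Location header")
        return findings

    loc = urlsplit(location)
    if loc.scheme != "https":
        findings.append(f"Location scheme is '{loc.scheme or 'relative'}', expected https")
    if loc.hostname and loc.hostname != req.hostname:
        findings.append(f"redirect changes host from {req.hostname} to {loc.hostname}")
    # Treat a missing path as "/" on both sides so http://host and https://host/ compare equal.
    if (loc.path or "/") != (req.path or "/") or loc.query != req.query:
        findings.append("redirect drops the original path or query string")
    return findings


if __name__ == "__main__":
    # Constructed exchange: what the 'return 301' server block in this post produces.
    print(check_https_redirect("http://yourdomain.com/pricing?plan=pro", 301,
                               "https://yourdomain.com/pricing?plan=pro"))
    # Constructed exchange: a site that serves plain HTTP with no redirect at all.
    print(check_https_redirect("http://yourdomain.com/", 200, None))
```

Run it against a real site by fetching the http:// URL with redirects disabled and passing the status and Location header in; a redirect that lands on a different host (for example a www. variant) still counts as a finding here because it adds an extra hop before the visitor reaches the encrypted page.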

3. SPF Email Authentication (10 points)

What it checks

Whether your domain has an SPF (Sender Policy Framework) DNS record. This record lists which mail servers are allowed to send email on behalf of your domain.

Why it matters

Without SPF, anyone can send an email that appears to come from your domain. This is how phishing attacks work. An attacker sends an email that looks like it came from [email protected], and without SPF, receiving mail servers have no way to know it is fake.

How to fix it

Add a TXT record to your domain's DNS settings. If you use Google Workspace for email, your SPF record would look like:

v=spf1 include:_spf.google.com ~all

If you use Microsoft 365, it would be:

v=spf1 include:spf.protection.outlook.com ~all

If you do not send email from this domain at all, you can add a record that rejects everything: v=spf1 -all. This tells receiving servers that no server is authorized to send email for your domain.

4. DMARC Policy (15 points)

What it checks

Whether your domain has a DMARC (Domain-based Message Authentication, Reporting, and Conformance) record at _dmarc.yourdomain.com.

Why it matters

DMARC ties SPF and DKIM together and tells receiving mail servers what to do when an email fails authentication. Without DMARC, even if you have SPF set up, receiving servers might still deliver forged emails. DMARC is what gives your domain's email authentication real teeth. It is worth the most points in the email category for this reason.

How to fix it

Add a TXT record at _dmarc.yourdomain.com. A good starting point:

v=DMARC1; p=none; rua=mailto:[email protected]

Start with p=none (monitor mode) so you can see reports without blocking legitimate email. Once you have confirmed that all your authorized email sources pass, move to p=quarantine and eventually p=reject for full protection.
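Sections 3 and 4 both come down to getting one TXT record right. The Python code below is an added example (not from the original post) that parses an SPF record and a DMARC record the way a scanner might and reports the mistakes that make them ineffective: a missing or permissive "all" qualifier, too many lookup mechanisms, p=none left in place, no rua address, or a pct below 100. The record strings in it are constructed; the ten-lookup limit comes from RFC 7208.

```python
# Added example (not from the original post): parse and grade SPF and DMARC
# TXT records as a scanner might. The record strings used below are constructed.
from typing import Dict, List

# Mechanisms and modifiers that each cost a DNS lookup; RFC 7208 caps these at 10.
SPF_LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def grade_spf(record: str) -> Dict[str, object]:
    """Check an SPF record for the mistakes that make it useless or fragile."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "findings": ["record does not start with v=spf1"]}

    all_qualifier = None
    lookups = 0
    for term in terms[1:]:
        # Strip the qualifier (+ - ~ ?) and any ":value" or "=value" to get the mechanism name.
        name = term.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if name == "all":
            all_qualifier = term[0] if term[0] in "+-~?" else "+"  # bare "all" means "+all"
        elif name in SPF_LOOKUP_MECHANISMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders are neither passed nor failed")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every server on the internet; use ~all or -all")
    elif all_qualifier == "?":
        findings.append("'?all' is neutral; use ~all or -all")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10; receivers will permerror")
    return {"valid": True, "all": all_qualifier, "lookups": lookups, "findings": findings}


def grade_dmarc(record: str) -> Dict[str, object]:
    """Parse a DMARC record into tags and report how much protection it actually gives."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings: List[str] = []
    if tags.get("v") != "DMARC1":
        return {"valid": False, "findings": ["record does not start with v=DMARC1"]}
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; move to quarantine/reject once reports look clean")
    if "rua" not in tags:
        findings.append("no rua= address: you will get no aggregate reports")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    return {"valid": True, "policy": policy, "tags": tags, "findings": findings}


if __name__ == "__main__":
    # Constructed records matching the examples given in this post.
    print(grade_spf("v=spf1 include:_spf.google.com ~all"))
    print(grade_dmarc("v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"))
```

Feed it the TXT records you get back from a DNS lookup of the bare domain (SPF) and of _dmarc.yourdomain.com (DMARC); the "lookups" count is a static estimate and does not follow include: chains, so a record that nests other includes can exceed the limit even when this count is below 10.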

5. DKIM Email Signing (10 points)

What it checks

Whether your domain has DKIM (DomainKeys Identified Mail) records. DKIM adds a cryptographic signature to your outgoing emails that receiving servers can verify.

Why it matters

DKIM proves that an email was not altered in transit and that it was actually sent by a server authorized by your domain. Without DKIM, there is no way for a receiving server to verify the integrity of the message. It also improves your email deliverability. Many email providers treat DKIM-signed messages more favorably.

How to fix it

DKIM setup depends on your email provider. Google Workspace, Microsoft 365, and most major email services provide DKIM keys that you add as DNS TXT records. Check your email provider's documentation for the exact record. The process usually involves generating a key pair in your admin console and then adding the public key as a DNS record.

6. Security Headers (20 points)

What it checks

Whether your web server sends five recommended HTTP security headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Content-Type-Options, X-Frame-Options, and Referrer-Policy. Each header is worth 4 points.

Why it matters

Security headers are your second line of defense. Even if an attacker finds a vulnerability in your application code, headers like CSP can prevent them from exploiting it. They cost nothing to implement and protect every visitor automatically.

How to fix it

Add these headers in your web server configuration. For Nginx, add them to your server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

CSP is the most complex one because it needs to be tailored to what your site actually loads. Start with a report-only policy to see what would break, then tighten it from there. If you use Cloudflare, you can add all of these as Transform Rules without touching your server.
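A scanner does not just check that these headers exist; it has to check that their values mean something. The Python code below is an added example (not from the original post) that scores a set of response headers on the post's 4-points-each scale, treating a short HSTS max-age, an unknown Referrer-Policy, or a report-only CSP as not yet earning the points. The precise thresholds a given scanner applies are an assumption, and the header sets used are constructed.

```python
# Added example (not from the original post): score response headers against
# the five headers the post lists, 4 points each. The thresholds below are
# assumptions about what a reasonable scanner requires; the header dicts are constructed.
import re
from typing import Dict, List, Tuple

SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}
ONE_YEAR = 31536000  # the max-age used in the post's HSTS line


def _get(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def score_security_headers(headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (points out of 20, findings). A header earns its 4 points only
    when its value actually gives protection, not merely because it is present."""
    points = 0
    findings: List[str] = []

    hsts = _get(headers, "Strict-Transport-Security")
    match = re.search(r"max-age=(\d+)", hsts)
    if match and int(match.group(1)) >= ONE_YEAR:
        points += 4
    elif hsts:
        findings.append("HSTS max-age is below one year (31536000)")
    else:
        findings.append("Strict-Transport-Security missing")

    if _get(headers, "X-Content-Type-Options").lower() == "nosniff":
        points += 4
    else:
        findings.append("X-Content-Type-Options should be 'nosniff'")

    if _get(headers, "X-Frame-Options").upper() in ("DENY", "SAMEORIGIN"):
        points += 4
    else:
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN")

    if _get(headers, "Referrer-Policy").lower() in SAFE_REFERRER_POLICIES:
        points += 4
    else:
        findings.append("Referrer-Policy missing or leaks full URLs cross-origin")

    csp = _get(headers, "Content-Security-Policy")
    if csp:
        points += 4
        # Split the policy into directives and look at what governs scripts.
        directives = {d.split()[0].lower(): d.split()[1:] for d in csp.split(";") if d.strip()}
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src:
            findings.append("CSP allows 'unsafe-inline' scripts; it will not stop injected scripts")
    elif _get(headers, "Content-Security-Policy-Report-Only"):
        findings.append("CSP is report-only: good for testing, but not enforced yet")
    else:
        findings.append("Content-Security-Policy missing")

    return points, findings


# Constructed header set: the four Nginx add_header lines from this post plus a simple CSP.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}

if __name__ == "__main__":
    print(score_security_headers(SAMPLE_HEADERS))
```

The report-only branch is deliberate: the post's advice to start CSP in report-only mode is the right way to roll it out, but until the policy is switched to the enforcing header it blocks nothing, so the scorer withholds the points while still telling you why.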

7. Blacklist Status (15 points)

What it checks

Whether your domain resolves to a live server and has valid SSL. This is a basic check to confirm that your domain is active and not flagged as unreachable or suspicious.

Why it matters

If your domain does not resolve or lacks SSL, it signals to browsers, search engines, and security tools that something may be wrong. Domains that are blacklisted by services like Google Safe Browsing get warning screens that drive away visitors and damage trust.

How to fix it

If your domain resolves and has SSL, you get full points here. If it does not resolve, check your DNS configuration. If you have been blacklisted, Google Search Console has a Security Issues section where you can request a review after fixing the underlying problem.

What a Good Score Looks Like

A perfect 100 means you have SSL, HTTPS redirects, all three email authentication records (SPF, DMARC, DKIM), all five security headers, and a clean blacklist status. Very few sites score a perfect 100 on the first scan. That is normal.

The most impactful fixes are usually:

  1. SSL + HTTPS redirect (30 points combined, often fixable in minutes)
  2. SPF + DMARC (25 points combined, two DNS records)
  3. Security headers (20 points, a few lines of server config)

If your site scores below 60, focus on SSL and email authentication first. Those are the highest-value fixes with the least effort. Security headers come next. Most businesses can go from a D to a B in an afternoon.

Try It Yourself

You can scan any domain for free using our Security Scorecard. Enter your domain, get your grade, and use this guide to fix whatever comes up. If you want help implementing the fixes, reach out and we will walk you through it.


Security does not have to be complicated. Most of these checks come down to a few DNS records and a few lines of server configuration. The hard part is knowing what to look for. Now you do.