Free Domain Security Check Tools: A Comparison for UK Businesses

Comparing the best free domain security check tools — SSL Labs, MXToolbox, Google Admin Toolbox, Mozilla Observatory, and VP Shield — so you can choose the right one for your needs.

20 April 2026 · 6 min read · #domain security #free tools #SSL Labs

The free tool landscape

A number of well-established free tools exist for checking different aspects of domain security. Most cover one area well; few cover everything in a single scan. Here is how the main options compare.

Qualys SSL Labs

What it checks: TLS configuration in exhaustive detail — protocol versions, cipher suites, certificate chain, HSTS, key exchange strength, handshake simulation across dozens of browsers.

Strengths: The industry gold standard for TLS grading. The A+ rating from SSL Labs is referenced in procurement questionnaires and compliance frameworks. Detailed enough to diagnose exactly which cipher or protocol is dragging your grade down.

Limitations: Covers only TLS. No email authentication, no DNS hygiene, no security headers (beyond HSTS). Scans are public by default. Can take several minutes.

Mozilla Observatory

What it checks: HTTP security headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Subresource Integrity. Also checks cookies.

Strengths: Excellent at explaining header requirements and grading. Specific, actionable recommendations.

Limitations: Headers only. Does not check TLS beyond HSTS, no email authentication, no DNS.

MXToolbox

What it checks: MX records, blacklists, SPF, DMARC, DKIM (with a known selector). Also has individual lookup tools for DNS records.

Strengths: Excellent for email-specific diagnostics. Blacklist checking across dozens of lists is useful for deliverability troubleshooting.

Limitations: Separate tools for each check rather than a combined view. No TLS grading, limited security header checking.

Google Admin Toolbox — Dig

What it checks: DNS record lookup from Google's resolvers. Useful for verifying how Google sees your DNS records — especially important since Gmail uses Google's resolvers for DMARC evaluation.

Strengths: Authoritative view from Google's perspective. Useful for debugging SPF/DMARC issues where your ISP's resolver may be returning different results.

Limitations: A lookup tool, not a scanner. No scoring, no consolidated view.

Hardenize

What it checks: Comprehensive — TLS, email authentication, security headers, certificate transparency, HPKP, CAA. Good breadth.

Strengths: Most comprehensive single-scan tool. Good visual presentation.

Limitations: The free tier is rate-limited and scans are public. Less well known than SSL Labs or MXToolbox.

VP Shield

What it checks: Six checks in a single scan: DNS hygiene (dangling CNAMEs, CAA records, nameserver consistency), TLS grade (SSL Labs-equivalent), email authentication (SPF, DKIM, DMARC policy and alignment), HTTP security headers (Mozilla Observatory-equivalent), subdomain takeover risk, and email spoofing exposure.

Strengths: Consolidated — one scan covers everything the specialist tools cover individually. No login, no install, results in under two minutes. Designed for UK SMBs who want a complete picture without switching between six different tools.

Built for: Organisations that want a complete posture assessment, pre-certification checks, supplier due diligence, or ongoing monitoring of their primary domain and subdomain portfolio.

Which tool should you use?

For deep TLS diagnostics, SSL Labs remains the reference. For email troubleshooting, MXToolbox's individual tools are hard to beat. For a complete passive posture assessment in one scan with no signup, VP Shield covers everything.

Check your domain security now

VP Shield runs a free passive scan on any domain — DNS, TLS, email authentication, security headers, subdomain takeover risk. No login, no install, two minutes.