Help & Guidance

Frequently Asked Questions

Common questions about VP Shield, passive domain security scanning, and email authentication for UK businesses.

About VP Shield

What is VP Shield?
VP Shield is a free passive external attack surface scanner for domain security. It checks DNS hygiene, TLS/SSL grade, email authentication (DMARC, SPF, DKIM), HTTP security headers, subdomain takeover risk, and email spoofing exposure for any domain — no login, no installation, results in under two minutes.
Is VP Shield really free?
Yes. The full six-check passive domain scan is completely free — no account, no credit card, no hidden limits. VantagePoint Networks provides the tool as a public service. Paid services are available for organisations that need written reports, continuous monitoring, or implementation support.
Who built VP Shield?
VP Shield is built by VantagePoint Networks, an independent IT and cybersecurity consultancy based in London with over 25 years of infrastructure experience. VantagePoint Networks provides private AI deployment, network design, cybersecurity consulting, and managed IT services to UK SMBs.
Does VP Shield require any installation or browser extension?
No. VP Shield runs entirely in the browser. There is no software to install, no browser extension, and no app to download. Enter a domain in the text field and results appear within two minutes.

How the Scan Works

What does "passive" scanning mean?
Passive scanning reads only publicly available information — DNS records, published TLS certificates, DMARC policy records, and HTTP headers returned by your web server. No traffic is sent to probe or test your systems. Your servers have no record of the scan. This makes it safe to run on any domain, including domains you do not own.
Does VP Shield send any traffic to the domain I am scanning?
Minimal and only where necessary. VP Shield reads DNS records from public resolvers, checks TLS certificates via public certificate transparency logs and your server's public HTTPS endpoint, and reads publicly returned HTTP headers. It does not port-scan your servers, crawl your website, or send any test payloads.
How long does a scan take?
Most scans complete in 60–90 seconds. Some checks — particularly TLS grading via SSL Labs — can take longer for servers that are slow to respond or have complex cipher suite configurations.
Can I scan any domain or just my own?
You can scan any domain. Passive scanning reads only public information, so no permission is needed from the domain owner. This makes VP Shield useful for supplier due diligence, acquisition target assessment, and competitive intelligence.

Email Authentication

What is DMARC and why does it matter?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a DNS record that tells receiving mail servers what to do when an email fails authentication checks — nothing (p=none), send to spam (p=quarantine), or reject it (p=reject). A DMARC policy of p=reject prevents attackers from sending phishing email that appears to come from your domain.
My domain has a p=none DMARC policy. What does that mean?
A p=none DMARC policy provides no protection — it is monitoring mode only. Spoofed emails claiming to be from your domain are still delivered. The value of p=none is the aggregate reports you receive, which show who is sending email as your domain. Move to p=quarantine then p=reject once you have audited your legitimate mail senders.
What is the difference between SPF, DKIM, and DMARC?
SPF lists the servers authorised to send email for your domain. DKIM adds a cryptographic signature to prove messages are genuine and unaltered. DMARC ties them together — it requires that SPF or DKIM pass and that the authenticated domain matches the visible From: header. All three are needed for complete email authentication.
Can VP Shield check DKIM?
VP Shield checks for common DKIM selector patterns. DKIM selectors are variable (set by your mail provider), so VP Shield checks the most common selectors used by Google Workspace, Microsoft 365, and major email service providers. If your provider uses a custom selector, it may not be detected.

TLS and Security Headers

What is an SSL Labs A+ grade?
An SSL Labs A+ grade indicates that your domain's TLS configuration uses only modern protocols (TLS 1.2 and 1.3), strong cipher suites with forward secrecy, a complete certificate chain, and an HSTS header with at least a 6-month max-age. It is the industry gold standard for HTTPS configuration.
What security headers does VP Shield check?
VP Shield checks: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. It uses Mozilla Observatory methodology to produce a comparable grade.
Will fixing security headers affect my website functionality?
Some headers are safe to add without testing (X-Content-Type-Options: nosniff, Referrer-Policy). HSTS requires all subdomains to support HTTPS before adding includeSubDomains. Content-Security-Policy is the most complex — use report-only mode first. X-Frame-Options and Permissions-Policy are generally safe if you do not embed your pages in iframes.

Getting Help

My domain has issues — can VP Shield fix them for me?
VP Shield identifies and explains the issues. Remediation requires changes to DNS records, web server configuration, or mail provider settings. VantagePoint Networks provides implementation support — from DNS record updates to full DMARC deployment projects. Contact us for a free 20-minute strategy call.
Do you offer domain security monitoring?
VantagePoint Networks provides a managed domain security monitoring service with scheduled scans, change detection alerts, and regular reporting. Contact us for details and pricing.
Can I use VP Shield for Cyber Essentials preparation?
Yes. VP Shield checks several controls relevant to Cyber Essentials — TLS configuration, security headers, DNS hygiene, and unknown internet-facing services (subdomain takeover risk). For a formal Cyber Essentials preparation service including pre-assessment review and remediation support, VantagePoint Networks offers paid services.

Ready to check your domain?

The free VP Shield scan takes under two minutes. No login, no install.

Scan a domain free →Talk to an expert