
CertWatch: complete domain and email security monitoring in 25+ validators

June 27, 2026 · certwatch, security, tls, monitoring, dns, devtools

The first CertWatch post covered 18 validators. Since then the list has grown. Here's the complete picture: 25+ validators across SSL/TLS, DNS, email security, HTTP security, and infrastructure exposure — 1,296 tests, all passing.

SSL and TLS

SSL certificate chain validator — verifies the full chain from leaf to root: expiry dates, hostname matching, intermediate certs present, chain ordering correct. Flags chains within 30 days of expiry.

TLS version scanner — checks which TLS versions the server accepts. TLS 1.0 and 1.1 are deprecated (RFC 8996), and SSLv3 should be long gone. Flags any host still accepting connections on end-of-life versions.

TLS fingerprinting (tls_fingerprint.py) — fingerprints the TLS handshake in the JA3 family. Strictly, JA3 hashes the client's ClientHello (version, cipher suites, extension types, supported groups, point formats); the server-side variant, JA3S, hashes the ServerHello's version, chosen cipher and extensions, and that is the value that moves when a CDN or load balancer changes its TLS configuration. The fingerprint is stable for a given software stack and changes on upgrades or misconfigurations, which also makes it a quick check that staging and production run matching TLS stacks.
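As an added example (not CertWatch code), here is the JA3 recipe applied to a raw ClientHello record: parse out the five fields, drop GREASE values, join them and MD5 the result. The ClientHello bytes are constructed in the block rather than captured; the hostname and the cipher/extension choices are arbitrary. JA3S for the server side follows the same pattern on the ServerHello's version, cipher and extension list.

```python
"""JA3 from a raw TLS ClientHello.

Added example for this post, not CertWatch code. JA3 hashes five fields of the
client's ClientHello: protocol version, cipher suites, extension types,
supported groups and EC point formats. Each list is joined with '-', the
fields with ',', and the string is MD5'd. GREASE values (0x0a0a, 0x1a1a, ...
0xfafa) are dropped first, as the reference implementation does. The
ClientHello below is constructed, not captured.
"""
from __future__ import annotations

import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}


def _u16(buf: bytes, pos: int) -> int:
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def _u16_list(buf: bytes) -> list[int]:
    return list(struct.unpack(f"!{len(buf) // 2}H", buf))


def parse_client_hello(record: bytes) -> dict:
    """Pull the JA3 fields out of a TLS record that carries a ClientHello."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                      # skip record header: type(1) version(2) length(2)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4                              # skip handshake header: type(1) length(3)
    version = _u16(hs, pos)
    pos += 2 + 32                        # client_version, random
    pos += 1 + hs[pos]                   # session_id (length-prefixed)
    cs_len = _u16(hs, pos)
    ciphers = _u16_list(hs[pos + 2:pos + 2 + cs_len])
    pos += 2 + cs_len
    pos += 1 + hs[pos]                   # compression_methods (length-prefixed)
    ext_types, groups, formats = [], [], []
    if pos < len(hs):
        end = pos + 2 + _u16(hs, pos)
        pos += 2
        while pos < end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            body = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            ext_types.append(etype)
            if etype == 0x000A:          # supported_groups: u16 list length, then u16 groups
                groups = _u16_list(body[2:2 + _u16(body, 0)])
            elif etype == 0x000B:        # ec_point_formats: u8 list length, then u8 formats
                formats = list(body[1:1 + body[0]])
    return {"version": version, "ciphers": ciphers, "extensions": ext_types,
            "groups": groups, "formats": formats}


def ja3_string(fields: dict) -> str:
    def clean(values: list[int]) -> str:
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(fields["version"]), clean(fields["ciphers"]),
                     clean(fields["extensions"]), clean(fields["groups"]),
                     "-".join(str(f) for f in fields["formats"])])


def ja3(record: bytes) -> tuple[str, str]:
    """Return (ja3_string, ja3_md5_hex) for a ClientHello record."""
    s = ja3_string(parse_client_hello(record))
    return s, hashlib.md5(s.encode()).hexdigest()


def build_sample_client_hello() -> bytes:
    """Constructed TLS 1.3-style ClientHello with one GREASE cipher, one GREASE
    group and one GREASE extension, so the filtering is exercised."""
    def ext(etype: int, body: bytes) -> bytes:
        return struct.pack("!HH", etype, len(body)) + body
    ciphers = struct.pack("!4H", 0x1A1A, 0x1301, 0x1302, 0xC02B)
    groups = struct.pack("!3H", 0x2A2A, 0x001D, 0x0017)
    exts = (ext(0x0000, b"\x00\x0e\x00\x00\x0bexample.com")            # server_name
            + ext(0x000A, struct.pack("!H", len(groups)) + groups)      # supported_groups
            + ext(0x000B, b"\x01\x00")                                  # ec_point_formats: uncompressed
            + ext(0x3A3A, b"")                                          # GREASE extension
            + ext(0x002B, b"\x02\x03\x04"))                             # supported_versions: TLS 1.3
    body = (b"\x03\x03" + bytes(32) + b"\x00"                           # version, random, empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00"                                               # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(ja3(build_sample_client_hello()))
```

The pre-hash string for the constructed hello is `771,4865-4866-49195,0-10-11-43,29-23,0`; GREASE entries never appear in it, which is what keeps the fingerprint stable across Chrome's per-connection randomisation of those values.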

Cipher suite auditor — evaluates the cipher suite list for deprecated or weak ciphers (RC4, DES, 3DES, export ciphers, anonymous suites). Reports a pass/fail with the specific offending ciphers listed.

OCSP stapling checker — verifies that the server staples a fresh OCSP response in the TLS handshake. Without stapling, a client that checks revocation has to query the CA's OCSP responder itself: slower, and it tells the CA which sites the user is visiting. Several browsers skip the live query altogether, so an unstapled, revoked certificate may simply go unnoticed.

Certificate Transparency log monitor (ct_monitor.py) — watches for new certificates issued for your domains in CT logs. An unexpected issuance against your domain is an early sign of potential domain takeover or unauthorized certificate issuance.

DNS and domain health

DNS propagation checker — verifies that a DNS change has propagated to all major resolvers (8.8.8.8, 1.1.1.1, 9.9.9.9, and a selection of regional resolvers). Useful after a nameserver migration or TTL change.

DNSSEC monitor (dnssec_monitor.py) — checks that DNSSEC is properly configured: DS records published in the parent zone (submitted through your registrar), DNSKEY records at the authoritative server, RRSIG signatures valid and not expired, chain of trust intact from the root down.

CAA record checker (caa_checker.py) + CAA monitor (caa_monitor.py) — verifies that CAA records are present and limit certificate issuance to your intended CAs. Without CAA, any publicly trusted CA can issue for your domain to whoever passes its domain validation. With CAA misconfigured, the CA you actually use may be blocked and the next renewal fails. CAs are required to check CAA at issuance time under the CA/Browser Forum Baseline Requirements, so the record is enforced whether or not anyone is watching it.
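The "would my CA be refused?" question is what a monitor actually needs to answer, and RFC 8659 has a few rules that trip people up: the lookup climbs to the parent if the name has no CAA, a bare `;` means nobody may issue, `issuewild` overrides `issue` only for wildcard names, and an unknown tag with the critical flag set forbids issuance outright. This added example (not CertWatch code) implements those rules over a constructed in-memory zone that stands in for the DNS lookups; all names and CA identifiers in it are made up for illustration.

```python
"""Does CAA permit a given CA to issue for a name? RFC 8659 semantics.

Added example for this post, not CertWatch code. The zone below is a
constructed dict {owner: [(flags, tag, value), ...]} standing in for the DNS
lookups a real checker performs.
"""
from __future__ import annotations

CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef", "contactemail", "contactphone"}


def relevant_caa(zone: dict, name: str) -> list[tuple[int, str, str]]:
    """RFC 8659 section 3: use the CAA RRset at the name, or at the closest
    parent that has one. A leading '*.' is dropped first."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    while labels:
        rrset = zone.get(".".join(labels))
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; validationmethods=dns-01' -> 'letsencrypt.org'.
    A bare ';' yields '', which matches no CA: 'nobody may issue'."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(zone: dict, name: str, ca: str) -> bool:
    rrset = relevant_caa(zone, name)
    if not rrset:
        return True                      # no CAA up the tree: issuance unrestricted
    # An unrecognised tag with the critical flag set forbids issuance (section 4.1).
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # Wildcard names use issuewild when any is present, else fall back to issue
    # (section 4.3); non-wildcard names ignore issuewild entirely.
    applicable = issuewild if (name.startswith("*.") and issuewild) else issue
    if not applicable:
        return True                      # CAA present (e.g. only iodef) but nothing restricts issuance
    return ca.lower() in {issuer_domain(v) for v in applicable}


def audit_renewal(zone: dict, names: list[str], ca: str) -> list[str]:
    """The monitor's question: which of these names would my CA refuse to issue for?"""
    return [n for n in names if not caa_permits(zone, n, ca)]


# Constructed zone data (names and CA identifiers are illustrative).
SAMPLE_ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "pki.goog; cansignhttpexchanges=yes"),
        (0, "issuewild", ";"),                                   # no wildcard certs from anyone
        (0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [(0, "iodef", "mailto:ops@example.com")],  # CAA present, unrestricted
    "locked.example.com": [(CRITICAL, "policy", "strict")],          # unknown critical tag
}

MONITORED = ["example.com", "www.example.com", "*.example.com",
             "legacy.example.com", "locked.example.com"]

if __name__ == "__main__":
    print(audit_renewal(SAMPLE_ZONE, MONITORED, "letsencrypt.org"))
```

Note what the `legacy.example.com` case shows: the presence of any CAA RRset stops the climb, so a child that publishes only an `iodef` record is unrestricted even though its parent is locked down.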

WHOIS/RDAP monitor (whois_monitor.py, rdap.py) — tracks domain registration data for changes: expiry date (flags < 30 days), registrar changes, nameserver changes, contact changes. RDAP is the modern WHOIS replacement with structured JSON output; CertWatch checks both.

MX record validator (mx_validator.py) — verifies that MX records resolve, have valid hostnames (not IP addresses), have proper PTR records, and are reachable on port 25. A broken MX configuration means you're not receiving email.

DNS blacklist monitor (dnsbl_monitor.py) — checks your sending IPs against 30+ DNS blacklists (Spamhaus, SORBS, Barracuda, URIBL, and more; URIBL is a domain list rather than an IP list). A listing means receiving servers that consult that list reject or silently drop your outbound mail. CertWatch runs this daily and alerts on any new listings.

Subdomain takeover detector (subdomain_takeover.py) — scans your DNS records for CNAME entries pointing at cloud services that may have been deprovisioned. Classic pattern: a developer points staging.example.com → company-old-staging.s3-website.amazonaws.com, decommissions the bucket, and forgets the CNAME. An attacker creates a bucket with that name and serves content from your subdomain, and any cookies scoped to example.com come along with it. CertWatch flags CNAME targets on common cloud provider domains that return 404s. A bare 404 is a noisy signal on its own; the reliable indicator is the provider's own "no such resource" response (for S3, the NoSuchBucket error body) or an NXDOMAIN for the CNAME target itself.

HTTP security headers

HSTS checker (hsts_checker.py) — verifies the Strict-Transport-Security header is present, has a max-age of at least one year (31536000 seconds), and includes includeSubDomains. Flags missing or weak HSTS. Browsers ignore the header on plain HTTP responses, so the check has to be made against the HTTPS response, not the redirect.

HSTS preload status — checks whether the domain is in the HSTS preload list (the browser-shipped list of domains that must always use HTTPS). Separate from the header check — preloading requires submitting to hstspreload.org and waiting for inclusion.

HTTP security headers (http_headers.py) — scans for a full set of security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy. Reports which are missing and which are present but misconfigured.

Content Security Policy analyzer — checks for the CSP header, analyzes the policy for dangerous directives (unsafe-inline, unsafe-eval, wildcard * in script-src), and reports a CSP score. A permissive CSP defeats the purpose of having one.
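The analysis has more nuance than grepping for `unsafe-inline`: a nonce or hash in `script-src` makes CSP3 browsers ignore `'unsafe-inline'`, `'strict-dynamic'` makes the host allowlist irrelevant, and most fetch directives fall back to `default-src` while `base-uri` does not. This added example (not CertWatch code) parses a policy the way browsers do and applies those rules; the two headers are constructed and the 0 to 100 score is an illustrative weighting of my own, not a standard.

```python
"""Parse a Content-Security-Policy header and flag what lets injected script run.

Added example for this post, not CertWatch code. The policies at the bottom are
constructed; the 0-100 score is an illustrative weighting, not a standard.
"""
from __future__ import annotations

SCRIPT_WILDCARDS = {"*", "http:", "https:", "data:", "blob:"}
NO_FALLBACK = {"frame-ancestors", "base-uri", "form-action", "sandbox"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """"script-src 'self' cdn.example; object-src 'none'" -> {directive: [sources]}.
    Names and keywords are ASCII case-insensitive; browsers keep the first
    occurrence of a repeated directive, so the parser does the same."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def effective(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Fetch directives fall back to default-src when absent; NO_FALLBACK ones never do."""
    if directive in policy:
        return policy[directive]
    if directive in NO_FALLBACK:
        return None
    return policy.get("default-src")


def analyze_csp(header: str) -> dict:
    policy = parse_csp(header)
    findings: list[str] = []

    script = effective(policy, "script-src")
    if script is None:
        findings.append("no script-src and no default-src: script allowed from anywhere")
    else:
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
        # CSP3: once a nonce or hash is present, browsers ignore 'unsafe-inline'
        # (it stays only as a fallback for CSP2 clients), so that pairing is fine.
        if "'unsafe-inline'" in script and not nonce_or_hash:
            findings.append("script-src 'unsafe-inline' without nonce/hash: inline XSS executes")
        if "'unsafe-eval'" in script:
            findings.append("script-src 'unsafe-eval': eval()/Function() allowed")
        # With 'strict-dynamic' the host/scheme allowlist is ignored, so a wildcard
        # beside it is harmless; without it, a wildcard is a bypass.
        if "'strict-dynamic'" not in script and SCRIPT_WILDCARDS & set(script):
            findings.append("script-src wildcard or bare scheme: any host can supply script")

    objects = effective(policy, "object-src")
    if objects != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can carry script")

    base = effective(policy, "base-uri")
    if base is None or not set(base) <= {"'self'", "'none'"}:
        findings.append("base-uri not restricted: an injected <base> retargets relative script URLs")

    return {"policy": policy, "findings": findings, "score": max(0, 100 - 25 * len(findings))}


# Constructed headers.
WEAK_CSP = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
STRICT_CSP = ("default-src 'self'; script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; "
              "object-src 'none'; base-uri 'none'")

if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        report = analyze_csp(header)
        print(label, report["score"], *report["findings"], sep="\n  ")
```

The strict header deliberately contains `'unsafe-inline'` and `https:` and still scores clean: both are the recommended fallbacks for older browsers and are inert once a nonce and `'strict-dynamic'` are present.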

Mixed content scanner — crawls the landing page and checks all subresources (images, scripts, stylesheets, fonts) for HTTP URLs loaded on an HTTPS page. Modern browsers block active mixed content (scripts, stylesheets, frames) outright and auto-upgrade passive content such as images to HTTPS, blocking it if the upgrade fails; users see broken images or a degraded experience.

Redirect and URL integrity

HTTP redirect chain (http_redirect_chain.py, redirect_scanner.py) — follows the complete redirect chain from HTTP to HTTPS and flags: redirect loops, intermediate stops on HTTP URLs, excessive chain length (> 3 hops adds latency), final destination on wrong domain.

Subresource Integrity checker (sri_checker.py) — scans HTML for <script> and <link> tags loading from CDNs without integrity attributes. SRI lets browsers verify that the CDN-served file hasn't been tampered with. Without it, a compromised CDN can serve malicious JS to your users.
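Two details matter for this check that are easy to miss: a cross-origin resource with `integrity` but no `crossorigin` attribute is fetched opaquely, so the browser cannot verify the hash and refuses to load it at all; and when several hashes are listed, only the strongest algorithm counts. This added example (not CertWatch code) scans a constructed page for both conditions and computes and verifies integrity values the way the browser does, using only the standard library. The HTML and the "CDN" file body are made up inline.

```python
"""Find cross-origin scripts and stylesheets without Subresource Integrity, and
compute/verify integrity values.

Added example for this post, not CertWatch code. The HTML page and the
'CDN-served' file body are constructed inline.
"""
from __future__ import annotations

import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


class SRIScanner(HTMLParser):
    """Collect external <script src> and <link rel=stylesheet href> tags and sort
    them into: missing integrity, integrity without CORS, or covered."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.missing: list[str] = []
        self.no_cors: list[str] = []
        self.covered: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}      # valueless attrs (crossorigin) become ""
        if tag == "script" and a.get("src"):
            url = a["src"]
        elif tag == "link" and a.get("href") and "stylesheet" in a.get("rel", "").lower().split():
            url = a["href"]
        else:
            return
        host = urlparse(url).hostname                      # '//cdn.example.net/x.js' parses too
        if not host or host.lower() == self.page_host:
            return                                         # same-origin: not the CDN-compromise case
        if not a.get("integrity"):
            self.missing.append(url)
        elif "crossorigin" not in a:
            # Opaque (no-cors) response: the browser cannot compare the digest and
            # blocks the resource, so this is a breakage finding, not a security one.
            self.no_cors.append(url)
        else:
            self.covered.append((url, a["integrity"]))


def scan_html(html: str, page_host: str) -> SRIScanner:
    scanner = SRIScanner(page_host)
    scanner.feed(html)
    return scanner


def integrity_for(body: bytes, algo: str = "sha384") -> str:
    """The value to put in integrity="...": '<algo>-<base64 digest>'."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"


def integrity_matches(body: bytes, attr: str) -> bool:
    """Browser rule: of the algorithms listed, only the strongest count, and the
    resource passes if any digest for that algorithm matches."""
    parsed = []
    for token in attr.split():
        algo, _, digest = token.partition("-")
        if algo in STRENGTH:
            parsed.append((STRENGTH[algo], algo, digest.split("?")[0]))   # strip '?options' suffix
    if not parsed:
        return True   # no recognised algorithm: browsers load the resource unchecked
    best = max(strength for strength, _, _ in parsed)
    return any(integrity_for(body, algo) == f"{algo}-{digest}"
               for strength, algo, digest in parsed if strength == best)


# Constructed page.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.net/lib.js"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="//cdn.example.net/site.css"
      integrity="sha384-placeholder" crossorigin="anonymous">
<script src="https://cdn.example.net/vendor.js" integrity="sha256-placeholder"></script>
</head></html>"""

if __name__ == "__main__":
    report = scan_html(SAMPLE_HTML, "www.example.com")
    print("missing integrity:", report.missing)
    print("integrity but no crossorigin:", report.no_cors)
    print("suggested:", integrity_for(b"console.log('hi')"))
```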

Email authentication

Email security monitor (email_security.py) — a combined check for the full email authentication stack.

DKIM validator (dkim_validator.py) — deeper DKIM check: key length (1024-bit keys should be rotated to 2048+), algorithm (RSA vs Ed25519), TTL, selector enumeration across common patterns.
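Reading the key length out of a DKIM record means decoding the `p=` value, which for RSA is a DER-encoded SubjectPublicKeyInfo, and measuring the modulus. This added example (not CertWatch code) does that with a minimal DER walker and no third-party library, and also handles the other record shapes a validator meets: `k=ed25519` (32 raw key bytes, not an SPKI), an empty `p=` meaning the key is revoked, and the `t=y` testing flag. The records are constructed: the RSA keys are synthetic moduli wrapped in valid DER so the structure can be shown without a real key, and the Ed25519 key is placeholder bytes.

```python
"""Inspect a DKIM public-key TXT record: tags, algorithm and RSA modulus size.

Added example for this post, not CertWatch code. No external library: the
SubjectPublicKeyInfo is walked with a minimal DER reader. The records are
constructed; the RSA keys are synthetic moduli wrapped in valid DER so the
structure can be shown without a real key, and the Ed25519 key is 32
placeholder bytes.
"""
from __future__ import annotations

import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")        # 1.2.840.113549.1.1.1 rsaEncryption


def parse_dkim_record(txt: str) -> dict[str, str]:
    """'v=DKIM1; k=rsa; p=MIIB...' -> {'v': 'DKIM1', 'k': 'rsa', 'p': 'MIIB...'}.
    Whitespace inside a value is insignificant (RFC 6376 s3.6.1), so a p= split
    across TXT strings reassembles cleanly."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = "".join(value.split())
    return tags


def der_read(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                 # long form: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki: bytes) -> int:
    """SPKI = SEQ { SEQ { OID rsaEncryption, NULL }, BIT STRING { SEQ { INT n, INT e } } }."""
    tag, spki_body, _ = der_read(spki)
    if tag != 0x30:
        raise ValueError("SPKI is not a SEQUENCE")
    _, algid, pos = der_read(spki_body)
    _, oid, _ = der_read(algid)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = der_read(spki_body, pos)
    if tag != 0x03 or bitstr[0] != 0x00:
        raise ValueError("malformed BIT STRING")
    _, rsakey, _ = der_read(bitstr, 1)                # skip the unused-bits byte
    _, modulus, _ = der_read(rsakey)                  # first INTEGER is n
    return int.from_bytes(modulus, "big").bit_length()


def check_dkim_key(txt: str) -> dict:
    tags = parse_dkim_record(txt)
    result = {"algorithm": tags.get("k", "rsa"), "testing": "y" in tags.get("t", "").split(":")}
    if not tags.get("p"):
        return {**result, "bits": 0, "status": "revoked"}    # empty p= means the key is revoked
    key = base64.b64decode(tags["p"])
    if result["algorithm"] == "ed25519":
        # Ed25519 DKIM keys are the 32 raw public-key bytes, not an SPKI.
        return {**result, "bits": len(key) * 8, "status": "ok" if len(key) == 32 else "malformed"}
    bits = rsa_modulus_bits(key)
    return {**result, "bits": bits, "status": "ok" if bits >= 2048 else "weak"}


# --- constructed test data ---------------------------------------------------
def _der(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nbytes]) + n.to_bytes(nbytes, "big")
    return bytes([tag]) + length + value


def synthetic_rsa_spki(bits: int) -> bytes:
    """A syntactically valid rsaEncryption SPKI around a fake modulus of exactly
    `bits` bits (top bit set; the leading 0x00 keeps the INTEGER positive)."""
    modulus = b"\x00\x80" + b"\xab" * (bits // 8 - 1)
    rsakey = _der(0x30, _der(0x02, modulus) + _der(0x02, b"\x01\x00\x01"))
    algid = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, algid + _der(0x03, b"\x00" + rsakey))


def sample_record(kind: str) -> str:
    if kind == "rsa1024":
        return "v=DKIM1; k=rsa; t=y; p=" + base64.b64encode(synthetic_rsa_spki(1024)).decode()
    if kind == "rsa2048":
        return "v=DKIM1; k=rsa; p=" + base64.b64encode(synthetic_rsa_spki(2048)).decode()
    if kind == "ed25519":
        return "v=DKIM1; k=ed25519; p=" + base64.b64encode(b"\x11" * 32).decode()
    return "v=DKIM1; p="                              # revoked selector


if __name__ == "__main__":
    for kind in ("rsa1024", "rsa2048", "ed25519", "revoked"):
        print(kind, check_dkim_key(sample_record(kind)))
```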

BIMI validator (bimi_validator.py) — Brand Indicators for Message Identification. BIMI lets email clients (Gmail, Apple Mail) show your verified brand logo next to messages. CertWatch validates the BIMI record, checks that the VMC (Verified Mark Certificate) is present for major providers that require it, and verifies the logo URL is reachable and returns valid SVG.

Infrastructure exposure

Port exposure scanner (port_exposure.py, port_monitor.py) — scans a configurable set of ports for unexpected open services. Flags ports that shouldn't be public: 22 (SSH) on prod web servers, 3306 (MySQL), 5432 (Postgres), 27017 (MongoDB), 6379 (Redis), 9200 (Elasticsearch), 11211 (Memcached). Database ports open to the internet are a finding in almost every security audit.

Uptime monitor (uptime_monitor.py) — HTTP/HTTPS availability check with 30-second interval. Separate from cert monitoring — uptime tracks whether the endpoint responds, cert monitoring tracks whether the TLS configuration is correct. They can diverge: a site can be up but serving an expired cert.

security.txt validator (securitytxt_validator.py) — checks that /.well-known/security.txt exists, is reachable over HTTPS, contains a valid Contact: field, has an Expires: date in the future, and optionally has a PGP-signed version, per RFC 9116. If you want security researchers to be able to report vulnerabilities without guessing who to contact, security.txt is table stakes.
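RFC 9116 is short and the checks are mechanical: at least one Contact, exactly one Expires in RFC 3339 form with a timezone offset that is in the future but not more than a year out, Preferred-Languages at most once, and https for the URL-valued fields. This added example (not CertWatch code) encodes those rules over two constructed files; the clock is passed in so the Expires check is deterministic, and PGP signature verification is out of scope, the parser only skips the clearsign armor.

```python
"""Validate a security.txt body against the RFC 9116 rules a monitor should enforce.

Added example for this post, not CertWatch code. Both files are constructed and
the clock is passed in so the Expires check is deterministic. Signature
verification of a PGP-clearsigned file is out of scope; the parser only skips
the armor so the fields can still be read.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

CONTACT_SCHEMES = ("https://", "mailto:", "tel:")
SINGLE_VALUED = ("expires", "preferred-languages")
HTTPS_ONLY = ("canonical", "policy", "acknowledgments", "hiring")   # Encryption may also be dns: or openpgp4fpr:


def parse_security_txt(body: str) -> tuple[dict[str, list[str]], list[str]]:
    """Return ({field: [values]}, [malformed lines]). Field names are case-
    insensitive, '#' starts a comment, and PGP armor/signature lines are skipped."""
    fields: dict[str, list[str]] = {}
    malformed: list[str] = []
    in_signature = False
    for raw in body.splitlines():
        line = raw.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE-----"):
            in_signature = True
        # 'Hash: ' is the clearsign header that follows the BEGIN PGP SIGNED MESSAGE line.
        if in_signature or not line or line[0] == "#" or line.startswith("-----") or line.startswith("Hash: "):
            continue
        name, sep, value = line.partition(":")
        if not sep or not value.strip():
            malformed.append(raw)
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, malformed


def validate_security_txt(body: str, now: datetime) -> list[str]:
    fields, malformed = parse_security_txt(body)
    findings = [f"malformed line: {line!r}" for line in malformed]

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("Contact is required (at least one)")
    findings += [f"Contact is not an https/mailto/tel URI: {c}" for c in contacts
                 if not c.lower().startswith(CONTACT_SCHEMES)]

    findings += [f"{name} must appear at most once" for name in SINGLE_VALUED
                 if len(fields.get(name, [])) > 1]

    expires = fields.get("expires")
    if not expires:
        findings.append("Expires is required")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            when = None
        if when is None or when.tzinfo is None:
            findings.append(f"Expires is not an RFC 3339 date-time with offset: {expires[0]}")
        elif when <= now:
            findings.append(f"Expires is in the past ({expires[0]}): researchers will treat the file as stale")
        elif when - now > timedelta(days=365):
            findings.append("Expires is more than a year out; RFC 9116 says it SHOULD NOT be")

    findings += [f"{name} URL is not https: {url}" for name in HTTPS_ONLY
                 for url in fields.get(name, []) if not url.lower().startswith("https://")]
    return findings


# Constructed files and a fixed clock.
GOOD = """# Constructed example
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2027-01-15T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Canonical: https://example.com/.well-known/security.txt
Preferred-Languages: en, de
"""

BAD = """Contact: security@example.com
Expires: 2024-01-01T00:00:00Z
Expires: 2030-01-01T00:00:00Z
Policy: http://example.com/policy
Acknowledgments
"""

NOW = datetime(2026, 6, 27, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("good:", validate_security_txt(GOOD, NOW))
    print("bad:", *validate_security_txt(BAD, NOW), sep="\n  ")
```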

Weekly digest

Every Monday, CertWatch sends a domain health summary.

The digest is formatted for a 30-second skim — one grade per category, red/yellow/green indicators, one-liner explanations. It's designed to be readable by a non-technical founder who just wants to know if anything broke.

Current state

1,296 tests across 25+ validators. Each validator is a standalone Lambda cron function with DynamoDB for finding storage. The weekly digest aggregates across all validators and sends via SES.

Pricing target: $9/month (1 domain), $29/month (5 domains), $99/month (50 domains). The first customer use case is obvious: any SaaS company that doesn't want to discover their SSL cert expired at 2 AM when customers start tweeting.

The monitoring stack is built. The deploy is pending. The first customer is an email away.