Domain Security

Domain security for DNS, SSL, email, and phishing

Fencer scans your domains daily for DNS misconfigurations, expiring SSL certificates, email authentication failures, lookalike phishing domains, and subdomain exposure. One scan, six layers of coverage.

Why Fencer?

Everything attached to your domain, checked daily

Works in Minutes, Not Months

Add your domain, verify ownership with a TXT record, and Fencer runs a full domain security scan. No agents, no configuration, no security engineer required.

6 layers in a single scan

Most teams use separate tools for SSL monitoring, DMARC, and subdomains. Fencer covers all of it in one scan, updated daily, with findings in one place.

Your Full Security Foundation

Domain security is one part of Fencer's complete security platform. Application security, cloud, identity, endpoint, and monitoring all in one place.

Capabilities

Domain security for startups

DNS monitoring

DNS record inventory and health monitoring

Every domain scan runs a full DNS enumeration, collecting all A, AAAA, MX, NS, TXT, CAA, and other record types. Fencer surfaces unexpected records, flags missing security configurations like DNSSEC, and tracks changes across daily scans.

  • Full record inventory: A, AAAA, CNAME, MX, NS, TXT, SOA, and CAA records enumerated on every scan
  • DNSSEC status: Checked and flagged if not configured
  • CAA records: Verified so only authorized certificate authorities can issue certificates for the domain
  • Daily scheduled scans: Scans run automatically every day and can be triggered manually at any time

SSL/TLS analysis

SSL/TLS certificate analysis across all subdomains

For every HTTPS endpoint discovered on your domain, Fencer checks certificate health, supported TLS versions, cipher suite configuration, and known SSL vulnerabilities. Certificates expiring within 30 days are flagged automatically so you can renew before anything breaks.

  • Certificate health: Issuer, expiry date, key size, and algorithm for every HTTPS endpoint
  • Expiry warnings: Certificates expiring within 30 days highlighted so you can renew proactively
  • SSL vulnerability checks: Heartbleed, ROBOT, LOGJAM, POODLE, CCS Injection, DROWN, and weak DH parameters
  • Weak cipher detection: Deprecated or insecure cipher suites flagged for remediation
  • Letter grade scoring: Each endpoint receives an SSL security score for quick assessment

Email security

Email security validation for SPF, DMARC, and DKIM

Fencer validates SPF, DMARC, and MX records for every scanned domain and checks whether the domain or its IP addresses appear on spam blacklists. An overall email security status is computed and displayed with each specific failing check listed for remediation.

  • SPF validation: Checks for a valid SPF record and flags syntax errors and over-permissive configurations
  • DMARC validation: Flags missing records and weak policies — a p=none DMARC policy offers no real protection
  • MX record validation: Verifies mail exchange records are correctly configured
  • DNSBL blacklist checking: Domain and associated IPs checked against multiple blacklist providers
  • Overall status: Success, Warning (one issue), or Error (two or more issues, or blacklist hit)
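
The checks and status rule listed above can be sketched as follows. This is an added example, not Fencer's code: the function names, the issue wording, and the sample records in the test data are constructed, and the records are passed in as strings so the logic runs without DNS access.

```python
def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags

def spf_issues(txt_records):
    """Check the domain's TXT records for a single, non-permissive SPF record."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF: no record"]
    if len(spf) > 1:
        return ["SPF: multiple records (permerror under RFC 7208)"]
    terms = spf[0].lower().split()[1:]
    if "+all" in terms or "all" in terms:
        return ["SPF: 'all' with pass qualifier authorizes every sender"]
    return []

def dmarc_issues(dmarc_txt):
    """Check the TXT records published at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not recs:
        return ["DMARC: no record"]
    policy = parse_tags(recs[0]).get("p")
    if policy not in ("none", "quarantine", "reject"):
        return ["DMARC: missing or invalid p= tag"]
    if policy == "none":
        return ["DMARC: p=none is monitor-only, spoofed mail is still delivered"]
    return []

def email_status(txt, dmarc_txt, mx_hosts, blacklisted):
    """Apply the page's rule: one issue is Warning; two or more, or a blacklist hit, is Error."""
    issues = spf_issues(txt) + dmarc_issues(dmarc_txt)
    if not mx_hosts:
        issues.append("MX: no mail exchanger published")
    if blacklisted:
        issues.append("DNSBL: domain or IP is listed")
    if blacklisted or len(issues) >= 2:
        return "Error", issues
    return ("Warning" if issues else "Success"), issues
```
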
Phishing detection

Lookalike domain and phishing detection

Fencer automatically generates permutations of your registered domains and checks which are registered and resolving. Lookalike domains that could be used to impersonate you are surfaced as findings before your customers encounter them.

  • Automated permutation detection: Typosquatting, character substitution, homoglyphs, and suffix variations checked automatically
  • Live resolution filtering: Only domains that are registered and actively resolving are surfaced, reducing noise
  • Owned domain exclusions: Domains already verified in Fencer are automatically excluded from phishing alerts
  • Vulnerability pipeline integration: Phishing domain findings flow into the standard findings workflow for tracking and assignment
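
A minimal version of this monitoring pipeline for your own domain, as an added example that is not Fencer's implementation. The homoglyph map, suffix list, and function names are constructed for illustration, and the resolver is passed in so the filtering can be exercised offline; a DNS lookup only shows that a name resolves, so confirming registration would need a separate WHOIS or RDAP query.

```python
import socket

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "m": "rn"}  # small constructed map
SUFFIXES = ["com", "net", "org", "co", "io"]                      # constructed sample list

def permutations(domain):
    """Generate lookalike candidates for a 'label.tld' domain you own."""
    label, tld = domain.lower().split(".", 1)
    labels = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])                      # omitted character
        labels.add(label[:i] + ch + label[i:])                     # repeated character
        if i + 1 < len(label):                                     # swapped neighbours
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        if ch in HOMOGLYPHS:                                       # character substitution
            labels.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    names = {f"{l}.{tld}" for l in labels if l and l != label}
    names |= {f"{label}.{s}" for s in SUFFIXES if s != tld}        # suffix variations
    return names

def dns_resolves(name):
    """Default live check: True if the name currently resolves to any address."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False

def lookalike_findings(domain, owned, resolves=dns_resolves):
    """Keep only candidates that resolve and are not already verified as owned."""
    owned = {d.lower() for d in owned}
    return sorted(c for c in permutations(domain)
                  if c not in owned and resolves(c))
```
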
Subdomain and WHOIS

Subdomain discovery and WHOIS expiry monitoring

Fencer discovers subdomains using both passive and active enumeration, then inventories each with its CDN, tech stack, IP address, and last-checked date. WHOIS data tracks domain expiry with days-until-renewal calculated automatically.

  • Passive and active enumeration: Certificate transparency logs and DNS brute-forcing combined for comprehensive discovery
  • Tech stack fingerprinting: CDN, framework, and technology stack identified per subdomain
  • Shadow IT detection: An unexpected subdomain count can indicate forgotten services or misconfigured wildcard DNS
  • WHOIS expiry tracking: Days until domain expiry calculated and flagged when renewal is approaching

Use Cases

What can you do with Fencer's domain security capabilities?

Find out if someone is impersonating your domain

Attackers register lookalike domains to phish your customers and employees. Fencer finds them automatically, updated daily, before anyone reports one.

Never get caught by an expiring SSL certificate

Fencer flags certificates expiring within 30 days across all your subdomains. Renewal reminders before the disruption, not after.

Prove your email security configuration to auditors

SOC 2 auditors and enterprise prospects ask about DMARC, SPF, and email authentication controls. Fencer's daily scan history gives you a documented, auditable answer.

Inventory every subdomain you own

Shadow IT and forgotten services accumulate over time. Fencer's subdomain discovery runs on every scan and surfaces anything resolving under your domain.

"Fencer found potential name squatters on our domain. That's not something you'd think to look for, but it could really be a problem."

— Ben Papillon
CTO & Co-founder, Schematic
