Skip to main content

Issue resolution and parked domains

Mark Glinski
  • Updated

In this article:

    Note: This article only concerns findings in the Application Security factor.

    Parked domains can be defined as domains that are not in use. For example, you may have purchased them to reserve them for future use, so that they cannot be used maliciously, or they are not in use anymore.

    The domains were parked where they were purchased, with the various hosting vendors. There is no data on them. They display a default "parked" page created by the hosting vendor to shows that they are not in use.

    https://www.m3aawg.org/sites/default/files/m3aawg_parked_domains_bp-2015-12.pdf

    Rules for parked domains and issue resolution

    • If the parked domain resolves to any site other than a third-party provider such as GoDaddy, that site must have HTTPS. SecurityScorecard would not accept refutes in the HTTPS category if the domains resolved.

    • The parked domain must not redirect to an active website. If the parked domain redirects to the company site, the issues will not be allowed for removal.
      (Valid parked domain: Domain Register page is served)
      (Invalid parked domain: Redirection to a the main company site)

    • If there is a name server configured on the parked domain, it must have an SPF record with the
      v=spf1 -all flag. 

    • If there is no name server configured on the parked domain, SecurityScorecard will accept resolution on the SPF record finding.
    • There are no active subdomains on the parked domain.
    • There must be no DNS mail exchange (MX) record associated with the domain.

    • Correctly attributed parked domains will not be removed from the Scorecard Digital Footprint, but they do not negatively impact your score.

    If all the above conditions are met, the current policies by SecurityScorecard only allow the removal of issues under Application Security category for the domains in question.

    SecurityScorecard recommends having security headers in place but for parked assets, this is not mandatory.

    Compensating control

    We recommend implementing HTTP strict transport security (HSTS) on the target domain, and we will accept that as a compensating control for the submitted IP or domain in your resolution request. Afterward the findings will no longer appear for that asset.

    Note: The finding will still show up for new assets not yet submitted with a compensating control.

    Related articles