EXPLAINERS
Decoding your Score
1 – 40 (F)
Mark missed
Sorry – you’ve got a problem. A sub-40 score says you have serious trust issues that need immediate attention. These may already be having a negative impact.
40 – 50 (E – D)
Work to do
Not the worst – but far from the best. Pay close attention to, and then fix, the key issues listed in your Digital Trust Report.
50 – 70 (C – B)
Nearly there
With some polishing and tweaks, your trust score will soon be bulletproof.
70 – 100 (A)
Take a bow
It’s official: users can have confidence that your online presence appears trustworthy.
The big payoff
Proving you’re trustworthy online can deliver big bonuses:
More conversions
Research [1] shows that 19% of users abandon an online purchase solely because they “do not trust the site with their credit card information”. Conversely, greater trust reduces cart abandonment.
Better customer retention
71% of consumers say it’s more important to trust brands today than in the past. 59% will stay loyal to a brand even when offered cheaper alternatives [2].
Higher shareholder returns
A respected study [3] found that high-trust organisations delivered a 286% higher return to shareholders than low-trust organisations.
[1] https://baymard.com/lists/cart-abandonment-rate
[2] 2023 Edelman Trust Barometer, “The Collapse of the Purchase Funnel”
[3] Cited at https://www.forbes.com/sites/rodgerdeanduncan/2018/07/12/the-speed-of-trust-its-a-learnable-skill/
Frequently Asked Questions
Please contact help@digitaltrust.ie if you have any questions about your final score.
Yes, you’ll receive a bespoke Digital Trust Report along with your score. This explains how your score was calculated, highlights weaknesses and suggests possible fixes.
A Digital Trust Mark is awarded for the calendar year in question, after which it must be renewed.
Online, trust has become a vital asset. A Digital Trust Mark is proof you’ve been independently verified by .IE, Ireland’s national domain registry.
Absolutely. Our algorithm scores each factor individually and objectively. It then averages these to reveal your final score as a percentage. To achieve the Digital Trust Mark, you need a score of 60% or higher.
Your Digital Trust score is based on multiple essential factors: website & HTTPS security, secure connection setup, email authenticity, certificate trust, and DNS & domain protection.
In short, every essential that underpins online trust is checked.
Everywhere! If you’re awarded a Digital Trust Mark, you’ll receive electronic files with artwork for use on any public-facing communication: your website, social media accounts, PowerPoint presentations, brochures and posters.
It doesn’t matter whether it’s a .ie, a .com, a .org or any other domain. Maybe you run a small local website. Possibly you have online customers worldwide. Or perhaps you’re a not-for-profit that needs to reach donors.
If you’re online, you can be assessed for a Digital Trust Mark.
Under the Hood
A CAA Record adds protection against impersonators by restricting the Certificate Authorities allowed to issue certificates for your website to just the ones chosen by you. This makes it harder for a fake webpage to pass itself off as yours, and it can additionally notify you of unusual activity, such as someone trying to obtain a certificate that would link a malicious website to your domain, reducing the risk of fake certificates.
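As an added example (not code from .IE or the Digital Trust Mark assessment), the following Python parses a constructed CAA record set for a domain and applies the CAA rules: which CA may issue, whether wildcard issuance is allowed, and where the CA should send reports. The records, CA names and the mailto address are constructed sample values.

```python
# Added example (not .IE's code): parse a domain's CAA record set and decide
# whether a given CA may issue, and whether an iodef reporting contact exists.
# Records and CA names below are constructed sample data.
from dataclasses import dataclass


@dataclass(frozen=True)
class CaaRecord:
    flags: int
    tag: str
    value: str


def parse_caa(lines):
    """Parse presentation-format CAA records, e.g. '0 issue "letsencrypt.org"'."""
    records = []
    for line in lines:
        flags, tag, value = line.split(None, 2)
        records.append(CaaRecord(int(flags), tag.lower(), value.strip().strip('"')))
    return records


def issuance_allowed(records, ca_domain, wildcard=False):
    """RFC 8659 rules: 'issuewild' governs wildcard certificates and falls back
    to 'issue'; no relevant property means no restriction; an empty value
    (written ";") forbids issuance by every CA."""
    tag = "issuewild" if wildcard else "issue"
    relevant = [r for r in records if r.tag == tag]
    if wildcard and not relevant:
        relevant = [r for r in records if r.tag == "issue"]
    if not relevant:
        return True
    for r in relevant:
        ca = r.value.split(";", 1)[0].strip()   # drop parameters after ';'
        if ca and ca.lower() == ca_domain.lower():
            return True
    return False


def report_contacts(records):
    """Where a CA sends notices about refused or suspicious certificate requests."""
    return [r.value for r in records if r.tag == "iodef"]


SAMPLE_CAA = [                      # constructed records for example.ie
    '0 issue "letsencrypt.org"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.ie"',
]
```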
It’s most likely that your domain is part of a group of similar-looking domains, such as “example.ie”, “example.net” or “examplee.ie”, that are not related to your website. One of the reasons to validate identity is to prevent phishing, where your website is impersonated, so it’s very important that your certificate correctly describes your domain.
In the security process, the Cipher Suite is the combination of algorithms that together keep your connection safe. You can have every verification step set up on your connection, but a weak Cipher Suite undoes those efforts, just like placing a vault door on a cardboard safe. A strong Cipher Suite, on the other hand, ensures all the algorithms are correctly implemented throughout the connection.
Renegotiation is necessary to update expired credentials, but it can also be triggered any time a client requests an update. While it was intended to give flexibility, attackers can misuse client-initiated renegotiation to overload the server. Disabling this function is essential to prevent such attacks.
Content Security Policy protects what’s inside the webpage by limiting the sources allowed to load content. Websites often contain third-party scripts, such as advertisements, analytics tools, widgets or similar inputs, through which attackers could inject malicious code.
A DKIM Record strengthens your e-mail security through authentication. It adds digital signatures that prove the legitimate origin of the e-mails sent from your @domain and the integrity of their content.
Additionally, it helps e-mail providers such as @gmail or @outlook identify you as a trusted source, so messages from your domain don’t easily end up in spam folders.
A DMARC Record is implemented to report and classify emails that failed the authentication step and to decide what to do with them. This way, your main email folder only contains trusted messages, and suspicious emails are flagged to prevent attacks.
A DNSKEY Record provides the validation by publishing a pair of Signature Keys used to verify that the addresses come from a legitimate source. Let’s say your ID gets stolen: a good impersonator can still book a flight and validate a boarding pass, but biometric control at security will scan face or fingerprints (the Signature Keys) and detect that they do not match the legitimate owner’s.
Validation processes are always precise: the DNSKEY has to match the officially registered DS Record to be accepted, otherwise it is rejected because your address failed verification, preventing users from reaching your website.
First of all, DNS is the system that indicates your website’s address, but this “path” is not secure by itself, so attackers could give users wrong directions to follow. The DS Record keeps track of the legitimate addresses for your domain, to be compared whenever it is accessed.
Among the choices of algorithm for generating your pair of Keys, ECDH is the recommended option. Its most important feature is how it handles the history of the Keys used: by creating temporary credentials that cannot be recovered once used, it keeps past data safe even if a long-term Key is later compromised.
HTTP is what enables access to websites. The “S” stands for Secure and adds encryption, so the communication is protected from having data stolen. Today, most websites handle sensitive business or personal information, so HTTPS prevents data from being read or modified in transit.
Redirecting to the secure https:// version of the site, which encrypts communication, is the best preventive action. Accessing http:// pages instead exposes all kinds of data to anyone on the path, leaving users vulnerable to attacks, especially on public networks like your local café Wi-Fi or the airport.
Additionally, to have a strong Key Algorithm, it is important to have robust Key Parameters as well. These parameters determine the length and complexity of the generated keys, and it is essential to set them to a high-complexity configuration, because even strong systems can be weak if the settings are too simple.
The OCSP protocol checks the status of your website’s identity, which could, for different reasons, be revoked at some point. Imagine your passport was stolen, damaged or expired and needs replacing: the authorities are informed so that the previous version is no longer valid. Checking this on every visit takes time, so instead of having each visitor request validation, the Stapling mechanism has your server regularly fetch a fresh status and present it along with the certificate, so your identity is always reliable, up to date, fast to verify and valid.
In the process of encryption, a pair of Keys (Public and Private) is needed to securely access the data, working just like a lock and its code. A weak or predictable set of Keys defeats the purpose of having a secure protocol; it would be like securing your phone with “1234” as your PIN.
Your website might contain links that intentionally redirect to other webpages. This policy chooses what information is shared from the Referrer (the origin webpage) with the newly accessed link. Some URLs include personal data, for example “https://www.example../location:1234/username=Mickey&Mouse/…”, but with a Referrer Policy you can decide to share little or no data, to protect users when they click links.
Secure websites have multiple encryption and authentication steps, but safe connections require periodic revalidation, handled by TLS: the credentials must be refreshed and kept up to date for security. This process is called Renegotiation.
Stopping the connection to do so opens a door for attackers to jump in and interfere, so Secure Renegotiation solves this problem by updating the encryption without breaking the connection.
Pairs of Keys are generated by algorithms (the Cryptographic Signature) and must follow certain criteria, such as length and combinations, to be considered safe. Over the years, algorithms have improved with technology, but so have the attackers who try to break them.
Failure to meet the criteria will make your website unsafe, raise warnings in browsers and compromise data. Having a strong signature means implementing up-to-date algorithms.
The SPF Policy controls what happens with unauthorised senders in your email domain. It has a variety of parameters to choose from, along with three levels of restriction:
- “+all” (pass): unauthorised senders are not restricted, anyone can send (not recommended).
- “~all” (soft fail): unauthorised senders are allowed but flagged for monitoring.
- “-all” (fail): unauthorised senders are strictly rejected for security.
The recommended level is always “-all”, which limits sending to your chosen senders only, since many email services have no security restrictions on creating email accounts.
An SPF Record takes part in identifying the origin of emails from your domain. It does this by specifying which servers are allowed to send messages on behalf of your domain, keeping a list of authorised senders. Suspicious senders can then be recognised, protecting you from fake users.
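As an added example (not code from .IE or the Digital Trust Mark assessment), the following Python reads the two email records described above: it classifies an SPF record by its “all” qualifier (the three levels listed, plus the “?all” neutral level that SPF also allows) and returns the requested policy from a DMARC record. The TXT strings, IP address and mailbox are constructed samples.

```python
# Added example (not .IE's code): classify an SPF record by its "all" qualifier
# and extract the policy from a DMARC record. Record strings are constructed.
import re

SPF_LEVELS = {
    "+": "pass: unauthorised senders are not restricted (not recommended)",
    "?": "neutral: no statement is made about unauthorised senders",
    "~": "softfail: unauthorised senders are accepted but flagged",
    "-": "fail: unauthorised senders are rejected",
}


def parse_spf(txt):
    """Return (qualifier of the 'all' term or None, list of sender mechanisms)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    qualifier, mechanisms = None, []
    for term in terms[1:]:
        has_q = term[0] in "+-~?"
        q = term[0] if has_q else "+"          # SPF's default qualifier is "+"
        body = term[1:] if has_q else term
        if body.lower() == "all":
            qualifier = q
        elif "=" not in body:                  # skip modifiers such as redirect=
            mechanisms.append(body)
    return qualifier, mechanisms


def spf_assessment(txt):
    """Describe the restriction level in the terms used on this page."""
    qualifier, mechanisms = parse_spf(txt)
    if qualifier is None:
        return "no 'all' term: unmatched senders are treated as neutral", mechanisms
    return SPF_LEVELS[qualifier], mechanisms


def dmarc_policy(txt):
    """Return the action requested for failing mail: none, quarantine or reject."""
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", txt))
    if tags.get("v", "").strip() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    return tags["p"].strip().lower()


# Constructed sample records for example.ie
SPF_SAMPLE = "v=spf1 ip4:192.0.2.10 include:_spf.mailprovider.example -all"
DMARC_SAMPLE = "v=DMARC1; p=reject; rua=mailto:dmarc@example.ie"
```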
Also known as HSTS, this is a mechanism that enforces the Secure Protocol. By refusing to follow insecure links, it protects against attackers trying to force users onto the “http://…” version, where they can easily access data. This problem can still happen on certified websites; HSTS will not only protect data but also reduce warnings on your website, increasing user trust.
It has been found, after major attacks, that in practice TLS Compression compromises the encryption. Most modern servers have this function deactivated by default, but it’s essential to ensure it is disabled.
TLS/SSL is what enables the Secure Protocol on your website. Some versions and algorithms have been broken in the past and are no longer secure. All SSL versions have been deprecated for this reason, and it is recommended to implement TLS 1.2 or later for optimal security rules, better algorithms and speed.
The Secure Protocol is enabled and validated on your website through certificates. While a self-signed certificate will apply the required encryption, it is not officially verified like one obtained through a Trusted Certificate Chain, which validates your webpage’s identity so that users and other websites can trust you. Without it, browsers show warning messages.
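As an added example (not code from .IE or the Digital Trust Mark assessment), the following Python builds a server-side TLS configuration that applies the connection rules from the Cipher Suite, ECDH, TLS Compression and TLS/SSL version paragraphs above, and then inspects what the policy actually enables. It uses Python's standard ssl module; no certificate is loaded, so the context is for inspection rather than serving.

```python
# Added example (not .IE's code): a server TLS policy following the page's rules
# (SSL refused, TLS 1.2 minimum, compression off, only ephemeral ECDH key
# exchange with AEAD ciphers), plus a check of what the policy really enables.
import ssl

# TLS 1.2 cipher string: ECDHE (forward secrecy) with AES-GCM or ChaCha20.
# TLS 1.3 suites are fixed by OpenSSL and always meet the same bar.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def hardened_server_context():
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2     # SSLv3, TLS 1.0/1.1 refused
    ctx.options |= ssl.OP_NO_COMPRESSION             # TLS-level compression off
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE   # server chooses the suite
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def weak_suites(ctx):
    """Names of enabled TLS 1.2 suites lacking forward secrecy or an AEAD
    cipher; an empty list means the cipher policy holds."""
    bad = []
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if name.startswith("TLS_"):                  # TLS 1.3 suite, skip
            continue
        aead = "GCM" in name or "CHACHA20" in name
        if not name.startswith("ECDHE-") or not aead:
            bad.append(name)
    return bad


def policy_summary(ctx):
    """What a practitioner would report about this context."""
    return {
        "min_version": ctx.minimum_version.name,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "weak_suites": weak_suites(ctx),
    }
```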
X-Content-Type-Options restricts how the browser interprets the type of data it receives before loading it. This means that if you have an input for a user profile picture, you can restrict it to only .jpg or .png as the appropriate file formats and no other options, or accept various files except scripts, which could modify your code, reducing threats.
You might have come across websites that seem to be covered with confusing or invisible layers where, for example, it is impossible to close an advertisement. With X-Frame-Options enabled, you can block your pages from being embedded by external sites, resulting in a cleaner website interface and avoiding unwanted link redirects.
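As an added example (not code from .IE or the Digital Trust Mark assessment), the following Python checks a captured set of HTTP response headers for the protections discussed in the Content Security Policy, Referrer Policy, HSTS, X-Content-Type-Options and X-Frame-Options paragraphs above. Both header sets and the CDN hostname are constructed samples.

```python
# Added example (not .IE's code): report weaknesses in a response's security
# headers. Both header sets below are constructed samples.
import re

# Referrer-Policy values that never send the full URL to another origin.
SAFE_REFERRER = {"no-referrer", "same-origin", "origin", "strict-origin",
                 "origin-when-cross-origin", "strict-origin-when-cross-origin"}


def check_headers(headers):
    """Return {finding: message} for each weakness; empty means all checks pass."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = {}

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m:
        findings["hsts"] = "missing: browsers may still follow http:// links"
    elif int(m.group(1)) < 31536000:
        findings["hsts"] = "max-age below one year"

    csp = h.get("content-security-policy", "")
    if not csp:
        findings["csp"] = "missing: any source may load scripts"
    else:
        directives = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.strip()}
        script = directives.get("script-src", directives.get("default-src", []))
        if not script or "'unsafe-inline'" in script or "*" in script:
            findings["csp"] = "script-src allows inline or wildcard sources"

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings["x-content-type-options"] = "missing 'nosniff'"

    if (h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}
            and "frame-ancestors" not in csp):
        findings["x-frame-options"] = "page may be framed by other sites"

    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings["referrer-policy"] = "full URL may be sent to other origins"
    return findings


WEAK_HEADERS = {"Content-Type": "text/html", "Referrer-Policy": "unsafe-url"}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' "
                               "https://cdn.example.ie; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```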