New version X-XSS-Protection removed and improvement for no MX domains

July 13, 2020
As of today a new version of is available that contains some small improvements and bugfixes. Although it is not big change, we hope you enjoy it. Good luck testing and improving on modern Internet standards!

X-XSS-Protection test removed

We decided to remove the test for X-XSS-Protection. Most browsers have deprecated support for X-XSS-Protection making it of very limited security value in practice. Furthermore browser implementations can be vulnerable for cross-site leak attacks. We advise website owners to use Content-Security-Policy (CSP) without allowing unsafe-inline scripts instead of X-XSS-Protection.

No MX configured

When no mail server (MX) is configured or when we detect a Null MX record certain tests are not applicable. From now on shows blue informational icons (instead of orange warnings) for these test results and provides more suitable verdict texts. Like before there is no score impact. So it is fine to have no MX configured, as long as you are aware and you still have the relevant standards (like DMARC) in place.

We advise to use "Null MX" (RFC 7505) for a domain without mail servers. In that way a domain clearly announces that it accepts no email. Note that the test does not fall back to A/AAAA records for mail servers in case of absence of an MX record.


The test tool is an initiative of the Dutch Internet Standards Platform which is a collaboration of partners from the internet community and the Dutch government. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone. ECP provides for the administrative home of the platform. Open Netlabs / NLnet Labs is responsible for the technical realisation of

Release notes

  • New:

    • Remove test for X-XSS-Protection
    • No MX configured: informational status/icons and more suitable category verdict for STARTTLS and DANE
  • Bugfixes:

    • Fix breaking bug when the cert chain could not be received
    • Fix breaking bug for DANE-TA
    • Make sure to pick and test the same mailservers when the number of configured mailservers is greater than the allowed one
    • Mailservers without STARTTLS support give wrong verdict
    • Make sure only one SMTP connection is active at a time
    • Fix IPv6 connectivity for nameservers
    • Fix uncaught exception when decrypting HTTPS data
    • Fix for connecting to either IPv4 or IPv6 for the mail test