About

About wellknownaudit

A free, open auditor for a domain’s entire /.well-known/ directory.

The /.well-known/ directory (RFC 8615) is where machine-readable files live at predictable paths so that browsers, apps, mail servers and scanners can find them automatically. There are good validators for individual files — a security.txt checker here, an Apple App Site Association validator there — but checking a domain properly means visiting a dozen different tools. wellknownaudit runs them all in one pass.

wellknownaudit fetches every path in the /.well-known/ catalog (curated from the IANA Well-Known URIs registry) in one pass, then runs a per-file conformance check defined by that file’s spec — RFC 9116 for security.txt, RFC 8461 for mta-sts.txt (including its DNS record), valid-JSON-and-required-keys for the app-link and identity files, and so on. Absent files are informational; only real problems are flagged, each linked to its spec. Open methodology, no black-box score.

It cross-references related signals too — most usefully the mta-sts.txt policy file against the _mta-sts DNS TXT record it needs to actually take effect. It runs on Cloudflare, fetches only public URLs at well-known paths (private/metadata addresses blocked, responses capped), and keeps no logs.
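The cross-check described above, sketched as an added example (not wellknownaudit's own code): it validates an mta-sts.txt policy against RFC 8461 and confirms the _mta-sts TXT record that senders need in order to discover it. The function names and sample inputs are assumptions made for illustration, and TXT records are passed in as strings instead of being resolved, so the block runs offline.

```python
import re

MAX_AGE_LIMIT = 31557600  # RFC 8461 upper bound for max_age, in seconds

def parse_policy(text):
    """Parse mta-sts.txt 'key: value' lines; the mx key may repeat."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # blank or malformed line
        if key.strip() == "mx":
            policy["mx"].append(value.strip())
        else:
            policy.setdefault(key.strip(), value.strip())
    return policy

def check_policy(policy):
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("policy: version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("enforce", "testing", "none"):
        problems.append("policy: mode must be enforce, testing or none")
    age = policy.get("max_age", "")
    if not re.fullmatch(r"[0-9]+", age) or int(age) > MAX_AGE_LIMIT:
        problems.append("policy: max_age missing or out of range")
    if mode != "none" and not policy["mx"]:
        problems.append("policy: at least one mx is required")
    return problems

def check_txt(txt_records):
    """The policy only takes effect with exactly one valid STSv1 record."""
    sts = [r for r in txt_records if r.split(";")[0].strip() == "v=STSv1"]
    if len(sts) != 1:
        return [f"dns: expected one STSv1 TXT record, found {len(sts)}"]
    fields = dict(f.strip().split("=", 1) for f in sts[0].split(";") if "=" in f)
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", fields.get("id", "")):
        return ["dns: id missing or not 1-32 alphanumerics"]
    return []

def audit(policy_text, txt_records):
    return check_policy(parse_policy(policy_text)) + check_txt(txt_records)

# Constructed sample inputs (not taken from any real domain).
SAMPLE_POLICY = "version: STSv1\r\nmode: enforce\r\nmx: mail.example.com\r\nmax_age: 604800\r\n"
SAMPLE_TXT = ["v=STSv1; id=20240101T000000"]

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY, SAMPLE_TXT))  # conformant policy and record
    print(audit(SAMPLE_POLICY, []))          # policy file with no DNS record
```

A policy file that passes every check on its own still yields a finding when the TXT record is missing or duplicated, because sending servers then treat the domain as having no MTA-STS policy.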

Related tools: spam-check for full email auth, and aicrawlcheck for AI-crawler access.