Before your client submits a cyber insurance application, the underwriter is already looking at them.
Not at their policies or their security software inventory. At the actual domain: DNS records, TLS certificates, mail server configuration, publicly visible infrastructure. This outside-in reconnaissance happens silently and instantly. It's the first thing that shapes underwriter appetite—long before you fill out a 40-page questionnaire.
The problem is you probably don't know what they're seeing. And if those DNS records are misconfigured, missing DMARC enforcement, or exposing old subdomains, the underwriter has already made assumptions about operational maturity and risk posture.
Run your domain through the free readiness check right now. See exactly what an underwriter can discover in seconds. Then come back here to understand what it means and what still requires evidence.
Key Takeaways
- Underwriters do not start from a blank page. They start with the public footprint your domain already exposes.
- Email authentication, TLS posture, subdomain exposure, and internet-facing services are some of the fastest carrier-relevant signals to verify.
- Outside-in evidence is valuable because it is observable, repeatable, and timestamped.
- A readiness scan is the first layer of the file, not the whole file. It shows what is visible now and what still needs internal evidence.
Why This Matters Before the Questionnaire Lands
The easiest renewal problems to fix are the ones you find before the carrier asks about them.
If a domain has no DMARC record, weak SPF posture, outdated TLS, or an exposed service that creates an avoidable underwriting question, you want that surfaced while you still have time to remediate it cleanly. Once the renewal email lands, every gap becomes a timeline problem.
That is also why outside-in evidence tends to punch above its weight. It does not depend on a screenshot somebody grabbed six months ago. It does not depend on whether the right admin remembered where to click. It reflects what is live and observable now.
Run the free readiness check before you send anything to market. It gives you the outside-in layer carriers can already see and helps you separate "quick cleanup" from "needs deeper evidence."
What Underwriters See Before You Apply
Cyber insurance carriers—particularly Coalition, Hartford, and Travelers—conduct passive reconnaissance on applicant domains before underwriting. This isn't active penetration testing: nothing is exploited, and nothing is sent that a public DNS, mail, or web server would not answer for any visitor. It's non-intrusive enumeration of what the domain already publishes (DNS records, certificates and the hostnames recorded in certificate transparency logs, TLS and SMTP settings), which reveals security posture and operational discipline.
Here's what they're checking:
- Email authentication (SPF, DKIM, DMARC): Is the domain configured to prevent spoofing? Is DMARC actually enforced or just in reporting mode?
- TLS/SSL posture: Are certificates valid, properly configured, and covering all the right hostnames?
- Subdomain discovery: What subdomains exist publicly? Are legacy/abandoned subdomains still resolvable? Do they have valid certificates?
- Mail server configuration: Do the MX records point at live, intended mail hosts, or at a provider the organization left years ago? Do those hosts present valid certificates and offer STARTTLS? Note the limit of an outside-in view here: whether a host is an open relay cannot be read from DNS. Confirming it means actually attempting to relay a message through the server, which is an active test, not passive enumeration.
- DNS security: Is DNSSEC implemented? Are the domain's nameservers answering recursive queries for anyone (open resolvers)? Are there stale or unexpected records (CNAMEs pointing at decommissioned third-party services, TXT records left behind by old vendor verifications) that suggest nobody is actively managing the zone?
This reconnaissance feeds directly into underwriter decisioning. A domain with missing DMARC, expired certificates, or orphaned subdomains signals operational gaps. It doesn't prove a breach has occurred, but it does indicate whether the organization treats foundational security as a priority.
For brokers and MSPs, this matters because it's visible before you have a chance to explain context. You can't convince an underwriter to overlook it later.
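The subdomain and DNS checks above are worth seeing in code, because the distinction between "a name that no longer exists" and "a name that still exists but points at something nobody owns" is what turns a tidiness finding into an exposure. The following is an added example written for this article, not the readiness check's own scanner. It assumes a constructed in-memory zone and a constructed list standing in for certificate transparency log results; a real run would replace resolve() with live A/CNAME queries and CT_LOG_HOSTNAMES with the output of a CT-log query.

```python
"""Flag orphaned subdomains the way an outside-in scan does: hostnames that
still appear in a public source but whose DNS no longer leads anywhere live.
Added example for this article, not the readiness check's own code.  The zone
and the hostname list are constructed so the example runs offline."""

# Constructed zone for a hypothetical apex: name -> (record type, value).
# Names absent from the map do not resolve at all (NXDOMAIN).
ZONE = {
    "www.example.test":       ("A", "192.0.2.10"),
    "shop.example.test":      ("CNAME", "shop-prod.example.test"),
    "shop-prod.example.test": ("A", "192.0.2.11"),
    "old-blog.example.test":  ("CNAME", "acme-retired.hosting-provider.test"),  # provider account gone
    "beta.example.test":      ("CNAME", "staging.example.test"),
    "staging.example.test":   ("CNAME", "old-blog.example.test"),  # chains into the dangling name
    "ping.example.test":      ("CNAME", "pong.example.test"),
    "pong.example.test":      ("CNAME", "ping.example.test"),      # CNAME loop, never resolves
}

# Constructed stand-in for what a certificate transparency query returns
# for *.example.test: every name a certificate was ever issued for.
CT_LOG_HOSTNAMES = ["www.example.test", "shop.example.test", "old-blog.example.test",
                    "beta.example.test", "ping.example.test", "retired-portal.example.test"]


def resolve(name, max_hops=8):
    """Follow CNAMEs from name.  Returns one of:
      ("A", ip)            live host
      ("NXDOMAIN", name)   the name itself no longer exists
      ("DANGLING", target) a CNAME points at a name nobody answers for
      ("LOOP", name)       the CNAME chain never reaches an address"""
    if name not in ZONE:
        return ("NXDOMAIN", name)
    cur = name
    for _ in range(max_hops):
        rtype, value = ZONE[cur]
        if rtype == "A":
            return ("A", value)
        cur = value                      # follow the CNAME one hop
        if cur not in ZONE:
            return ("DANGLING", cur)     # target is unclaimed: takeover candidate
    return ("LOOP", cur)


def audit(hostnames):
    """Classify every publicly known hostname.  DANGLING is the one to fix
    first: if the target sits on a third-party service that lets any customer
    claim that name, someone else can serve content under your subdomain
    (subdomain takeover).  NXDOMAIN entries are stale inventory, not exposure."""
    return {h: resolve(h) for h in hostnames}


def findings(hostnames):
    """Group hostnames by status so a report can lead with the blockers."""
    grouped = {}
    for host, (status, _) in audit(hostnames).items():
        grouped.setdefault(status, []).append(host)
    return grouped


if __name__ == "__main__":
    for status, hosts in findings(CT_LOG_HOSTNAMES).items():
        print(f"{status:9s} {', '.join(hosts)}")
```

Note that beta.example.test looks healthy on a one-hop check (its CNAME target exists) and is only caught because the chain is followed to the end; a scanner that stops at the first hop would miss it.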
The Four DNS Security Postures Underwriters See
Most domains fall into one of four categories when an underwriter performs this scan. Each signals something different about control maturity.
1. DMARC Enforcement (p=reject)
What it is: SPF and DKIM configured, DMARC policy set to p=reject (not quarantine or none), with pct left at its default of 100 so the policy applies to every message that fails alignment.
What it signals: The organization treats email authentication seriously. They're not just logging failures—they're actively blocking unauthenticated email. This is the baseline expectation for managed organizations.
Underwriter appetite: This is the control configuration that most carriers expect. It shows operational discipline and reduces impersonation risk.
2. DMARC Published but Not Enforcing Rejection (p=none or p=quarantine)
What it is: SPF/DKIM configured, but DMARC set to p=none (monitor only: failures are reported, and the mail is still delivered), to p=quarantine (failing mail is sent to spam rather than refused), or to p=reject with pct below 100 so only a sample of failing mail is rejected.
What it signals: The organization is collecting reports but hasn't finished enforcement. This typically indicates either a transition in progress or a deliberate choice to avoid blocking legitimate mail. In the latter case, it usually points to senders that were never reconciled (legacy integrations, third-party vendors that don't authenticate properly).
Underwriter appetite: Neutral-to-negative. Some carriers accept this as a transition state, but if p=none has been in place for months, it reads as neglect rather than a migration.
3. Missing DMARC Entirely
What it is: SPF and/or DKIM present, but no DMARC record at all.
What it signals: The organization is not defending against domain spoofing at scale. Email authentication is incomplete.
Underwriter appetite: Red flag. This is control gap #1. Most carriers will flag this on the application.
4. Misconfigured SPF/DKIM
What it is: The SPF record exceeds the 10-DNS-lookup limit, or the domain publishes more than one v=spf1 record. Either way, receivers return permerror rather than a pass or fail, so the record provides no protection at all. Or the DKIM public keys are not published where the selector points. One caveat on the DKIM side: an outside-in scan can only check selectors it guesses (common defaults such as selector1/selector2 for Microsoft 365 or google for Google Workspace), so "no DKIM seen" means not found, not necessarily absent; a DMARC aggregate report is the authoritative view of which selectors are actually signing.
What it signals: Either the organization doesn't understand their own email infrastructure, or they've added vendors/integrations without cleaning up old SPF entries.
Underwriter appetite: Red flag. This is control gap #2. It indicates lack of email infrastructure governance.
For a deep technical explanation of these configurations and how they work, see our guide on SPF, DKIM, and DMARC for cyber insurance.
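The four postures above, and the SPF lookup limit in posture 4, can be checked mechanically from TXT records alone. Below is an added example written for this article, not the readiness check's own code or the guide it links to. DNS answers come from a constructed in-memory map of hypothetical domains so it runs offline; to point it at a live domain, replace lookup_txt() with a real TXT query (for example via dnspython). The DKIM selector list is an assumption about common defaults, and the key values in the map are placeholders.

```python
"""Classify a domain's published email-authentication posture the way an
outside-in scan does.  Added example; constructed records, not real zones."""

# Constructed TXT records for hypothetical domains (not real data).
TXT_RECORDS = {
    # Posture 1: valid SPF, DKIM selector published, DMARC p=reject
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "selector1._domainkey.good.example": ["v=DKIM1; k=rsa; p=AAAA"],  # p= is a placeholder key
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "_spf.mail.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    # Posture 2: DMARC published at p=none, SPF nests includes two levels deep
    "monitoring.example": ["v=spf1 include:_spf.mail.example include:_spf.crm.example ~all"],
    "_dmarc.monitoring.example": ["v=DMARC1; p=none; rua=mailto:d@monitoring.example"],
    "_spf.crm.example": ["v=spf1 a mx include:_spf.mail.example ~all"],
    # Posture 2 again: p=quarantine is partial enforcement, not reject
    "partial.example": ["v=spf1 mx -all"],
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=100"],
    # Posture 3: SPF fine, no DMARC record at all
    "legacy.example": ["v=spf1 mx -all"],
    # Posture 4: eleven includes blow through the 10-lookup limit (permerror)
    "sprawl.example": ["v=spf1 " + " ".join(f"include:vendor{i}.example" for i in range(11)) + " -all"],
}


def lookup_txt(name):
    """Stand-in for a DNS TXT query; returns [] for names with no record."""
    return TXT_RECORDS.get(name.lower(), [])


def spf_record(domain):
    """Exactly one v=spf1 record is valid; zero or several is a permerror."""
    recs = [r for r in lookup_txt(domain) if r.lower().split()[:1] == ["v=spf1"]]
    return recs[0] if len(recs) == 1 else None


def count_spf_lookups(domain, path=()):
    """Count the DNS-querying terms (include, a, mx, ptr, exists, redirect)
    reachable from the domain's SPF record, following include: and redirect=
    recursively.  ip4/ip6/all cost nothing.  A loop stops counting at the repeat."""
    if domain in path:
        return 0
    rec = spf_record(domain)
    if rec is None:
        return 0
    total = 0
    for term in rec.split()[1:]:
        t = term.lstrip("+-~?").lower()          # drop the qualifier
        if t.startswith("include:"):
            total += 1 + count_spf_lookups(t[len("include:"):], path + (domain,))
        elif t.startswith("redirect="):
            total += 1 + count_spf_lookups(t[len("redirect="):], path + (domain,))
        elif t in ("a", "mx", "ptr") or t.startswith(("a:", "a/", "mx:", "mx/", "ptr:", "exists:")):
            total += 1
    return total


def dmarc_tags(domain):
    """Parse _dmarc.<domain> into a tag dict, or None if no DMARC record exists."""
    recs = [r for r in lookup_txt("_dmarc." + domain) if r.lower().startswith("v=dmarc1")]
    if not recs:
        return None
    tags = {}
    for part in recs[0].split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip().lower()
    return tags


def dkim_selectors_found(domain, selectors=("selector1", "selector2", "google", "default")):
    """Only guessed selectors can be checked from outside (assumed common defaults),
    so an empty result means 'not seen', not 'absent'."""
    return [s for s in selectors
            if any(r.lower().startswith("v=dkim1") for r in lookup_txt(f"{s}._domainkey.{domain}"))]


def classify(domain):
    """Map the domain onto the article's four postures."""
    if spf_record(domain) is None or count_spf_lookups(domain) > 10:
        return "4-misconfigured-spf"
    dmarc = dmarc_tags(domain)
    if dmarc is None:
        return "3-no-dmarc"
    if dmarc.get("p") == "reject" and int(dmarc.get("pct", "100")) == 100:
        return "1-enforced"
    return "2-published-not-enforcing"      # p=none, p=quarantine, or pct < 100


def scan(domain):
    return {"spf_lookups": count_spf_lookups(domain),
            "dkim_selectors": dkim_selectors_found(domain),
            "dmarc": dmarc_tags(domain),
            "posture": classify(domain)}


if __name__ == "__main__":
    for d in ("good.example", "monitoring.example", "partial.example", "legacy.example", "sprawl.example"):
        print(d, scan(d))
```

The lookup counter matters more than it looks: monitoring.example has only two includes at the top level but costs five lookups once the nested record is expanded, which is how a domain drifts past the limit without anyone editing the apex record.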
What Carriers Actually Check: Carrier-Specific Insights
Coalition: Silent External Scanning
Coalition is known for passive reconnaissance before underwriting. They have published research on external vulnerability assessment and regularly cite findings about DNS misconfigurations in their underwriting guidelines.[1]
If a domain has:
- Missing or weak DMARC
- Open DNS resolvers
- Expired certificates on public-facing services
- Publicly discoverable subdomains with weak controls
Coalition will ask about it on the application. They build this reconnaissance into their underwriting algorithm; applicants with weaker external postures receive higher premiums or decline decisions.
Hartford: Explicit Application Questions
Hartford includes several questions on their cyber insurance application that directly map to external reconnaissance findings. Their questionnaire asks about:
- Email authentication implementation
- Certificate management and renewal processes
- Subdomain inventory and monitoring
- Incident response to past compromises
These questions don't appear random; they're designed to validate what underwriters discovered in the outside-in scan. If your domain shows weak DMARC and Hartford asks "Do you have email authentication configured?", your answer had better align with what the domain actually shows.[2]
Travelers: Ongoing Monitoring
Travelers uses external monitoring services (including Cyber Risk Services) to track domain security posture after a policy is issued. Changes in DMARC configuration, certificate validity, or subdomain discovery directly factor into renewal decisioning. If a policy holder's domain degrades between underwriting and renewal, Travelers will notice.[3]
What the Free Readiness Check Shows You
The free Underwriter Blocker Analysis runs the same outside-in checks underwriters rely on:
- Email Authentication Scan: Checks SPF, DKIM, and DMARC records. Reports exact policy settings, enforcement status, SPF lookup count, and common misconfigurations.
- Subdomain Discovery: Enumerates publicly resolvable subdomains. Flags abandoned or legacy subdomains that may have weak controls, dangling CNAMEs, or outdated certificates.
- TLS/Certificate Analysis: Validates certificate chains, checks for expiration, and identifies hostnames that a certificate does not cover.
- DNS Security Posture: Checks for DNSSEC implementation, open recursion on the domain's nameservers, and stale or unusual records.
- Mail Infrastructure Assessment: Reviews MX records, the TLS and banner behaviour of the MX hosts, and common misconfigurations.
The scan produces a report that shows:
- Current posture (compliant, partial, or gap)
- Specific findings with risk context
- What underwriters will see
- Priority remediation steps
You can run the scan in seconds and share results with your team or your client immediately.
What the Scan CANNOT Tell You (And Why That Matters)
This is critical: the external scan reveals published configuration, not evidence of the internal controls a policy actually depends on. A readiness scan is powerful because it is specific and verifiable. It becomes dangerous only when people overstate what it covers.
What it can see:
- Whether DMARC is enforced
- Certificate validity
- Subdomain inventory
- DNS configuration
What it cannot see:
- Whether multi-factor authentication (MFA) is deployed, and whether it is enforced on every relevant identity and access path (VPN, email, remote admin, privileged accounts)
- Which endpoint detection and response (EDR) tools are deployed, and whether coverage extends to every managed device
- Patch management practices
- Employee security awareness training
- Whether backups exist, are isolated from the production network, and are restore-tested
- Whether privileged accounts are reviewed and tightly controlled
- Whether an incident response plan exists, is current, and is practiced
The right sentence is not "our scan proves we are ready." The right sentence is "our scan proves the public posture, and it tells us where deeper evidence work still needs to happen."
This is why attestation and evidence collection still matter. An underwriter will ask 100+ questions that go far beyond what a domain scan reveals. The scan is a prerequisite, not a replacement for due diligence.
If your domain shows strong DMARC enforcement but you have no EDR deployed, you're only half-prepared. The scan shows one dimension; the full application requires control verification across infrastructure, processes, and people.
For a comprehensive framework of what carriers actually require, see our guide on 8 controls 3 carriers care about most.
How to Use the Scan in Your Workflow
For Brokers
Use the scan to sort accounts into three buckets early: likely straight-through, evidence-needed, and remediation-needed. Don't spend equal time on every account. Spend the early cycle where the scan suggests the renewal conversation could get complicated.
- Pre-application triage: Run the scan on new prospects before gathering any paperwork. It takes 30 seconds.
- Baseline documentation: Share the scan results with the client. Explain what findings mean. Use it as proof that you're protecting them—you're identifying gaps before the underwriter.
- Renewal strategy: Repeat the scan annually. If posture has degraded, address it before renewal season. Carriers track this.
- Negotiation: If you have a relationship with an underwriter, reference the scan results in early conversations. Show them you've done the reconnaissance work.
For MSPs
Use the scan to set the order of operations. Clear the public blockers first, then move into internal evidence: MFA exports, backup proof, endpoint coverage, IR documentation, and client attestations. That keeps your engineering time pointed at the controls most likely to matter.
- Client onboarding: Run the scan on every new client domain. Add it to your security checklist.
- Remediation tracking: DMARC misconfiguration? Document the fix. Subdomain cleanup needed? Track it in your ticketing system.
- Cyber insurance enablement: Help your clients prepare for cyber insurance applications. A cleaned-up domain is often the fastest win.
- Proof of service: Include scan results in quarterly security reviews. Show clients that you're monitoring their external posture.
The Right Next Step After the Scan
A readiness scan is the front door, not the full platform. Once the outside-in story is clear, the rest of the work usually follows a predictable path:
- Run the public scan — Get the baseline of what underwriters will immediately see.
- Identify blockers and quick wins — DMARC misconfiguration? Expired certificates? Start here.
- Gather the internal evidence the scan cannot see — MFA deployment, EDR coverage, backup testing, incident response plans.
- Map that evidence to the actual carrier questions — Use the scan results to inform what you need to prove internally.
- Package the result cleanly for submission — Build an evidence packet that answers carrier questions with observable proof.
If DMARC is misconfigured or missing: This is the highest-priority remediation. DMARC enforcement is table stakes for cyber insurance. Get this right before you apply.
If subdomains are orphaned: Inventory them. Either delete them or bring them into your managed infrastructure. Don't leave abandoned DNS records floating: a CNAME still pointing at a deprovisioned third-party service can be claimed by someone else and used to serve content under your name (subdomain takeover), which is worse than the subdomain never having existed.
If certificates are expiring: Automate renewal where the CA supports it (ACME clients such as certbot handle this for publicly trusted CAs) and put expiry monitoring on anything that cannot be automated. Certificate management is a control that underwriters specifically check.
If you're preparing a full application: Use the scan as one input to a broader evidence collection effort. The scan handles external verification. You'll still need to verify internal controls: MFA deployment, EDR agent coverage, patch management, backup testing, and incident response plans.
If the renewal email or supplement is already in hand, upload the document into the Carrier Decoder (formerly "Supplement Parser") to see what is auto-verifiable, what needs MSP evidence, and what needs client attestation. For deeper context on evidence collection, see our guide on the complete evidence strategy for cyber insurance.
What to Do Right Now
If you are within 90 days of renewal, do this in order:
- Run the scan on the primary domain.
- Review the email-authentication and exposure story.
- Fix obvious public blockers.
- Then decide what deeper evidence needs to be collected before the application is signed.
That is a much stronger starting point than opening the form and hoping the answers will sort themselves out.
The Bottom Line
Underwriters see your domain before you apply. They can't see inside your network, but they can see every DNS record, certificate, and email authentication setting you've published, and certificate transparency logs keep the hostnames you forgot about discoverable long after you stopped using them. That reconnaissance feeds directly into underwriting appetite.
The free readiness check lets you see what they're seeing. Run it now. It takes 30 seconds and shows you exactly what an underwriter will find.
Then decide: Is your domain configured to pass external reconnaissance? Or are there gaps worth fixing before you apply?
For a deeper dive into what underwriters do with scan results, see what underwriters see before binding. To decode your carrier questionnaire after running the scan, check out the Carrier Decoder tool. And if you want to compare how different carriers handle these findings, see our Coalition vs. Hartford vs. Travelers comparison.
Footnotes
[1] Coalition publishes regular external assessment research and cites DNS configuration findings in their underwriting methodologies. See Coalition's "Cyber Insurance State of Risk" reports for carrier-specific data on external posture findings.
[2] Hartford's cyber insurance applications include explicit questions about email authentication and certificate management—questions that directly map to external reconnaissance findings. Misalignment between scan results and application responses raises underwriter questions.
[3] Travelers' use of ongoing external monitoring services (including third-party risk monitoring) means domain security posture is tracked through the policy period, not just at underwriting.