We Took the DigitalTrust.ie Test — Here's What We Learned and How We Fixed It.

We ran DigitalTrust.ie against our own domain, scored a C, and fixed every finding to reach an A. A practical walkthrough for Irish SMEs wanting to improve their score.

When we discovered DigitalTrust.ie — an initiative by .IE, Ireland's national domain registry, that grades your domain's security posture across 28 checks covering DNS, email, web, and TLS — we did what any honest Donegal-based security firm should do. We ran it against our own site. The result was a C at 57 percent. Not catastrophic, but not where a cybersecurity advisory firm should be sitting. So we worked through every finding, documented the entire process, and came out the other side at an A. This article is that journey — an honest account of what we found, what we fixed, and what any Irish SME can take from it.

What DigitalTrust.ie Actually Checks

DigitalTrust.ie scans your domain across four security categories: DNS security, email authentication, web security headers, and TLS certificate configuration. Think of it as an NCT for your website's security posture. The assessment currently costs €89 excluding VAT and is reviewed by the .IE team, with results delivered within 24 hours.

The four categories map to four different ways your domain can be exploited if the controls are not in place. DNS security (specifically DNSSEC) prevents attackers from hijacking your domain's responses and redirecting customers to a fake version of your site. Email authentication — SPF, DKIM, and DMARC — prevents criminals from sending emails that appear to come from your domain, which is the technical foundation of most phishing and business email compromise attacks. Web security headers protect visitors from clickjacking and content injection attacks. TLS configuration ensures the encrypted connection between your site and every visitor is using current standards, not deprecated protocols that are vulnerable to interception.


What We Found When We Ran the Test

Our initial C score broke down across several findings. DNSSEC was not enabled on our domain. Our DMARC policy existed but was set to p=none, which means it monitors but takes no action when spoofed emails are detected — functionally useless as a protection. Several web security headers were missing, including Content Security Policy and the X-Frame-Options header. Our TLS configuration was adequate but not optimal — older cipher suites were still enabled that should have been disabled.

None of these findings were dramatic in isolation. But together, they represented meaningful exposure. Without DMARC enforcement, an attacker could send emails appearing to come from our domain to our clients, suppliers, or anyone else — and our mail security infrastructure would do nothing to stop it. Without DNSSEC, a DNS hijacking attack against our domain was theoretically possible. Without appropriate security headers, a visitor to our site could be subjected to clickjacking or content injection that we would never know about.

The NCSC Ireland has published specific guidance on email authentication and domain security as baseline controls for Irish organisations.[^1] What our DigitalTrust score revealed was that our advice to others was ahead of our own implementation. That is a useful lesson in itself.

How We Fixed Each Finding

Fixing DNSSEC required enabling it through our domain registrar. Most Irish domain registrars support DNSSEC, but it is typically not enabled by default. The process took about 30 minutes and propagated within 24 hours. DNSSEC does require careful management — changing DNS records without updating the DNSSEC signature breaks the validation chain — but for a business that rarely changes DNS records, it is a low-maintenance improvement with meaningful security benefit.

Strengthening our DMARC policy was the change with the highest security return. We moved our DMARC record from p=none to p=quarantine, which tells receiving mail servers to quarantine emails that fail authentication, rather than simply noting the failure and delivering the message anyway. This is the critical step that actually prevents email spoofing of your domain. The Data Protection Commission expects businesses handling personal data to take proportionate technical measures against foreseeable threats, and email spoofing of an Irish business domain is a foreseeable and documented threat.[^3]
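The difference between a monitoring-only and an enforcing DMARC record can be checked mechanically. The sketch below is an added example, not part of DigitalTrust.ie or our own tooling; it classifies the TXT records published at _dmarc.<domain>, and the records, the example.ie domain and the function names are constructed for illustration.

```python
# Records below are constructed samples for the placeholder domain example.ie.
def parse_dmarc(txt):
    """Split a DMARC TXT value into a lowercase tag -> value dict, or None if invalid."""
    pairs = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the record must begin with the v=DMARC1 tag.
    if not pairs or pairs[0].replace(" ", "").lower() != "v=dmarc1":
        return None
    tags = {}
    for pair in pairs[1:]:
        name, sep, value = pair.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt_records):
    """Return (status, notes) for the TXT records found at _dmarc.<domain>."""
    candidates = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not candidates:
        return "missing", ["no DMARC record published"]
    if len(candidates) > 1:
        # Receivers skip DMARC processing when more than one record is returned.
        return "invalid", ["multiple DMARC records; receivers apply none of them"]
    tags = parse_dmarc(candidates[0])
    policy = (tags or {}).get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["missing or unrecognised p= tag"]
    if policy == "none":
        return "monitor-only", ["p=none: failures are reported but mail is still delivered"]
    notes = []
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        notes.append(f"pct={pct}: policy applies to only part of failing mail")
    if tags.get("sp", policy).lower() == "none":
        notes.append("sp=none: subdomains are still monitor-only")
    if not tags.get("rua"):
        notes.append("no rua= address: aggregate reports are not being collected")
    return "enforcing", notes

SAMPLES = {  # constructed records
    "before": ["v=DMARC1; p=none; rua=mailto:dmarc@example.ie"],
    "after": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.ie"],
    "partial": ["v=DMARC1; p=quarantine; pct=25; sp=none"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, assess_dmarc(records))
```

The "partial" sample shows why the p= tag alone is not the whole picture: a pct below 100 or an sp=none tag leaves part of the mail flow, or every subdomain, in monitoring mode.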

Web security headers were implemented through our hosting configuration. Content Security Policy, X-Frame-Options, Referrer-Policy, and Permissions-Policy headers were all added. Each one prevents a different class of client-side attack. An Garda Síochána's National Cyber Crime Bureau notes that web-based attacks against Irish business sites have increased year on year, and many exploit the absence of basic protective headers.[^2] For businesses hosted on Cloudflare, many of these headers can be added through Cloudflare's Transform Rules without touching the origin server at all.
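A header audit of the kind that produced these findings can be reproduced locally. The following is an added example, not DigitalTrust.ie's scoring logic; it checks a response for the four headers named above and for a few values that defeat their purpose, and the sample header sets and function names are constructed for illustration.

```python
# Audits a dict of response headers; the BEFORE/AFTER sets are constructed samples.
REQUIRED = ("content-security-policy", "x-frame-options",
            "referrer-policy", "permissions-policy")

def csp_directives(value):
    """Parse a CSP header value into {directive: [source, ...]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:  # first occurrence wins
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def audit_headers(headers):
    """Return a list of findings for a dict of response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = [f"missing: {name}" for name in REQUIRED if name not in h]
    if "content-security-policy-report-only" in h and "content-security-policy" not in h:
        findings.append("CSP is report-only: violations are logged, not blocked")
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"x-frame-options value {xfo!r} is not DENY or SAMEORIGIN")
    csp = csp_directives(h.get("content-security-policy", ""))
    if csp:
        if "frame-ancestors" not in csp:
            findings.append("CSP has no frame-ancestors; framing relies on X-Frame-Options alone")
        for directive in ("default-src", "script-src"):
            if "'unsafe-inline'" in csp.get(directive, []):
                findings.append(f"CSP {directive} allows 'unsafe-inline'")
    if h.get("referrer-policy", "").lower() == "unsafe-url":
        findings.append("referrer-policy unsafe-url sends full URLs to other sites")
    return findings

BEFORE = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL"}  # constructed
AFTER = {  # constructed
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=()",
}

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(sample))
```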

TLS hardening involved disabling older protocol versions (TLS 1.0 and 1.1 are deprecated) and removing cipher suites that have known weaknesses. Again, for businesses using Cloudflare, this is a single settings change in the SSL/TLS configuration panel.

What the Improved Score Means in Practice

After implementing all the fixes, we resubmitted for the DigitalTrust assessment and received an A. That grade is now visible on our site as a trust badge — a signal to Irish clients, partners, and suppliers that our domain security meets a verified standard. For businesses pursuing NIS2 compliance, cyber insurance qualification, or enterprise client procurement, a DigitalTrust grade is becoming a meaningful and verifiable signal of technical security posture.

More practically, the improvements we made close real attack vectors. Our domain can no longer be convincingly spoofed in phishing emails without those emails being quarantined by compliant mail servers. Our DNS records are cryptographically protected. Our visitors are protected by appropriate browser security policies. These are controls that matter, not compliance theatre.

A DigitalTrust grade is one of the few pieces of security evidence Irish SMEs can point to that is independently verified, publicly visible, and directly relevant to the threats they face.

What to Do Next

Three steps for any Irish business that wants to improve its domain security:

  1. Run our free Digital Trust Checker first. Before paying €89 for the DigitalTrust.ie assessment, use our tool to identify the obvious gaps. Fix what you can fix, then submit for the formal assessment from a position of strength.

  2. Prioritise DMARC with enforcement. If you only do one thing, move your DMARC policy from p=none to p=quarantine. This is the single change that prevents email spoofing of your domain. Your DNS provider or IT supplier can make this change in minutes.

  3. Enable DNSSEC through your registrar. For .ie domains, this is supported by all major registrars. It is a one-time setup that significantly improves your DNS security posture without ongoing management overhead for most businesses.


[^1]: NCSC Ireland — Advice for Organisations: https://www.ncsc.gov.ie/advice-for-organisations/

[^2]: An Garda Síochána — Cyber Crime: https://www.garda.ie/en/crime/cyber-crime/

[^3]: Data Protection Commission: https://www.dataprotection.ie

Pragmatic Security — Cybersecurity advisory for Irish businesses. Based in Donegal, Ireland. CISA, CISSP, CISM certified advisors.