Website still unsecure and Google error


I installed Cloudflare about a month ago and my site did not show the unsecured error for a while.

Then I started getting these emails from Google. I was very busy at the time and figured it was just spam wanting me to click and link so didn’t check into them, but they have continued and now I see the site is again showing the unsecured error.

Report domain: Submitter: Report-ID: 16889060362573362839

I probably set it up wrong when I did it, but I am pretty sure it was working at one point.

Can someone help me with this? Oh, I ran that scan and it never finished…

I can’t really find anything about the error,

It’s probably because your site is available over http:// (unsecured) but doesn’t redirect to https:// (secured). - click on that link and it’ll take you to the SSL settings of your domain. Make sure Always Use HTTPS is turned on.

I figured I’d forgotten to do something, thanks!

But why would it throw the google error? (I’m afraid to open the zip file in the email that google sent to me.

That’s a result of your DMARC record - it’s apart of your email security (to stop people sending emails from when they’re not allowed to) and is currently setup to email yourself whenever someone fails the checks that verify that someone is allowed to send as your domain.

"v=DMARC1; p=none; rua=mailto:[email protected]"

There’s nothing that stops me from sending an email as [email protected] so there’s things like SPF, DKIM & DMARC that help combat that. Someone has sent an email from your domain, failed SPF or DKIM and therefore you’ve got an email (due to your DMARC record above).

It’s unrelated to your website being ‘insecure’ which is now fixed, and you can likely just ignore that report for the most part.

1 Like

OH!! So someone tried to use my site to send out spam! I have been winging this, but I guess I did something right to keep that from happening.

(Now I’m going to be paranoid until I’m sure I have the site buttoned-down) Can you point me in the right direction to learn more about this?

Thank you!

Then you should start by actually securing your site :wink:

$ curl -I --connect-to ::[SERVER_ADDRESS]
curl: (35) error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Right now your site is as insecure as a site on HTTP can be.


This isn’t a recommendation to ignore @sandro’s advice to secure your site. You should still do that.

Receiving DMARC reports doesn’t mean that anyone is sending spam from your site. It doesn’t even mean that anyone is sending email spoofing your domain. It just means that your domain was seen by the reporter, in your case Google. Since you have published a DMARC record that indicates DMARC reports should be sent to your mailbox, they are simply honoring your request for reports.

Sending DMARC reports to a mailbox used by a human is not the most practical method for collecting and reviewing that data, especially when you factor in the probability of receiving daily reports from multiple providers. Sending the reports to an automated mailbox at a service that processes them and aggregates the data tends to work a lot better than routing them to your inbox.

1 Like

Good thing nobody ever goes there! :blush:


Oh, I wasn’t commenting on DMARC, only that @juliettegodot currently has an insecure site.

Probably best to take it offline then :slight_smile:

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.