Frequently asked questions

Have a question that is not answered here? See the guides for in-depth explanations, or contact us.

What does zmam.ai check?

zmam.ai performs an external, non-intrusive review of your domain’s public configuration: DNS, TLS/SSL certificates, HTTP security headers, and mail authentication (SPF, DKIM, and DMARC). Deeper checks — port and service discovery, technology fingerprinting, and known-vulnerability lookups — are in development.
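The HTTP security-header part of such a review can be done from a single response. The following is an added example written for this page, not zmam.ai's own scanner code: it reads one response's headers (a constructed sample, not a real site) and reports what is missing or weak, in the same read-only spirit. The severity labels and the 180-day HSTS threshold are this example's assumptions.

```python
"""Score HTTP security headers from one response (added example, not zmam.ai code)."""
import re

# Constructed sample response headers, roughly what a mid-configured site returns.
SAMPLE_HEADERS = {
    "Server": "nginx/1.24.0",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

# The same site after fixing the findings below (constructed for comparison).
HARDENED_HEADERS = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

HSTS_MIN_AGE = 15_552_000  # 180 days; threshold chosen for this example


def parse_hsts(value: str) -> dict:
    """Turn 'max-age=N; includeSubDomains; preload' into {directive: value}."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip()
    return out


def parse_csp(value: str) -> dict:
    """Turn a Content-Security-Policy into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_headers(headers: dict) -> list:
    """Return (severity, header, message) findings for one HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "Strict-Transport-Security", "missing; browsers will not force HTTPS"))
    else:
        p = parse_hsts(hsts)
        age = int(p["max-age"]) if p.get("max-age", "").isdigit() else 0
        if age < HSTS_MIN_AGE:
            findings.append(("medium", "Strict-Transport-Security", f"max-age={age} is below {HSTS_MIN_AGE}"))
        if "includesubdomains" not in p:
            findings.append(("low", "Strict-Transport-Security", "includeSubDomains not set"))

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if not policy:
        findings.append(("medium", "Content-Security-Policy", "missing"))
    else:
        # script-src falls back to default-src when absent, as browsers do.
        scripts = policy.get("script-src", policy.get("default-src", []))
        if "'unsafe-inline'" in scripts:
            findings.append(("medium", "Content-Security-Policy", "script-src allows 'unsafe-inline'"))
        if "*" in scripts:
            findings.append(("medium", "Content-Security-Policy", "script-src allows any origin (*)"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options", "nosniff not set"))

    # Either header stops clickjacking; only flag when neither is present.
    if "x-frame-options" not in h and "frame-ancestors" not in policy:
        findings.append(("medium", "X-Frame-Options", "no framing restriction set"))

    if "referrer-policy" not in h:
        findings.append(("low", "Referrer-Policy", "missing"))

    # A version string in Server is informational: it helps an attacker pick exploits.
    if re.search(r"\d+\.\d+", h.get("server", "")):
        findings.append(("info", "Server", f"version disclosed: {h['server']}"))
    return findings


if __name__ == "__main__":
    for sev, header, msg in check_headers(SAMPLE_HEADERS):
        print(f"[{sev}] {header}: {msg}")
    print("hardened findings:", check_headers(HARDENED_HEADERS))
```

Run against the sample it reports six findings (short HSTS max-age, no includeSubDomains, inline scripts allowed, no nosniff, no Referrer-Policy, version disclosure) and nothing against the hardened set. Note that it reports what the headers say, not whether the site is exploitable; a missing X-Frame-Options on a page with no sensitive actions is still a finding to review, which is the point made under false positives below.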

Is the scan safe? Will it affect my website?

Yes, it is safe. The scan is non-intrusive: it only reads information that is already public. It never tests passwords, submits forms, exploits vulnerabilities, or modifies or deletes anything.

Why do I have to verify my email before the scan runs?

Email verification confirms that whoever requested the scan controls a real inbox, which prevents abuse and lets us deliver the report securely. After you submit a domain and a work email, we send a confirmation link that is valid for 24 hours; the scan is queued only after you click it.

Is zmam.ai a penetration test?

No. zmam.ai is a non-intrusive external review of your public-facing configuration, a safe first look at what an attacker can see. A penetration test is a separate, authorised, in-depth engagement where a tester actively probes your systems. See Free website security checks: what they cover and what they miss.

What are SPF, DKIM, and DMARC?

They are three email-authentication mechanisms published in DNS that let receiving mail servers verify a message really came from your domain. SPF lists which servers may send mail for the domain, DKIM signs outgoing messages with a key whose public half is published in DNS, and DMARC tells receivers what to do when a message fails those checks and where to send reports. Together they make spoofing harder and improve deliverability. See SPF, DKIM, and DMARC explained.

Will sensitive findings be emailed to me?

No. Sensitive findings are never published on the site or emailed in the clear. The emailed report contains a safe summary only. Out-of-band routing of sensitive findings to a verified security contact at the scanned organisation is planned for a future version.

How much does it cost?

The external scan is free. You submit a domain and a work email, confirm the email, and receive a plain-language report.

What do you do with my email address and domain?

We use your email only to send the confirmation link and the report, and we never share it. IP and browser identifiers are stored as one-way hashes only, never as raw values. See our Privacy Policy for full detail.

Can I scan a domain I do not own?

The service is intended for domains you own or are authorised to assess. Requests where the work email is on a different domain than the scan target require operator approval before they are queued.

Can a result be a false positive?

Yes. An external check sees only what is public, so it cannot know your intent. A public admin page, a staging host, or a broad SPF include may be deliberate; the report flags them for review, it does not assume they are wrong. Treat findings as a prioritised list to confirm, not a verdict.
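To make both the SPF/DKIM/DMARC answer above and the false-positive point concrete, here is an added example (not zmam.ai's code) that parses SPF and DMARC TXT records and separates hard findings from items that are merely flagged for review. The records and the domain example.com are constructed; a real check would fetch them over DNS. The severity names, the "review" label for includes, and the choice to not follow nested includes (which an offline example cannot do) are this example's assumptions.

```python
"""Parse SPF and DMARC records and flag findings (added example, not zmam.ai code)."""
import re

# Constructed TXT records for an imaginary domain; no DNS lookups are made.
EXAMPLE_TXT = {
    "example.com": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:spf.protection.outlook.com ~all",
    ],
    "_dmarc.example.com": [
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    ],
}

# Mechanisms and modifiers that cost a DNS lookup when a receiver evaluates SPF.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10  # limit set by RFC 7208 section 4.6.4


def check_spf(txts: list) -> list:
    """Return (severity, message) findings for a domain's TXT records."""
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "no SPF record: anyone can send mail claiming to be this domain")]
    findings = []
    if len(spf) > 1:
        findings.append(("high", f"{len(spf)} SPF records found; receivers treat this as a permanent error"))
    lookups = 0
    all_qual = None
    for term in spf[0].split()[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        body = term.lstrip("+-~?")
        name = re.split(r"[:/=]", body, 1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1  # nested includes are not followed here, so this undercounts
        if name == "all":
            all_qual = qual
        elif name == "include":
            # Deliberate for most mail providers: flagged for review, not as an error.
            findings.append(("review", f"{body}: a third party may send as this domain; confirm it is intended"))
        elif name == "ptr":
            findings.append(("low", "ptr mechanism is deprecated and slow for receivers to evaluate"))
    if all_qual is None:
        findings.append(("medium", "no 'all' term: unlisted senders get a neutral result"))
    elif all_qual in "+?":
        findings.append(("high", f"'{all_qual}all' lets any sender pass SPF"))
    elif all_qual == "~":
        findings.append(("info", "~all soft-fails unlisted senders; -all is stricter"))
    if lookups > MAX_LOOKUPS:
        findings.append(("medium", f"{lookups} lookup terms exceed the limit of {MAX_LOOKUPS}"))
    return findings


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=...' into {tag: value}."""
    tags = {}
    for part in txt.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dmarc(txts: list) -> list:
    """Return (severity, message) findings for the _dmarc TXT records."""
    recs = [t for t in txts if t.lower().startswith("v=dmarc1")]
    if not recs:
        return [("high", "no DMARC record: failed SPF/DKIM is not enforced and no reports arrive")]
    tags = parse_dmarc(recs[0])
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append(("medium", "p=none only monitors; spoofed mail is still delivered"))
    elif policy not in ("quarantine", "reject"):
        findings.append(("high", f"invalid or missing policy tag p={policy!r}"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address: aggregate reports will not be received"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(("low", f"pct={pct}: policy applies to only part of the mail flow"))
    return findings


def review_domain(domain: str, txt: dict) -> dict:
    """Combine SPF and DMARC findings for one domain from pre-fetched TXT records."""
    return {
        "spf": check_spf(txt.get(domain, [])),
        "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}", [])),
    }


if __name__ == "__main__":
    for section, items in review_domain("example.com", EXAMPLE_TXT).items():
        for sev, msg in items:
            print(f"{section} [{sev}] {msg}")
```

For the constructed domain this yields two "review" items (the Google and Microsoft includes, which are almost certainly intentional), an informational note about ~all, and a medium DMARC finding for p=none. The two includes are exactly the kind of result a human has to confirm rather than fix.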

How do I retest after fixing an issue?

Submit the same domain again once your change is live. DNS changes become visible to outside resolvers only after the old record's TTL expires, and TLS and header changes may take time to reach every cache or CDN edge, so if a fix does not show yet, wait for propagation and re-run the check.

What happens if my email is on a different domain than the one I am scanning?

Cross-domain requests (a work email on a different domain than the scan target) require operator approval before they are queued. This keeps the service tied to people with a legitimate reason to assess the domain.

Can you prove I own the domain?

The email-verification step proves you control the inbox you gave us, not that you own the domain. For same-domain requests (email and domain match) that is a strong signal; cross-domain requests are reviewed by an operator.

Do you store the raw scan output?

Scan results are retained to produce and deliver your report, then removed on a retention schedule. IP and browser identifiers are stored only as one-way hashes. See the Privacy Policy for retention windows.

Can I delete my report data?

Yes. You can request deletion of your data; contact us from the same email you used for the scan. See the Privacy Policy for how data-subject requests work.

Do you scan ports today?

Not yet. Today the check covers DNS, TLS, email authentication, and HTTP security headers. Port and service discovery, technology fingerprinting, and known-vulnerability lookups are in development.

Will this help with NCA, SAMA, or PDPL compliance?

It can support hygiene and visibility, but it does not establish compliance. zmam.ai is an external hygiene check, not a compliance audit or certification. See Cybersecurity for Saudi companies.

What is the difference between zmam.ai and a vulnerability scan?

A vulnerability scan typically probes a system more actively, sending requests designed to detect known software flaws. zmam.ai is a read-only external review of public-facing configuration: it reports exposure and misconfiguration, and never actively exploits anything. Both differ from a full penetration test, which has a human tester chaining findings to demonstrate impact.