We obtain the IP addresses of the mail server record(s) associated with the domain and look up their countries in a GeoIP database. It is believed that personal data is better protected if a website is hosted in a country that implements the European General Data Protection Directive (GDPR). We plan to offer more flexible geo-location tests in the future.
Conditions for passing: The test passes if all IP addresses associated with the MX records are found to be in countries that implement the GDPR. This test is neutral if there are no MX records.
Reliability: unreliable. We perform a single DNS lookup for the MX records of the domain name of the respective site. Then we obtain all A records of each MX record. Due to DNS round-robin configurations, we may not see all IP addresses that are actually used by a site. Furthermore, if the site uses content delivery networks or anycasting, the set of addresses we observe may differ from the set seen by other users. We look up the IP addresses in a local copy of a GeoIP database. We use the GeoLite2 data created by MaxMind, available from http://www.maxmind.com. Finally, we only check mail servers found in MX records. Therefore, we miss sites where the domain does not have MX records but mail is handled directly by a mail server running on the IP address given by its A record.
Potential scan errors: The result may be incorrect for the following reasons. First, we may miss some IP addresses and therefore our results may be incomplete (causing the test to pass while it shouldn’t). Second, we may see a set of IP addresses that is biased due to the location of our scanning servers (all of them are currently in Germany), which may again cause the test to pass while it shouldn’t. Therefore, the results may be wrong for users located in other countries. Third, the determination of the geo-location of IP addresses is known to be imperfect. This may cause the test to fail or succeed where it shouldn’t.
Scan module: network
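The pass/fail/neutral decision described above, as an added example that is not the scanner's own code. The function and variable names, the country list, the handling of unlocatable addresses and of MX hosts without addresses, and all sample records are assumptions made for illustration.

```python
# Assumed list: EU member states plus the EEA countries Iceland, Liechtenstein
# and Norway (the page does not say which list the scanner uses).
GDPR_COUNTRIES = frozenset(
    "AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT RO SK SI ES SE "
    "IS LI NO".split()
)

def mx_geo_test(domain, resolve_mx, resolve_a, country_of):
    """Return (verdict, {ip: country}) with verdict 'pass', 'fail' or 'neutral'."""
    mx_hosts = resolve_mx(domain)
    if not mx_hosts:
        return "neutral", {}  # no MX records: the test is neutral
    located = {}
    for host in mx_hosts:
        for ip in resolve_a(host):  # all A records of each MX host
            located[ip] = country_of(ip)  # ISO code, or None if not in the database
    if not located:
        # Assumption: MX hosts without any address leave nothing to check, so
        # report neutral rather than letting all() pass on an empty set.
        return "neutral", {}
    # Assumption: an address the database cannot place counts as a failure.
    ok = all(country in GDPR_COUNTRIES for country in located.values())
    return ("pass" if ok else "fail"), located

# Constructed sample data (reserved documentation names and address ranges).
SAMPLE_MX = {
    "eu-mail.example": ["mx1.eu-mail.example", "mx2.eu-mail.example"],
    "mixed.example": ["mx.mixed.example"],
    "unlocated.example": ["mx.unlocated.example"],
    "dangling.example": ["mx.dangling.example"],
}
SAMPLE_A = {
    "mx1.eu-mail.example": ["192.0.2.10"],
    "mx2.eu-mail.example": ["192.0.2.11", "198.51.100.7"],
    "mx.mixed.example": ["192.0.2.10", "203.0.113.5"],
    "mx.unlocated.example": ["198.51.100.99"],
}
SAMPLE_GEO = {"192.0.2.10": "DE", "192.0.2.11": "NL", "198.51.100.7": "FR", "203.0.113.5": "US"}

def run_sample(domain):
    """Run the test against the constructed records above instead of live DNS/GeoIP."""
    return mx_geo_test(
        domain, lambda d: SAMPLE_MX.get(d, []),
        lambda h: SAMPLE_A.get(h, []), SAMPLE_GEO.get)

if __name__ == "__main__":
    for name in ["eu-mail.example", "mixed.example", "unlocated.example", "nomx.example"]:
        print(name, *run_sample(name))
```

Replacing the three lookup callables with a live MX/A resolver and a GeoLite2 reader gives the same verdicts, subject to the reliability limits listed above.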