We Scanned the World's Most Famous Port Scanner — Here's What We Found
We tested Olimpio on scanme.nmap.org — a site built by the team behind Nmap, one of the most recognised security tools in the world. One finding was confirmed. One was a false positive. Here is what we learned from both.
The test target
When you build a vulnerability scanner, you need something real to test it against.
scanme.nmap.org is a server maintained by the Nmap project specifically so that people can legally scan it. Nmap is one of the most famous and widely used network scanning tools in the world — the kind of tool that professional penetration testers, security researchers, and IT teams have relied on for decades.
If Olimpio was going to prove it works, scanning the Nmap team's own test server felt like the right place to start.
What Olimpio found
The standard scan completed and returned 17 findings across the domain — open ports, weak SSH cipher configurations, missing security headers, and DNS hygiene issues.
Most were expected for a test server. But one finding stood out as HIGH severity, attributed to the root nmap.org domain:
Your domain has no protection against email impersonation attacks — no DMARC record found on nmap.org.
We verified it independently
Before writing this post, we checked the finding against MXToolbox — a widely trusted independent DNS lookup tool used by IT professionals and security teams worldwide.
The result was unambiguous: No DMARC record found on nmap.org.
The DMARC finding was genuine.
What happened next — a correction and a lesson
Olimpio also flagged a missing SPF record on nmap.org. We disclosed both findings directly to Gordon "Fyodor" Lyon — the original creator of Nmap — who responded within minutes.
He pointed out that nmap.org does have an SPF record, but it uses ~all (softfail) rather than -all (hardfail). Olimpio had incorrectly flagged softfail as missing entirely — a false positive.
He was right. We got that one wrong.
This distinction matters and is worth understanding:
No SPF record — anyone can send email from your domain with no restrictions at all. High severity.
SPF with ~all (softfail) — unauthorised senders are flagged but not blocked. Mail servers may still accept the email. Medium severity — better than nothing, but not fully enforced.
SPF with -all (hardfail) — unauthorised senders are rejected outright. This is the correct configuration.
Olimpio is being updated to correctly distinguish between these three states and assign appropriate severity to each. A softfail is not the same as a missing record, and the findings should reflect that.
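To make the distinction concrete, here is an added Python example (it is not Olimpio's code) of how a scanner can classify a domain's SPF posture. It goes slightly beyond the three states listed above: it also handles the other qualifiers SPF allows (?all neutral, +all, and a record with no "all" term), the redirect= modifier, and the case of two SPF records, which receivers treat as an error. Live DNS lookups are replaced by a constructed dictionary of sample TXT records so the example runs offline; the domain names and the severity scale are assumptions.

```python
"""Classify a domain's SPF posture from its TXT records.

Added example (not Olimpio's code). Separates the states a scanner must
tell apart: missing, ~all softfail, -all hardfail, plus ?all neutral,
+all, a record without any "all" term, redirect=, and duplicate records.
Live DNS lookups are replaced by a constructed dictionary so it runs offline.
"""
import re

# Constructed sample answers, not real DNS data for these names.
SAMPLE_TXT = {
    "softfail.example": ["v=spf1 mx a:mail.softfail.example ~all"],
    "hardfail.example": ["v=spf1 include:_spf.example.net -all"],
    "neutral.example":  ["v=spf1 ?all"],
    "open.example":     ["v=spf1 +all"],
    "noall.example":    ["v=spf1 mx"],                    # no "all" term at all
    "redirect.example": ["v=spf1 redirect=hardfail.example"],
    "twice.example":    ["v=spf1 -all", "v=spf1 ~all"],   # two SPF records
    "spfless.example":  ["some-verification-token=abc123"],
}

# Assumed severity mapping; Olimpio's actual scale is not on the page.
SEVERITY = {
    "missing":  "HIGH",    # no record: no restriction on who may send
    "invalid":  "HIGH",    # more than one record: receivers return permerror
    "pass_all": "HIGH",    # +all: every sender explicitly authorised
    "neutral":  "MEDIUM",  # ?all or no "all" term: no assertion either way
    "softfail": "MEDIUM",  # ~all: flagged, may still be accepted
    "hardfail": "INFO",    # -all: unauthorised senders rejected
}

ALL_TERM = re.compile(r"([+\-~?]?)all", re.IGNORECASE)
QUALIFIER_STATE = {"": "pass_all", "+": "pass_all", "-": "hardfail",
                   "~": "softfail", "?": "neutral"}


def spf_records(domain, txt_store=SAMPLE_TXT):
    """All TXT strings for a domain that start with v=spf1 (case-insensitive)."""
    return [r for r in txt_store.get(domain.lower(), [])
            if r.strip().lower().startswith("v=spf1")]


def classify_spf(domain, txt_store=SAMPLE_TXT, _depth=0):
    """Return one of: missing, invalid, pass_all, neutral, softfail, hardfail."""
    records = spf_records(domain, txt_store)
    if not records:
        return "missing"
    if len(records) > 1:
        return "invalid"      # RFC 7208 section 4.5: multiple records are a permerror
    redirect = None
    for term in records[0].split()[1:]:
        match = ALL_TERM.fullmatch(term)
        if match:
            # "all" matches every sender, so its qualifier is the posture
            # for anyone not matched by an earlier mechanism.
            return QUALIFIER_STATE[match.group(1)]
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]
    if redirect and _depth < 10:
        # redirect= is consulted only when no mechanism (including "all") matched.
        return classify_spf(redirect, txt_store, _depth + 1)
    return "neutral"          # no "all" term: RFC 7208 default result is neutral


def spf_finding(domain, txt_store=SAMPLE_TXT):
    """(state, severity) pair a scanner would report for the domain."""
    state = classify_spf(domain, txt_store)
    return state, SEVERITY[state]


if __name__ == "__main__":
    for name in SAMPLE_TXT:
        print(f"{name:20} {spf_finding(name)}")
```

The key point for the false positive described above is that only the qualifier on the "all" term decides the posture for unauthorised senders, so "~all" and "-all" must land in different states, and neither is the same as having no v=spf1 record at all.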
Why the DMARC finding still matters
nmap.org has SPF configured, even if not at the strictest level. But the DMARC finding stands — confirmed independently by MXToolbox, and not disputed.
Without DMARC, SPF alone is not enough. DMARC is what ties SPF and DKIM to the address the recipient actually sees in the From: header, and it tells the world's mail servers what to do when a message fails both of those checks. Without it, even a correctly configured SPF record provides limited protection against email impersonation in practice.
The Nmap team are security professionals who build tools that the security community relies on. Security hygiene gaps exist everywhere — including at organisations run by people who understand this space deeply. Operational DNS maintenance is unglamorous work and it falls through the cracks.
For a small business owner who is not a security professional, these gaps are far more common and far more dangerous. They do not have a security team watching for them. They often do not know what DMARC or SPF are, let alone whether they have them configured correctly.
That is exactly the problem Olimpio is built to solve.
What DMARC actually means in plain English
Without a DMARC record on your domain, anyone in the world can send an email that appears to come from you. Your logo, your name, your email address — all of it can be spoofed. The recipient's inbox will often accept it without any warning.
This is how invoice fraud happens. A supplier's domain is spoofed, a fake invoice is sent to their client, and the money goes to the wrong account. By the time anyone notices, it is too late.
DMARC tells the world's mail servers what to do when an email claims to be from your domain but did not come from an authorised source — reject it, quarantine it, or at minimum report it back to you.
It costs nothing to configure. It takes a few minutes. And without it, your domain is an open door for impersonation.
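The two mechanisms described above, DMARC tying SPF and DKIM to the From: domain and the policy tag telling receivers whether to reject, quarantine or merely report, are easier to see in code. The following is an added Python example, not Olimpio's code: it looks up a DMARC record, classifies it the way a scanner would, and then applies it to one message's SPF and DKIM results the way a receiving mail server would. DNS is replaced by a constructed dictionary of records that would live at _dmarc.<domain>, so it runs offline; the domain names, the severity scale and the simplified organisational-domain rule are assumptions.

```python
"""Look up a DMARC policy and apply it to a message's SPF and DKIM results.

Added example (not Olimpio's code). DMARC passes when SPF or DKIM passes
AND the domain it authenticated aligns with the visible From: domain;
otherwise the p= tag decides the disposition. DNS is replaced by a
constructed dictionary so the example runs offline.
"""

# Constructed sample records (what _dmarc.<domain> TXT would return), not real DNS data.
SAMPLE_DMARC = {
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example; adkim=s",
    "monitor.example":  "v=DMARC1; p=none; rua=mailto:reports@monitor.example",
    "partial.example":  "v=DMARC1; p=quarantine; pct=50",
    "broken.example":   "v=DMARC1; rua=mailto:x@broken.example",   # no p= tag
}

DISPOSITION = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}

# Assumed scanner severities; Olimpio's actual scale is not on the page.
SEVERITY = {"missing": "HIGH", "invalid": "HIGH", "none": "MEDIUM",
            "quarantine": "INFO", "reject": "INFO"}


def parse_dmarc(record):
    """Split 'k=v; k=v' into a dict with lowercase keys; None if not a valid DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p", "").lower() not in DISPOSITION:
        return None          # v=DMARC1 and a valid p= are both mandatory
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def lookup_dmarc(domain, store=SAMPLE_DMARC):
    """Policy dict for the domain, 'missing' if no record, 'invalid' if unparseable."""
    record = store.get(domain.lower())
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    return tags if tags is not None else "invalid"


def dmarc_finding(domain, store=SAMPLE_DMARC):
    """(state, severity) a scanner would report: missing/invalid/none/quarantine/reject."""
    policy = lookup_dmarc(domain, store)
    state = policy if isinstance(policy, str) else policy["p"].lower()
    return state, SEVERITY[state]


def org_domain(domain):
    """Simplified organisational domain: last two labels. Real receivers use the
    Public Suffix List, so names like example.co.uk are not handled here."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict alignment (s) needs an exact match; relaxed (r) the same org domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
             store=SAMPLE_DMARC):
    """Receiver-side DMARC check for one message.

    spf_domain is the MAIL FROM domain SPF was evaluated against; dkim_domain is
    the d= value of a DKIM signature. Returns the DMARC result and disposition.
    """
    policy = lookup_dmarc(from_domain, store)
    if isinstance(policy, str):   # missing or invalid: nothing tells the receiver to act
        return {"dmarc": "none", "disposition": "accept", "reason": policy + " record"}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "accept",
                "reason": "aligned " + ("SPF" if spf_ok else "DKIM") + " pass"}
    # pct= sampling (applying p= to only a share of failures) is left out here.
    return {"dmarc": "fail", "disposition": DISPOSITION[policy["p"].lower()],
            "reason": "no aligned SPF or DKIM pass; p=" + policy["p"]}


if __name__ == "__main__":
    print(evaluate("nodmarc.example", "fail", "thirdparty.example", "fail", "thirdparty.example"))
    print(evaluate("enforced.example", "fail", "thirdparty.example", "fail", "thirdparty.example"))
```

The first usage call shows the situation the post describes: with no DMARC record, a message that fails SPF and DKIM outright is still accepted, because nothing tells the receiver otherwise. The second shows the same message against a domain with p=reject.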
Try it on your own domain
If you want to know whether your domain has DMARC, SPF, and DKIM configured correctly — along with everything else that might be exposed on your public-facing systems — you can run a free scan on Olimpio today.
No technical knowledge required. No credit card. Results in plain English.