Trust Rail: Free Security Scanning for Aqaba Businesses
By Yousof Almalkawi, Founder
A business can spend years building a reputation and lose it in 48 hours because an attacker spoofed their email domain. For most small and medium businesses in Aqaba — and across Jordan — the gap between "has a website" and "has a secure website" is invisible until something goes wrong.
Trust Rail closes that gap. It is a free security scanner for any business with a domain. Paste your domain, get a report in under 60 seconds.
What Trust Rail Checks
Trust Rail runs five technical checks that cover the most common attack vectors against business domains:
DNS Health
Your DNS records are the address book of the internet. If they are misconfigured — dangling subdomains pointing to services you no longer use, missing CAA records that allow unauthorized certificate issuance, exposed zone transfers — attackers can exploit them in ways that are invisible to you until the damage is done.
Trust Rail checks DNS configuration against a set of security baselines: CAA records, DNSSEC status, subdomain enumeration exposure, and dangling record detection. A failing grade on DNS health does not mean your site is compromised — it means the configuration creates exploitable surface area.
SSL/TLS Certificate
HTTPS is a basic requirement for any business website in 2026. But HTTPS is not binary — a certificate that is expired, misconfigured, or signed by a weak algorithm creates real risk even though the browser shows a padlock.
Trust Rail checks certificate validity, expiration date, cipher suite strength, and certificate chain completeness. A certificate expiring in 15 days is a business continuity risk. A certificate using deprecated SHA-1 signatures is a security risk. Both show up in the scan.
SPF (Sender Policy Framework)
SPF is a DNS record that tells receiving mail servers which servers are authorized to send email on behalf of your domain. Without SPF, any server on the internet can send email claiming to be from your domain. With a misconfigured SPF record, legitimate email may be marked as spam.
For a business in Aqaba sending invoices, proposals, and client communications by email, an SPF misconfiguration means clients may never receive your emails — or worse, they receive fake emails that appear to come from you.
Trust Rail checks whether your SPF record exists, whether it is syntactically valid, and whether it has a hard fail (-all) or soft fail (~all) policy. Soft fail is better than nothing. Hard fail is better than soft fail.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to outgoing email. When a receiving server checks DKIM, it verifies that the email was sent by an authorized sender and has not been tampered with in transit.
Businesses using Google Workspace, Microsoft 365, or any modern email provider can enable DKIM signing with a few clicks. Many do not, because it is an invisible setting that has no effect until an attacker or spam filter checks for it.
Trust Rail checks whether DKIM records are present for the most common email providers and whether the key length meets current standards (2048-bit minimum).
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC is the policy layer on top of SPF and DKIM. It tells receiving servers what to do when an email fails SPF and DKIM checks: deliver it, quarantine it, or reject it. It also provides reporting — the domain owner receives aggregate reports of authentication failures, which makes it possible to detect spoofing attempts before they reach clients.
Without DMARC, a passing SPF and DKIM setup still leaves the decision of how to handle failures up to each receiving server. With DMARC set to p=reject, receiving servers that honor DMARC reject any email that claims your domain in its From address and fails authentication, before it is delivered.
Trust Rail checks whether DMARC is configured, what the policy level is (none, quarantine, or reject), and whether reporting addresses are configured.
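The SPF and DMARC checks described above can be reproduced on TXT record strings you have already looked up. The following is an added example, not Trust Rail's own code; the function names, status labels, and sample records are assumptions made for illustration.

```python
import re

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (DMARC syntax) into a dict."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_spf(txt_records):
    """Classify the SPF policy found among a domain's TXT records."""
    spf = [r for r in txt_records if r.strip().lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"  # RFC 7208: more than one SPF record is a permanent error
    for term in spf[0].lower().split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term)
        if m:  # no qualifier means "+", which authorizes every sender
            return {"-": "hardfail", "~": "softfail", "?": "neutral"}.get(m.group(1), "allow-all")
    return "no-all"

def check_dmarc(txt_records):
    """Read policy and aggregate-report addresses from the _dmarc TXT records."""
    recs = [r for r in txt_records if re.match(r"\s*v\s*=\s*DMARC1\s*(;|$)", r)]
    if len(recs) != 1:
        return {"status": "invalid" if recs else "missing"}
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"status": "invalid"}
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return {"status": "ok", "policy": policy, "rua": rua}

def report(spf_txt, dmarc_txt):
    """Return plain-language findings; an empty list means both checks pass."""
    findings = []
    spf = check_spf(spf_txt)
    if spf != "hardfail":
        findings.append(f"SPF is {spf}; the strongest policy is a single record ending in -all")
    dmarc = check_dmarc(dmarc_txt)
    if dmarc["status"] != "ok":
        findings.append(f"DMARC record is {dmarc['status']}")
    elif dmarc["policy"] == "none":
        findings.append("DMARC p=none only monitors; failing mail is still delivered")
    if dmarc["status"] == "ok" and not dmarc["rua"]:
        findings.append("DMARC has no rua address, so no aggregate reports arrive")
    return findings

# Constructed records for illustration, not taken from a real domain.
SAMPLE_SPF = ["google-site-verification=abc123", "v=spf1 include:_spf.example.net ~all"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]
print(report(SAMPLE_SPF, SAMPLE_DMARC))
```

Feed it the TXT answers for the domain itself (SPF) and for the `_dmarc` label under it (DMARC), for example from `dig +short TXT`.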
Why This Matters for Aqaba Businesses
Jordan's Personal Data Protection Law (PDPL) was enacted in 2023 and came into force in 2024. It imposes obligations on organizations processing personal data of Jordanian residents — including requirements for appropriate technical measures to protect data.
Email domain security is not explicitly named in PDPL, but the "appropriate technical measures" standard is broadly interpreted. An organization that is actively spoofed, resulting in personal data being disclosed to attackers, faces regulatory exposure under PDPL.
Beyond compliance, there is a practical business case. Aqaba's economy is built on tourism, hospitality, logistics, and trade. These are relationship-based industries. A spoofed email — one that appears to come from your company but was sent by an attacker — can compromise client relationships that took years to build.
The five checks Trust Rail runs are not exotic security measures. They are basic hygiene that every business with a domain should have in place. The problem is that most businesses do not know whether they have it in place or not. Trust Rail makes the check free and immediate.
Enter your domain — no account required, no email address, no sign-up flow. The scanner runs the five checks against live DNS data and returns a report within 60 seconds.
The report shows a pass/fail status for each check, a plain-language explanation of what failed and why it matters, and a recommended fix for each failing check.
The recommended fixes are specific: the exact DNS record format to add, which settings to enable in your email provider's admin console, and which test to run to verify the fix worked.
The Broader Context
Trust Rail is part of STEADYWRK's Aqaba initiative — a set of tools and services built specifically for businesses in the Aqaba Special Economic Zone and the surrounding region.
Aqaba's growth as a logistics and technology hub is creating a new class of businesses: companies that operate at the intersection of traditional Jordanian industry and modern digital infrastructure. These businesses need security tooling that is accessible in Arabic and English, built for their scale, and not gated behind enterprise contracts.
Trust Rail is free and will remain free. The long-term roadmap includes monthly automated re-scanning, team accounts for businesses managing multiple domains, and an Arabic-language interface.
If your business has a domain and you have never run a security scan, start at steadywrk.app/aqaba/trust-rail. The scan takes less than a minute. What you find might take an afternoon to fix — but that afternoon is significantly cheaper than the alternative.
Trust Rail is a free service from STEADYWRK, an AI dispatch platform built in Aqaba, Jordan. Questions about the scanner or Aqaba's PDPL compliance landscape: contact@steadywrk.app.