Most websites are quietly failing at things their owner has no idea about. Emails landing in spam. Legal exposure. Invisible to AI. Slow on mobile. We check 25 of them in 60 seconds and tell you, in plain English, what's costing you business.
Free. Nothing to install. No signup. Results in 60 seconds.
Five readers. One report. Pick the version written for you.
The same scan, written five ways. Owners get the business cost. Marketers get the channel impact. Developers get the exact fix. Legal gets the risk class. Candidates get a walk-in script.
Most businesses never notice when a third of their outbound quietly lands in spam. No bounce, no reply, just silence. We catch the spoofing risk and the delivery risk before another customer drops off the thread.
You spent five to fifty thousand on a website. Did they ship the structural work, or did they just make it look nice? Pull a report, forward it to your provider, ask why half the boxes are unchecked.
Pull a report on the company you are interviewing with, and one on a competitor. Show up with a read their own team doesn't have. Solid people notice solid prep.
Know what is broken before you pitch. Use the findings as the opener. A concrete "your DMARC is open to spoofing" beats a generic "we do websites" every time.
AI assistants are becoming the new front door. Most sites quietly fail the structural signals that get them cited. We check schema, robots, hreflang, and the llms.txt conventions that are emerging.
An A means the same thing across any site. A C means the same thing across any site. Benchmark in minutes, not in a quarterly review meeting that never happens.
Your mail provider tells you DMARC is fine. Your SEO dashboard says your sitemap is fine. Your legal tool says your GDPR page is fine. Everyone reports on their own corner, and nobody reports on the one view a board member actually asks for: is our online presence, taken as a whole, working.
That question isn't answered by specialists. It's the gap between them. GradeMyWeb was built to fill it. 25 checks, across the six things a business depends on online, scored A to F in plain English.
One report. No silos. No jargon between the finding and the consequence.
Every check is passive. We read what your site shows the open web. No installation, no login needed to run the scan. Each check is wired into the overall grade and into the category score you see in the report.
SPF, DKIM, DMARC. Domain blocklist status. If your outbound is landing in spam, you find out here.
Legal notice, SSL, cookie consent, GDPR firing order, privacy policy content quality across 20+ GDPR disclosure points.
Analytics, Search Console, session tooling. No analytics means flying blind. No Search Console means Google can delist you and you won't know.
Open Graph, sitemap, contact page, mobile viewport, social linkage, freshness, broken links. The basics search engines and humans both use to find you.
Schema markup, robots.txt, hreflang, llms.txt, image format. The structural signals that get you cited by ChatGPT, Claude, and Perplexity.
PageSpeed, response time, site freshness. A slow, stale, or broken site costs you customers before they ever read a word.
Every finding in your report is written five ways. The CEO version names the business cost. The marketer version names the channel impact. The developer version has the exact DNS records and fix steps. The legal version names the regulatory risk. The interview-prep version turns it into a question you can ask in a meeting. Same truth, five voices, nobody left squinting at jargon.
Real risk on this site. At least one finding is costing you deals every month it stays open.
Strong measurement and site performance. Visibility to AI is middling. Email authentication is the single most urgent fix.
Anyone can send email pretending to be your company. A scammer can spoof your domain to trick a customer, a supplier, or your own staff, and you have no technical protection in place. This is a one-hour fix on your DNS. It should be top of your list this week.
Your outbound is fighting gravity. Gmail and Outlook now require strict authentication from bulk senders, and without it your campaigns get routed to spam more often, your reply rates drop, and your sender reputation slowly rots. Fix this before the next send.
DMARC record found, policy=none, rua=mailto:[email protected]. Move to p=quarantine pct=25 and monitor aggregate reports for two weeks, then advance to p=reject pct=100. SPF and DKIM are correctly aligned, so the enforcement move is safe. Update DNS TXT record for _dmarc.
p=none means your domain can be spoofed with no enforcement action. Under GDPR Article 32, reasonable technical measures must protect personal data in transit. A domain that allows spoofing creates a documented phishing vector. Bringing policy to p=quarantine is the minimum defensible posture before the next audit cycle.
Ask in the first meeting: "What is your current DMARC policy, p=none, quarantine, or reject?" If they say p=none or do not know, you have identified a gap their team has not closed. This shows you did the homework before the call.
_dmarc.yourdomain.com.p=quarantine with pct=25.rua=mailto: for two weeks, confirm no legitimate mail is being flagged.p=reject with pct=100 once clean.Your real report covers every finding at this depth. Run the scan →
No account, no install. Your domain is all we need.
All 25 checks, email through site quality, usually in about 60 to 90 seconds.
A through F. Your email unlocks the full report, in the language your business actually reads.
25 passive checks across 6 outcome-focused categories: does your email arrive (SPF, DKIM, DMARC, blocklist), are you legally safe (legal notice, SSL, consent, cookie manager, privacy policy content quality), do you know what is happening (analytics, Search Console, session tooling), can people find you (Open Graph, sitemap, contact page, mobile viewport, social links), are you visible to AI (robots.txt, schema, hreflang, llms.txt, image formats), and is the site fast and working (PageSpeed, response time, freshness).
Every finding is written five ways. For the business owner, the marketing manager, the developer or IT lead, the legal officer or DPO, and the job candidate doing interview prep. Same finding, five readings. Pick the version that matches why you ran the scan.
We do not invent findings to scare you into buying. Some tools flag fabricated risks or score your privacy policy at 15% when it actually covers most of what regulators require. We check what is publicly visible, show our work, and grade on the same scale regardless of who you are. If a check cannot tell the answer from a passive scan, we say so honestly rather than guess.
Other tools grade one slice of your site: privacy, SEO, email, accessibility. We grade all of it together so you see the full picture in one report. We also report what we actually find and skip the speculative findings (like fake typosquatting risks) some scanners use to nudge you toward an upgrade.
Yes. The scan, the grade, and the category scores are all free. Your email unlocks the full per-check report.
Usually 60 to 90 seconds. All 25 checks run in parallel. PageSpeed, which queries Google's Lighthouse API, is usually the slowest of them.
All checks are passive. We read public DNS, public HTTP headers, and public HTML. Nothing on your site is modified, no forms are submitted, nothing is logged in to.
A through F. Any category scoring 3 or below caps the overall grade at C. Two or more weak categories cap it at D. A failing email authentication check (B3) also caps the grade. The letter is anchored to the categories that actually hurt you if they fail.
To stop scraping and abuse, and because we occasionally improve the report format and want to let people who used the tool know. We send a one-time code, we do not share your address, and you can use a VIP access code to skip the gate entirely.
After any change to your site, DNS, hosting, or legal pages. SSL certificates expire. Consent managers get reconfigured. Content goes stale. Running a scan once a quarter catches most drift before it bites.