What I Learned Building My First Cybersecurity Tool as a Student

How I built a free email security checker using only HTML and Google's DNS API — and what the market taught me.

Minhajul Mahib

~5 min read · April 13, 2026 (Updated: April 13, 2026) · Free: Yes

I'm a Computer Networks and Cybersecurity student at Monroe University in New York.

Three weeks ago, I decided to stop waiting until graduation to start building things that matter.

So, I built a free email security checker for small businesses — a tool that checks SPF, DMARC, and DKIM records for any domain in under 10 seconds and gives a plain-English security score. No backend, no database, no API key needed. Just a single HTML file using Google's public DNS API.

Here's what I learned building it — technically, strategically, and about the market I'm trying to serve.

Why I Built It

Most cybersecurity tools are built for enterprise companies with dedicated IT teams. The interfaces are complex, the pricing is enterprise, and the outputs assume you already know what a CVE is.

But the businesses getting hit hardest by cybercrime are small ones — dental offices, law firms, restaurants, accounting firms. They don't have IT teams. They don't have security budgets. And they have no idea whether their basic defenses are in place.

I wanted to build something that a dentist could use in 30 seconds and actually understand the result.

The Technical Decisions

The core challenge: How do you check DNS records from a frontend-only app without a backend?

The answer I landed on: Google's public DNS-over-HTTPS API (dns.google/resolve). It's free, requires no authentication, and supports CORS — meaning a browser can query it directly without routing through a server.

const response = await fetch(
  `https://dns.google/resolve?name=${domain}&type=TXT`
);
const data = await response.json();

This single endpoint lets me query TXT records (where SPF and DMARC live), MX records, and run DKIM lookups against common selectors.

The DKIM problem: DKIM records are stored under a selector subdomain (selector._domainkey.domain.com), and different email providers use different selectors. Google uses google, Microsoft uses selector1 and selector2, others use default, mail, or k1.

My solution: loop through an array of common selectors and try each one until I find a match. Not elegant, but it works for 90% of real-world cases.

Scoring: I weighted DMARC highest (35 points) because it's the enforcement layer — having SPF and DKIM without DMARC is like having a guest list with no bouncer. SPF is 30 points, DKIM 25, and MX records 10. Partial credit for weak policies (like ~all instead of -all in SPF).

What Surprised Me About the Market

People are embarrassed, not defensive.

When I shared early versions of the tool and showed people their score, I expected pushback — "why does this matter," "we're too small to be targeted," etc.

Instead, almost every response was some version of: "Oh. That's worse than I thought. How do I fix it?"

The problem isn't awareness that cybersecurity exists. It's that nobody has made it concrete and personal for small business owners before. When you show someone their specific domain scoring 22 out of 100, it's different from telling them "cybersecurity is important."

The fix guide is as valuable as the checker.

I built an 8-page PDF guide with copy-paste DNS records for every major email provider. I expected the tool to be the main product.

But the feedback I've gotten is that people are just as interested in the fix as the diagnosis. They want someone to walk them through it step by step. That told me something important about what ShieldDesk needs to be: not just a monitoring tool, but a guided remediation system.

IT consultants are an underserved channel.

Several people who tried the tool were freelance IT consultants who manage security for 10–30 small businesses each. They immediately asked: "Can I run this for all my clients at once?"

That's the MSP (managed service provider) opportunity — building a multi-client dashboard that consultants can white-label and use with their own clients. One IT consultant who manages 20 clients and pays $200/month brings me the same revenue as 4 individual business customers. That changes the economics significantly.

What I'd Do Differently

Talk to customers before building.

I built the tool first, then showed it to people. It worked out, but I got lucky. The right order is: talk to 10 potential customers, understand their exact problem and language, then build.

If I'd done that first, I would have led with the compliance angle earlier. Several small business owners mentioned cyber insurance audits as their primary concern — not security per se, but the paperwork and documentation their insurer requires. That's a slightly different product than what I initially imagined.

Ship uglier, faster.

My first internal version was significantly simpler than what I eventually published. I spent extra time polishing the design before showing anyone. In retrospect, I should have shared the rough version sooner and gotten feedback earlier. The polish didn't change whether the core idea was useful — only talking to people could tell me that.

What's Next: ShieldDesk

The email checker is the first piece of a larger product I'm building called ShieldDesk — a full security health monitoring platform for small businesses.

The roadmap:

Phase 1 (now): Email security checker (live), SSL certificate checker (in progress)
Phase 2: Full security health dashboard with automated monthly PDF reports
Phase 3: MSP multi-client dashboard with white-label reports
Phase 4: Compliance templates (HIPAA, PCI-DSS basics) and employee training module

I'm building this while finishing my BS in Computer Networks and Cybersecurity at Monroe University (graduating December 2026), so the timeline is deliberately patient.

If you're a small business owner or IT consultant interested in early access, the waitlist is at shielddeskhq.com.

For Other Students Reading This

You don't need to wait until you have a degree, a job, or a co-founder to start building.

The tool I built uses skills from my first year of studying networking and security. It's not technically impressive by professional standards. But it solves a real problem for real people — and that's worth more than technical sophistication at this stage.

Start with the smallest possible version of a useful thing. Talk to the people you're trying to help. Ship it before you're ready. Then iterate.

That's the only way I know how to do this.

Minhajul Munim Mahib is studying Computer Networks & Cybersecurity at Monroe University and building ShieldDesk — cybersecurity monitoring for small businesses. He's based in New York.

Follow on LinkedIn: linkedin.com/in/minhajul-mahib Try the free email security checker: shielddeskhq.com/checker

#cybersecurity #information-technology #networking #technology #startup