Name and Shame

A small collection of highly useful sites, all of them suited to checking the security of services and potentially convincing those services to improve their practices. After all, it is the users' security & privacy that these services should protect first & foremost, right?

Web:

SSLLabs – check the SSL/TLS security of any website.

Securityheaders.io – check whether a website uses proper security headers to protect its content.

ASafaWeb – check whether a website is doing things correctly.

https://shaming.tumblr.com/ – (blog) websites that ask users to login using an unencrypted connection.

Mail:

https://starttls.info – Does a domain's mail servers offer RFC 3207 SMTP STARTTLS for opportunistic and user-transparent email encryption?

https://dane.sys4.de – Does a domain use DNSSEC, have they published DANE TLSA records for highly secure email encryption, and does it work?

https://mxtoolbox.com/spf.aspx – Does a domain provide SPF records in DNS, to lower the risk of that domain being abused for sending spam to others?

http://dkimvalidator.com/ – Check a domain for DKIM, SPF and SpamAssassin configuration

DNSSEC:

dnssec-name-and-shame.com – Does a domain use DNSSEC, and are they doing it correctly?

Password policies:

http://password-shaming.tumblr.com/ – (blog) websites with weird password policies

https://insecurityq.wordpress.com/ – (blog) websites with insecure "security questions"

http://plaintextoffenders.com/ – Does the website send users their password by plaintext email?