
DNS Lookup & Email Security Check

Check DNS records, SPF, DKIM, DMARC, and email security configuration for your domain

SPF (Sender Policy Framework)

SPF records specify which mail servers are authorized to send email on behalf of your domain. When properly configured, SPF prevents spammers from forging emails that appear to come from your domain.

Example SPF Record:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

This record authorizes Google and Microsoft mail servers to send email for your domain. The ~all mechanism indicates a soft fail for unauthorized servers.
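The following added example (not the tool's own code) audits a domain's TXT records for the SPF problems discussed here: missing or duplicate records, the `all` qualifier, and the RFC 7208 limit of 10 DNS-lookup terms, which goes slightly beyond what the page covers. The function name `audit_spf` and the sample values are assumptions made for illustration.

```python
# Added example, not the tool's code. PAGE_RECORD is the record shown above.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that each cost the receiver one DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
PAGE_RECORD = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all"

def audit_spf(txt_records):
    """Audit one domain's TXT records; return (all_result, lookups, findings)."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return None, 0, ["no SPF record published"]
    if len(spf) > 1:
        # Receivers treat multiple v=spf1 records as a permanent error.
        return None, 0, [f"{len(spf)} SPF records published (permerror)"]
    parsed = []
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # default is '+'
        name = term.lstrip("+-~?").lower()
        for sep in ":/=":                     # drop domain, CIDR or modifier value
            name = name.split(sep)[0]
        parsed.append((qualifier, name))
    names = [name for _, name in parsed]
    # Lower bound only: lookups made inside included records are not counted.
    lookups = sum(name in LOOKUP_TERMS for name in names)
    all_result, findings = None, []
    if "all" in names:
        idx = names.index("all")
        all_result = QUALIFIERS[parsed[idx][0]]
        if any(name != "exp" for name in names[idx + 1:]):
            findings.append("terms after 'all' are never evaluated")
        if all_result == "pass":
            findings.append("+all authorizes every server on the internet")
    elif "redirect" not in names:
        findings.append("no 'all' or redirect: unlisted senders get a neutral result")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms, limit is 10 (permerror)")
    return all_result, lookups, findings
```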

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to email headers, allowing receiving mail servers to verify that the email wasn’t altered in transit and actually came from your domain. DKIM uses public-key cryptography with the public key published in DNS.

DKIM Record Components:

  • v= Version (DKIM1)
  • k= Key type (usually RSA)
  • p= Public key data (Base64 encoded)
  • t= Flags (s= for testing mode)

DMARC (Domain-based Message Authentication)

DMARC builds on SPF and DKIM, telling receiving mail servers what to do when authentication fails. It also provides reporting so you can monitor authentication results and identify abuse attempts.

Example DMARC Record:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100; adkim=s; aspf=s

Policy Options:

  • p=none – Monitor only, no action taken
  • p=quarantine – Move suspicious email to spam folder
  • p=reject – Block unauthenticated email entirely

Advanced DNS Features

DNSSEC Chain of Trust

DNSSEC (DNS Security Extensions) provides cryptographic authentication for DNS responses, preventing DNS spoofing and cache poisoning attacks. Our tool validates the complete DNSSEC chain by checking DS (Delegation Signer), DNSKEY (public keys), and RRSIG (signature) records. If any records are missing, clickable warnings provide detailed explanations of what each record does, why it matters, and how to fix configuration issues.
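The added example below (not the tool's own code) covers the first link in that chain: checking that a DS record in the parent zone matches a DNSKEY in the child zone, using the key tag and digest computations from RFC 4034. RRSIG signature verification is not covered, and the function names and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import struct

DIGESTS = {2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types handled here

def name_to_wire(name):
    """Canonical wire form: lowercase, length-prefixed labels, zero terminator."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B checksum that DS and RRSIG use to name a DNSKEY."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form + DNSKEY RDATA), as hex."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()

def ds_matches(owner, ds, dnskeys):
    """ds: (key_tag, algorithm, digest_type, hex_digest) from the parent zone.
    dnskeys: [(flags, protocol, algorithm, base64_key)] from the child zone."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False
    want = digest.replace(" ", "").lower()
    for key in dnskeys:
        rdata = dnskey_rdata(*key)
        if (key[2] == algorithm and key_tag(rdata) == tag
                and ds_digest(owner, rdata, digest_type) == want):
            return True
    return False

# Constructed sample: a 4-byte stand-in for key material, not a usable key.
SAMPLE_KSK = (257, 3, 13, "AQIDBA==")
SAMPLE_DS = (key_tag(dnskey_rdata(*SAMPLE_KSK)), 13, 2,
             ds_digest("example.com", dnskey_rdata(*SAMPLE_KSK)))
```

With real data, the DS tuple comes from the parent zone's DS answer and the DNSKEY tuples from the child zone's DNSKEY answer; a `False` result means the delegation points at a key the child no longer publishes.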

SSL/TLS Certificate Discovery

Beyond basic DNS lookups, the tool automatically scans 20+ common subdomains (www, mail, smtp, webmail, api, etc.) for SSL/TLS certificates. It discovers additional hosts via reverse DNS on A record IPs and tracks certificate expiration with color-coded warnings. Recently expired certificates (within 90 days) are flagged if not replaced, helping you maintain secure connections across your entire domain infrastructure.

Multi-Server Propagation Analysis

DNS changes can take time to propagate globally. Our tool queries 8 major DNS servers simultaneously—Cloudflare (1.1.1.1, 1.0.0.1), Google (8.8.8.8, 8.8.4.4), Quad9 (9.9.9.9, 149.112.112.112), and OpenDNS (208.67.222.222, 208.67.220.220)—to verify propagation status. Inconsistencies are flagged with detailed diffs showing exactly which servers have updated records and which still cache old values.

Common Use Cases

Email Deliverability Troubleshooting

When legitimate emails are being marked as spam or rejected, checking DNS records is the first step. Misconfigured SPF, DKIM, or DMARC records are the most common cause of deliverability issues. This tool helps identify syntax errors, missing records, or conflicting configurations that prevent emails from reaching recipients.

Domain Security Audit

Security teams use DNS lookup tools to verify email authentication is properly configured across all company domains. Regular audits ensure that domains are protected from spoofing and phishing attacks. Organizations with multiple domains or subdomains need to verify each has appropriate email security records.

Migration & Configuration Verification

When migrating email services (e.g., from on-premises Exchange to Microsoft 365 or Google Workspace), IT administrators need to verify DNS record updates have propagated correctly. This tool checks that MX records point to new mail servers and that SPF/DKIM records include new service providers.

Reputation Monitoring

Email marketers and IT professionals regularly check domain and IP reputation to ensure they’re not blacklisted. Being added to a blacklist dramatically reduces email deliverability. Early detection allows teams to identify and resolve issues before email campaigns are affected.

Frequently Asked Questions

Why are my emails going to spam?

Common causes include missing or misconfigured SPF/DKIM/DMARC records, sending from a blacklisted IP address, lack of proper reverse DNS (PTR record), or sending patterns that trigger spam filters. Use this tool to verify all authentication records are properly configured and check blacklist status.

How long does DNS propagation take?

DNS changes typically propagate within 1-24 hours, though most updates are visible within 1-2 hours. The Time To Live (TTL) setting on your DNS records determines how long nameservers cache the old values. Lower TTL values (e.g., 300 seconds) speed up propagation but increase DNS query load.

What’s the difference between soft fail (~all) and hard fail (-all) in SPF?

In SPF records, ~all (soft fail) suggests that mail from unauthorized servers should be marked as suspicious but still accepted. -all (hard fail) instructs receiving servers to reject unauthorized email outright. Start with soft fail during testing, then move to hard fail once you’ve verified all legitimate mail servers are included.


Three essential DNS records: SPF (lists who can send as you), DKIM (cryptographic signature), DMARC (tells receivers what to do with failures). Setup time: 30-60 minutes for basic configuration. Costs: $0 if you do it yourself, $500-1,500 if a consultant configures it. Minimum viable setup: SPF record listing your email provider (Google Workspace, Microsoft 365), DKIM enabled in your email admin, DMARC set to 'none' policy initially. This prevents 60-70% of spoofing attempts. Takes 24-48 hours for DNS propagation. Test with mail-tester.com (should score 8/10 or higher).
