DNS Lookup & Email Security Check

Key Features

  • 14 DNS Record Types – Query A, AAAA, CNAME, MX, TXT, NS, PTR, SOA, SRV, NAPTR, DNAME, DS, RRSIG, DNSKEY, and CAA records
  • Live TTL Countdown – Real-time cache expiration timer for all DNS records
  • SSL/TLS Certificate Analysis – Scan 20+ common subdomains for certificates with expiration tracking
  • DNSSEC Validation – Verify complete chain of trust with detailed explanations for missing records
  • Email Security Suite – SPF parsing, DMARC policy analysis, and automatic DKIM selector discovery (25+ selectors)
  • 8-Server Propagation Check – Compare DNS records across Cloudflare, Google, Quad9, and OpenDNS servers
  • Reverse DNS Lookup – Auto-detect IPs for PTR record resolution and hostname discovery
  • Interactive DNS Map – Visual representation of your DNS infrastructure and record relationships
  • Export Options – Download DNS records as CSV or JSON with one-click copy
  • WHOIS Integration – Domain registration, contact details, and name server information

Understanding Email Authentication

Email authentication is critical for protecting your domain from spoofing and phishing attacks, and for ensuring legitimate emails reach recipients’ inboxes. Three key protocols work together to secure email delivery:

SPF (Sender Policy Framework)

SPF records specify which mail servers are authorized to send email on behalf of your domain. When properly configured, SPF prevents spammers from forging emails that appear to come from your domain.

Example SPF Record:

v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all

This record authorizes Google and Microsoft mail servers to send email for your domain. The ~all mechanism indicates a soft fail for unauthorized servers.

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to email headers, allowing receiving mail servers to verify that the email wasn’t altered in transit and actually came from your domain. DKIM uses public-key cryptography with the public key published in DNS.

DKIM Record Components:

  • v= Version (DKIM1)
  • k= Key type (usually RSA)
  • p= Public key data (Base64 encoded)
  • t= Flags (y for testing mode)

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC builds on SPF and DKIM, telling receiving mail servers what to do when authentication fails. It also provides reporting so you can monitor authentication results and identify abuse attempts.

Example DMARC Record:

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100; adkim=s; aspf=s

Policy Options:

  • p=none – Monitor only, no action taken
  • p=quarantine – Move suspicious email to spam folder
  • p=reject – Block unauthenticated email entirely
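
The policy options above interact with the other tags in the record. This added example (not the tool's own code) parses a DMARC TXT string, applies the RFC 7489 defaults, and lists what weakens enforcement. The function name and the report address in the sample record are assumptions made for illustration.

```python
POLICIES = ("none", "quarantine", "reject")           # weakest to strongest
DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}  # RFC 7489 defaults
# Constructed record: same tags as the page's example, placeholder report address.
SAMPLE = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100; adkim=s; aspf=s"

def assess_dmarc(record):
    """Parse one DMARC TXT string; return effective settings and weaknesses."""
    pairs = [part.split("=", 1) for part in record.split(";") if "=" in part]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if not pairs or pairs[0][0].strip().lower() != "v" or tags["v"] != "DMARC1":
        return {"valid": False, "findings": ["v=DMARC1 must be the first tag"]}
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        return {"valid": False, "findings": [f"p= is missing or invalid: {policy!r}"]}
    eff = {**DEFAULTS, **tags, "p": policy}
    eff["sp"] = tags.get("sp", policy).lower()  # subdomains inherit p unless sp is set
    findings = []
    if policy == "none":
        findings.append("p=none: monitor only, failing mail is still delivered")
    if eff["sp"] not in POLICIES:
        findings.append(f"sp={eff['sp']} is not a valid policy")
    elif POLICIES.index(eff["sp"]) < POLICIES.index(policy):
        findings.append(f"sp={eff['sp']} is weaker than p={policy}: subdomains are easier to spoof")
    pct = int(eff["pct"]) if eff["pct"].isdigit() else -1
    if not 0 <= pct <= 100:
        findings.append(f"pct={eff['pct']} is not a number from 0 to 100")
    elif pct < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: aggregate reports are not requested")
    return {"valid": True, "effective": eff, "findings": findings}

if __name__ == "__main__":
    print(assess_dmarc(SAMPLE))
```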

Advanced DNS Features

DNSSEC Chain of Trust

DNSSEC (DNS Security Extensions) provides cryptographic authentication for DNS responses, preventing DNS spoofing and cache poisoning attacks. Our tool validates the complete DNSSEC chain by checking DS (Delegation Signer), DNSKEY (public keys), and RRSIG (signature) records. If any records are missing, clickable warnings provide detailed explanations of what each record does, why it matters, and how to fix configuration issues.

SSL/TLS Certificate Discovery

Beyond basic DNS lookups, the tool automatically scans 20+ common subdomains (www, mail, smtp, webmail, api, etc.) for SSL/TLS certificates. It discovers additional hosts via reverse DNS on A record IPs and tracks certificate expiration with color-coded warnings. Recently expired certificates (within 90 days) are flagged if not replaced, helping you maintain secure connections across your entire domain infrastructure.

Multi-Server Propagation Analysis

DNS changes can take time to propagate globally. Our tool queries 8 major DNS servers simultaneously—Cloudflare (1.1.1.1, 1.0.0.1), Google (8.8.8.8, 8.8.4.4), Quad9 (9.9.9.9, 149.112.112.112), and OpenDNS (208.67.222.222, 208.67.220.220)—to verify propagation status. Inconsistencies are flagged with detailed diffs showing exactly which servers have updated records and which still cache old values.

Common Use Cases

Email Deliverability Troubleshooting

When legitimate emails are being marked as spam or rejected, checking DNS records is the first step. Misconfigured SPF, DKIM, or DMARC records are the most common cause of deliverability issues. This tool helps identify syntax errors, missing records, or conflicting configurations that prevent emails from reaching recipients.

Domain Security Audit

Security teams use DNS lookup tools to verify email authentication is properly configured across all company domains. Regular audits ensure that domains are protected from spoofing and phishing attacks. Organizations with multiple domains or subdomains need to verify each has appropriate email security records.

Migration & Configuration Verification

When migrating email services (e.g., from on-premises Exchange to Microsoft 365 or Google Workspace), IT administrators need to verify DNS record updates have propagated correctly. This tool checks that MX records point to new mail servers and that SPF/DKIM records include new service providers.

Reputation Monitoring

Email marketers and IT professionals regularly check domain and IP reputation to ensure they’re not blacklisted. Being added to a blacklist dramatically reduces email deliverability. Early detection allows teams to identify and resolve issues before email campaigns are affected.

Frequently Asked Questions

Why are my emails going to spam?

Common causes include missing or misconfigured SPF/DKIM/DMARC records, sending from a blacklisted IP address, lack of proper reverse DNS (PTR record), or sending patterns that trigger spam filters. Use this tool to verify all authentication records are properly configured and check blacklist status.

How long does DNS propagation take?

DNS changes typically propagate within 1-24 hours, though most updates are visible within 1-2 hours. The Time To Live (TTL) setting on your DNS records determines how long nameservers cache the old values. Lower TTL values (e.g., 300 seconds) speed up propagation but increase DNS query load.

What’s the difference between soft fail (~all) and hard fail (-all) in SPF?

In SPF records, ~all (soft fail) suggests that mail from unauthorized servers should be marked as suspicious but still accepted. -all (hard fail) instructs receiving servers to reject unauthorized email outright. Start with soft fail during testing, then move to hard fail once you’ve verified all legitimate mail servers are included.
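
The ~all / -all distinction in this answer, together with the example SPF record earlier on the page, can be checked offline. This added example (not the tool's own code) classifies the `all` qualifier, counts the terms that cost a DNS lookup toward SPF's limit of 10, and flags mechanisms placed after `all`. The function name is an assumption, and the count covers only the record given, not the records its includes point to.

```python
import re

# Terms that each cost one DNS query toward SPF's limit of 10 (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)(.*)$", re.I)
PAGE_RECORD = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all"

def lint_spf(record):
    """Lint one SPF TXT string without doing any DNS queries."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"all": None, "lookups": 0, "findings": ["does not start with v=spf1"]}
    all_result, lookups, redirect, findings = None, 0, False, []
    for term in terms[1:]:
        m = TERM.match(term)
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        qualifier, name, rest = m.group(1) or "+", m.group(2).lower(), m.group(3)
        is_modifier = rest.startswith("=")      # redirect=..., exp=...
        if all_result is not None and not is_modifier:
            findings.append(f"{term} follows 'all' and is never evaluated")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1                        # this record only; includes add their own
        if is_modifier:
            redirect = redirect or name == "redirect"
        elif name == "all":
            all_result = QUALIFIERS[qualifier]  # a bare 'all' means '+all'
        elif name == "ptr":
            findings.append("ptr: RFC 7208 says this mechanism should not be published")
    if all_result is None and not redirect:
        findings.append("no 'all' or redirect: unlisted senders get a neutral result")
    elif all_result in ("pass", "neutral"):
        findings.append(f"all evaluates to {all_result}: unauthorized senders are not failed")
    elif all_result == "softfail":
        findings.append("~all marks unauthorized mail as suspicious; -all is the strict form")
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return {"all": all_result, "lookups": lookups, "findings": findings}

if __name__ == "__main__":
    print(lint_spf(PAGE_RECORD))
```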
