Query DNS Records for Any Domain
Look up all DNS record types for any domain—A, AAAA, MX, TXT, CNAME, NS, SOA, and more. Essential for troubleshooting email delivery and domain configuration.
What You Can Check
- A/AAAA: IPv4 and IPv6 addresses
- MX: Mail server configuration and priorities
- TXT: SPF, DKIM, DMARC, and domain verification records
- CNAME: Domain aliases
- NS: Nameserver delegation
Email Authentication
Verify your SPF, DKIM, and DMARC records are correctly configured to prevent email spoofing and improve deliverability.
Understanding Email Authentication Protocols
Email authentication is critical for protecting your domain from spoofing and phishing attacks. Three key protocols work together to verify email legitimacy:
SPF (Sender Policy Framework)
SPF records specify which mail servers are authorized to send email on behalf of your domain. When a recipient server receives an email claiming to be from your domain, it checks your SPF record to verify the sending server is authorized.
A typical SPF record might look like:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
This example authorizes Google and Microsoft mail servers while using a "soft fail" (~all) for unauthorized senders.
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to email headers, allowing receiving mail servers to verify that the email wasn't altered in transit. It uses public-key cryptography, with the public key published in your DNS records.
A DKIM record contains:
- Version: The DKIM version (typically v=DKIM1)
- Key type: The key algorithm (usually RSA)
- Public key: The encoded public key used for verification
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC builds on SPF and DKIM, enabling you to specify what actions should be taken when authentication fails. You can set policies ranging from monitoring-only (p=none) to quarantine or rejection.
A strong DMARC policy example:
v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100
This tells recipient servers to reject emails that fail authentication and send aggregate reports to your monitoring address.
Advanced DNS Security Features
Modern DNS lookup tools provide sophisticated capabilities beyond basic record queries:
DNSSEC Validation
DNS Security Extensions (DNSSEC) cryptographically authenticate DNS responses to prevent spoofing and cache poisoning attacks. When enabled, DNSSEC ensures the DNS records you receive are genuinely from the authoritative nameserver and haven't been tampered with during transmission.
DNSSEC uses a chain of trust:
- DNSKEY records: Public keys for zone signing
- RRSIG records: Digital signatures for record sets
- DS records: Delegation signer records linking to parent zones
SSL/TLS Certificate Discovery
Advanced DNS tools can scan multiple subdomains (often 20+) to discover SSL/TLS certificates and identify expiration issues before they cause service disruptions. This is crucial for:
- Preventing unexpected certificate expiration
- Identifying orphaned subdomains with expired certificates
- Maintaining security compliance across your infrastructure
- Avoiding browser warnings that erode user trust
Global DNS Propagation Analysis
When you update DNS records, changes don't take effect instantly worldwide. Propagation analysis queries multiple DNS servers (typically 8+ major providers) across different geographic regions to verify your records have propagated correctly.
This helps you:
- Confirm DNS changes have taken effect globally
- Identify propagation delays in specific regions
- Troubleshoot inconsistent DNS behavior
- Plan maintenance windows based on actual propagation times
Practical Applications & Use Cases
DNS lookup and email security checks are essential for various scenarios:
Troubleshooting Email Deliverability
When your emails aren't reaching recipients, DNS records are often the culprit. Check for:
- Missing or misconfigured SPF records causing soft bounces
- DKIM signatures failing due to incorrect DNS entries
- Overly restrictive DMARC policies blocking legitimate mail
- Exceeding the SPF 10-lookup limit (too many includes)
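The 10-lookup limit counts every include, a, mx, ptr and exists mechanism plus any redirect modifier, including those inside included records, so nested includes add up quickly. The following added example (not part of the original page) walks an include chain and reports the total together with the qualifier on `all`. The zone data is constructed and stands in for live TXT lookups.

```python
SPF_LIMIT = 10                                   # RFC 7208 section 4.6.4
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists"}

# Constructed TXT data standing in for live DNS answers (all names are examples).
ZONE = {
    "ok.example": "v=spf1 mx include:_spf.mailhost.example ~all",
    "_spf.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "big.example": "v=spf1 a mx include:_spf.mailhost.example "
                   "include:_crm.example include:_news.example ~all",
    "_crm.example": "v=spf1 a:out.crm.example mx exists:%{i}.spf.crm.example "
                    "include:_crm2.example ~all",
    "_crm2.example": "v=spf1 ip4:198.51.100.0/24 ptr ~all",
    "_news.example": "v=spf1 mx a ~all",
}

def count_lookups(domain, zone, seen=()):
    """Count DNS-querying terms in a domain's SPF record, following includes."""
    if domain in seen:
        raise ValueError(f"SPF include loop at {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise LookupError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        body = term.lstrip("+-~?")
        if body.lower().startswith("redirect="):
            # redirect= costs one lookup plus whatever the target record costs
            total += 1 + count_lookups(body[len("redirect="):], zone, seen + (domain,))
            continue
        name, _, arg = body.partition(":")
        name = name.split("/")[0].lower()        # "a/24" -> "a"
        if name in LOOKUP_MECHS:
            total += 1
        if name == "include":
            total += count_lookups(arg, zone, seen + (domain,))
    return total

def all_qualifier(record):
    """Return the qualifier on the 'all' term ('+', '-', '~', '?') or None."""
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None

def audit_spf(domain, zone=ZONE):
    """Summarise lookup count, limit status and the 'all' qualifier."""
    lookups = count_lookups(domain, zone)
    return {"lookups": lookups, "over_limit": lookups > SPF_LIMIT,
            "all": all_qualifier(zone[domain])}
```

Against the constructed zone, `audit_spf("big.example")` exceeds the limit even though its top-level record lists only five lookup-causing terms.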
Security Auditing
Regular DNS audits help identify security gaps:
- Domain spoofing protection: Ensure email authentication is properly configured
- Subdomain takeover risks: Find orphaned DNS records pointing to decommissioned services
- Certificate management: Track SSL/TLS expiration across your entire infrastructure
- DNS hijacking detection: Verify records haven't been maliciously altered
Email Provider Migration
When migrating between email providers (e.g., from Gmail to Microsoft 365), DNS verification is critical:
- Verify new provider's MX records are configured correctly
- Update SPF records to authorize new mail servers
- Configure DKIM for the new provider
- Monitor DMARC reports during the transition period
- Confirm global DNS propagation before decommissioning old services
Reputation Monitoring
Proactive DNS monitoring helps maintain your domain reputation:
- Track SPF alignment to prevent unauthorized use of your domain
- Monitor DMARC reports to identify spoofing attempts
- Verify your domain isn't listed on DNS-based blocklists (DNSBLs)
- Ensure proper reverse DNS (PTR records) for your mail servers
Pro Tip: Set up automated DNS monitoring to receive alerts when records change unexpectedly or certificates are approaching expiration. This proactive approach prevents many common issues before they impact your users.
Frequently Asked Questions
Common questions about the DNS Record Checker - Verify SPF, DKIM, DMARC & More
DNS lookup translates domain names to IP addresses, enabling browsers to locate websites. It's essential for troubleshooting connectivity issues, verifying mail server configurations (MX records), validating domain ownership (TXT records), and ensuring proper DNS propagation after changes. Network administrators use it daily for diagnostics and configuration verification.
Common DNS records include: A (IPv4 address), AAAA (IPv6 address), MX (mail server), CNAME (alias), TXT (text/verification), NS (nameserver), SOA (zone authority), PTR (reverse lookup), and SRV (service location). Each serves specific purposes in routing traffic, email delivery, domain verification, and service discovery across the internet.
DNS propagation typically takes 24-48 hours globally, though local changes may appear within minutes. The delay depends on TTL (Time To Live) values set on records, ISP caching policies, and geographic distribution. Lower TTL values (e.g., 300 seconds) speed up propagation but increase DNS query load on authoritative nameservers.
Authoritative DNS servers store actual DNS records for domains they manage and provide definitive answers. Recursive DNS servers (resolvers) query authoritative servers on behalf of clients, caching results to improve performance. ISPs and public services like Google (8.8.8.8) and Cloudflare (1.1.1.1) operate recursive resolvers for end users.
Check if the domain exists, verify nameserver configuration, test with multiple DNS servers (8.8.8.8, 1.1.1.1), clear local DNS cache (ipconfig /flushdns on Windows, sudo dscacheutil -flushcache on Mac), check for DNSSEC validation errors, verify firewall rules allow port 53, and use tools like nslookup or dig for detailed diagnostics.
TXT records store text data for domain verification (Google Search Console, SSL certificates), email authentication (SPF, DKIM, DMARC), site ownership validation, and configuration information. They're critical for email security, preventing spoofing, and proving domain control for third-party services. Each TXT record can contain up to 255 characters per string.
DNS caching causes temporary inconsistencies. Each resolver caches records based on TTL values, so recent changes may not appear everywhere immediately. Geographic DNS (GeoDNS) also provides different answers based on query location. Additionally, some ISPs filter or redirect DNS queries, and DNS hijacking or poisoning can return incorrect results.
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, preventing cache poisoning and man-in-the-middle attacks. It verifies authenticity of DNS responses but requires proper configuration. Enable DNSSEC if your registrar and DNS provider support it, especially for high-security domains, though it adds complexity to DNS management and troubleshooting.