DNS Security Checker
About the DNS Security Checker
DNS Security Checker inspects the email-authentication and zone-integrity records that protect a domain from spoofing, phishing, and tampering. It evaluates four key mechanisms: SPF (Sender Policy Framework), which lists the servers authorized to send mail for your domain; DKIM (DomainKeys Identified Mail), which uses cryptographic signatures to prove a message was not altered in transit; DMARC (Domain-based Message Authentication, Reporting and Conformance), which tells receivers how to handle messages that fail SPF or DKIM; and DNSSEC, which signs DNS records so resolvers can detect forged answers.
For SPF the tool reads the TXT record and checks its syntax, mechanism count, and policy qualifier so you know whether unauthorized senders are soft-failed or hard-failed. For DKIM it looks up the public key at the relevant selector to confirm a valid key is published. For DMARC it parses the policy (none, quarantine, or reject) along with reporting addresses, helping you understand how aggressively receivers will act on failures. For DNSSEC it confirms whether the zone is signed and whether a chain of trust exists, which guards against cache poisoning and man-in-the-middle redirection.
Common use cases include hardening a domain before a sending reputation problem arises, diagnosing why legitimate mail lands in spam, preparing for bulk-sender requirements imposed by major mailbox providers, and auditing a newly acquired domain. Security and IT teams also use it to verify that SPF, DKIM, and DMARC are aligned and mutually reinforcing rather than configured in isolation.
A practical recommendation is to deploy DMARC in monitoring mode (p=none) first, review the aggregate reports, then tighten to quarantine and finally reject once you are confident all legitimate sources are covered by SPF and DKIM. Keep your SPF record within the ten-DNS-lookup limit to avoid permerror failures, and consider enabling DNSSEC at your registrar for resolver-level integrity. For the raw record values behind these checks, a standard DNS Lookup can confirm exactly what is published.
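One way to check an SPF record against the ten-lookup limit, as an added example rather than the tool's own code: it follows include and redirect targets and counts every term that triggers a DNS query. The `ZONE` data, the `.test` domain names and the function names are constructed for illustration, and the count is a static worst case, since a real evaluation stops at the first matching mechanism.

```python
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms that query DNS
LIMIT = 10  # SPF lookup limit discussed above

# Constructed sample TXT records standing in for live DNS answers.
ZONE = {
    "example.test": "v=spf1 a mx include:_spf.mailer.test include:_spf.crm.test include:_spf.desk.test ~all",
    "_spf.mailer.test": "v=spf1 include:a.mailer.test include:b.mailer.test -all",
    "a.mailer.test": "v=spf1 ip4:192.0.2.0/24 -all",
    "b.mailer.test": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf.crm.test": "v=spf1 mx exists:%{i}.rbl.crm.test include:c.crm.test -all",
    "c.crm.test": "v=spf1 ip6:2001:db8::/32 -all",
    "_spf.desk.test": "v=spf1 a:out.desk.test redirect=d.desk.test",
    "d.desk.test": "v=spf1 ip4:203.0.113.0/24 -all",
}

def parse(record):
    """Split an SPF record into (qualifier, name, target) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for raw in parts[1:]:
        qual = raw[0] if raw[0] in "+-~?" else "+"  # default qualifier is pass
        body = raw[1:] if raw[0] in "+-~?" else raw
        sep = "=" if body.lower().startswith("redirect=") else ":"
        name, _, target = body.partition(sep)
        terms.append((qual, name.split("/")[0].lower(), target))  # "a/24" -> "a"
    return terms

def count_lookups(domain, zone, seen=()):
    """Count DNS-querying terms, descending into include and redirect targets."""
    if domain in seen:
        raise ValueError(f"include loop at {domain}")
    total = 0
    for _, name, target in parse(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, seen + (domain,))
    return total

def audit(domain, zone):
    """Report the lookup count, the top-level 'all' qualifier and limit status."""
    terms = parse(zone[domain])
    policy = next((q for q, n, _ in terms if n == "all"), None)
    lookups = count_lookups(domain, zone)
    return {"lookups": lookups, "all": policy, "permerror": lookups > LIMIT}
```

For the constructed zone, `audit("example.test", ZONE)` reports 12 lookups with a `~all` (softfail) policy, so the record would exceed the limit even though its top level lists only five querying terms.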
Frequently asked questions
- What is the difference between SPF, DKIM, and DMARC?
  SPF authorizes which servers may send mail for your domain, DKIM cryptographically signs messages to prove they were not altered, and DMARC tells receivers what to do when SPF or DKIM checks fail and where to send reports.
- What DMARC policy should I start with?
  Begin with p=none to monitor without affecting delivery, review the aggregate reports to confirm all legitimate senders pass, then progress to quarantine and finally reject once alignment is verified.
- Why does my SPF record fail with a permerror?
  SPF allows a maximum of ten DNS lookups during evaluation. Chaining too many include mechanisms exceeds that limit and causes a permanent error, so consolidate or flatten includes to stay within it.
- What does DNSSEC protect against?
  DNSSEC signs DNS records so resolvers can verify their authenticity, defending against cache poisoning and forged answers that would otherwise redirect users to malicious servers.
- Do I need all four mechanisms enabled?
  SPF, DKIM, and DMARC together are essential for modern email deliverability and anti-spoofing. DNSSEC is a separate, recommended layer that protects DNS resolution integrity rather than email specifically.