DNS Security Auditor
Your domain's DNS records are the first line of defense against email spoofing, phishing attacks, and unauthorized certificate issuance. A single missing TXT record can let anyone send email as your company.
This tool audits the DNS records that protect your domain: SPF, DKIM, DMARC, CAA, DNSSEC, MTA-STS, and TLS-RPT. Each record serves a specific purpose, and they work together to form a complete email authentication chain.
Automated checker coming soon
We're building an automated DNS security auditor that will check all your records in one click. In the meantime, read the guide below to understand what each record does and how to verify them manually. You can also run a full security scan which already includes basic DNS checks.
DNS records that protect your email
SPF. Sender Policy Framework
SPF is a DNS TXT record published at your domain's root. It declares which IP addresses and mail servers are authorized to send email on your behalf. When a receiving server gets an email claiming to be from your-domain.com, it queries your SPF record and checks whether the sending IP is listed.
A record ending in -all means "reject everything not explicitly listed"; it is the hardfail qualifier defined in RFC 7208. Use ~all (softfail) only during initial rollout. The 10-lookup limit is real and enforced: every include:, a, mx, ptr, exists and redirect= term counts, including the ones inside records you include, while ip4: and ip6: cost nothing.
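As an added example (not code from this page or its tool), here is a small Python auditor that applies both rules offline: it walks include: and redirect= chains through a constructed, hypothetical zone table (the domains and records are made up), counts the lookup terms and reports the final all qualifier. In production you would replace the ZONE lookups with real TXT queries.

```python
"""Offline SPF audit: resolve include/redirect chains against a local zone table,
count DNS-lookup terms (RFC 7208 section 4.6.4) and check the final "all" qualifier."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed example records (not real DNS data). The CRM and mailer includes are
# nested deliberately so the total crosses the 10-lookup limit.
ZONE: Dict[str, str] = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example "
                   "include:spf.crm.example mx ~all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example include:b.mailer.example -all",
    "a.mailer.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "b.mailer.example": "v=spf1 a mx exists:%{i}.chk.mailer.example -all",
    "spf.crm.example": "v=spf1 include:n1.crm.example include:n2.crm.example "
                       "include:n3.crm.example include:n4.crm.example -all",
    "n1.crm.example": "v=spf1 ip4:192.0.2.0/26 -all",
    "n2.crm.example": "v=spf1 ip4:192.0.2.64/26 -all",
    "n3.crm.example": "v=spf1 ip4:192.0.2.128/26 -all",
    "n4.crm.example": "v=spf1 ip4:192.0.2.192/26 -all",
}

# Terms that cost a DNS query; ip4/ip6/all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"([A-Za-z0-9]+)(?:[:=](.*?))?(?:/\d{1,3})?")


@dataclass
class SpfAudit:
    lookups: int = 0
    all_qualifier: Optional[str] = None   # "+", "-", "~" or "?"; None if no "all" term
    problems: List[str] = field(default_factory=list)
    visited: Set[str] = field(default_factory=set)


def parse_terms(record: str):
    """Yield (qualifier, name, argument) for each term after the v=spf1 tag."""
    for token in record.split()[1:]:
        qualifier = "+"
        if token[0] in "+-~?":
            qualifier, token = token[0], token[1:]
        match = TERM_RE.fullmatch(token)
        if match:
            yield qualifier, match.group(1).lower(), match.group(2)


def audit_spf(domain: str, zone: Dict[str, str] = ZONE,
              audit: Optional[SpfAudit] = None, depth: int = 0) -> SpfAudit:
    """Walk the SPF record for `domain`, following include: and redirect= into `zone`."""
    if audit is None:
        audit = SpfAudit()
    if domain in audit.visited:
        audit.problems.append(f"include loop at {domain}")
        return audit
    audit.visited.add(domain)
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        audit.problems.append(f"{domain}: no SPF record (permerror)")
        return audit
    for qualifier, name, argument in parse_terms(record):
        if name in LOOKUP_TERMS:
            audit.lookups += 1
        if name in ("include", "redirect") and argument:
            audit_spf(argument, zone, audit, depth + 1)
        elif name == "all" and depth == 0:
            audit.all_qualifier = qualifier
    if depth == 0:
        if audit.lookups > 10:
            audit.problems.append(f"{audit.lookups} DNS lookups exceed the limit of 10 (permerror)")
        if audit.all_qualifier != "-":
            ending = f"{audit.all_qualifier}all" if audit.all_qualifier else "no all term"
            audit.problems.append(f"record ends with {ending}, not -all")
    return audit


if __name__ == "__main__":
    result = audit_spf("example.com")
    print(f"lookups={result.lookups} all={result.all_qualifier}")
    for problem in result.problems:
        print("  -", problem)
```

The constructed example.com record looks harmless (three terms of its own) but resolves to 12 lookups once the nested includes are followed, which is exactly how real records drift over the limit.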
DKIM. DomainKeys Identified Mail
DKIM signs every outgoing email with a private key held by your mail server. The corresponding public key lives in a DNS TXT record at selector._domainkey.your-domain.com. The receiving server fetches this key and verifies the signature against the email body and headers.
Use 2048-bit RSA keys at minimum. RFC 8301 set 1024 bits as the floor verifiers must accept and 2048 bits as the size signers should use; 1024-bit RSA is below current recommendations and within reach of a well-funded attacker. Key size is visible in the record itself: a 2048-bit public key encodes to a p= value of 392 base64 characters, a 1024-bit key to 216. If your p= value is in the low 200s, rotate to a longer key.
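An added Python example, not part of the page or its tool, that does the key-size check properly instead of eyeballing the length: it parses the DKIM record's tags, base64-decodes p= and reads the RSA modulus out of the DER SubjectPublicKeyInfo. The two records it audits are constructed with synthetic moduli (not real keys) so the example runs offline; the DER framing and resulting lengths match what real 2048-bit and 1024-bit keys produce.

```python
"""Check a DKIM TXT record offline: parse its tags, decode p= and read the RSA
modulus size out of the DER SubjectPublicKeyInfo (RFC 6376 section 3.6.1)."""
import base64
from typing import Dict


# --- minimal DER helpers (enough for SPKI/RSAPublicKey; not a general ASN.1 library) ---
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value: int) -> bytes:
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:          # keep the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length


def rsa_spki(modulus: int, exponent: int = 65537) -> bytes:
    """Encode an RSA public key as SubjectPublicKeyInfo, the form DKIM publishes in p=."""
    rsa_public_key = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    algorithm = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d010101")) + _tlv(0x05, b""))
    return _tlv(0x30, algorithm + _tlv(0x03, b"\x00" + rsa_public_key))


def rsa_modulus_bits(spki: bytes) -> int:
    """Walk SPKI -> BIT STRING -> RSAPublicKey -> INTEGER n and return its bit length."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)                 # AlgorithmIdentifier, not needed here
    tag, bit_string, _ = _read_tlv(body, pos)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    _, rsa_public_key, _ = _read_tlv(bit_string[1:], 0)   # byte 0 is the unused-bits count
    tag, modulus, _ = _read_tlv(rsa_public_key, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER modulus")
    return int.from_bytes(modulus, "big").bit_length()


def parse_dkim(txt: str) -> Dict[str, str]:
    """Split 'k=v; k=v' into a dict; whitespace inside long p= values is tolerated."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def audit_dkim(txt: str) -> Dict[str, object]:
    tags = parse_dkim(txt)
    problems, bits = [], None
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append(f"unexpected version {tags['v']}")
    key_type = tags.get("k", "rsa")
    if "p" not in tags:
        problems.append("missing p= tag")
    elif tags["p"] == "":
        problems.append("empty p=: key is revoked")
    elif key_type == "rsa":
        bits = rsa_modulus_bits(base64.b64decode(tags["p"]))
        if bits < 2048:
            problems.append(f"{bits}-bit RSA key: rotate to 2048 bits or more")
    # Other key types (e.g. k=ed25519) are fixed-size; no length check is done here.
    return {"key_type": key_type, "bits": bits, "problems": problems}


# Constructed records. The moduli are synthetic (not real keys); only the DER
# framing and sizes are representative of what a real p= value decodes to.
RECORD_2048 = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 2047) | 1)).decode()
RECORD_1024 = "v=DKIM1; k=rsa; p=" + base64.b64encode(rsa_spki((1 << 1023) | 1)).decode()
RECORD_REVOKED = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for name, record in [("2048", RECORD_2048), ("1024", RECORD_1024), ("revoked", RECORD_REVOKED)]:
        print(name, len(parse_dkim(record)["p"]), "chars ->", audit_dkim(record))
```

Reading the modulus out of the DER is more reliable than counting characters: a record split across several TXT strings, or one with stray whitespace in p=, changes the visible length but not the decoded key.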
DMARC. Domain-based Message Authentication
DMARC is published as a TXT record at _dmarc.your-domain.com. It tells receiving servers what to do when an email fails both SPF and DKIM alignment: do nothing (p=none), quarantine it (p=quarantine), or reject it outright (p=reject).
The rua tag is critical. It tells receivers where to send aggregate reports about authentication results (ruf does the same for per-message failure reports, which few receivers send). Without it, you're flying blind. Alignment defaults to relaxed (adkim=r, aspf=r), meaning the organizational domains must match; adkim=s and aspf=s enforce strict alignment per the DMARC specification (RFC 7489), meaning the domain in the From header must exactly match the DKIM d= domain or the SPF envelope domain.
MTA-STS & TLS-RPT. Transport encryption
MTA-STS tells sending mail servers that support it to deliver to your domain only over TLS, with a certificate that validates for your MX hosts. SMTP's STARTTLS is opportunistic, so without MTA-STS a man-in-the-middle attacker can strip the STARTTLS offer from the SMTP connection and read emails in plaintext. It works by publishing a TXT record at _mta-sts.your-domain.com and hosting a policy file at https://mta-sts.your-domain.com/.well-known/mta-sts.txt, served over HTTPS with a valid certificate.
TLS-RPT is the companion reporting mechanism. Published at _smtp._tls.your-domain.com, it tells senders where to report TLS failures so you can detect certificate issues, downgrade attacks, or misconfigured servers before they cause delivery problems.
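The policy file and the two TXT records are small enough to parse by hand. The Python below is an added example (not the page's own code) that parses constructed sample records, validates the fields RFC 8461 requires and applies the one subtle rule, that a *. pattern matches a single label; sender_decision is a simplified model of what a policy-aware sender does with one MX candidate, not a full MTA-STS client (no fetching, caching or policy id comparison).

```python
"""Parse an MTA-STS policy (RFC 8461) plus the _mta-sts and _smtp._tls TXT records,
validate required fields and check MX hostnames against the policy's mx patterns."""
from typing import Dict, List

# Constructed example data (not fetched from a real domain).
STS_TXT = "v=STSv1; id=20240115T120000"
TLSRPT_TXT = "v=TLSRPTv1; rua=mailto:tls-reports@example.com"
POLICY_FILE = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup-mx.example
max_age: 604800
"""


def parse_tag_record(txt: str) -> Dict[str, str]:
    """'k=v; k=v' records such as the _mta-sts and _smtp._tls TXT records."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def parse_policy(text: str) -> Dict[str, object]:
    """Parse the key: value policy file; mx may repeat, everything else appears once."""
    policy: Dict[str, object] = {"mx": []}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError(f"unknown mode {policy.get('mode')!r}")
    if not policy["mx"] and policy["mode"] != "none":
        raise ValueError("at least one mx line is required")
    try:
        policy["max_age"] = int(policy["max_age"])
    except (KeyError, ValueError):
        raise ValueError("max_age must be an integer number of seconds")
    return policy


def mx_matches(hostname: str, patterns: List[str]) -> bool:
    """RFC 8461 section 4.1: '*.' matches exactly one leading label, nothing deeper."""
    host = hostname.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]                       # e.g. ".backup-mx.example"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def sender_decision(policy: Dict[str, object], mx_host: str, tls_ok: bool) -> str:
    """Simplified: what a policy-aware sender does with one MX candidate.
    tls_ok means STARTTLS succeeded with a certificate valid for mx_host."""
    if policy["mode"] == "none":
        return "deliver"
    if mx_matches(mx_host, policy["mx"]) and tls_ok:
        return "deliver"
    return "refuse" if policy["mode"] == "enforce" else "deliver-and-report"


if __name__ == "__main__":
    policy = parse_policy(POLICY_FILE)
    print(parse_tag_record(STS_TXT), parse_tag_record(TLSRPT_TXT))
    for mx in ("mail.example.com", "host.backup-mx.example", "attacker.example"):
        print(mx, "->", sender_decision(policy, mx, tls_ok=True))
```

The attacker.example case is the downgrade scenario: even if a man-in-the-middle rewrites the MX answer and offers TLS, the host does not match the policy, so an enforcing sender refuses to deliver rather than falling back to plaintext.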
DNS records that protect your domain
CAA. Certificate Authority Authorization
A CAA record restricts which certificate authorities can issue SSL/TLS certificates for your domain. There are hundreds of public CAs, and any of them can issue a certificate for any domain unless a CAA record says otherwise. This isn't theoretical. Compromised CAs have issued fraudulent certificates for major domains in the past (DigiNotar in 2011, Symantec in 2015-2017). The CAA specification (RFC 8659) standardizes this control.
The iodef tag is optional but valuable. It tells CAs where to report policy violations. Pair CAA records with SSL/TLS certificate monitoring to catch unauthorized issuance early.
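An added Python example (not the page's code) that applies the RFC 8659 issuance rules to a constructed zone: it finds the relevant RRset by climbing toward the root, honours the critical flag on unknown tags, lets issuewild take precedence for wildcard requests and ignores the parameters after ; in a value. The zone contents and the account URI are made up.

```python
"""Decide whether a CA may issue for a name, following RFC 8659: find the relevant
CAA RRset (the name or its closest ancestor that has one), then apply the
issue / issuewild / critical-flag rules."""
from typing import Dict, List, NamedTuple, Optional


class Caa(NamedTuple):
    flags: int
    tag: str
    value: str


# Constructed zone data (not real DNS). Values use the presentation format dig prints.
ZONE: Dict[str, List[str]] = {
    "example.com": [
        '0 issue "letsencrypt.org"',
        '0 issue "digicert.com; accounturi=https://acme.digicert.example/acct/42"',
        '0 issuewild ";"',
        '0 iodef "mailto:security@example.com"',
    ],
    "legacy.example.com": ['128 futuretag "required"'],   # critical flag on an unknown tag
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def parse_caa(text: str) -> Caa:
    flags, tag, value = text.split(" ", 2)
    return Caa(int(flags), tag.lower(), value.strip('"'))


def relevant_rrset(name: str, zone: Dict[str, List[str]]) -> Optional[List[Caa]]:
    """Climb from name toward the root; the closest name with CAA records wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return [parse_caa(r) for r in zone[candidate]]
    return None


def issuer_domain(value: str) -> str:
    """'letsencrypt.org; accounturi=...' -> 'letsencrypt.org'; ';' alone -> ''."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name: str, ca: str, zone: Dict[str, List[str]],
                     wildcard: bool = False) -> bool:
    rrset = relevant_rrset(name, zone)
    if rrset is None:                 # no CAA anywhere above: issuance is unrestricted
        return True
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False                  # critical property this CA does not understand
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"             # issuewild takes precedence only when present
    controlling = [r for r in rrset if r.tag == tag]
    if not controlling:
        return True                   # e.g. only iodef records: nothing restricts
    return any(issuer_domain(r.value) == ca.lower() for r in controlling)


if __name__ == "__main__":
    for name, ca, wild in [("www.example.com", "letsencrypt.org", False),
                           ("www.example.com", "sectigo.com", False),
                           ("example.com", "letsencrypt.org", True),
                           ("legacy.example.com", "letsencrypt.org", False)]:
        print(f"{name:22} {ca:16} wildcard={wild!s:5} -> {issuance_allowed(name, ca, ZONE, wild)}")
```

Two things this makes visible: a record set containing only iodef restricts nothing, and issuewild ";" blocks wildcard issuance by every CA even though issue permits two of them for ordinary names.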
DNSSEC. DNS Security Extensions
Standard DNS has no authentication: when your browser asks "what's the IP for example.com?", any server along the path could return a forged answer. DNSSEC (RFC 4033 through 4035) addresses this by adding cryptographic signatures (RRSIG records) to DNS responses, creating a chain of trust from the root zone down to your domain, anchored by a DS record that your registrar publishes in the parent zone.
With DNSSEC, a validating resolver rejects DNS cache poisoning, the attack where an adversary injects false DNS responses into a resolver's cache. It protects only users behind validating resolvers, but the large public resolvers all validate. The setup has two halves: your DNS provider signs the zone, and your registrar publishes the DS record in the parent zone. Cloudflare handles both with one toggle when it is also your registrar; AWS Route 53 signs the zone but you must copy the DS record to your registrar yourself; some older hosting providers don't support signing at all. Check with your DNS provider first.
SPF, DKIM, DMARC: how email authentication works
These three protocols form a chain. SPF verifies the sending server. DKIM verifies the message hasn't been altered. DMARC enforces policy when either fails. Here's the step-by-step flow:
Sender dispatches email
Your mail server (or a service like SendGrid, Postmark, or Google Workspace) sends an email. The DKIM module signs the message headers and body with your private key.
Receiver checks SPF
The receiving mail server extracts the envelope sender domain and queries the SPF TXT record. If the sending IP is listed, SPF passes. If not, SPF fails.
Receiver checks DKIM
The receiver extracts the DKIM-Signature header, fetches the public key from DNS, and verifies the cryptographic signature. If the message was modified in transit, DKIM fails.
Receiver evaluates DMARC
The receiver fetches the _dmarc TXT record and checks whether SPF or DKIM passed with proper alignment (the domains match the From header). Based on the DMARC policy, the message is delivered, quarantined, or rejected.
Aggregate reports sent
At regular intervals (usually daily), the receiving server sends DMARC aggregate reports to the address specified in the rua tag. These XML reports show pass/fail rates, source IPs, and alignment results.
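The flow above, and the alignment rules from the DMARC section, as one added Python example (not the page's own code). It takes the SPF and DKIM results a receiver has already computed, tests alignment in relaxed or strict mode and returns the disposition; the record and the four messages are constructed, and org_domain is a deliberate simplification that uses the last two labels instead of the Public Suffix List.

```python
"""Evaluate DMARC (RFC 7489) for a message the way a receiver does: parse the _dmarc
record, test identifier alignment of the SPF and DKIM results against the From
domain, and derive the disposition from p= / sp=."""
from typing import Dict, NamedTuple, Optional

# Constructed example record (not a real _dmarc.example.com).
DMARC_RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com; adkim=r; aspf=r"


class AuthResults(NamedTuple):
    from_domain: str             # RFC5322.From domain (what the user sees)
    spf_result: str              # "pass", "fail", "softfail", "none", ...
    spf_domain: str              # RFC5321.MailFrom (envelope) domain SPF was checked against
    dkim_result: str             # "pass", "fail" or "none"
    dkim_domain: Optional[str]   # d= of the DKIM-Signature, if any


def parse_dmarc(txt: str) -> Dict[str, str]:
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    return tags


def org_domain(domain: str) -> str:
    """Simplification (assumption): the last two labels. Real receivers use the Public
    Suffix List, so a name like example.co.uk would be mishandled here."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Strict ('s'): exact match. Relaxed ('r', the default): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record: str, msg: AuthResults):
    """Return (dmarc_result, disposition) for one message."""
    policy = parse_dmarc(record)
    spf_aligned = msg.spf_result == "pass" and aligned(
        msg.from_domain, msg.spf_domain, policy.get("aspf", "r"))
    dkim_aligned = msg.dkim_result == "pass" and aligned(
        msg.from_domain, msg.dkim_domain, policy.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    # From a subdomain of the organizational domain: sp= applies when present, else p=.
    if org_domain(msg.from_domain) != msg.from_domain.lower() and "sp" in policy:
        return "fail", policy["sp"]
    return "fail", policy["p"]


# Constructed messages covering the steps above.
LEGIT_VIA_ESP = AuthResults("example.com", "pass", "bounce.esp.example", "pass", "example.com")
SPOOF = AuthResults("example.com", "pass", "attacker.example", "none", None)
SUBDOMAIN_SPF = AuthResults("example.com", "pass", "mail.example.com", "none", None)
NEWSLETTER = AuthResults("news.example.com", "fail", "news.example.com", "none", None)

if __name__ == "__main__":
    for label, msg in [("legit via ESP", LEGIT_VIA_ESP), ("spoof", SPOOF),
                       ("subdomain SPF", SUBDOMAIN_SPF), ("newsletter", NEWSLETTER)]:
        print(f"{label:14} -> {evaluate(DMARC_RECORD, msg)}")
```

The spoof case is the one DMARC exists for: SPF genuinely passes, but for attacker.example, so it is not aligned with the visible From domain and the message is rejected. The "legit via ESP" case shows why a third-party sender only needs one of the two to align; here DKIM signed with d=example.com carries it.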
How to check your DNS records manually
You don't need a special tool to inspect DNS records. The commands below work on any system with terminal access.
Check SPF record
Query the TXT records of the bare domain (dig TXT your-domain.com) and look for a record starting with v=spf1. There must be exactly one; publishing two SPF records is a permerror.
Check DMARC record
Query dig TXT _dmarc.your-domain.com. It should return something like v=DMARC1; p=reject; rua=mailto:....
Check DKIM record
Query dig TXT google._domainkey.your-domain.com, replacing google with your DKIM selector. Common selectors: google, s1, selector1, k1. The selector in use is the s= value in the DKIM-Signature header of any message you send.
Check CAA and DNSSEC
Query dig CAA your-domain.com for the CAA set and dig +dnssec your-domain.com for DNSSEC. If the DNSSEC query returns RRSIG records alongside the answer, the zone is signed; no RRSIG means unsigned responses. To confirm the chain of trust is complete, also check that dig DS your-domain.com returns a DS record from the parent zone and that the answer from a validating resolver carries the ad flag.
Common DNS security mistakes
Missing DMARC record entirely
Over 70% of domains lack a DMARC record. Without one, email receivers have no policy to enforce, and attackers can spoof your domain with zero resistance. Even p=none with reporting is better than nothing.
SPF record exceeds 10 DNS lookups
Adding every SaaS tool's include: directive to your SPF record eventually breaks the 10-lookup limit. The result is a permerror, which most receivers treat as an SPF fail and which counts as "not pass" for DMARC, sending your legitimate email to spam.
Using ~all instead of -all in SPF
The ~all (softfail) qualifier tells receivers that unauthorized senders are probably not legitimate but leaves the disposition to them; most treat it as a weak spam signal rather than rejecting. For DMARC the distinction matters less, since both softfail and fail count as "not pass", but -all (hardfail) is still the correct end state. Switch to it once you've confirmed all legitimate senders are listed.
No CAA record set
Without a CAA record, any certificate authority in the world can issue a certificate for your domain. It takes one DNS record to restrict issuance to only the CAs you actually use, typically Let's Encrypt, DigiCert, or Sectigo.
DKIM key still using 1024-bit RSA
A 1024-bit RSA key is within reach of a well-resourced attacker, and Google, Microsoft, and other major providers have moved to 2048-bit keys. Check your DKIM record: a 2048-bit key produces a p= value of 392 base64 characters, a 1024-bit key 216, so a p= value of around 216 characters means you're still on 1024-bit.
Jumping straight to DMARC p=reject
Deploying a reject policy without first monitoring with p=none breaks email from forgotten third-party senders: marketing platforms, CRMs, transactional email services. Always start with p=none and rua reporting.
Frequently asked questions
What is SPF and why does my domain need it?
SPF (Sender Policy Framework) is a DNS TXT record that lists the IP addresses and mail servers authorized to send email on behalf of your domain. Without SPF, any server on the internet can forge emails using your domain name. Most email providers (Gmail, Outlook, Yahoo) check SPF on every inbound message. A missing or misconfigured SPF record increases the chance your legitimate emails land in spam, and makes your domain an easy target for phishing campaigns.
What is DKIM and how does it prevent email tampering?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every outgoing email. The sending server signs the message body and selected headers using a private key, and the receiving server verifies the signature against a public key published in your DNS. If someone modifies the email in transit (changing a link, altering the body, injecting malware) the DKIM signature fails verification and the message gets flagged or rejected.
What does a DMARC policy actually do?
DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together with an enforcement policy. It tells receiving mail servers what to do when a message fails both SPF and DKIM checks: none (monitor only), quarantine (send to spam), or reject (block entirely). DMARC also requires identifier alignment. The domain in the From header must match the domain used by SPF or DKIM. Without DMARC, attackers can pass SPF checks using their own domain while spoofing yours in the visible From field.
How do I check my DNS security records manually?
Use dig on Linux/macOS or nslookup on Windows. For SPF: dig TXT example.com and look for a record starting with v=spf1. For DMARC: dig TXT _dmarc.example.com. For DKIM: dig TXT selector._domainkey.example.com (replace 'selector' with your actual DKIM selector, which you can find in your email provider's settings). For CAA: dig CAA example.com. For DNSSEC: dig +dnssec example.com and look for RRSIG records in the response.
What is a CAA record and should I set one up?
A CAA (Certificate Authority Authorization) record specifies which certificate authorities are allowed to issue SSL/TLS certificates for your domain. Without a CAA record, any of the hundreds of public CAs can issue a certificate for your domain. This is a real risk. A compromised or negligent CA could issue a fraudulent certificate that enables man-in-the-middle attacks. Setting a CAA record takes two minutes and closes off issuance by every CA you have not named; publicly trusted CAs have been required to check CAA before issuing since 2017.
What is DNSSEC and is it worth enabling?
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS responses, so validating resolvers can detect and discard forged records. Without DNSSEC, an attacker performing a DNS cache poisoning attack could redirect your users to a malicious server without anyone noticing. Enabling DNSSEC depends on your registrar and DNS provider. Cloudflare, AWS Route 53, and Google Cloud DNS can all sign your zone; the remaining step is publishing the DS record at your registrar, which some registrars automate and others require you to paste in manually.
What are MTA-STS and TLS-RPT?
MTA-STS (Mail Transfer Agent Strict Transport Security) forces other mail servers to use TLS encryption when delivering email to your domain. Without it, a network attacker can downgrade the connection to plaintext and read emails in transit. TLS-RPT (TLS Reporting) is a companion record that tells other mail servers where to send reports about TLS connection failures, so you can detect and troubleshoot delivery problems caused by certificate issues or downgrade attacks.
My SPF record has too many DNS lookups. What do I do?
The SPF specification (RFC 7208) limits you to 10 DNS lookups per SPF evaluation. Every 'include', 'a', 'mx', 'ptr', 'exists' and 'redirect' term counts as a lookup, and so do the terms inside any record you include. Exceeding 10 causes a permerror, which most receivers treat as a fail. To fix this: flatten your SPF record by replacing include mechanisms with the actual IP ranges, remove unused includes for services you no longer use, drop 'ptr' entirely (it is deprecated), or use an SPF flattening service that automatically resolves and updates the IP list.
What DMARC policy should I start with?
Start with p=none and add a rua tag pointing to an email address or DMARC report aggregator (like Postmark, Valimail, or dmarcian). This monitors authentication results without affecting delivery. After 2-4 weeks of reviewing reports and fixing SPF/DKIM alignment issues, move to p=quarantine. Once you are confident all legitimate mail passes, set p=reject. Skipping straight to reject without monitoring will break email delivery from services you forgot to configure.
How does DNS security relate to overall website security?
DNS is the foundation of every internet connection. Compromised DNS records let attackers redirect traffic, intercept emails, and issue fraudulent certificates. A full security posture requires DNS records (SPF, DKIM, DMARC, CAA, DNSSEC), HTTP security headers (CSP, HSTS, X-Frame-Options), valid SSL/TLS certificates, and secure cookie flags. These layers work together. HSTS prevents SSL stripping, CAA prevents rogue certificates, and DMARC prevents email spoofing.
Related security tools
HTTP Security Header Checker
Check CSP, HSTS, X-Frame-Options, and 10+ other security headers.
SSL/TLS Certificate Checker
Verify certificate validity, expiry date, protocol version, and cipher strength.
Cookie Security Analyzer
Inspect Secure, HttpOnly, and SameSite flags on every cookie.
CSP Generator
Build a Content-Security-Policy header from a visual editor.
Want a complete security audit?
DNS records are one piece of the puzzle. Run a full scan to check 150+ security vectors including HTTP headers, SSL/TLS certificates, open ports, OWASP Top 10, CVE lookups, and more.
Run Free Full Scan