Full DNS health audit for your domain. Checks SPF, DMARC, DKIM email authentication records, DNSSEC signing, CAA certificate authority restriction records, and nameserver configuration.
This tool checks one area. The full scan covers SSL, open ports, HTTP headers, breach exposure, subdomain enumeration, compliance mapping, and more — free, no login required.
DNS is the phone book of the internet. Every time a user types your domain into a browser, a DNS query translates that human-readable name into the IP address of your server. Because DNS underpins virtually all internet communication, it is a high-value target for attackers. DNS security encompasses the protocols, records, and configurations that protect your domain from tampering, spoofing, and misconfiguration.
Key DNS security protocols include DNSSEC for cryptographic validation of DNS responses, SPF and DMARC for email authentication, DKIM for message signing, and CAA records for restricting which certificate authorities can issue certificates for your domain. A single misconfigured record can expose your organization to phishing, man-in-the-middle attacks, or email spoofing — often without any visible indication that something is wrong.
Understanding which DNS record types carry security implications is the first step toward a hardened configuration. The table below summarizes the records most relevant to domain security.
| Record Type | Purpose | Security Implications |
|---|---|---|
| A / AAAA | Maps domain to IPv4/IPv6 address | Vulnerable to cache poisoning without DNSSEC; stale records can point to attacker-controlled servers |
| MX | Directs email to mail servers | Incorrect MX records cause email loss; missing records leave domains open to spoofing |
| TXT | Stores SPF, DMARC, DKIM, and verification data | Misconfigured TXT records undermine email authentication and domain verification |
| CNAME | Aliases one domain to another | Dangling CNAMEs enable subdomain takeover attacks when the target resource is deprovisioned |
| CAA | Restricts certificate issuance | Without CAA records, any certificate authority can issue certificates for your domain |
| NS | Delegates DNS authority | Compromised or misconfigured nameservers give attackers full control over your DNS zone |
DNSSEC adds a layer of cryptographic trust to the Domain Name System. Without DNSSEC, DNS responses are unsigned and can be forged by an attacker sitting between the user and the DNS resolver — a technique known as DNS cache poisoning or DNS spoofing. Once a cache is poisoned, all users relying on that resolver are silently redirected to an attacker-controlled server.
DNSSEC works by establishing a chain of trust that extends from the DNS root zone down to your individual domain records. Each level in the DNS hierarchy signs its records with a private key and publishes the corresponding public key in a DNSKEY record. The parent zone then stores a DS (Delegation Signer) record that links to the child zone's key. Resolvers walk this chain from root to leaf, verifying each signature. If any link in the chain is missing or invalid, the response is rejected.
Enabling DNSSEC prevents cache poisoning, protects against on-path attacks, and provides authentication of DNS data. Most modern registrars and DNS providers support DNSSEC activation through their dashboards. The primary barrier is awareness — many domain owners simply do not know they need it.
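One link of that chain can be checked without a resolver: the DS record a parent publishes is a hash of the child's DNSKEY, so the two can be compared offline. The Python below is an added example (not the scan tool's own code) that derives the DS for a constructed KSK and verifies that a given DS points at that key; the owner name, flags and key bytes are placeholders, and the `ds_matches` logic follows RFC 4034 (key tag) and the DS digest definition.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    wire = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").lower().split(".") if l)
    return wire + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags (257 = KSK), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA); type 2 = SHA-256, 4 = SHA-384."""
    h = {2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    return h(name_to_wire(owner) + rdata).hexdigest().upper()

def build_ds(owner, flags, protocol, algorithm, pubkey, digest_type=2) -> str:
    """Presentation form of the DS record the parent zone must publish for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return f"{key_tag(rdata)} {algorithm} {digest_type} {ds_digest(owner, rdata, digest_type)}"

def ds_matches(owner, flags, protocol, algorithm, pubkey, ds_record: str) -> bool:
    """Does the DS published at the parent actually point at this child DNSKEY?

    A mismatch (after a key rollover, a typo at the registrar, or a stale DS) breaks the
    chain of trust, and validating resolvers then return SERVFAIL for the whole zone."""
    tag, alg, dtype, digest = ds_record.split()
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return (int(tag) == key_tag(rdata) and int(alg) == algorithm
            and ds_digest(owner, rdata, int(dtype)) == digest.upper())

# Constructed sample KSK (not a real key): 8 placeholder bytes stand in for an ECDSA P-256 key.
SAMPLE_OWNER, SAMPLE_FLAGS, SAMPLE_ALG = "example.test", 257, 13
SAMPLE_PUBKEY = bytes(range(1, 9))

if __name__ == "__main__":
    ds = build_ds(SAMPLE_OWNER, SAMPLE_FLAGS, 3, SAMPLE_ALG, SAMPLE_PUBKEY)
    print("DS for parent:", ds)
    print("parent DS matches child DNSKEY:", ds_matches(SAMPLE_OWNER, SAMPLE_FLAGS, 3, SAMPLE_ALG, SAMPLE_PUBKEY, ds))
```

To audit a live delegation, feed `ds_matches` the DNSKEY from your zone and the DS returned by the parent; any `False` is the broken link a validating resolver would reject.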
Even well-managed domains frequently exhibit DNS security gaps. The most common issues include:
The majority of domains on the internet still lack DNSSEC. Without it, DNS responses can be forged and users can be redirected without detection. Enabling DNSSEC is one of the highest-impact improvements you can make to your DNS security posture.
Without CAA records, any certificate authority can issue an SSL/TLS certificate for your domain. This means an attacker who compromises a less-secure CA could obtain a valid certificate for your domain and use it for man-in-the-middle attacks.
When a CNAME record points to an external resource (such as a cloud service, CDN, or SaaS platform) that has been deprovisioned, an attacker can claim that resource and take over your subdomain. This is known as a subdomain takeover and is one of the most exploited DNS vulnerabilities.
DNS zone transfers (AXFR) allow replication of an entire DNS zone between nameservers. If zone transfers are not restricted to authorized servers, attackers can enumerate all subdomains and records in your zone, revealing internal infrastructure and potential attack targets.
Without SPF records and DMARC policies, attackers can send emails that appear to come from your domain. This is the mechanism behind most business email compromise attacks. A properly configured SPF record combined with a DMARC policy set to reject is the most effective defense against email spoofing.
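The "configuration strength" judgement above comes down to a handful of rules applied to the TXT strings. The Python below is an added example, not the scan tool's code, that grades SPF and DMARC records the way an auditor would (missing record, `+all`/`?all`, lookup limit, `p=none`, `pct`) and orders the findings by severity; the sample records are constructed for a fictitious domain and nothing is looked up over the network.

```python
import re

SEVERITY = ("critical", "high", "medium", "low")   # report ordering

def check_spf(txt):
    """Grade a domain's SPF (RFC 7208) TXT strings; returns [(severity, message)]."""
    spf = [r.lower() for r in txt if r.lower().startswith("v=spf1")]
    if not spf:
        return [("high", "no SPF record: any host can send mail as this domain")]
    out = [("high", "multiple SPF records: receivers return permerror")] if len(spf) > 1 else []
    terms = spf[0].split()[1:]
    alls = [t for t in terms if t.lstrip("+-~?") == "all"]  # the first 'all' ends evaluation
    tail = alls[0] if alls else ""
    if tail in ("all", "+all"):
        out.append(("critical", "SPF ends in +all: every sender passes"))
    elif tail == "?all":
        out.append(("medium", "SPF ends in ?all: a neutral result gives no protection"))
    elif not alls and not any(t.startswith("redirect=") for t in terms):
        out.append(("medium", "SPF has no 'all' mechanism: unlisted senders get neutral"))
    # Mechanisms that cost a DNS lookup; more than 10 makes receivers return permerror.
    lookups = sum(bool(re.match(r"[+\-~?]?(include:|a($|[:/])|mx($|[:/])|ptr|exists:|redirect=)", t))
                  for t in terms)
    if lookups > 10:
        out.append(("high", f"SPF needs {lookups} DNS lookups, limit is 10: permerror"))
    return out

def check_dmarc(txt):
    """Grade the _dmarc.<domain> TXT record (RFC 7489)."""
    rec = [r for r in txt if r.lower().startswith("v=dmarc1")]
    if not rec:
        return [("high", "no DMARC record: spoofed mail is neither rejected nor reported")]
    tags = {k.strip().lower(): v.strip() for k, v in
            (kv.split("=", 1) for kv in rec[0].split(";") if "=" in kv)}
    out, p = [], tags.get("p", "").lower()
    if p == "none":
        out.append(("medium", "p=none: monitoring only, spoofed mail is still delivered"))
    elif p == "quarantine":
        out.append(("low", "p=quarantine: move to p=reject once aggregate reports are clean"))
    elif p != "reject":
        out.append(("high", f"invalid or missing policy {p!r}: receivers ignore the record"))
    if int(tags.get("pct", "100")) < 100:
        out.append(("medium", f"pct={tags['pct']}: policy applied to only part of the mail"))
    return out

# Constructed sample records for a fictitious domain (nothing is looked up; offline demo).
SAMPLE_TXT = ["v=spf1 include:_spf.example.test mx ?all"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"]

def audit(txt=SAMPLE_TXT, dmarc=SAMPLE_DMARC):
    return sorted(check_spf(txt) + check_dmarc(dmarc), key=lambda f: SEVERITY.index(f[0]))
```

The sample zone yields two medium findings (`?all` and `p=none`); replacing them with `-all` and `p=reject` is the change the paragraph above recommends.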
When you enter a domain, our DNS Security Check performs a comprehensive audit by querying authoritative nameservers for all security-relevant record types. The tool validates DNSSEC chain of trust from root to your domain, checks for SPF, DMARC, and DKIM records and evaluates their configuration strength, looks up CAA records and verifies they restrict certificate issuance appropriately, enumerates MX records and validates mail server configuration, and identifies dangling CNAME records that could enable subdomain takeover.
Each finding is categorized by severity — critical, high, medium, or low — with specific remediation steps. For a complete security assessment that includes SSL/TLS, HTTP headers, and more, use our full domain security scan.
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that responses have not been tampered with in transit. Without DNSSEC, attackers can poison DNS caches and redirect your users to malicious servers. Most registrars and DNS providers now support DNSSEC with one-click activation. If your domain handles sensitive data, processes payments, or serves a significant user base, enabling DNSSEC is strongly recommended.
CAA (Certificate Authority Authorization) records specify which certificate authorities are permitted to issue SSL/TLS certificates for your domain. Without CAA records, any CA can issue a certificate for your domain, increasing the risk of unauthorized certificate issuance. Adding CAA records is a simple but effective way to reduce your attack surface. For example, if you only use Let's Encrypt, your CAA record would restrict issuance to letsencrypt.org.
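Whether a given CA is actually blocked depends on more than the record existing: the relevant RRset is the closest ancestor that has CAA records, `issuewild` overrides `issue` for wildcard names, a value of `";"` forbids everyone, and an unknown property with the critical flag set forbids issuance outright. The Python below is an added example (not the scan tool's code) that applies those RFC 8659 rules to a constructed sample zone for a fictitious domain, so you can ask "would CA X be allowed to issue for this name?" before relying on the record.

```python
CRITICAL = 128   # flag bit: an unrecognised critical property must block issuance

def parse_caa(record: str):
    """'<flags> <tag> "<value>"' -> (flags, tag, issuer domain, parameters)."""
    flags, tag, value = record.split(None, 2)
    domain, _, params = value.strip('"').partition(";")
    return int(flags), tag.lower(), domain.strip().lower(), params.strip()

def relevant_rrset(zone: dict, fqdn: str):
    """RFC 8659 s3: the CAA RRset of the name itself or of its closest ancestor that has one."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if zone.get(name):
            return name, [parse_caa(r) for r in zone[name]]
    return None, []

def may_issue(zone: dict, fqdn: str, ca_domain: str, wildcard: bool = False) -> bool:
    """Would a CA identifying itself as ca_domain be allowed to issue for fqdn (or *.fqdn)?"""
    _, rrset = relevant_rrset(zone, fqdn)
    if not rrset:
        return True                          # no CAA anywhere up the tree: unrestricted
    if any(f & CRITICAL and t not in ("issue", "issuewild", "iodef") for f, t, _, _ in rrset):
        return False                         # unknown critical property: must not issue
    tag = "issue"
    if wildcard and any(t == "issuewild" for _, t, _, _ in rrset):
        tag = "issuewild"                    # issuewild takes precedence for wildcard names
    allowed = [d for _, t, d, _ in rrset if t == tag]
    if not allowed:
        return True                          # property absent: this RRset does not restrict
    return ca_domain.lower() in allowed      # "" (from a value of ";") matches no CA

# Constructed sample zone (fictitious domain): name -> CAA records in presentation form.
SAMPLE_ZONE = {
    "example.test": ['0 issue "letsencrypt.org"', '0 issuewild ";"',
                     '0 iodef "mailto:security@example.test"'],
    "dev.example.test": ['0 issue "digicert.com"'],
}

if __name__ == "__main__":
    for name, ca, wild in [("www.example.test", "letsencrypt.org", False),
                           ("www.example.test", "digicert.com", False),
                           ("example.test", "letsencrypt.org", True),
                           ("api.dev.example.test", "digicert.com", False)]:
        print(f"{ca:16} {'*.' if wild else ''}{name}: {may_issue(SAMPLE_ZONE, name, ca, wild)}")
```

Note the `dev.example.test` subtree: its own `issue` record replaces the parent's entirely, so a subdomain delegated to another team can silently widen (or narrow) what the apex record appears to enforce.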
A comprehensive DNS security check should verify several layers: DNSSEC signing and chain of trust validation, SPF records for email sender authorization, DMARC policies for email authentication enforcement, DKIM key publication, CAA records for certificate issuance control, proper nameserver configuration, and the absence of dangling CNAME records. Use the free DNS Security Check tool above to audit all of these in one scan.
Yes, DNS misconfigurations are one of the most common causes of email delivery failures. Missing or incorrect MX records prevent email from reaching your servers entirely. Invalid SPF records cause receiving servers to reject legitimate email. A missing or weak DMARC policy allows attackers to spoof your domain, which can lead to your legitimate emails being treated as suspicious. Proper DNS configuration is the foundation of reliable email delivery.