
Free DNS Security Checker

Check a domain's DNS security in one scan. We test SPF, DMARC, DKIM, CAA, and DNSSEC and tell you what is missing.

Free and instant. No account or signup needed.

What this DNS security checker tests

Your DNS records do more than point a name at a server. A handful of them decide whether someone can send mail in your name, request a certificate for your domain, or quietly redirect your visitors. This checker reads five of those records live and tells you which ones protect you and which ones leave a gap.

Three of the records secure email. SPF lists the servers allowed to send mail for your domain, so a receiver can reject mail from anywhere else. DKIM adds a cryptographic signature to each message that proves it really came from you and was not changed on the way. DMARC ties the two together and tells inbox providers what to do when a message fails, for example quarantine it or reject it outright. With all three in place and DMARC set to quarantine or reject, an attacker who tries to spoof your domain finds their phishing mail bounced or sent to spam.

The other two records protect the domain itself. CAA names the certificate authorities that are permitted to issue certificates for you, which stops a different CA from being tricked into issuing a certificate an attacker could use to impersonate your site. DNSSEC signs your DNS records so a resolver can detect a forged answer, the kind of tampering behind cache poisoning that sends visitors to a server an attacker controls.

How to add the records you are missing

Each record is a line you publish at your DNS host. Add a TXT record for SPF that lists your sending services, turn on DKIM signing in your mail provider and publish the public key it gives you, then add a DMARC TXT record starting at a policy of none to monitor before you move to quarantine or reject. Add a CAA record naming the CA you actually use, and enable DNSSEC from your registrar or DNS provider with one setting in most panels. For the full walkthrough, format examples, and the order to roll these out safely, read the DNS security guide.
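Before publishing, it helps to check how strong each record actually is. The sketch below is an added example, not SiteSecurityScore's code: it grades SPF, DMARC, and CAA record text you paste in. The function names and every record string are constructed for illustration; DKIM and DNSSEC are left out because they need a selector or a live query.

```python
# Added example: all record strings are constructed samples for example.com.
SAMPLE_SPF = ["v=spf1 include:_spf.mailer.example.net ~all"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]
SAMPLE_CAA = ['0 issue "ca.example.net"']

def audit_spf(txt_records):
    """Classify SPF posture from the TXT records at the domain apex."""
    spf = [r.split() for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid"  # more than one SPF record is a permanent error (RFC 7208)
    terms = [t.lower() for t in spf[0][1:]]
    if "-all" in terms:
        return "hard fail"
    if "~all" in terms:
        return "soft fail"
    if any(t.startswith("redirect=") for t in terms):
        return "redirect"  # verdict comes from the target domain's record
    return "open"  # +all, ?all or no "all" term: nothing gets rejected

def audit_dmarc(txt_records):
    """Classify DMARC posture from the TXT records at _dmarc.<domain>."""
    found = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not found:
        return "missing"
    if len(found) > 1:
        return "invalid"  # receivers skip DMARC when several records exist (RFC 7489)
    tags = {}
    for part in found[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("p") == "none":
        return "monitor only"
    return "enforcing" if tags.get("p") in ("quarantine", "reject") else "invalid"

def audit_caa(caa_records, expected_ca):
    """Check that the CA you actually use is named in an 'issue' property."""
    allowed = set()
    for record in caa_records:
        _flags, tag, value = record.split(None, 2)
        if tag.lower() == "issue":
            # Value is '<CA domain>[; parameters]'; a bare ";" authorizes no CA.
            allowed.add(value.strip('"').split(";")[0].strip().lower())
    if not allowed:
        return "unrestricted"  # no "issue" property: any CA may issue
    return "ok" if expected_ca.lower() in allowed else "mismatch"

print(audit_spf(SAMPLE_SPF), audit_dmarc(SAMPLE_DMARC), audit_caa(SAMPLE_CAA, "ca.example.net"))
```

A result of "monitor only" or "soft fail" is the expected starting point during rollout; "invalid" or "mismatch" should be fixed before the record goes live.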

Frequently asked questions

What is a DNS security checker?

A DNS security checker reads the records that protect a domain from spoofing and tampering, then tells you which ones are present and which are missing. SiteSecurityScore checks SPF, DMARC, DKIM, CAA, and DNSSEC live by scanning the domain you enter.

Which DNS records matter most for security?

SPF, DKIM, and DMARC protect email from being spoofed in your name. CAA controls which certificate authorities are allowed to issue certificates for your domain. DNSSEC adds cryptographic signatures so resolvers can detect forged DNS answers. A strong domain publishes all five.

Why is a missing DMARC policy a problem?

Without DMARC, or with a policy of none, anyone can send mail that appears to come from your domain and receivers have no instruction to reject it. That makes phishing and impersonation far easier. A policy of quarantine or reject tells inbox providers what to do with mail that fails authentication.

What does DNSSEC protect against?

DNSSEC signs your DNS records so a resolver can verify the answer it received was not altered in transit. Without it, an attacker who can tamper with DNS responses, for example through cache poisoning, can send your visitors to a server they control. DNSSEC makes that forgery detectable.

Does this checker scan a live domain?

Yes. Enter a domain and SiteSecurityScore queries its live DNS records, reads the SPF, DMARC, DKIM, CAA, and DNSSEC configuration, and reports what it found in seconds. No account or signup is required.

Check every layer in one scan

This checker covers one piece. Run a full SiteSecurityScore scan of your security headers, CSP, TLS, DNS, and cookies, with a letter grade and copy-and-paste fixes. No account required.
