About the DNS Lookup
The DNS Lookup queries every relevant record for a domain in one pass: A, AAAA, CNAME, MX, NS, SOA, TXT (SPF/DKIM/DMARC), and CAA. Results are grouped into four tabs (Address, Mail, Nameservers, Security/TXT) and annotated in plain English so non-specialists can spot what each record does. An email deliverability health check flags missing SPF, DKIM, or DMARC — the three records that overwhelmingly determine whether your mail lands in the inbox or the spam folder.
It is built for developers debugging a domain that just stopped serving traffic, sysadmins migrating MX records to a new mail provider, SEO consultants verifying a client’s nameservers point where they should, security auditors confirming CAA records lock down certificate issuance, and marketers diagnosing why their email keeps landing in spam.
The lookup runs through a server-side PHP endpoint that queries public DNS resolvers; only the domain name you submit is sent. No personal data, cookies, or browser fingerprint is logged with the query, and results are not cached against your IP. The domain you look up is information you would publish anyway — DNS is public by design.
DNS results are resolver-dependent and TTL-bound: if you just changed a record, expect 1–48 hours for global resolvers to update depending on the previous TTL. The tool reports what its resolver sees right now, which may lag what your ISP’s resolver returns. For DNSSEC-signed or split-horizon domains (different answers for internal vs. external clients), use authoritative `dig` from a controlled network for ground truth. The email-health check is a syntactic read of SPF/DKIM/DMARC records; it does not validate DKIM signatures against actual sent mail.
How to Use the DNS Lookup Tool
Type or paste any domain name into the input field above and click Lookup. The tool automatically strips protocols, “www” prefixes, and trailing slashes, so pasting a full URL from your browser bar works just fine. Within a few seconds you will see every DNS record associated with that domain, organized into four tabs: Address records (A, AAAA, CNAME), Mail records (MX), Nameservers (NS, SOA), and Security/TXT (SPF, DKIM, DMARC, CAA, and verification tokens). Each record includes a plain-English annotation explaining what it does and why it exists.
Understanding DNS Record Types
DNS is the system that translates human-readable domain names into the numeric addresses computers use to communicate. There are over a dozen record types, but the ones that matter most for web operations fall into four categories. A and AAAA records map a domain to an IPv4 or IPv6 address respectively — they are the fundamental records that make a website reachable. A CNAME record is an alias; it tells DNS to resolve another hostname instead, which is how services like CDNs and load balancers redirect traffic without requiring you to update IP addresses manually.
MX records specify which servers handle email for a domain and assign each one a priority number. Lower numbers mean higher priority, so a server with priority 10 receives mail before one with priority 20. NS records identify the authoritative nameservers for a zone, and the SOA record provides metadata about the zone itself, including the primary nameserver, the administrator contact, a serial number that increments on every update, and timing values that control how often secondary nameservers refresh their copies.
TXT Records and Email Security
TXT records are the Swiss Army knife of DNS. They carry arbitrary text data, but their most critical role today is email authentication. Three protocols work together to protect your domain from spoofing. SPF (Sender Policy Framework) publishes a list of IP addresses authorized to send mail on behalf of your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each outgoing message so the receiving server can verify it was not altered in transit. DMARC (Domain-based Message Authentication, Reporting & Conformance) ties the two together by telling receiving servers what to do when a message fails authentication — quarantine it, reject it, or let it through.
Without all three configured, your domain is vulnerable to spoofing, and legitimate email you send is far more likely to land in the recipient’s spam folder. The health check panel above flags any missing records so you can address them immediately.
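A syntactic SPF/DMARC check of the kind described above, as an added example (not the tool's own code). The function names and the sample TXT strings are constructed for illustration, and DKIM is left out because its record lives under a selector name that cannot be derived from the domain alone.

```python
# Added example: syntactic SPF/DMARC check; all records below are constructed.

def parse_tags(record):
    """Split a 'k=v; k=v' TXT string (DMARC tag syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(apex_txt):
    """apex_txt: TXT strings published at the domain itself."""
    spf = [t for t in apex_txt if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["SPF missing"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers return a permanent error"]
    terms = spf[0].lower().split()[1:]
    all_terms = [t for t in terms if t.lstrip("+-~?") == "all"]
    if not all_terms:
        if any(t.startswith("redirect=") for t in terms):
            return []  # policy is delegated to another record
        return ["SPF has no 'all' mechanism: unmatched senders get neutral"]
    if all_terms[0] in ("all", "+all"):
        return ["SPF contains +all: any host not matched earlier passes"]
    return []

def check_dmarc(dmarc_txt):
    """dmarc_txt: TXT strings published at _dmarc.<domain>."""
    recs = [r for r in map(parse_tags, dmarc_txt) if r.get("v") == "DMARC1"]
    if not recs:
        return ["DMARC missing"]
    if len(recs) > 1:
        return ["multiple DMARC records: receivers ignore them all"]
    policy = recs[0].get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["DMARC record has no valid p= tag"]
    if policy == "none":
        return ["DMARC p=none: monitoring only, failing mail is still delivered"]
    return []

# Constructed sample data for a hypothetical domain.
SAMPLE_APEX_TXT = ["site-verification=constructed-token",
                   "v=spf1 include:_spf.example.net ~all"]
SAMPLE_DMARC_TXT = ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]

def email_health(apex_txt, dmarc_txt):
    return check_spf(apex_txt) + check_dmarc(dmarc_txt)
```
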
CAA Records and Certificate Authority Authorization
CAA records let domain owners specify which certificate authorities (CAs) are permitted to issue SSL/TLS certificates for their domain. If a CA checks CAA records before issuance — and since September 2017, all public CAs are required to — an unauthorized CA will refuse the request. This prevents attackers who compromise a single CA from issuing fraudulent certificates for your domain. A typical setup includes an issue tag naming your preferred CA, an issuewild tag controlling wildcard certificates separately, and an iodef tag specifying an email or URL for violation reports.
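How the issue, issuewild and iodef tags combine when a CA evaluates a request, as an added example (not the tool's code). It follows the RFC 8659 rules for a single CAA record set, assumes the caller has already located the relevant record set for the name, and recognises only the three tags named above; the sample records are constructed.

```python
# Added example: evaluate a CAA record set (constructed sample, RFC 8659 rules).
import shlex

KNOWN_TAGS = {"issue", "issuewild", "iodef"}  # assumption: only the tags named above
CRITICAL = 128                                # issuer-critical flag bit

def parse_caa(lines):
    """Parse presentation-format CAA rdata: <flags> <tag> "<value>"."""
    records = []
    for line in lines:
        flags, tag, value = shlex.split(line)
        records.append((int(flags), tag.lower(), value))
    return records

def permitted_issuers(records, wildcard=False):
    """Return None if issuance is unrestricted, else the set of allowed CA names."""
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    # For wildcard requests, issuewild replaces issue when present;
    # for ordinary names, issuewild is ignored entirely.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return None
    # Drop parameters after ';'. A bare ";" value names no issuer at all.
    names = {v.split(";", 1)[0].strip().lower() for v in relevant}
    names.discard("")
    return names

def ca_may_issue(records, ca_domain, wildcard=False):
    # An unrecognised tag with the critical bit set forbids issuance outright.
    if any(f & CRITICAL and t not in KNOWN_TAGS for f, t, _ in records):
        return False
    allowed = permitted_issuers(records, wildcard)
    return allowed is None or ca_domain.lower() in allowed

# Constructed record set: one CA for ordinary names, no wildcards, a report address.
SAMPLE_CAA = parse_caa([
    '0 issue "letsencrypt.org"',
    '0 issuewild ";"',
    '0 iodef "mailto:security@example.com"',
])
```
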
TTL: What the Numbers Mean
Every DNS record has a TTL (Time to Live) expressed in seconds. This tells resolvers how long they may cache the record before asking the authoritative nameserver for a fresh copy. A TTL of 3600 means one hour; 86400 means one day. High TTLs reduce DNS query volume and improve performance, but they also mean that when you change a record, it can take up to that long for the change to propagate worldwide. Before making DNS changes — such as migrating hosting providers — it is common practice to lower your TTL to 300 seconds (five minutes) a day or two in advance, make the change, then raise it again once the new configuration is confirmed.
CNAME at Root: A Common Pitfall
The DNS specification (RFC 1034) forbids CNAME records at the zone apex — the bare domain like example.com without any prefix. A CNAME at the root conflicts with the mandatory SOA and NS records that must also exist at that level. Some DNS providers work around this limitation with proprietary record types such as ALIAS, ANAME, or “CNAME flattening,” which resolve the alias server-side before returning an A record to the querier. If this tool detects a CNAME record at the zone apex, the health check will flag it as a potential configuration issue worth investigating.
Nameserver Consistency
Reliable DNS depends on your nameservers agreeing with each other. When all NS records point to servers operated by the same provider, zone updates propagate predictably. Split-provider setups — where some NS records point to one provider and others to a different one — are technically valid but require careful synchronization to avoid serving stale or conflicting data. The health panel flags inconsistent nameserver providers so you can verify the configuration is intentional.
Frequently Asked Questions
What is the difference between an A record and a CNAME?
An A record maps a domain directly to an IPv4 address, while a CNAME aliases one domain to another hostname. Per RFC 1034, a CNAME cannot coexist with other records at the same label, which is why apex domains generally use A or ALIAS records instead of CNAME.
Why is my DMARC record missing and does it matter?
DMARC (RFC 7489) tells receiving mail servers how to handle messages that fail SPF or DKIM. Without a DMARC record, attackers can more easily spoof your domain, and major providers including Gmail and Yahoo now require DMARC for bulk senders. Adding at minimum `v=DMARC1; p=none` is a strong starting point.
How long does a DNS change take to propagate?
Propagation is bounded by the TTL on the existing record. If the TTL is 3600 seconds, resolvers worldwide should pick up changes within an hour. Some ISPs and browsers cache beyond the TTL, so full propagation can take up to 24 to 48 hours.
What is a CAA record and should I have one?
A Certification Authority Authorization record (RFC 8659) lists which certificate authorities are permitted to issue certificates for your domain. It protects against unauthorized issuance. Most major CAs, including Let's Encrypt and DigiCert, enforce CAA during validation.
Can I have multiple MX records?
Yes. MX records include a priority value, and mail servers try the lowest priority first. Defining multiple MX records with different priorities provides failover, which is common for Google Workspace and Microsoft 365 configurations.