Enter any domain name below to see its complete DNS configuration — every record type, mail server, nameserver, and security policy, all explained in plain English.
Pro tip: Missing a DMARC record is the single most common reason email from your domain lands in spam. Scroll to the health check after your lookup to see if yours is configured.
How to Use the DNS Lookup Tool
Type or paste any domain name into the input field above and click Lookup. The tool automatically strips protocols, “www” prefixes, and trailing slashes, so pasting a full URL from your browser bar works just fine. Within a few seconds you will see every DNS record associated with that domain, organized into four tabs: Address records (A, AAAA, CNAME), Mail records (MX), Nameservers (NS, SOA), and Security/TXT (SPF, DKIM, DMARC, CAA, and verification tokens). Each record includes a plain-English annotation explaining what it does and why it exists.
Understanding DNS Record Types
DNS is the system that translates human-readable domain names into the numeric addresses computers use to communicate. There are over a dozen record types, but the ones that matter most for web operations fall into four categories. A and AAAA records map a domain to an IPv4 or IPv6 address respectively — they are the fundamental records that make a website reachable. A CNAME record is an alias; it tells DNS to resolve another hostname instead, which is how services like CDNs and load balancers redirect traffic without requiring you to update IP addresses manually.
MX records specify which servers handle email for a domain and assign each one a priority number. Lower numbers mean higher priority, so a server with priority 10 receives mail before one with priority 20. NS records identify the authoritative nameservers for a zone, and the SOA record provides metadata about the zone itself, including the primary nameserver, the administrator contact, a serial number that increments on every update, and timing values that control how often secondary nameservers refresh their copies.
TXT Records and Email Security
TXT records are the Swiss Army knife of DNS. They carry arbitrary text data, but their most critical role today is email authentication. Three protocols work together to protect your domain from spoofing. SPF (Sender Policy Framework) publishes a list of IP addresses authorized to send mail on behalf of your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to each outgoing message so the receiving server can verify it was not altered in transit. DMARC (Domain-based Message Authentication, Reporting & Conformance) ties the two together by telling receiving servers what to do when a message fails authentication — quarantine it, reject it, or let it through.
Without all three configured, your domain is vulnerable to spoofing, and legitimate email you send is far more likely to land in the recipient’s spam folder. The health check panel above flags any missing records so you can address them immediately.
CAA Records and Certificate Authority Authorization
CAA records let domain owners specify which certificate authorities (CAs) are permitted to issue SSL/TLS certificates for their domain. If a CA checks CAA records before issuance — and since September 2017, all public CAs are required to — an unauthorized CA will refuse the request. This prevents attackers who compromise a single CA from issuing fraudulent certificates for your domain. A typical setup includes an issue tag naming your preferred CA, an issuewild tag controlling wildcard certificates separately, and an iodef tag specifying an email or URL for violation reports.
TTL: What the Numbers Mean
Every DNS record has a TTL (Time to Live) expressed in seconds. This tells resolvers how long they may cache the record before asking the authoritative nameserver for a fresh copy. A TTL of 3600 means one hour; 86400 means one day. High TTLs reduce DNS query volume and improve performance, but they also mean that when you change a record, it can take up to that long for the change to propagate worldwide. Before making DNS changes — such as migrating hosting providers — it is common practice to lower your TTL to 300 seconds (five minutes) a day or two in advance, make the change, then raise it again once the new configuration is confirmed.
CNAME at Root: A Common Pitfall
The DNS specification (RFC 1034) forbids CNAME records at the zone apex — the bare domain like example.com without any prefix. A CNAME at the root conflicts with the mandatory SOA and NS records that must also exist at that level. Some DNS providers work around this limitation with proprietary record types such as ALIAS, ANAME, or “CNAME flattening,” which resolve the alias server-side before returning an A record to the querier. If this tool detects a CNAME record at the zone apex, the health check will flag it as a potential configuration issue worth investigating.
Nameserver Consistency
Reliable DNS depends on your nameservers agreeing with each other. When all NS records point to servers operated by the same provider, zone updates propagate predictably. Split-provider setups — where some NS records point to one provider and others to a different one — are technically valid but require careful synchronization to avoid serving stale or conflicting data. The health panel flags inconsistent nameserver providers so you can verify the configuration is intentional.
Need to check your network configuration? Try the Subnet Calculator for IP and CIDR calculations. Browse all Dev & Tech tools for more utilities that simplify network and development tasks.