72 checks. 8 categories. One verdict.

Confirms your domain is properly delegated from the parent zone. Checks NS delegation, glue records, parent–child NS consistency, reachability, lame delegation, and DS record presence. A broken parent zone delegation means resolvers can't even find your nameservers — everything else fails silently.

Verifies nameserver count, hostname resolution, IPv4/IPv6 support, authoritative responses, answer consistency, UDP/TCP reachability, open resolver detection, recursive query rejection, EDNS support, zone transfer restriction, response time, and subnet diversity. Inconsistent nameservers cause intermittent failures that are almost impossible to diagnose without systematic checking.

Validates SOA record presence, primary nameserver match, hostmaster email format, serial number format (YYYYMMDDNN recommended), refresh interval, retry interval, expire value, negative TTL, and SOA consistency across nameservers. A badly configured SOA means DNS changes propagate slowly or inconsistently.

Checks MX record presence and syntax, hostname resolution, priority ordering, whether MX points to a bare IP or CNAME (both invalid), null MX configuration, SMTP connectivity on port 25, SMTP banner validity, open relay detection, and PTR/reverse DNS match. A single misconfiguration here means email to your domain bounces — silently, from the sender's perspective.

SPF (5 checks): Record presence, syntax validation, policy strength (~all vs -all), DNS lookup count (10-lookup limit), and duplicate SPF record detection.

DKIM (3 checks): Record discovery at common selectors, key validity, and key length (1024-bit minimum, 2048 recommended).

DMARC (5 checks): Record presence, policy strength (none/quarantine/reject), reporting address configuration, alignment mode, and subdomain policy.

BIMI (1 check): Brand Indicators for Message Identification record presence — enables logo display in supporting email clients.

Without proper email authentication, your domain is vulnerable to spoofing. This is where most deliverability problems live.

HTTP and HTTPS reachability, HTTP→HTTPS redirect, www→root redirect, SSL certificate validity, SSL expiry, certificate chain completeness, HSTS header presence, and redirect chain depth. Catches the issues that affect SEO, security, and browser trust warnings — often invisible until something breaks badly.

Checks whether DNSSEC is enabled, DS record in parent zone, DNSKEY record validity, RRSIG presence and validity period, and full chain-of-trust verification from root to zone. DNSSEC failures cause complete DNS resolution failure for security-conscious resolvers — often harder to diagnose than a simple outage.

Cross-references your domain and mail server IPs against 50+ RBL databases: domain RBL listing, MX IP listing, sending IP listing, URI RBL check, SURBL listing, and SpamCop. A single blacklist listing can cause 20–40% of your outbound email to go to spam with no bounce message. You won't know it's happening unless you check.