Features

72 checks. 8 categories. One verdict.

DNSSnuff doesn't just check your DNS — it reads it, interprets it, and tells you in plain English what needs fixing and why. Here's exactly what we check.

1. Parent Zone — 6 checks
Delegation from the TLD registry

Confirms your domain is properly delegated from the parent zone. Checks NS delegation, glue records, parent–child NS consistency, reachability, lame delegation, and DS record presence. A broken parent zone delegation means resolvers can't even find your nameservers — everything else fails silently.

2. Nameservers — 13 checks
Redundancy, consistency, and correct configuration

Verifies nameserver count, hostname resolution, IPv4/IPv6 support, authoritative responses, answer consistency, UDP/TCP reachability, open resolver detection, recursive query rejection, EDNS support, zone transfer restriction, response time, and subnet diversity. Inconsistent nameservers cause intermittent failures that are almost impossible to diagnose without systematic checking.

3. Start of Authority — 9 checks
Zone health and timing parameters

Validates SOA record presence, primary nameserver match, hostmaster email format, serial number format (YYYYMMDDNN recommended), refresh interval, retry interval, expire value, negative TTL, and SOA consistency across nameservers. A badly configured SOA means DNS changes propagate slowly or inconsistently.

4. Mail Servers — 10 checks
MX records and SMTP configuration

Checks MX record presence and syntax, hostname resolution, priority ordering, whether MX points to a bare IP or CNAME (both invalid), null MX configuration, SMTP connectivity on port 25, SMTP banner validity, open relay detection, and PTR/reverse DNS match. A single misconfiguration here means email to your domain bounces — silently, from the sender's perspective.

5. Email Authentication — 14 checks ⭐ Most critical
SPF, DKIM, DMARC, and BIMI

SPF (5 checks): Record presence, syntax validation, policy strength (~all vs -all), DNS lookup count (10-lookup limit), and duplicate SPF record detection.

DKIM (3 checks): Record discovery at common selectors, key validity, and key length (1024-bit minimum, 2048-bit recommended).

DMARC (5 checks): Record presence, policy strength (none/quarantine/reject), reporting address configuration, alignment mode, and subdomain policy.

BIMI (1 check): Brand Indicators for Message Identification record presence — enables logo display in supporting email clients.

Without proper email authentication, your domain is vulnerable to spoofing. This is where most deliverability problems live.
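
The five SPF checks listed above, sketched as an added example (not DNSSnuff's own code): a small linter run over constructed TXT records held in a dict instead of live DNS. The `ZONE` data, the function names and the finding labels are assumptions made for illustration.

```python
import re
# Constructed TXT answers standing in for live DNS (all *.test names are made up).
ZONE = {
    "good.test": ["v=spf1 mx include:_spf.mail.test -all"],
    "_spf.mail.test": ["v=spf1 ip4:192.0.2.0/24 a ~all"],
    "dup.test": ["v=spf1 -all", "v=spf1 mx ~all"],
    "soft.test": ["v=spf1 a mx ~all", "site-verification=abc"],
    "deep.test": ["v=spf1 " + " ".join(f"include:n{i}.deep.test" for i in range(11)) + " -all"],
    **{f"n{i}.deep.test": [f"v=spf1 ip4:198.51.100.{i} -all"] for i in range(11)},
}
# Terms that cost a DNS query and count toward the limit of 10 (RFC 7208, 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^([+\-~?]?)(all|include|a|mx|ptr|ip4|ip6|exists)([:/].*)?$"
                  r"|^([a-z][\w.-]*)=(.+)$", re.I)

def spf_records(domain):
    """Return only the TXT strings that are SPF records."""
    return [t for t in ZONE.get(domain, []) if t.lower().split(" ")[0] == "v=spf1"]

def count_lookups(domain, seen=()):
    """Count DNS-querying terms, following include/redirect; never re-enter a domain on the path."""
    recs = spf_records(domain)
    if domain in seen or len(recs) != 1:
        return 0
    total = 0
    for m in filter(None, map(TERM.match, recs[0].split()[1:])):
        name = (m.group(2) or m.group(4)).lower()
        total += name in LOOKUP_TERMS
        if name == "include" and m.group(3):
            total += count_lookups(m.group(3)[1:], seen + (domain,))
        elif name == "redirect":
            total += count_lookups(m.group(5), seen + (domain,))
    return total

def lint_spf(domain):
    """Apply the five SPF checks; an empty list means nothing was flagged."""
    recs = spf_records(domain)
    if len(recs) != 1:
        return ["missing" if not recs else "duplicate"]
    terms = recs[0].split()[1:]
    findings = ["syntax:" + t for t in terms if not TERM.match(t)]
    alls = [t.lower() for t in terms if t.lower().lstrip("+-~?") == "all"]
    if alls and not alls[0].startswith("-"):
        findings.append("weak-policy:" + alls[0])   # ~all, ?all, +all or bare all
    elif not alls and not any(t.lower().startswith("redirect=") for t in terms):
        findings.append("no-all")
    if count_lookups(domain) > 10:
        findings.append("too-many-lookups")
    return findings
```

The `deep.test` record is syntactically valid and ends in `-all`, yet it is flagged because its eleven `include` terms exceed the lookup limit, which receivers treat as a permanent error.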

6. Web Presence — 9 checks
HTTP/HTTPS, SSL, redirects, and security headers

Checks HTTP and HTTPS reachability, HTTP→HTTPS redirect, www→root redirect, SSL certificate validity, SSL expiry, certificate chain completeness, HSTS header presence, and redirect chain depth. Catches the issues that affect SEO, security, and browser trust warnings — often invisible until something breaks badly.

7. DNSSEC — 5 checks
Full chain-of-trust verification

Checks whether DNSSEC is enabled, the DS record in the parent zone, DNSKEY record validity, RRSIG presence and validity period, and the full chain of trust from root to zone. DNSSEC failures cause complete DNS resolution failure on validating resolvers, which is often harder to diagnose than a simple outage.

8. Blacklists — 6 checks
50+ real-time block list lookups

Cross-references your domain and mail server IPs against 50+ RBL databases: domain RBL listing, MX IP listing, sending IP listing, URI RBL check, SURBL listing, and SpamCop. A single blacklist listing can cause 20–40% of your outbound email to go to spam with no bounce message. You won't know it's happening unless you check.

How results are presented

Health Score & Letter Grade

Every report produces a score (0–100) and letter grade (A+ through F). Critical checks carry more weight than best-practice improvements. One number tells you where you stand.

“Fix This First” Priority Stack

Failed checks ranked by severity. Critical issues — like a spoofable DMARC policy or an active blacklist listing — appear at the top. No time wasted reading low-priority notices when something is actually broken.

Plain-English Verdicts

Every failed check includes a specific explanation of what's wrong and what to fix — not just a status code. No RFC memorisation required.

Shareable Report URLs

Every report has a permanent URL you can share with a colleague, client, or developer. No DNSSnuff login required to view a shared report.

See what 72 checks find on your domain.

Free forever. No sign-up. Results in under 5 seconds.
