Free tool · Runs from your browser

DNS Record Lookup + SPF / DMARC / DKIM Checker

Enter a domain and see its full DNS - A, AAAA, MX, TXT, NS, CNAME, SOA, CAA - alongside a real email-authentication audit: SPF with a live 10-lookup count, DMARC policy strength, DKIM keys across 20 probed selectors, plus MTA-STS, TLS-RPT, and BIMI. Every check comes with a pass, warning, or fail and how to fix it.

Lookups run from your browser over DNS-over-HTTPS (Cloudflare, with Google as fallback). Only the domain you enter reaches the public resolver - never a CtrlOps server, and no email content is involved.

Enter a domain like example.com - protocol and path are ignored.
Optional
Try:

Prefer the command line? The equivalent dig commands:

All common records
$dig example.com ANY +noall +answer
Mail servers
$dig example.com MX +short
SPF (in TXT)
$dig example.com TXT +short
DMARC policy
$dig _dmarc.example.com TXT +short
DKIM key (replace selector)
$dig selector1._domainkey.example.com TXT +short

What this tool checks, and why it matters

A domain's DNS is the source of truth for where its website points and how its email is authenticated. This tool resolves the core records - A and AAAA (addresses), MX (mail servers), NS (nameservers), CNAME, SOA, CAA, and every TXT record - and then goes further than a plain lookup by parsing the three records that stop email spoofing: SPF, DMARC, and DKIM.

Misconfigured email authentication is the quiet reason legitimate mail lands in spam and the reason attackers can forge your domain. Each check here returns a clear pass, warning, or fail with the exact fix, so you are not left staring at a raw TXT string wondering whether it is correct.

SPF and the 10-lookup limit that quietly breaks email

An SPF record lists which servers may send mail for your domain. The catch most people miss is in RFC 7208: SPF is allowed a maximum of 10 DNS lookups during evaluation. Every include:, a, mx, ptr, and exists mechanism costs one lookup, and include: records nest - so a single include:_spf.google.com can pull in several more.

Go over 10 and receivers return a permerror: SPF is treated as broken and your mail can fail authentication even though the record "looks fine." This tool recursively resolves your includes and counts the real total, warns as you approach the limit, and flags the dangerous +all (which lets anyone send as you) and a missing all mechanism.

DMARC: none vs quarantine vs reject

DMARC ties SPF and DKIM together and tells receivers what to do with mail that fails both. Its policy tag p= has three values. p=none is monitor-only: it collects reports but still delivers failing mail, so it provides visibility, not protection. p=quarantine sends failing mail to spam. p=reject blocks it outright and is the strongest setting.

A domain sitting on p=none for months is a common finding - it feels safe but stops nothing. The checker reports your policy, whether pct= is throttling enforcement below 100%, and whether an rua= reporting address is set so you can actually see who is sending as you before you tighten the policy.

DKIM and why selectors matter

DKIM signs each message with a private key; the matching public key is published in DNS at <selector>._domainkey.<domain>. The selector is chosen by your mail provider, so there is no single place to look - Google Workspace uses google, Microsoft 365 uses selector1 and selector2, Mailchimp uses k1, and so on.

This tool probes about 20 of the most common selectors in parallel and also takes a selector you supply. If you know yours, find it in any email you sent: open the raw headers and read DKIM-Signature: ... s=<selector>. An empty p= in a DKIM record means the key has been revoked, which the tool flags.

MTA-STS, TLS-RPT, and BIMI: the modern deliverability layer

Beyond the big three, three newer records improve security and inbox presence. MTA-STS forces senders to use TLS when delivering to you, closing a downgrade-attack gap that opportunistic TLS leaves open. TLS-RPT asks other servers to report when TLS delivery to you fails, so you find problems before users do. BIMI displays your verified logo next to authenticated mail in supporting inboxes.

These are optional, so the tool marks them as enabled or not set rather than pass or fail. One honest limit: the full MTA-STS policy file is served over HTTPS at mta-sts.<domain>/.well-known/mta-sts.txt, which a browser cannot fetch cross-origin - so the tool confirms the DNS record exists but does not read the policy body.

How this differs from dig - and where your lookup goes

On your own machine, dig example.com ANY and dig _dmarc.example.com TXT return the same raw records. The tool shows those dig equivalents with copy buttons. What it adds is the parsing and judgement: counting SPF lookups, grading the DMARC policy, resolving MX hosts, and probing DKIM selectors you would otherwise have to guess one by one.

Because browsers cannot make raw DNS queries, the lookups run over DNS-over-HTTPS to Cloudflare (with Google as a fallback). Only the domain name you type is sent to that public resolver - never to a CtrlOps server, and no email content is ever involved. You can confirm this in your browser's network tab.

Where each email-authentication record lives

RecordDNS host / nameStarts withWhat it does
SPF@ (root TXT)v=spf1Lists the servers allowed to send mail for the domain
DMARC_dmarcv=DMARC1Tells receivers what to do when SPF and DKIM fail
DKIM<selector>._domainkeyv=DKIM1Publishes the public key that verifies the signature
MTA-STS_mta-stsv=STSv1Requires TLS for mail delivered to the domain
TLS-RPT_smtp._tlsv=TLSRPTv1Receives reports about TLS delivery failures
BIMIdefault._bimiv=BIMI1Shows your verified brand logo in the inbox
DNS & email authentication FAQ

Frequently asked questions

The most common cause is SPF exceeding the 10 DNS-lookup limit in RFC 7208, which makes receivers treat SPF as a permerror. Another is a weak DMARC policy or a missing DKIM signature. Enter your domain here: the tool counts your real SPF lookups (following nested includes), grades DMARC, and probes for DKIM keys, so you can see which of the three is failing.
Ten. Each include, a, mx, ptr, and exists mechanism, plus the redirect modifier, counts as one lookup, and includes nest so the total adds up fast. Over ten and SPF returns permerror. This checker resolves your includes recursively and reports the true count, warning you at eight so you have room to spare.
A selector is the label that points to a specific DKIM public key at <selector>._domainkey.yourdomain. Providers pick their own: Google Workspace uses "google", Microsoft 365 uses "selector1" and "selector2", Mailchimp uses "k1". To find yours, open the raw headers of an email you sent and look for DKIM-Signature with s=<selector>. This tool also auto-probes about 20 common selectors, and you can type a known one in the DKIM selector field.
No. p=none is monitor-only - it collects reports but still delivers spoofed mail, so it offers visibility, not protection. Use p=none to discover your legitimate senders via the aggregate (rua) reports, then move to p=quarantine and finally p=reject to actually block forgery. The tool flags p=none as a warning for this reason.
Both act on mail that fails SPF and DKIM. Quarantine tells the receiver to deliver it to spam or junk; reject tells the receiver to refuse it entirely so it never reaches the mailbox. Reject is the strongest policy and the recommended end state once you are confident no legitimate mail is failing.
No. The lookups run entirely from your browser using DNS-over-HTTPS to Cloudflare, with Google as a fallback. Only the domain name you enter is sent to that public resolver, never to a CtrlOps server, and no email content is involved. You can verify this in your browser network tab.
Yes. The tool probes around 20 of the most common provider selectors automatically, so for most mainstream mail providers a key is found without any input. If your provider uses a custom selector, enter it in the DKIM selector field and the tool will query it directly. No result does not prove DKIM is missing - only that none of the probed selectors matched.
A null MX (a single MX record with priority 0 and a "." host, per RFC 7505) explicitly declares that a domain does not receive email. It is the correct configuration for a domain used only for a website. The tool detects and labels it so you are not misled into thinking mail is misconfigured.
The "all" mechanism sets the default result for senders not otherwise listed. +all passes everyone, which authorizes any server on the internet to send mail as your domain - it disables SPF completely. Use -all for a hard fail (recommended) or ~all for a soft fail. The tool flags +all as a hard error.
DNSSEC cryptographically signs DNS responses so they cannot be tampered with in transit. When the resolver returns the Authenticated Data flag, meaning the answer was DNSSEC-validated, the tool shows a "DNSSEC: Validated" badge in the summary. Absence of the badge means the domain is not signed or the resolver could not validate it.
DNS points at servers

Check the records here, fix them on the box.

CtrlOps is a modern SSH workspace for the machines behind your DNS - organized hosts, secure key management, and instant terminals. Audit the domain here, then jump onto the mail or web server in one click to make the change.

Start instantly· No credit card· No sneaky autorenewals