Free Tool
DNS Security Checker
Review DNS security records that affect certificate issuance, email spoofing resistance, and domain trust.
Sign in with Google or GitHub to run the scan. Start with a free scan.
What this tool checks
This page uses ZeriFlow's deterministic website security engine and focuses the guidance on the configuration area above. For the full report, run a complete free security scan.
Key Checks
DNSSEC
Checks whether DNSSEC appears enabled to help protect DNS responses from tampering.
CAA Records
Reviews certificate authority authorization records that control who can issue certificates.
Email Authentication
Looks for SPF and DMARC records that help reduce email spoofing and abuse.
MX Configuration
Reviews mail exchanger presence and related DNS signals for operational clarity.
Recommended Baseline
CAA
Add CAA records for the certificate authorities your team actually uses.
SPF
Publish a focused SPF record with only authorized email senders.
DMARC
Move from monitoring to enforcement after reviewing reports.
DNSSEC
Enable DNSSEC when your registrar and DNS provider support it reliably.
FAQ
What DNS security records should a domain have?
Common DNS security records include CAA for certificate authority control, SPF and DMARC for email authentication, and DNSSEC when supported by your registrar and DNS provider.
What is a CAA record?
A CAA record tells certificate authorities which providers are allowed to issue TLS certificates for your domain.
Does DNSSEC stop phishing?
DNSSEC protects DNS integrity, but it does not stop all phishing. Email authentication records like SPF, DKIM, and DMARC help reduce domain spoofing.
Is DNS security only for large companies?
No. Small teams can benefit from basic DNS hardening because DNS and email misconfigurations are common and often easy to fix.
Need the full security picture?
ZeriFlow combines deterministic website checks across headers, TLS, DNS, cookies, and email security with monitoring, reporting, and AI-powered developer workflows where implemented.