Analysis Free · no signup

DNS Record Checker

Check all DNS record types: A, AAAA, MX, TXT, NS, SOA, SRV, CAA, CNAME, and email security (SPF/DMARC).

Enter a domain and the DNS Record Checker queries every standard record type at once — A, AAAA, MX, TXT, NS, SOA, SRV, CAA, and CNAME — then pulls the SPF and DMARC records that govern your email security. You see the full authoritative picture of how a domain resolves and routes mail in a single lookup, without running nine separate dig commands. Ideal for verifying a new DNS setup, debugging why mail bounces, or confirming a migration before you cut over.

Updated Krawly Editorial TeamIn-house engineers, writers & reviewers

Explore More Free Tools

Discover 150+ free tools for web scraping, SEO analysis, OSINT, and more. 30 free uses every day — no signup required.

150+ Free Tools No Signup Required JSON / CSV / Excel 30 Uses / Day
Quick answer

Enter a domain and the DNS Record Checker queries every standard record type at once — A, AAAA, MX, TXT, NS, SOA, SRV, CAA, and CNAME — then pulls the SPF and DMARC records that govern your email security. You see the full authoritative picture of how a domain resolves and routes mail in a single lookup, without running nine separate dig commands. Ideal for verifying a new DNS setup, debugging why mail bounces, or confirming a migration before you cut over.

What is DNS Record Checker?

The DNS Record Checker queries all standard DNS record types for a domain in one pass: A and AAAA (IPv4/IPv6 addresses), MX (mail routing), TXT (including SPF and domain verification strings), NS (nameservers), SOA (zone authority), SRV, CAA, and CNAME. It also inspects the _dmarc subdomain for your DMARC policy, giving you both the resolution layer and the email-authentication layer at a glance. It's built for anyone who needs to see exactly what a public resolver returns for a domain right now.

How to use DNS Record Checker

  1. 1

    Enter the domain

    Type the bare domain (example.com) — not a full URL. The tool queries it directly against public DNS, so you get the authoritative answer a real resolver would see, not a cached browser result.

  2. 2

    Read the address records

    Check the A/AAAA records to confirm the domain points at the right server IP. If you just moved hosts, this is where you verify the new IP has taken effect. A missing AAAA record simply means the host has no IPv6 — not an error.

  3. 3

    Verify mail and security records

    The MX records show which servers accept mail for the domain, ordered by priority (lowest number wins). The TXT/SPF and DMARC sections reveal whether your domain is protected against spoofing.

  4. 4

    Cross-check the SOA and NS

    The SOA serial number tells you which version of the zone you're seeing; the NS records confirm which nameservers are authoritative. If these don't match your registrar's expected nameservers, your DNS delegation is misconfigured.

Try it when you need to…

  • Try it when your emails are landing in spam and you suspect a missing or broken SPF/DMARC record
  • Try it when a domain verification (Google Search Console, Microsoft 365, SSL) fails and you need to confirm the TXT record is live
  • Try it right after a hosting migration to confirm the A record points to the new server before you decommission the old one

Use cases

  • DNS debugging — confirm a domain resolves to the IP you expect after a config change
  • Email deliverability — verify MX, SPF, and DMARC are all present before mail starts bouncing
  • Domain/host migration — check the new zone is live and serving the right records before cutover
  • Third-party verification — confirm the TXT record Google, Microsoft, or a SaaS asked you to add is actually published
  • Security audit — spot a missing CAA record that would let any CA issue certificates for your domain

Key features

Queries 9 record types plus SPF and DMARC in a single lookup
Reads the _dmarc subdomain to surface your anti-spoofing policy
Parses SOA fields (serial, refresh, retry, expire, minimum TTL)
Shows MX priority ordering so you can see the preferred mail server
Flags CAA records that restrict which certificate authorities can issue certs

Tips & best practices

DNS changes are not instant. Even after you update a record, resolvers keep the old value until its TTL expires — a record with a 24-hour TTL can take up to a day to fully propagate worldwide. Lower the TTL a day before a planned migration.

SPF must be a single TXT record starting with 'v=spf1'. If you see two SPF records, mail servers treat that as a permerror and authentication fails — merge them into one.

A domain can have a CNAME, or it can have other records (A, MX, TXT) — but never both on the same name. This is the classic 'CNAME at apex' problem; use ALIAS/ANAME or a flattening service for the root domain.

An SPF record that ends in '~all' (softfail) is weaker than '-all' (hardfail). '~all' tells receivers to accept but mark suspicious mail; '-all' tells them to reject outright.

Frequently asked questions

A, AAAA, MX, TXT, NS, SOA, SRV, CAA, and CNAME — the full set of standard record types. On top of that it specifically parses SPF (from TXT) and looks up the DMARC policy on the _dmarc subdomain.

This tool queries public resolvers directly, so it reflects the authoritative answer. Your browser and OS cache DNS separately based on TTL, so they may still be serving the old value until that cache expires. Flush your local DNS cache to sync them.

An A record maps a hostname directly to an IPv4 address. A CNAME maps a hostname to another hostname (an alias), which then resolves to an IP. Use A for the root domain and CNAME for subdomains that point at a service like a CDN.

If a domain has no MX record, receiving servers fall back to the A record (implicit MX). Mail may still be delivered, but relying on that fallback is fragile — always publish an explicit MX record for any domain that receives email.

The serial is a version number for the zone; it increments every time you edit DNS. When you make a change, secondary nameservers compare serials to know they need to pull the update. If the serial hasn't changed after an edit, your provider hasn't published it yet.

It's optional but recommended. A CAA record lists which certificate authorities are allowed to issue SSL certificates for your domain. Without one, any CA can issue a cert, which is a small but real attack surface for mis-issuance.