aigw
DNS Health Report

Score any domain's DNS in 5 seconds.

60+ checks across delegation, DNSSEC, mail, TLS, security posture. Every issue has a fix.

What this report checks

Delegation and nameserver hygiene

We pull your apex NS records and probe each one directly. Is it reachable on UDP and TCP? Does it claim authority for the zone (AA bit set)? Does it support EDNS0? Does it answer within a healthy time budget? Crucially, does it refuse AXFR to the public, and does it refuse recursion? An authoritative nameserver that allows AXFR leaks your entire zone; one that allows recursion becomes a DDoS amplifier.
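The delegation checks above come down to reading a few header bits out of each server's reply. The following Python is an added example, not the report's own code: it decodes the fixed 12-byte DNS header (RFC 1035) and classifies one nameserver from three replies, the apex SOA answer (AA bit), an RD=1 query for a name outside the zone (must not be served, RA must be clear) and an AXFR attempt (must be refused). The replies are constructed 12-byte headers built by build_header; real replies carry question and answer sections after the header, which this check does not need. EDNS0 support would require parsing the additional section for an OPT record and is left out here.

```python
import struct
from dataclasses import dataclass

# RCODE values from RFC 1035 (0-5) and RFC 2136 (9)
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


@dataclass
class Header:
    ident: int
    qr: bool      # response flag
    aa: bool      # authoritative answer
    tc: bool      # truncated (UDP reply too big; retry over TCP)
    rd: bool      # recursion desired (copied from the query)
    ra: bool      # recursion available (server offers recursion)
    rcode: int
    qdcount: int
    ancount: int
    nscount: int
    arcount: int


def parse_header(msg: bytes) -> Header:
    """Decode the fixed 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return Header(
        ident=ident,
        qr=bool(flags & 0x8000), aa=bool(flags & 0x0400), tc=bool(flags & 0x0200),
        rd=bool(flags & 0x0100), ra=bool(flags & 0x0080), rcode=flags & 0x000F,
        qdcount=qd, ancount=an, nscount=ns, arcount=ar,
    )


def assess_nameserver(soa_reply: bytes, recursion_reply: bytes, axfr_reply: bytes) -> dict:
    """Classify one nameserver from three raw replies it sent (no network here).

    soa_reply:       reply to an apex SOA query        -> AA bit must be set, NOERROR
    recursion_reply: reply to an RD=1 query for a name outside the zone
                     -> must not be answered and RA must be clear
    axfr_reply:      reply to an AXFR request over TCP -> must be refused
    """
    soa = parse_header(soa_reply)
    rec = parse_header(recursion_reply)
    axfr = parse_header(axfr_reply)
    return {
        "authoritative": "ok" if soa.aa and soa.rcode == 0 else "bad",
        # Serving the out-of-zone answer, or advertising RA, means open recursion.
        "recursion": "bad" if rec.ra or (rec.rcode == 0 and rec.ancount > 0) else "ok",
        # A refused transfer carries REFUSED/NOTAUTH and no answer records.
        "axfr": "bad" if axfr.rcode == 0 and axfr.ancount > 0 else "ok",
        "rcodes": (RCODE_NAMES.get(soa.rcode, soa.rcode),
                   RCODE_NAMES.get(rec.rcode, rec.rcode),
                   RCODE_NAMES.get(axfr.rcode, axfr.rcode)),
    }


def build_header(ident: int, qr: int, aa: int, rd: int, ra: int, rcode: int,
                 an: int = 0) -> bytes:
    """Constructed sample: only the 12-byte header of a reply (real replies carry
    question/answer sections after it, which parse_header does not need)."""
    flags = (qr << 15) | (aa << 10) | (rd << 8) | (ra << 7) | rcode
    return struct.pack("!HHHHHH", ident, flags, 1, an, 0, 0)


if __name__ == "__main__":
    healthy = assess_nameserver(
        build_header(1, 1, 1, 0, 0, 0, an=1),   # SOA: AA set, one answer
        build_header(2, 1, 0, 1, 0, 5),         # out-of-zone RD=1 query: REFUSED
        build_header(3, 1, 1, 0, 0, 5),         # AXFR: REFUSED
    )
    print(healthy)
```

A server that returns REFUSED (or NOTAUTH) for both the recursive query and the transfer passes; one that returns answer records for either is flagged.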

SOA and zone hygiene

We audit refresh, retry, expire, and minimum (negative-cache TTL) against the RFC 1912 sane ranges. We check that the SOA MNAME is actually listed in your NS set (otherwise NOTIFY-driven secondaries silently miss updates) and that RNAME parses as a usable email. The serial gets a freshness check: if you use YYYYMMDDnn we decode the date, and a zone that hasn't been touched in over a year flags as potentially abandoned.
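The SOA audit described above, as an added example that is not the report's own code. The refresh and expire ranges are the RFC 1912 section 2.2 suggestions; the negative-cache TTL range is an assumed reading of RFC 2308 and the one-year staleness cutoff is the page's own threshold. RNAME decoding treats the first unescaped dot as the '@' and keeps backslash-escaped dots in the local part; the serial decoder only trusts ten-digit YYYYMMDDnn values. The SOA dictionaries at the bottom are constructed samples.

```python
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Sane ranges for the audit. Refresh and expire follow the suggestions in
# RFC 1912 section 2.2; the negative-cache TTL range (1 hour to 1 day) is an
# assumed reading of RFC 2308. Adjust to your own policy.
RANGES = {
    "refresh": (1200, 43200),       # 20 minutes to 12 hours
    "expire": (1209600, 2419200),   # 2 to 4 weeks
    "minimum": (3600, 86400),       # 1 hour to 1 day (assumed)
}
STALE_AFTER = timedelta(days=365)


def rname_to_email(rname: str) -> Optional[str]:
    """Turn an SOA RNAME into an address: the first unescaped dot becomes '@',
    and backslash-escaped dots in the local part stay literal dots."""
    rname = rname.rstrip(".")
    local, domain, seen_at = [], [], False
    i = 0
    while i < len(rname):
        ch = rname[i]
        if not seen_at and ch == "\\" and rname[i + 1:i + 2] == ".":
            local.append(".")
            i += 2
            continue
        if not seen_at and ch == ".":
            seen_at = True
        elif seen_at:
            domain.append(ch)
        else:
            local.append(ch)
        i += 1
    if not seen_at or not local or "." not in "".join(domain):
        return None
    return "".join(local) + "@" + "".join(domain)


def decode_serial(serial: int, today: date) -> Tuple[Optional[date], Optional[str]]:
    """If the serial looks like YYYYMMDDnn, return its date and a staleness note."""
    text = str(serial)
    if len(text) != 10:
        return None, None            # unix-time or plain counters carry no date
    try:
        when = date(int(text[:4]), int(text[4:6]), int(text[6:8]))
    except ValueError:
        return None, None
    if when > today:
        return when, f"serial date {when} is in the future"
    if today - when > STALE_AFTER:
        return when, f"serial last bumped {when}; zone may be abandoned"
    return when, None


def audit_soa(soa: dict, ns_set: List[str], today: date) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one SOA record."""
    findings = []
    for field, (lo, hi) in RANGES.items():
        if not lo <= soa[field] <= hi:
            findings.append(("warn", f"{field}={soa[field]} outside {lo}-{hi}"))
    if soa["retry"] >= soa["refresh"]:
        findings.append(("warn", "retry should be shorter than refresh"))
    if soa["expire"] <= soa["retry"]:
        findings.append(("bad", "expire must exceed retry (RFC 1912) or the zone can expire before the first retry"))
    names = {n.rstrip(".").lower() for n in ns_set}
    if soa["mname"].rstrip(".").lower() not in names:
        findings.append(("warn", f"MNAME {soa['mname']} is not in the NS set; NOTIFY-driven secondaries may miss updates"))
    if rname_to_email(soa["rname"]) is None:
        findings.append(("warn", f"RNAME {soa['rname']} does not parse as an email address"))
    _, note = decode_serial(soa["serial"], today)
    if note:
        findings.append(("warn", note))
    return findings


# Constructed samples for this example; example.test is not a real zone.
SAMPLE_GOOD = {"mname": "ns1.example.test.", "rname": "hostmaster.example.test.", "serial": 2024011501,
               "refresh": 7200, "retry": 3600, "expire": 1209600, "minimum": 3600}
SAMPLE_BAD = {"mname": "hidden.example.test.", "rname": "john\\.doe.example.test.", "serial": 2019010101,
              "refresh": 600, "retry": 7200, "expire": 3600, "minimum": 172800}

if __name__ == "__main__":
    for sev, msg in audit_soa(SAMPLE_BAD, ["ns1.example.test.", "ns2.example.test."], date(2024, 6, 1)):
        print(sev, msg)
```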

DNSSEC chain validation

We walk the chain from the parent DS to your DNSKEY RRset to your apex SOA, and we cryptographically verify the RRSIGs rather than just checking that they are present. That catches a misconfigured signing pipeline that publishes valid-looking signatures which do not actually verify. We also check algorithm modernity (RFC 8624 deprecation list), NSEC3 iteration counts against the RFC 9276 ceiling, and signature expiration windows.


Mail readiness (SPF, DKIM, DMARC, MTA-STS, TLS-RPT, BIMI)

Mail is where most domains have rotting config. We parse your SPF record and walk every include and redirect recursively, counting DNS lookups against the RFC 7208 10-lookup ceiling. Going over means receivers return PermError and treat your whole SPF as broken. We parse DMARC including policy, pct, rua, ruf, and subdomain policy. We probe common DKIM selectors (default, google, k1, s1, s2). We check for MTA-STS records and try to fetch your policy file at the well-known URL. We check TLS-RPT and BIMI.
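The SPF lookup count described above, as an added example that is not the report's own code. It walks include and redirect terms recursively, counts the terms RFC 7208 section 4.6.4 charges against the limit (include, a, mx, ptr, exists, redirect; ip4, ip6, all and exp cost nothing), detects include loops by tracking the chain of domains currently being expanded, and treats zero or multiple v=spf1 records as the PermError RFC 7208 prescribes. The TXT data is a constructed in-memory zone under .test, so nothing is resolved on the network; swap get_spf for a real TXT lookup to use it live.

```python
from typing import Dict, List, Tuple

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4
# Terms that each cost one DNS lookup against the limit (RFC 7208 section 4.6.4).
# 'exp' also queries DNS but is evaluated separately and is not counted.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data for this example; none of these names exist.
SAMPLE_TXT: Dict[str, List[str]] = {
    "example.test": ["v=spf1 include:_spf.mailer.test include:_spf.crm.test a mx -all"],
    "_spf.mailer.test": ["v=spf1 include:_a.mailer.test include:_b.mailer.test ~all"],
    "_a.mailer.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_b.mailer.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.crm.test": ["v=spf1 redirect=_spf2.crm.test"],
    "_spf2.crm.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "heavy.test": ["v=spf1 include:example.test include:_spf.mailer.test a mx -all"],
    "loop.test": ["v=spf1 include:loop.test -all"],
    "twice.test": ["v=spf1 -all", "v=spf1 mx -all"],
}


def get_spf(domain: str, txt: Dict[str, List[str]]):
    """Exactly one v=spf1 TXT record is valid; zero or several is PermError."""
    records = [r for r in txt.get(domain.lower(), []) if r.lower().startswith("v=spf1")]
    return records[0] if len(records) == 1 else None


def split_term(term: str) -> Tuple[str, str]:
    """'include:x' -> ('include', 'x'); 'redirect=x' -> ('redirect', 'x'); 'mx/24' -> ('mx', '')."""
    term = term.lstrip("+-~?")           # qualifiers do not affect lookup cost
    if "=" in term:
        name, arg = term.split("=", 1)
    else:
        name, _, arg = term.partition(":")
    return name.split("/", 1)[0].lower(), arg


def walk_spf(domain: str, txt: Dict[str, List[str]],
             path: Tuple[str, ...] = ()) -> Tuple[int, List[str]]:
    """Count lookup-causing terms recursively; path is the include/redirect chain so far."""
    domain = domain.lower()
    if domain in path:
        return 0, [f"include/redirect loop via {' -> '.join(path + (domain,))}"]
    record = get_spf(domain, txt)
    if record is None:
        return 0, [f"{domain}: zero or multiple v=spf1 records (PermError)"]
    lookups, problems = 0, []
    for term in record.split()[1:]:
        name, arg = split_term(term)
        if name not in LOOKUP_TERMS:
            continue
        lookups += 1
        if name in ("include", "redirect"):
            sub_lookups, sub_problems = walk_spf(arg, txt, path + (domain,))
            lookups += sub_lookups
            problems += sub_problems
    return lookups, problems


def check_spf(domain: str, txt: Dict[str, List[str]] = SAMPLE_TXT) -> dict:
    lookups, problems = walk_spf(domain, txt)
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS lookups exceed the RFC 7208 limit of {MAX_LOOKUPS}; "
                        "receivers return PermError")
    return {"lookups": lookups, "problems": problems, "ok": not problems}


if __name__ == "__main__":
    for name in ("example.test", "heavy.test", "loop.test", "twice.test"):
        print(name, check_spf(name))
```

Note that the same include reached twice along different paths is counted twice, which is how receivers count it; only a domain already on the current expansion chain is reported as a loop.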

TLS hygiene

We dial 443, read the leaf cert, and check expiry, chain depth, key type and size, SAN coverage of apex and www, and protocol versions accepted. TLS 1.0 and 1.1 were deprecated by RFC 8996 in 2021, so accepting them is now a finding. We read your HSTS header and check max-age, includeSubDomains, and preload.
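The two parts of the TLS check that need no network connection, SAN coverage of apex and www and HSTS header evaluation, as an added example that is not the report's own code. SAN matching follows the RFC 6125 rule that a wildcard only replaces the leftmost label and never covers the apex. The one-year max-age threshold is the current hstspreload.org submission requirement as assumed here; verify it before relying on it. Certificate expiry and accepted protocol versions require a live handshake and are not shown.

```python
from typing import Dict, List, Optional

# hstspreload.org currently requires max-age of at least one year (31536000 s),
# includeSubDomains and preload; the threshold is assumed here, check the
# preload site before relying on it.
PRELOAD_MIN_AGE = 31536000


def san_covers(sans: List[str], hostname: str) -> bool:
    """RFC 6125 style match: exact name, or a single leftmost '*' label.
    A wildcard never covers the apex ('*.example.com' does not match 'example.com')."""
    host = hostname.lower().rstrip(".")
    for san in sans:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[2:]
            if host.endswith("." + suffix) and "." not in host[:-len(suffix) - 1]:
                return True
    return False


def parse_hsts(header: Optional[str]) -> Optional[Dict]:
    """Parse a Strict-Transport-Security value (RFC 6797); None if absent or invalid."""
    if not header:
        return None
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None            # max-age is mandatory and must be numeric
            out["max_age"] = int(value)
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out if out["max_age"] is not None else None


def assess_tls_names_and_hsts(sans: List[str], apex: str,
                              hsts_header: Optional[str]) -> List[str]:
    """Findings for SAN coverage of apex/www and for the HSTS policy."""
    findings = []
    for name in (apex, "www." + apex):
        if not san_covers(sans, name):
            findings.append(f"certificate does not cover {name}")
    hsts = parse_hsts(hsts_header)
    if hsts is None:
        findings.append("no valid Strict-Transport-Security header")
        return findings
    if hsts["max_age"] < PRELOAD_MIN_AGE:
        findings.append(f"HSTS max-age {hsts['max_age']} is below one year")
    if not hsts["include_subdomains"]:
        findings.append("HSTS lacks includeSubDomains")
    if hsts["preload"] and (hsts["max_age"] < PRELOAD_MIN_AGE or not hsts["include_subdomains"]):
        findings.append("preload directive set but the policy does not meet preload-list requirements")
    return findings


if __name__ == "__main__":
    # Constructed inputs: a wildcard-only cert and a weak HSTS header.
    print(assess_tls_names_and_hsts(["*.example.test"], "example.test", "max-age=300; preload"))
```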

CAA

We check your CAA records for issue and issuewild restrictions and for an iodef contact. We cross-reference the actual issuer of your current cert against the CAA allow-list, which catches the most common CAA mistake: changing your CA without updating CAA, so the next renewal will fail.
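The CAA cross-reference described above, as an added example that is not the report's own code. It climbs from the hostname toward the root until a CAA RRset is found (RFC 8659 section 3), applies the issue/issuewild selection rules for wildcard versus ordinary names, treats a bare ";" as authorising nobody, refuses on an unknown critical tag, and then checks whether the CA that issued the live certificate (identified by its CAA domain, e.g. the value it documents for issue records) would still be allowed to renew. The zone data and CA names are constructed.

```python
from typing import Dict, List, Optional, Tuple

CAARecord = Tuple[int, str, str]          # (flags, tag, value)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed CAA data; none of these names or CAs exist.
SAMPLE_CAA: Dict[str, List[CAARecord]] = {
    "example.test": [
        (0, "issue", "ca-one.test"),
        (0, "issuewild", ";"),                      # nobody may issue wildcard certs
        (0, "iodef", "mailto:security@example.test"),
    ],
    "strict.example.test": [(128, "issuemail", "ca-one.test")],  # unknown critical tag
}


def find_caa(name: str, zone: Dict[str, List[CAARecord]]) -> Tuple[Optional[str], List[CAARecord]]:
    """Climb from the name toward the root until a CAA RRset is found (RFC 8659 section 3)."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def issuance_allowed(records: List[CAARecord], issuer: str,
                     wildcard: bool = False) -> Tuple[bool, str]:
    """Decide whether a CA identified by its CAA domain may issue (RFC 8659 section 4)."""
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in records):
        return False, "unknown critical CAA tag; a compliant CA must refuse"
    tag = "issue"
    if wildcard and any(t.lower() == "issuewild" for _, t, _ in records):
        tag = "issuewild"                 # issuewild only governs wildcard names
    relevant = [v for _, t, v in records if t.lower() == tag]
    if not relevant:
        return True, f"no {tag} records; any CA may issue"
    allowed = {v.split(";", 1)[0].strip().lower() for v in relevant}
    allowed.discard("")                   # a bare ';' authorises nobody
    if issuer.lower() in allowed:
        return True, f"{issuer} is listed in {tag}"
    return False, f"{issuer} not in {tag} allow-list {sorted(allowed)}"


def audit_caa(zone: Dict[str, List[CAARecord]], hostname: str,
              current_issuer: str) -> List[Tuple[str, str]]:
    """Cross-reference the CA that issued the live cert against CAA."""
    findings = []
    owner, records = find_caa(hostname, zone)
    if owner is None:
        findings.append(("warn", f"no CAA records found for {hostname} or its parents"))
        return findings
    if not any(t.lower() == "iodef" for _, t, _ in records):
        findings.append(("warn", f"CAA at {owner} has no iodef contact"))
    ok, reason = issuance_allowed(records, current_issuer, wildcard=hostname.startswith("*."))
    if not ok:
        findings.append(("bad", f"current issuer {current_issuer} is blocked by CAA at {owner}: "
                                f"{reason}; the next renewal will fail"))
    return findings


if __name__ == "__main__":
    print(audit_caa(SAMPLE_CAA, "www.example.test", "ca-two.test"))
```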

Security posture roll-up

A cross-cutting overview that reads the underlying findings and surfaces the patterns: DNSSEC plus CAA plus DMARC plus HSTS is the modern security floor. We also flag wildcard records (which can mask subdomain takeover risk) and DNS that leaks private or metadata addresses.

How we score

Each section has a weight reflecting how load-bearing its failure mode is. A bad finding in a section docks the full weight; a warning docks half. The score floors at 0 and ceilings at 100. Grades: A is 90+, B is 80+, C is 70+, D is 60+, F is everything below. Honest scoring matters here. The point of the tool is to tell you what to fix, not to flatter your domain.
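The posture roll-up and the scoring rules from the two sections above, combined in one added example that is not the report's own code. The roll-up checks the DNSSEC, CAA, DMARC and HSTS floor, flags wildcard records, and classifies A/AAAA targets against RFC 1918, loopback, link-local, CGNAT and ULA space plus the cloud metadata endpoints 169.254.169.254 and fd00:ec2::254. The section weights are an assumption (the page gives none), as is the reading that every finding docks its section's weight rather than once per section; the grade thresholds are the page's. Records and statuses are constructed, and the documentation ranges (192.0.2.0/24, 2001:db8::/32) are intentionally not treated as leaks so they can stand in for public addresses.

```python
import ipaddress
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]   # (section, severity, message)

SECURITY_FLOOR = ("dnssec", "caa", "dmarc", "hsts")

# Address space that should not appear in public DNS. Documentation ranges are
# deliberately not listed so they can serve as sample "public" addresses below.
LEAK_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]
METADATA_ADDRESSES = {"169.254.169.254", "fd00:ec2::254"}   # cloud instance metadata endpoints

# Section weights are an assumption for this example; the page gives no numbers.
WEIGHTS = {"delegation": 15, "soa": 5, "dnssec": 15, "mail": 20,
           "tls": 15, "caa": 10, "posture": 20}
GRADE_STEPS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))


def classify_address(value: str):
    """'cloud metadata', 'private or link-local', or None for a public address."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return None
    if str(ip) in METADATA_ADDRESSES:
        return "cloud metadata"
    if any(ip in net for net in LEAK_NETWORKS):
        return "private or link-local"
    return None


def posture_rollup(section_status: Dict[str, str],
                   records: List[Tuple[str, str, str]]) -> List[Finding]:
    """Read per-section statuses and raw (name, type, value) records; surface cross-cutting patterns."""
    findings: List[Finding] = []
    missing = [s for s in SECURITY_FLOOR if section_status.get(s) != "ok"]
    if missing:
        findings.append(("posture", "warn", "below the modern security floor, missing: " + ", ".join(missing)))
    for name, rtype, value in records:
        if name.startswith("*."):
            findings.append(("posture", "warn", f"wildcard {rtype} record at {name} can mask subdomain takeover"))
        if rtype in ("A", "AAAA"):
            kind = classify_address(value)
            if kind == "cloud metadata":
                findings.append(("posture", "bad", f"{name} {rtype} {value} points at a cloud metadata address"))
            elif kind:
                findings.append(("posture", "warn", f"{name} {rtype} {value} leaks a {kind} address"))
    return findings


def score(findings: List[Finding], weights: Dict[str, int] = WEIGHTS) -> float:
    """Each bad finding docks its section's full weight, each warn half; clamp to 0..100.
    (Assumption: docking applies per finding, not once per section.)"""
    total = 100.0
    for section, severity, _ in findings:
        weight = weights[section]
        total -= weight if severity == "bad" else weight / 2 if severity == "warn" else 0
    return max(0.0, min(100.0, total))


def grade(value: float) -> str:
    for threshold, letter in GRADE_STEPS:
        if value >= threshold:
            return letter
    return "F"


# Constructed sample data; example.test is not a real zone.
SAMPLE_STATUS = {"dnssec": "ok", "caa": "ok", "dmarc": "missing", "hsts": "ok"}
SAMPLE_RECORDS = [
    ("www.example.test", "A", "192.0.2.10"),
    ("*.example.test", "A", "192.0.2.10"),
    ("intranet.example.test", "A", "10.1.2.3"),
    ("meta.example.test", "A", "169.254.169.254"),
    ("v6.example.test", "AAAA", "2001:db8::1"),
]

if __name__ == "__main__":
    found = posture_rollup(SAMPLE_STATUS, SAMPLE_RECORDS)
    s = score(found)
    print(s, grade(s))
```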

Is anything stored?

No. Reports run on demand. The only thing stored is when you click Share: we save the rendered result to a snapshot table with a 30-day TTL and return a short URL anyone with the URL can read. There's no signup, no cookies, no tracking on the tool path.