📡 DNS Checker

Free DNS checker & DNS lookup for any domain — nslookup + dig + MX lookup + SPF/DMARC checker in one screen. Check A, AAAA, MX, TXT, CNAME, NS, SOA, CAA records with automatic SPF, DKIM, DMARC classification and third-party verification token detection.

Try: google.com github.com cloudflare.com stripe.com netflix.com
⚙️
Resolving DNS records…
Copied

What is a DNS checker?

A DNS checker queries the Domain Name System for a domain and reports every record type that domain publishes — which servers host it, which mail servers handle its email, and what security policies (SPF, DKIM, DMARC) it has in place. This tool does a full DNS lookup for any domain in one screen: A, AAAA (IPv6), MX (mail), TXT, CNAME, NS, SOA, CAA, SRV — plus an automatic _dmarc.<domain> probe and reverse DNS (PTR) for the primary A record.

TXT records are automatically classified: SPF, DKIM hints, DMARC, and 15+ third-party verification tokens (Google Search Console, Microsoft 365, Facebook, Apple, Stripe, GitHub, OpenAI, Notion, Adobe, and more) each get a colored tag so you can identify them at a glance.

How to look up a domain's DNS records

Paste any domain into the box at the top of this page and click Look up. That's it. The DNS records checker queries every record type at once from our server's resolver — so what you see is what a real DNS resolver on the public internet sees, not what your ISP might be caching. You can enter any of these formats:

  • example.com
  • www.example.com (we normalize the host)
  • https://example.com/path (we extract the domain)
  • IDN / Unicode domain names — automatically converted to punycode

nslookup online — web version of the Unix nslookup command

If you're used to nslookup example.com from a terminal, this tool is nslookup online: same information, cleaner presentation, works on any device with a browser. Where the CLI nslookup gives you one record type at a time (and different behavior on Windows vs macOS vs Linux), this DNS checker queries every common record type in parallel and highlights the ones that matter for email deliverability and SSL.

dig online — web version of the Unix dig command

Same story for dig: this is dig online for anyone who doesn't have a Unix shell handy. The output is structured (typed sections per record type + auto-parsed TTL, priority, target) rather than the raw dig +short / +noall format, so you can quickly compare a domain's records without decoding zone-file syntax.

MX record lookup — check any domain's mail servers

The MX lookup shows all mail exchangers for the domain, sorted by priority. Lower priority number = tried first. If the primary MX is down, mail servers fall back to the next. Common patterns:

  • MX records pointing at *.google.com or *.googlemail.com → Google Workspace
  • MX records pointing at *.outlook.com or *.mail.protection.outlook.com → Microsoft 365
  • MX records pointing at the domain itself → self-hosted mail server
  • MX records pointing at a mail-relay provider (Mailgun, SendGrid, Postmark, etc.) → transactional email service

Whatever the MX pattern says, cross-check the SPF record — the sending servers should match. If the MX says Google Workspace but the SPF doesn't include _spf.google.com, outbound email will fail authentication.

TXT record lookup — SPF, DKIM, DMARC, and verification tokens

The TXT record lookup pulls every TXT entry the domain publishes and auto-classifies each one. TXT is DNS's most versatile record — it carries email authentication (SPF, DKIM, DMARC), domain-ownership proof for third-party services (Google, Microsoft, Facebook, Apple, and dozens more), and various policy publishing.

Check SPF, DKIM, and DMARC in one shot

The Email Authentication panel at the top of each result gives you a single-glance view of your email security posture:

  • SPF checker — the v=spf1 record at the root of your domain. Missing SPF means most inboxes route your outbound mail to spam.
  • DMARC checker — the v=DMARC1 record at _dmarc.<domain>. The tool auto-probes that location so you don't have to know the convention. It shows the DMARC policy (none / quarantine / reject) and any rua= / ruf= aggregate report addresses.
  • Check DKIM — DKIM lives at <selector>._domainkey.<domain>. Because selectors vary per email provider (Google uses google, Mailgun uses k1, etc.), we detect the ones publishing at common root paths. For provider-specific selectors, ask your email provider.

Together, SPF + DKIM + DMARC form the modern email-authentication trilogy. Get all three right and your emails land in inboxes, not spam.

CNAME, NS, SOA, CAA lookup

Beyond the email-focused records, the DNS checker also queries the structural records that govern the domain:

  • CNAME lookup — canonical name aliases (e.g. www.example.com CNAME example.com).
  • NS lookup — the nameservers responsible for the domain, at the resolver level. Should match what your registrar shows.
  • SOA lookup — one per zone: primary nameserver, contact email, serial number, refresh/retry/expire timings.
  • CAA lookup — which Certificate Authorities may issue SSL/TLS certificates for the domain. Missing CAA means any CA can issue.

Record types explained

A & AAAA — IP address records

A maps a name to an IPv4 address (e.g., 93.184.216.34). AAAA maps it to an IPv6 address (e.g., 2606:2800:220:1:248:1893:25c8:1946). A domain can have multiple A/AAAA records for load balancing.

MX — mail exchangers

MX records list the servers that receive email for the domain, in priority order (lower priority number = tried first). If the top-priority server is down, mail servers fall back to the next.

TXT — text records

Free-form text — the workhorse for email authentication (SPF, DMARC, DKIM), domain verification (Google, Microsoft, Facebook, etc.), and various policy publishing. This tool highlights recognized formats.

CNAME — canonical name

An alias — www.example.com CNAME example.com means "www" resolves to whatever "example.com" resolves to." A domain with a CNAME cannot have any other record type at that name.

NS — nameservers

The authoritative DNS servers responsible for the domain's records. Should match the NS records you set at your registrar.

SOA — start of authority

One per zone. Contains the primary nameserver, contact email (with . instead of @), serial number (updated on every change), refresh/retry/expire timings, and the negative-cache TTL.

CAA — certificate authorities

Restricts which CAs may issue SSL certificates for the domain. Missing CAA means any CA can issue.

SRV — service records

Maps a service+protocol combo to a hostname and port. Used by SIP, XMPP, Minecraft servers, Microsoft AutoDiscover, and more.

Email authentication: SPF, DKIM, DMARC

Modern email requires all three for reliable deliverability:

  • SPF — a TXT record starting v=spf1 that lists which servers may send email from your domain. Missing SPF means most inboxes send your mail to spam.
  • DKIM — a public key at <selector>._domainkey.<domain> used to verify cryptographic signatures on outbound mail. Since selectors vary per sender, this tool only detects DKIM if the selector is a standard root — check with your email provider for exact selector names.
  • DMARC — a TXT record at _dmarc.<domain> starting v=DMARC1 that tells receiving servers what to do with mail that fails SPF or DKIM (none/quarantine/reject). The tool auto-probes this location for you.

The Email Authentication panel at the top of each result shows the status of all three at a glance.

DNS lookup vs DNS propagation checker — what's the difference?

These two get confused constantly. Quick clarification:

  • DNS lookup / DNS checker (this tool) — queries authoritative DNS for a domain right now, from one server. Fast, definitive answer.
  • DNS propagation checker — polls dozens of public DNS resolvers around the world in parallel to see whether a recent record change has "propagated" everywhere. Useful when you've just updated a record and want to know whether users in São Paulo, Tokyo, and Frankfurt are seeing the new value yet.

If you just changed a DNS record and want to know if it's reached everyone, use a global propagation checker (dnschecker.org and similar do this well). If you want to know what a domain's records actually are right now, you're in the right place — this DNS checker is what you want.

DNS lookup vs WHOIS lookup

Another common confusion: a WHOIS lookup shows who owns the domain — registrar, dates, contacts. A DNS lookup shows where the domain points — IPs, mail servers, security records. Both live at different layers. If you want the human/registration side, use the WHOIS Domain Lookup; for technical records, you're already here.

Privacy & limits

Requests are rate-limited to 60 per minute per IP. The server's DNS resolver does the actual queries — nothing is stored.

Frequently asked questions

A DNS checker queries the Domain Name System for a domain and reports every record type: A, AAAA, MX, TXT, CNAME, NS, SOA, CAA, plus SPF/DKIM/DMARC email-authentication records. It's the web version of the Unix nslookup and dig commands.
Paste the domain in the box above. The MX lookup section shows all mail exchangers sorted by priority (lower priority = tried first) plus target hostnames.
This tool is nslookup online — a web version of the Unix nslookup / dig command. Paste the domain; we query every record type at once and present them cleanly, with automatic SPF/DKIM/DMARC classification.
Paste your domain and look at the Email Authentication panel at the top of the result. SPF checker reads the v=spf1 TXT record at the root. DMARC checker auto-probes _dmarc.your-domain. DKIM is detected for common selectors; provider-specific ones need the exact selector name.
A DNS lookup queries authoritative DNS right now from one server — the definitive current answer. A DNS propagation checker polls dozens of public resolvers globally to see if a recent change has reached everyone. If you just changed a record, use a propagation checker; for current records, use this DNS lookup.
A DNS record maps a name to some data — an IP address (A/AAAA), a mail server (MX), a text value (TXT), a canonical alias (CNAME), a nameserver (NS), or more. The whole internet uses DNS to translate human names into machine addresses.
The three email authentication standards. SPF (TXT v=spf1) lists servers allowed to send mail. DKIM signs outbound mail. DMARC (TXT at _dmarc.<domain>) tells receivers what to do with mail that fails SPF or DKIM. Miss any of them and your email deliverability suffers.
TTL (Time To Live) is how many seconds resolvers may cache the record. Short TTLs mean fast propagation of changes but more DNS queries. Long TTLs mean lower query volume but slow propagation. 300 s (5 min) is common; 3600 (1 hr) or 86400 (1 day) for stable records.
CAA (Certification Authority Authorization) tells CAs which of them may issue SSL certificates for your domain. Missing CAA means any CA can issue. Set CAA to restrict to just Let\'s Encrypt, DigiCert, or whoever you actually use.
DKIM records live at <selector>._domainkey.<domain> where <selector> varies per sender (e.g. google, k1, selector1). Without knowing the selector we can\'t query it — check with your email provider for the exact selector name.