What is a DNS checker?
A DNS checker queries the Domain Name System for a domain and reports every record type that domain publishes — which servers host it, which mail servers handle its email, and what security policies (SPF, DKIM, DMARC) it has in place. This tool does a full DNS lookup for any domain in one screen: A, AAAA (IPv6), MX (mail), TXT, CNAME, NS, SOA, CAA, SRV — plus an automatic _dmarc.<domain> probe and reverse DNS (PTR) for the primary A record.
TXT records are automatically classified: SPF, DKIM hints, DMARC, and 15+ third-party verification tokens (Google Search Console, Microsoft 365, Facebook, Apple, Stripe, GitHub, OpenAI, Notion, Adobe, and more) each get a colored tag so you can identify them at a glance.
How to look up a domain's DNS records
Paste any domain into the box at the top of this page and click Look up. That's it. The DNS records checker queries every record type at once from our server's resolver — so what you see is what a real DNS resolver on the public internet sees, not what your ISP might be caching. You can enter any of these formats:
example.comwww.example.com(we normalize the host)https://example.com/path(we extract the domain)- IDN / Unicode domain names — automatically converted to punycode
nslookup online — web version of the Unix nslookup command
If you're used to nslookup example.com from a terminal, this tool is nslookup online: same information, cleaner presentation, works on any device with a browser. Where the CLI nslookup gives you one record type at a time (and different behavior on Windows vs macOS vs Linux), this DNS checker queries every common record type in parallel and highlights the ones that matter for email deliverability and SSL.
dig online — web version of the Unix dig command
Same story for dig: this is dig online for anyone who doesn't have a Unix shell handy. The output is structured (typed sections per record type + auto-parsed TTL, priority, target) rather than the raw dig +short / +noall format, so you can quickly compare a domain's records without decoding zone-file syntax.
MX record lookup — check any domain's mail servers
The MX lookup shows all mail exchangers for the domain, sorted by priority. Lower priority number = tried first. If the primary MX is down, mail servers fall back to the next. Common patterns:
- MX records pointing at
*.google.comor*.googlemail.com→ Google Workspace - MX records pointing at
*.outlook.comor*.mail.protection.outlook.com→ Microsoft 365 - MX records pointing at the domain itself → self-hosted mail server
- MX records pointing at a mail-relay provider (Mailgun, SendGrid, Postmark, etc.) → transactional email service
Whatever the MX pattern says, cross-check the SPF record — the sending servers should match. If the MX says Google Workspace but the SPF doesn't include _spf.google.com, outbound email will fail authentication.
TXT record lookup — SPF, DKIM, DMARC, and verification tokens
The TXT record lookup pulls every TXT entry the domain publishes and auto-classifies each one. TXT is DNS's most versatile record — it carries email authentication (SPF, DKIM, DMARC), domain-ownership proof for third-party services (Google, Microsoft, Facebook, Apple, and dozens more), and various policy publishing.
Check SPF, DKIM, and DMARC in one shot
The Email Authentication panel at the top of each result gives you a single-glance view of your email security posture:
- SPF checker — the
v=spf1record at the root of your domain. Missing SPF means most inboxes route your outbound mail to spam. - DMARC checker — the
v=DMARC1record at_dmarc.<domain>. The tool auto-probes that location so you don't have to know the convention. It shows the DMARC policy (none / quarantine / reject) and anyrua=/ruf=aggregate report addresses. - Check DKIM — DKIM lives at
<selector>._domainkey.<domain>. Because selectors vary per email provider (Google usesgoogle, Mailgun usesk1, etc.), we detect the ones publishing at common root paths. For provider-specific selectors, ask your email provider.
Together, SPF + DKIM + DMARC form the modern email-authentication trilogy. Get all three right and your emails land in inboxes, not spam.
CNAME, NS, SOA, CAA lookup
Beyond the email-focused records, the DNS checker also queries the structural records that govern the domain:
- CNAME lookup — canonical name aliases (e.g.
www.example.com CNAME example.com). - NS lookup — the nameservers responsible for the domain, at the resolver level. Should match what your registrar shows.
- SOA lookup — one per zone: primary nameserver, contact email, serial number, refresh/retry/expire timings.
- CAA lookup — which Certificate Authorities may issue SSL/TLS certificates for the domain. Missing CAA means any CA can issue.
Record types explained
A & AAAA — IP address records
A maps a name to an IPv4 address (e.g., 93.184.216.34). AAAA maps it to an IPv6 address (e.g., 2606:2800:220:1:248:1893:25c8:1946). A domain can have multiple A/AAAA records for load balancing.
MX — mail exchangers
MX records list the servers that receive email for the domain, in priority order (lower priority number = tried first). If the top-priority server is down, mail servers fall back to the next.
TXT — text records
Free-form text — the workhorse for email authentication (SPF, DMARC, DKIM), domain verification (Google, Microsoft, Facebook, etc.), and various policy publishing. This tool highlights recognized formats.
CNAME — canonical name
An alias — www.example.com CNAME example.com means "www" resolves to whatever "example.com" resolves to." A domain with a CNAME cannot have any other record type at that name.
NS — nameservers
The authoritative DNS servers responsible for the domain's records. Should match the NS records you set at your registrar.
SOA — start of authority
One per zone. Contains the primary nameserver, contact email (with . instead of @), serial number (updated on every change), refresh/retry/expire timings, and the negative-cache TTL.
CAA — certificate authorities
Restricts which CAs may issue SSL certificates for the domain. Missing CAA means any CA can issue.
SRV — service records
Maps a service+protocol combo to a hostname and port. Used by SIP, XMPP, Minecraft servers, Microsoft AutoDiscover, and more.
Email authentication: SPF, DKIM, DMARC
Modern email requires all three for reliable deliverability:
- SPF — a TXT record starting
v=spf1that lists which servers may send email from your domain. Missing SPF means most inboxes send your mail to spam. - DKIM — a public key at
<selector>._domainkey.<domain>used to verify cryptographic signatures on outbound mail. Since selectors vary per sender, this tool only detects DKIM if the selector is a standard root — check with your email provider for exact selector names. - DMARC — a TXT record at
_dmarc.<domain>startingv=DMARC1that tells receiving servers what to do with mail that fails SPF or DKIM (none/quarantine/reject). The tool auto-probes this location for you.
The Email Authentication panel at the top of each result shows the status of all three at a glance.
DNS lookup vs DNS propagation checker — what's the difference?
These two get confused constantly. Quick clarification:
- DNS lookup / DNS checker (this tool) — queries authoritative DNS for a domain right now, from one server. Fast, definitive answer.
- DNS propagation checker — polls dozens of public DNS resolvers around the world in parallel to see whether a recent record change has "propagated" everywhere. Useful when you've just updated a record and want to know whether users in São Paulo, Tokyo, and Frankfurt are seeing the new value yet.
If you just changed a DNS record and want to know if it's reached everyone, use a global propagation checker (dnschecker.org and similar do this well). If you want to know what a domain's records actually are right now, you're in the right place — this DNS checker is what you want.
DNS lookup vs WHOIS lookup
Another common confusion: a WHOIS lookup shows who owns the domain — registrar, dates, contacts. A DNS lookup shows where the domain points — IPs, mail servers, security records. Both live at different layers. If you want the human/registration side, use the WHOIS Domain Lookup; for technical records, you're already here.
Privacy & limits
Requests are rate-limited to 60 per minute per IP. The server's DNS resolver does the actual queries — nothing is stored.