πŸ“‘ DNS Lookup

Look up every DNS record for any domain β€” A, AAAA (IPv6), MX (mail), TXT (SPF/DKIM/DMARC), CNAME, NS, SOA, CAA, SRV. Also probes _dmarc.<domain> automatically and identifies third-party verification tokens.

Try: google.com github.com cloudflare.com stripe.com netflix.com
βš™οΈ
Resolving DNS records…
Copied

About DNS Lookup

The DNS Lookup tool queries every common DNS record type for any domain β€” A, AAAA, MX, TXT, CNAME, NS, SOA, CAA, SRV β€” plus the DMARC record at _dmarc.<domain> and reverse DNS (PTR) for the primary A record. Everything runs from our server's resolver, so results are what your server would see (not what your ISP might cache differently).

TXT records are automatically classified: SPF, DKIM hints, DMARC, and 15+ third-party verification tokens (Google Search Console, Microsoft 365, Facebook, Apple, Stripe, GitHub, OpenAI, Notion, Adobe, and more) each get a colored tag so you can identify them at a glance.

Record types explained

A & AAAA β€” IP address records

A maps a name to an IPv4 address (e.g., 93.184.216.34). AAAA maps it to an IPv6 address (e.g., 2606:2800:220:1:248:1893:25c8:1946). A domain can have multiple A/AAAA records for load balancing.

MX β€” mail exchangers

MX records list the servers that receive email for the domain, in priority order (lower priority number = tried first). If the top-priority server is down, mail servers fall back to the next.

TXT β€” text records

Free-form text β€” the workhorse for email authentication (SPF, DMARC, DKIM), domain verification (Google, Microsoft, Facebook, etc.), and various policy publishing. This tool highlights recognized formats.

CNAME β€” canonical name

An alias β€” www.example.com CNAME example.com means "www" resolves to whatever "example.com" resolves to." A domain with a CNAME cannot have any other record type at that name.

NS β€” nameservers

The authoritative DNS servers responsible for the domain's records. Should match the NS records you set at your registrar.

SOA β€” start of authority

One per zone. Contains the primary nameserver, contact email (with . instead of @), serial number (updated on every change), refresh/retry/expire timings, and the negative-cache TTL.

CAA β€” certificate authorities

Restricts which CAs may issue SSL certificates for the domain. Missing CAA means any CA can issue.

SRV β€” service records

Maps a service+protocol combo to a hostname and port. Used by SIP, XMPP, Minecraft servers, Microsoft AutoDiscover, and more.

Email authentication: SPF, DKIM, DMARC

Modern email requires all three for reliable deliverability:

  • SPF β€” a TXT record starting v=spf1 that lists which servers may send email from your domain. Missing SPF means most inboxes send your mail to spam.
  • DKIM β€” a public key at <selector>._domainkey.<domain> used to verify cryptographic signatures on outbound mail. Since selectors vary per sender, this tool only detects DKIM if the selector is a standard root β€” check with your email provider for exact selector names.
  • DMARC β€” a TXT record at _dmarc.<domain> starting v=DMARC1 that tells receiving servers what to do with mail that fails SPF or DKIM (none/quarantine/reject). The tool auto-probes this location for you.

The Email Authentication panel at the top of each result shows the status of all three at a glance.

Privacy & limits

Requests are rate-limited to 60 per minute per IP. The server's DNS resolver does the actual queries β€” nothing is stored.

Frequently asked questions

A DNS record maps a name to some data β€” an IP address (A/AAAA), a mail server (MX), a text value (TXT), a canonical alias (CNAME), a nameserver (NS), or more. The whole internet uses DNS to translate human names into machine addresses.
The three email authentication standards. SPF (TXT v=spf1) lists servers allowed to send mail. DKIM signs outbound mail. DMARC (TXT at _dmarc.<domain>) tells receivers what to do with mail that fails SPF or DKIM. Miss any of them and your email deliverability suffers.
TTL (Time To Live) is how many seconds resolvers may cache the record. Short TTLs mean fast propagation of changes but more DNS queries. Long TTLs mean lower query volume but slow propagation. 300 s (5 min) is common; 3600 (1 hr) or 86400 (1 day) for stable records.
CAA (Certification Authority Authorization) tells CAs which of them may issue SSL certificates for your domain. Missing CAA means any CA can issue. Set CAA to restrict to just Let\'s Encrypt, DigiCert, or whoever you actually use.
DKIM records live at <selector>._domainkey.<domain> where <selector> varies per sender (e.g. google, k1, selector1). Without knowing the selector we can\'t query it β€” check with your email provider for the exact selector name.