Loading…
Loading…
Free tool
DNS is where a surprising amount of security and deliverability lives: the MX records that route your mail, the TXT records that hold SPF and DMARC, the CAA record that controls who can issue your certificates, and the NS records that delegate the whole zone. A single stale or missing record breaks email, blocks a certificate, or quietly leaves you spoofable, and you cannot fix what you cannot see.
Enter any domain. The DNS checker resolves its A, AAAA, MX, TXT, NS, CNAME, and CAA records and lists them in plain text so you can confirm what is published right now. The same DNS and email signals feed Scorifya's full 0 to 100 hardening score, which adds the security read on top of the raw records.
This page is written for people searching for DNS checker—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A: domain with no email authentication
A and MX records resolve fine, but there is no SPF or DMARC in the TXT records, so the domain can be spoofed. The DNS and email category takes the hit on the full scan.
No SPF record
Publish a TXT record starting with v=spf1 that lists your authorized senders, ending in -all or ~all.
No DMARC record
Publish _dmarc TXT with at least v=DMARC1; p=none to start collecting reports, then move toward enforcement.
Example B: clean, fully configured zone
MX, SPF, DKIM, and DMARC are all present and aligned, and a CAA record restricts certificate issuance. The records resolve quickly with sensible TTLs.
DMARC at p=none
Everything is published correctly. The last step is advancing the DMARC policy to quarantine or reject so spoofed mail is actually blocked.
Publish SPF and DMARC if they are missing
An SPF TXT record plus a _dmarc TXT record are the two records that stop other people sending mail as your domain.
Add a CAA record
A CAA record names which certificate authorities may issue certificates for your domain, closing off mis-issuance.
Remove stale records
Old A, CNAME, or TXT records pointing at decommissioned services are clutter at best and subdomain-takeover risk at worst.
Confirm MX after any mail migration
A wrong or missing MX record silently bounces inbound mail. Re-check it after switching email providers.
For weights and penalties behind each category, see How Scorifya works.
Background explainers for what this tool checks.
Yes. Enter a domain and it resolves the common DNS record types (A, AAAA, MX, TXT, NS, CNAME, CAA) and lists what is published right now, the same as a DNS lookup or DNS record checker.
Yes. The MX section shows the mail servers your domain points at, with their priorities, so you can confirm where inbound mail is routed.
A and AAAA (addresses), MX (mail), TXT (SPF, DMARC, verification strings), NS (name servers), CNAME (aliases), and CAA (certificate authority authorization).
It may be on a subdomain rather than the root, it may not be published, or a recent change may not have propagated yet. DNS changes can take time to appear everywhere.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.