DNS Configuration Report

Domain:

Enter the zone apex, such as example.com; URLs are normalized to the hostname.

Resolver:

Switch resolver to compare public-cache answers or timing for the same domain.

TXT preview limit:

Use 60-400 characters to keep SPF, DMARC, and other TXT previews readable.

chars

Lookup	Status	Answer preview	TTL	Time	Copy
{{ row.label }} {{ row.name }}	{{ row.status }}	{{ row.preview }}	{{ row.ttl }}	{{ row.timeLabel }}

Check	Status	Notes	Copy
{{ row.label }}	{{ row.status }}	{{ row.note }}

Lookup	Target	Time	% of total	Copy
{{ row.label }}	{{ row.name }}	{{ row.timeLabel }}	{{ row.shareLabel }}

No TTL values were returned for charting.

No resolver timing values were returned for charting.

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

DNS configuration is the public contract between a domain name and the services that use it. Web traffic, inbound mail, sender authentication, delegated authority, and certificate-issuance policy can all be expressed through different DNS record families. A domain can therefore look healthy from one angle and broken from another, such as a website that resolves correctly while mail policy is missing or a delegated zone that answers but still publishes stale records.

The public answer a user sees usually comes from a recursive resolver, not directly from the DNS provider's control panel. Recursive resolvers cache answers for the time to live, or TTL, that was returned with each record. That cache behavior is useful for scale, but it also means a recent DNS change can appear complete in the provider console while a public resolver still serves the older answer.

Most operational checks start by separating record families instead of treating DNS as one pass or fail state:

Authority uses SOA and NS records to show that the zone has an authoritative source and delegated name servers.
Addresses use A and AAAA records to connect the apex name to IPv4 and IPv6 destinations.
Mail uses MX records for inbound routing and TXT records for SPF sender authorization.
Policy uses DMARC TXT and CAA records to express mail-handling and certificate-issuance intent.

Configuration mistakes often appear during moves between DNS providers, web launches, mail migrations, and certificate renewals. Missing A or AAAA records may be harmless for a mail-only domain but serious for a website launch. Missing MX may be intentional when a domain publishes a null-MX design, but it needs a clear reason. Duplicate SPF or DMARC records are different because receivers expect one effective policy record and can reject or ignore conflicting publication.

A DNS configuration snapshot cannot prove worldwide propagation. It can show what one public resolver returned at one moment, how old those answers may remain in cache, and which record families deserve attention. The best review compares that public view with the zone design you intended, then repeats the same check after the relevant TTL windows have passed.

How to Use This Tool:

Run one apex domain at a time so the inventory, posture notes, and timing charts all describe the same public resolver view.

Enter the zone apex in Domain, such as example.com. A full URL is normalized to the hostname, but spaces, paths, or invalid punctuation can trigger Enter a valid domain such as example.com.
Select Generate report. The summary changes from Ready DNS snapshot to Latest DNS snapshot after the eight planned lookups return.
Open Advanced only when you need a different public-cache view. Cloudflare DNS is the default first pass, and Google Public DNS gives a second resolver comparison for the same domain.
Change TXT preview limit when SPF, DMARC, or other TXT rows are hard to read in the tables. The accepted range is 60 to 400 characters and it changes previews, not the returned DNS answer.
Read Record Inventory before acting. Confirm the Lookup, Name, Status, Answer preview, TTL, and Time columns for the record family you care about.
Use Posture Notes for triage, then review Resolver Timing, DNS TTL Horizon, and Resolver Latency Bars when cache age or resolver response time affects the next step.

If a row looks missing, check the owner name before editing DNS. SOA, NS, MX, A, AAAA, TXT, and CAA are queried at the normalized domain, while DMARC is queried at _dmarc for that domain.

Interpreting Results:

Record Inventory is the evidence ledger for the run. Found means the selected resolver returned one or more answers for that lookup. Missing means no answer was visible. Review means the resolver returned a condition or comment that needs context before it becomes an action item.

Posture Notes separates likely configuration gaps from records that may be intentionally absent. Missing NS or SOA is Needs attention because a normal authoritative zone needs both. Missing A or AAAA is Review because not every apex serves a website. Missing CAA is also Review; absence does not block certificate issuance, but it matters when you intended to restrict authorized issuers.

SPF and DMARC count warnings carry more urgency than ordinary missing-record notes. One apex TXT value beginning with v=spf1 and one _dmarc TXT value beginning with v=DMARC1 are treated as healthy publication. More than one SPF or DMARC record becomes Needs attention because receivers expect one effective policy record.

Do not overread resolver timing as a permanent nameserver benchmark. A slow row can reflect cache state, the network path, resolver policy, or a transient failure. For change planning, compare reports made with the same domain and resolver, then use TTL values to decide when a stale answer should naturally age out.

Technical Details:

A DNS resource record is identified by owner name, class, type, answer data, and TTL. This report focuses on the common apex records that explain whether a domain is delegated, reachable, mail-ready, and expressing basic security policy. It does not inspect every possible DNS type, and it does not compare the selected resolver against each authoritative name server.

TXT records need special handling because resolvers can return quoted fragments. SPF and DMARC checks are based on the normalized joined TXT value, so a split SPF string still counts as one policy when it starts with the expected version prefix. The check is intentionally about publication presence and duplication, not the deeper syntax of mechanisms, alignment, reporting addresses, or DNS lookup limits.

Rule Core:

DNS configuration posture rules
Check	Healthy condition	Review or attention condition
Delegation baseline	At least one NS answer and one SOA answer are present.	Missing NS or SOA is Needs attention.
Address coverage	At least one A or AAAA answer is present.	No apex A or AAAA answer is Review.
Mail routing	At least one MX answer is present.	No MX answer is Review because some domains intentionally do not accept mail.
SPF publication	Exactly one apex TXT value begins with `v=spf1`.	No SPF is Review; more than one SPF record is Needs attention.
DMARC publication	Exactly one TXT value at `_dmarc` begins with `v=DMARC1`.	No DMARC is Review; more than one DMARC record is Needs attention.
CAA publication	At least one CAA answer is visible at the apex.	No CAA answer is Review, not a DNS failure.
TTL consistency	The maximum returned TTL is no more than four times the minimum returned TTL.	A wider spread is Review because coordinated changes may age out unevenly.

Lookup Set:

DNS record lookups included in the configuration report
Lookup	Owner name	Operational question
SOA	Domain apex	Does the zone expose authority and serial context?
NS	Domain apex	Which authoritative name servers are publicly delegated?
A / AAAA	Domain apex	Does the apex publish IPv4 or IPv6 address answers?
MX	Domain apex	Does the domain publish inbound mail exchangers?
TXT / DMARC TXT	Apex TXT and `_dmarc` TXT	Are SPF and DMARC policies present once each?
CAA	Domain apex	Is certificate-authority authorization intent visible?

Formula Core:

Resolver timing share is calculated from the measured lookup durations in the same run. It is useful for spotting which row consumed the largest part of one report, not for ranking domains across different networks or times.

S = \frac{t_{lookup}}{\sum_{i = 1}^{n} t_{i}} \times 100 %

Here, S is the displayed share of total, t_lookup is one lookup's measured time in milliseconds, and the denominator is the sum of all measured lookup times in the report. If MX takes 120 ms and all eight lookup rows total 800 ms, the MX share is 120 / 800 * 100 = 15.0%.

TTL and latency tiers are display aids. TTL values at or below 300 seconds are labeled Change-ready, values from 301 through 3600 seconds are Standard cache, and values above 3600 seconds are Long cache. Latency below 350 ms is the low band, 350 through 999 ms is the middle band, and 1000 ms or more is the high-latency band.

Accuracy and Privacy Notes:

DNS-over-HTTPS queries are sent from the browser to the selected public resolver. The checked domain and derived owner names, including the DMARC owner name, are visible to that resolver. The report does not need registrar credentials and does not read private zone files.

Resolver answers can be cached, stale, blocked, filtered, or different from another public resolver at the same moment.
The TXT preview limit can shorten table text. JSON output keeps the full normalized TXT answers returned to the browser.
SPF and DMARC checks verify publication count and expected prefixes. They do not lint the full policy syntax.
The report does not perform DNSSEC validation, authoritative-server comparison, certificate-transparency review, or mail-provider acceptance testing.

Worked Examples:

Provider migration check

A domain owner checks example.com after moving DNS providers. Record Inventory shows NS and SOA as Found, but both A and AAAA are Missing. Delegation baseline is Healthy and Address coverage is Review, which is acceptable for a mail-only domain but a blocker if the apex should serve a website.

Mail policy cleanup

A mail migration returns one MX answer, two apex TXT values that begin with v=spf1, and one DMARC TXT answer. Mail routing and DMARC publication are Healthy, while SPF publication becomes Needs attention. The practical fix is to merge sender authorization into one SPF record before calling the migration ready.

Certificate policy review

No CAA answer for example.com appears as Review, not Needs attention. That does not stop normal certificate issuance. If the organization expects only selected certificate authorities to issue certificates, the missing CAA row means the public DNS view is not expressing that restriction.

TTL planning window

DNS TTL Horizon shows DMARC at 300 seconds and NS at 86400 seconds. DMARC falls into Change-ready, while NS falls into Long cache. Rechecking after five minutes may be reasonable for DMARC, but delegation-related changes can remain cached for much longer.

Advanced Tips:

Keep Resolver fixed when comparing before-and-after reports. Switch resolvers only when you need to prove that public caches disagree.
Use the TTL chart before a planned migration. Records in Long cache may need earlier lowering if users must see a change quickly.
Treat Review rows as design questions, not automatic failures. A mail-only domain, parked domain, or certificate policy may intentionally omit some records.
Use row-level copies from Record Inventory or Posture Notes when opening provider tickets so the record type, owner name, status, and TTL stay together.
Raise TXT preview limit for long SPF or DMARC rows before exporting a human-readable report, but rely on JSON when the full TXT value matters.

FAQ:

Should I enter the root domain or a hostname?

Enter the apex domain whose core records you want to review, such as example.com. URLs are normalized to a hostname, but the report is built around apex checks rather than arbitrary subdomain discovery.

Why is missing MX only a review note?

Some domains do not accept inbound mail. If that is intentional, compare the row with your null-MX or provider design before treating the missing MX answer as harmless.

Why do Cloudflare DNS and Google Public DNS disagree?

Recursive resolvers cache independently and can refresh at different times. Recheck with the same Resolver for trend comparisons, then switch resolver only when you need a second public-cache viewpoint.

Does this fully validate SPF or DMARC syntax?

No. SPF publication and DMARC publication check for one effective published record with the expected prefix. Use a dedicated policy validator when mechanisms, alignment, reporting addresses, or lookup limits matter.

Why can resolver timing change between runs?

The measured Time depends on cache state, resolver availability, network path, and browser conditions. Use timing to compare rows inside one report, not as a permanent speed rating for the domain.

Glossary:

SOA: Start of Authority, the record that identifies core authority and serial information for a DNS zone.
NS: Name server records that identify authoritative servers for a zone.
TTL: Time to live, the number of seconds a resolver may keep an answer in cache.
MX: Mail exchanger records that route inbound mail for a domain.
SPF: Sender Policy Framework, a TXT-based policy that lists systems allowed to send mail for a domain.
DMARC: Domain-based Message Authentication, Reporting, and Conformance, a policy record checked at the _dmarc owner name.
CAA: Certification Authority Authorization, a DNS record that can restrict which certificate authorities may issue certificates for a domain.

References:

RFC 1035: Domain Names - Implementation and Specification, RFC Editor, November 1987.
RFC 7208: Sender Policy Framework (SPF), RFC Editor, April 2014.
RFC 7489: Domain-based Message Authentication, Reporting, and Conformance (DMARC), RFC Editor, March 2015.
RFC 7505: A Null MX No Service Resource Record for Domains That Accept No Mail, RFC Editor, June 2015.
RFC 8484: DNS Queries over HTTPS (DoH), RFC Editor, October 2018.
RFC 8659: DNS Certification Authority Authorization (CAA) Resource Record, RFC Editor, November 2019.