Email security & DNS tools
Everything you need to audit, build, and fix the DNS records that protect your brand from spoofing: DMARC, SPF, DKIM, BIMI, MTA-STS, and TLS-RPT. Paste a domain, get a verdict. No account required.
Free Domain Scan
Scan your brand for active lookalike domains across 150 typosquat, bitsquat, TLD-swap, and homoglyph variants in one pass. The flagship tool. No signup.
DMARC
DMARC Record Checker
Look up and validate the DMARC record on any domain. Spot policy, reporting address, and alignment mode in seconds.
DMARC Record Generator
Build a correct DMARC TXT record with the right policy, alignment, and reporting address for your domain.
DMARC Report Analyzer
Paste or upload a DMARC aggregate report (XML) and get a parsed view: per-source IP volume, SPF/DKIM results, alignment, and the receiver's failure reason for each row. No signup, no upload to third parties.
ARC Chain Analyzer
Paste an email's full headers and we walk the ARC (Authenticated Received Chain, RFC 8617) seal chain: each hop's i= instance, validator's verdict (cv=), and the final auth-results bundle that DMARC validators use to honour forwarded mail.
ARF Report Analyzer
Parse an ARF (Abuse Reporting Format, RFC 5965) feedback-report attachment. Surfaces the report-type (auth-failure, abuse), the original message details, and the signing identity so you can act on the report instead of just deleting it.
SPF
SPF Record Checker
Look up the SPF record on any domain, count DNS lookups, and flag the 10-lookup limit that causes authentication to fail.
SPF Record Generator
Build an SPF TXT record from the senders you use (Google Workspace, Microsoft 365, SendGrid, Mailgun, and custom IPs).
SPF Flattener
Recursively expand every include:, redirect=, a, and mx in your SPF record down to raw IP4 / IP6 ranges. Solves the RFC 7208 10-lookup PermError without changing your authorised senders.
DKIM
DKIM Record Checker
Look up the DKIM public key on any selector. Confirm the record is published correctly, parse the key type and algorithm, and spot common misconfigurations.
DKIM Record Generator
Get the exact DKIM CNAME (or TXT) records to publish for any major email service provider. Pre-loaded selector patterns for Google Workspace, Microsoft 365, Amazon SES, SendGrid, Mailgun, Postmark, Resend, Brevo, Mailchimp, and Klaviyo.
Threats
Blacklist Check
Check whether a domain or IP is on the six core public DNS blacklists (RBLs) used by mail receivers to filter spam and phishing: Spamhaus DBL, SURBL, URIBL Black (domains), Spamhaus Zen, SpamCop, Barracuda (IPs). Queried in parallel.
Email Header Analyzer
Paste the raw headers from a suspicious email. Parse the Received chain, SPF / DKIM / DMARC results, and spot spoofing in seconds.
Phishing Link Checker
Paste a suspicious URL to inspect it without clicking. Checks domain age, registrar, hosting, and known-bad-URL databases (PhishTank verified entries, Google Safe Browsing) and reports a verdict with the evidence behind it.
BIMI
BIMI Record Checker
Look up the BIMI record on any domain and see whether your brand logo will render in Gmail, Apple Mail, and Yahoo inboxes.
BIMI Record Generator
Build a BIMI TXT record linking to your SVG logo and optional VMC certificate. Required for your brand logo to appear in supporting inboxes.
MTA-STS
MTA-STS Record Checker
Look up the MTA-STS TXT record and fetch the policy file. Confirm your inbound mail servers enforce TLS and block downgrade attacks.
MTA-STS Policy Generator
Build the DNS record and policy file MTA-STS needs to force TLS on all inbound mail to your domain.
TLS-RPT Record Checker
Look up the TLS-RPT record to confirm receivers know where to send TLS failure reports for your domain.
TLS-RPT Record Generator
Build a TLS-RPT TXT record so you receive daily reports of TLS-related delivery failures from major inbox providers.
DNS
DNS Record Lookup
Look up any DNS record type (A, AAAA, MX, NS, TXT, CNAME, SOA, CAA) for any domain. Fast, server-side, no signup.
Reverse DNS Lookup
Paste an IPv4 or IPv6 address to get the PTR record. Useful for verifying mail-server rDNS, tracing suspicious connections, and confirming hosting providers.
MX Record Lookup
Show the MX (mail-exchange) records for any domain. The mail servers that accept inbound email. Lists each host with its priority.
CNAME Lookup
Resolve the CNAME (alias) record on any DNS name. Useful for checking custom-domain wiring on hosting providers, ESP CNAME-based DKIM, and CDN aliasing.
TXT Record Lookup
List every TXT record on a domain. Surfaces SPF, DMARC verification keys, domain-ownership tokens, and the long tail of TXT-based config.
WHOIS / RDAP Lookup
Look up registration data for any domain via RDAP (the modern, structured replacement for WHOIS). Returns registrar, creation/expiry dates, name servers, and abuse contact.
DNSSEC
DNSSEC Checker
Verify the DNSSEC signing chain end-to-end on any domain. Checks DS records at the parent zone, DNSKEY at the child, signing algorithm, and the AD (authenticated-data) bit from a validating resolver.
DANE / TLSA Checker
Look up the DANE (DNS-based Authentication of Named Entities) TLSA records on a domain's MX hosts. Confirms the cert hash receivers will check against, the usage / selector / matching-type triple, and whether DNSSEC is in place to make DANE meaningful.
DANE / TLSA Generator
Generate the TLSA record to publish at _25._tcp.<mx-host> from your existing certificate. Outputs the standard DANE-EE / SPKI / SHA-256 (3 1 1) record, which is the recommended profile for SMTP DANE.
Security
Beyond one-shot checks: monitor your brand continuously
These tools give you a snapshot. PhishFence catches new lookalike registrations, DMARC drift, and spoofing campaigns the moment they happen. Sign up free, monitor one domain forever.