DNSSEC cryptographically signs your DNS records so a recipient can confirm they came from you and weren't tampered with in transit. We verify the structural chain (DS records at the parent, DNSKEY at the child, RRSIG signatures), check the signing algorithm, and ask a validating recursive resolver whether the AD (authenticated-data) bit comes back set. SMB security audits frequently ask for this evidence.
This tool is a one-shot check. PhishFence watches your domain 24/7 for DMARC changes, new lookalike registrations, and spoofing attempts.