Security Live Data stays in your browser

DNS / DKIM Inspector

Fetch live DNS records (A, MX, TXT, CNAME) and validate SPF, DKIM, and DMARC email authentication — instantly in your browser via DNS-over-HTTPS.

DKIM Selector Check

Disclaimer: Free tool provided “as is” by MonitorGiant. No warranty or liability for any data loss, security issues, or infrastructure problems arising from use of this tool. Results are for informational purposes only. · A Free Tool by MonitorGiant

What is DNS / DKIM Inspector?

The DNS / DKIM Inspector fetches live DNS records for any domain using Cloudflare's DNS-over-HTTPS API — no server required. It retrieves A, MX, TXT, CNAME, NS, and SOA records, then automatically parses your TXT records to validate SPF, DKIM, and DMARC email authentication configuration. Properly configured SPF, DKIM, and DMARC records are essential for email deliverability and protecting your domain from being spoofed in phishing attacks.

How to use this tool

  1. 1 Enter a domain name (e.g. example.com) into the input field and click 'Inspect'.
  2. 2 The tool fetches all major DNS record types and displays them in organised tabs.
  3. 3 Check the SPF tab to see whether your Sender Policy Framework record is correctly structured and lists all authorised sending IPs.
  4. 4 For DKIM, enter your DKIM selector (usually found in your email provider's settings) to verify the public key TXT record exists.
  5. 5 Review the DMARC tab — a missing or permissive DMARC policy (p=none) means spoofed emails from your domain may not be rejected.

When would you use this?

  • Diagnosing email deliverability problems — emails landing in spam are often caused by missing or misconfigured SPF, DKIM, or DMARC records.
  • Verifying DNS changes have propagated after updating records at your registrar or DNS provider.
  • Auditing a domain you've taken over to understand its current DNS configuration before making changes.

Want to monitor your domain's DNS health continuously? MonitorGiant tracks DNS changes, SSL expiry, and email authentication in real time — with instant alerts when something breaks.

Related tools

SPF Record Creator Build a valid SPF TXT record for your domain. DKIM Key Generator Generate an RSA-2048 DKIM key pair in your browser. SSL Certificate Checker Full SSL/TLS audit including CAA and DNSSEC.

How DNS / DKIM Inspector works

The DNS / DKIM Inspector queries public DNS resolvers directly from your browser using the DNS-over-HTTPS (DoH) protocol. No data is routed through MonitorGiant servers — every lookup happens client-side.

  1. 1

    Enter a domain name

    Type the domain you want to inspect (e.g. example.com). Subdomains and FQDNs are supported.

  2. 2

    Live DNS records fetched via DNS-over-HTTPS

    The tool queries the Cloudflare DoH resolver (1.1.1.1/dns-query) from your browser. It retrieves A, AAAA, MX, TXT, CNAME, and NS records using the standard DoH JSON API — no plugins required.

  3. 3

    SPF record parsed and validated

    TXT records are scanned for an SPF entry (v=spf1). The tool parses mechanisms (include, ip4, ip6, a, mx, redirect) and qualifiers (~all, -all, +all), highlighting common misconfigurations.

  4. 4

    DKIM public key fetched for your selector

    Enter a DKIM selector (e.g. "google", "s1") and the tool constructs selector._domainkey.domain, fetches the TXT record, and parses the key type, size, and policy flags.

  5. 5

    DMARC policy evaluated and summarised

    The tool auto-fetches _dmarc.domain, parses the p= policy, sp=, pct=, and rua=/ruf= reporting tags, and shows a human-readable enforcement summary.

All DNS queries go directly from your browser to the Cloudflare DoH endpoint (cloudflare-dns.com/dns-query). Domain names are sent to Cloudflare as part of the DNS lookup. No data is ever sent to MonitorGiant servers.

Searching for a free online tool to check DKIM records in DNS? Verifying DKIM means looking up the TXT record at a selector-prefixed subdomain (e.g. google._domainkey.example.com) to confirm the public key is present and correctly formatted. This tool queries Cloudflare's public DNS resolver directly from your browser — returning the raw DKIM TXT record alongside MX, SPF, DMARC, and DNSSEC results in one lookup. No dig, no command line, no API key needed.

Frequently asked questions — DNS / DKIM Inspector

How do I check a DKIM record for my domain?

Enter your domain name and the DKIM selector (found in your email provider's settings — commonly "google", "mail", "s1", or "default") in the DKIM selector field, then run the lookup. The tool constructs the correct TXT record name (selector._domainkey.domain), fetches it via DNS-over-HTTPS, and displays the public key along with the key type and bit length.

Why is my email failing DKIM verification?

The most common causes are: (1) the DKIM DNS record does not yet exist or has not propagated — DNS changes can take up to 48 hours; (2) the selector name used by your mail server does not match the record in DNS; (3) the p= public key in DNS does not match the private key configured on your mail server. Use this inspector to verify the record exists and matches your expected selector.

What is an SPF record and how do I check if mine is correct?

An SPF (Sender Policy Framework) TXT record tells receiving mail servers which IP addresses and services are authorised to send email from your domain. A typical record looks like: v=spf1 include:_spf.google.com ~all. This tool fetches your domain's TXT records and highlights the SPF entry, showing the parsed mechanisms and the policy qualifier (-all for strict reject, ~all for softfail).

What is a DMARC record and why does it matter?

DMARC (Domain-based Message Authentication Reporting & Conformance) instructs receiving servers what to do when an email fails SPF and DKIM checks — none (monitor only), quarantine (send to spam), or reject (block). It also lets you receive aggregate reports about email sent from your domain. Without DMARC, even a correctly configured SPF/DKIM setup may not protect against spoofing in the From: header.

How long does DNS propagation take?

New DNS records typically propagate within 5–30 minutes when using modern DNS providers, though the DNS standard allows up to 48 hours depending on the TTL (Time to Live) of the old record and the caching behaviour of resolvers. This tool queries Cloudflare's 1.1.1.1 resolver, which has very low cache times — if your record shows here, most email servers worldwide will see it.

Can I look up DNS records for any domain?

Yes — the tool uses the public DNS-over-HTTPS (DoH) protocol and can look up any publicly resolvable domain. It supports A, AAAA, MX, TXT, CNAME, and NS record types, as well as DMARC and SPF parsing from TXT records. Internal or private DNS zones that are not exposed to the public internet cannot be queried.

Comments & Feedback

Found a bug? Have a suggestion? We'd love to hear from you.

0 / 2000

Your email (if provided) is never displayed publicly.

Related Tools

Security

SPF Record Creator

Build a valid SPF TXT record for your domain
Security

DKIM Key Generator

Generate RSA public/private keys for DKIM signing
Security

Email Address Validator

Validate format, MX records, and disposable domains

From the makers of this tool

Need deeper observability?

MonitorGiant tracks real-time AI performance, infrastructure health, and system reliability — far beyond what free utilities can show.

Explore MonitorGiant