Free DNSSEC Checker
Enter any domain below to check whether DNSSEC (Domain Name System Security Extensions) is enabled. We check for DNSKEY records, DS delegation at the parent zone, and whether a validating resolver returns responses with the Authenticated Data (AD) flag set.
New to DNSSEC? Read our What is DNSSEC? guide for a full explanation.
What Is DNSSEC?
DNSSEC (Domain Name System Security Extensions) adds a layer of cryptographic authentication to DNS responses. It allows resolvers to verify that DNS answers (IP addresses, MX records, etc.) have not been tampered with in transit. Without DNSSEC, attackers can forge DNS responses (cache poisoning) to redirect traffic to malicious servers.
Why Should You Enable DNSSEC?
- Prevent DNS Spoofing: DNSSEC lets validating resolvers reject forged DNS responses, because an attacker without the zone's private keys cannot produce valid signatures. This protects your users from being redirected to phishing or malware sites.
- Foundation for Other Protocols: DANE (DNS-based Authentication of Named Entities) requires DNSSEC. DANE allows you to publish TLS certificate constraints in DNS.
- Email Security: DNSSEC protects MX, SPF, DKIM, and DMARC records from being spoofed, strengthening your entire email authentication chain.
- Trust Signal: DNSSEC is increasingly expected by security-conscious organisations and is a requirement in many government procurement frameworks.
How DNSSEC Works
The zone owner generates cryptographic key pairs, publishes the public keys as DNSKEY records, and signs each DNS record set. A hash of the public key (DS record) is placed in the parent zone, creating a chain of trust up to the root. Validating resolvers check signatures on every response and set the AD (Authenticated Data) flag when validation succeeds.
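The DNSKEY-to-DS link described above, as an added example (not code from this page or from the checker tool): it derives the DS record a parent zone would publish from a child zone's DNSKEY, following RFC 4034, where the digest covers the owner name plus the full DNSKEY RDATA. The key bytes and the name example.test are constructed sample values, and the function names are this example's own.

```python
import hashlib

# DS digest type numbers: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label longer than 63 octets")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"  # root label terminates the name

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key bytes."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner: str, rdata: bytes, digest_type: int = 2):
    """Return (key tag, algorithm, digest type, hex digest) for the parent zone."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)

def ds_matches(owner: str, rdata: bytes, ds) -> bool:
    """True if the parent's DS record commits to this exact DNSKEY."""
    tag, alg, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False  # unknown digest type: cannot confirm the link
    return make_ds(owner, rdata, digest_type) == (tag, alg, digest_type, digest.upper())

# Constructed sample key (not a real zone's key): flags 257 (KSK), algorithm 13.
SAMPLE_RDATA = dnskey_rdata(257, 3, 13, bytes(range(64)))
SAMPLE_DS = make_ds("example.test.", SAMPLE_RDATA)

if __name__ == "__main__":
    print("DS:", *SAMPLE_DS)
```

A DS that no longer matches any published DNSKEY, for example after a key rollover where the parent was not updated, breaks the chain of trust at that delegation.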
What This Tool Checks
- DNSKEY records: Whether the zone publishes signing keys
- DS records: Whether the parent zone has a delegation signer record
- AD flag: Whether a validating resolver (Cloudflare) confirms DNSSEC validation
Need Automated Monitoring?
This free tool is great for one-off checks. If you need continuous monitoring of DNSSEC, CAA, SSL, DMARC, and more across all your domains, join the early access list for up to 90 days free.
Want the full picture?
Our Security Grade checks DNSSEC alongside DMARC, SPF, MTA-STS, CAA, SSL, and domain registration in one scan.
Frequently Asked Questions
Does my registrar support DNSSEC?
Most major registrars and DNS providers now support DNSSEC, including Cloudflare (automatic), Google Domains, Namecheap, and GoDaddy. If you use a third-party DNS host, you may need to export DS records and add them at your registrar.
Can DNSSEC break my domain?
If DNSSEC is misconfigured (e.g. expired signatures, missing DS records, or key rollover failures), validating resolvers will return SERVFAIL, making your domain unresolvable. This is why monitoring DNSSEC status is important after enabling it.
Is DNSSEC required for DMARC?
DNSSEC is not required for DMARC to function, but it strengthens the chain of trust. Without DNSSEC, an attacker who can poison DNS could modify your SPF, DKIM, or DMARC records. DNSSEC prevents this by cryptographically signing DNS responses.
Does DNSSEC affect my Security Grade?
Yes. DNSSEC is a check in the Security Grade framework. Enabling DNSSEC is required to reach a strong Security Grade and above.