Validate the DNSSEC chain of trust: DS, DNSKEY, and RRSIG records
Try a known DNSSEC domain: cloudflare.com · bankofamerica.com · icann.org · verisign.com
DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that responses haven't been tampered with. Without DNSSEC, attackers could perform "DNS cache poisoning" attacks, redirecting your domain's visitors to malicious servers without anyone noticing. DNSSEC creates a chain of trust from the root DNS zone down to your domain, ensuring every DNS response is authentic and unmodified.
Many security-conscious organisations have deployed DNSSEC. Good examples to check include: cloudflare.com, bankofamerica.com, nic.cz, icann.org, google.com, and verisign.com. Government and financial domains are often good candidates. You can use these to see what a healthy DNSSEC chain looks like.
Most domains do not have DNSSEC enabled, and this is normal. It means your DNS records are served without cryptographic signatures. Visitors can still reach your site, but there is no protection against DNS cache poisoning. If you handle sensitive data or are a government or financial entity, enabling DNSSEC is strongly recommended.
A broken DNSSEC status means DNSSEC records exist but the cryptographic chain cannot be validated. This is worse than having no DNSSEC at all: some resolvers will actively refuse to resolve your domain, causing outages for users on DNSSEC-validating resolvers (like those using Cloudflare 1.1.1.1 or Google 8.8.8.8). Common causes: expired RRSIG records, DS record mismatch after key rollover, or missing DNSKEY records.
DNSSEC is enabled at two levels: (1) your DNS hosting provider must sign your zone and publish DNSKEY/RRSIG records, and (2) your domain registrar must publish a DS record in the parent zone. Most modern DNS providers (Cloudflare, Route 53, Google Cloud DNS) support DNSSEC. The exact steps vary by provider, so check your DNS host's documentation. If you need help, contact OSH.co.za.
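The link between level (1) and level (2) above is that the parent's DS record is a hash of the child's key-signing DNSKEY, which is why a "DS record mismatch after key rollover" breaks the chain. The following added example (not part of this checker's code) derives the DS record from a DNSKEY per RFC 4034 and checks whether a given DS still commits to that key; the DNSKEY and owner name used in the `__main__` block are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034 / RFC 4509): 1 = SHA-1 (legacy), 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name: example.com. -> \\x07example\\x03com\\x00."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire form: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> tuple:
    """DS record (key tag, algorithm, digest type, hex digest) the parent zone must publish for this key."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches(owner: str, rdata: bytes, ds: tuple) -> bool:
    """True when the parent's DS commits to this child DNSKEY; False on any mismatch (e.g. stale DS after a rollover)."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST_ALGS:
        return False  # unknown digest type: cannot validate, treat as broken
    return make_ds(owner, rdata, dtype) == (tag, alg, dtype, digest.lower())


if __name__ == "__main__":
    # Constructed KSK (flags 257, protocol 3, ECDSAP256SHA256 = 13) with a placeholder key, not a real key.
    rd = dnskey_rdata(257, 3, 13, "AAECAw==")
    ds = make_ds("example.com.", rd)
    print("DS to publish at the parent:", ds)
    print("parent DS still valid after rollover to a new key?",
          ds_matches("example.com.", dnskey_rdata(257, 3, 13, "AAECBA=="), ds))
```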
Data Collection: This DNSSEC Checker processes data to provide results. When you enter a domain name, we perform DNSSEC validation queries via trusted DNS resolvers (Google, Cloudflare). No domain names or results are stored on our servers. We do not store, log, or share the domain names or data you submit beyond what is necessary to return your results.
Data Usage: Your input is used solely to generate results. No data is saved, analysed for profiling, or shared with third parties. Each new check operates independently.
DNS Lookups: To check your domain, we perform DNS queries via Google's DNS-over-HTTPS (dns.google). These queries are subject to Google's Privacy Policy. Only the domain name is transmitted; no personally identifiable information.
Analytics: We may collect anonymized usage statistics (page views, tool usage frequency) to improve functionality. This does not include the domain names you check or any personally identifiable information.
Contact: For privacy enquiries or questions, please contact us at support@osh.co.za or visit osh.co.za/contact.