Zone health check
One click, one report: delegation, SOA, nameserver diversity, DNSSEC, MX, SPF, DMARC and CAA — pass, warn, fail.
Frequently asked
What does each check actually test?
NS delegation compares parent and authoritative NS records; SOA reads the zone's SOA and sanity-checks the expire timer; nameserver diversity flags zones where every NS shares one /24 subnet; DNSSEC looks for a DS at the parent and a DNSKEY at the zone; MX checks records exist and resolve; SPF validates there is exactly one record and no +all catch-all; DMARC flags p=none as monitor-only; CAA warns if any CA may issue certificates.
Why is my zone getting a warning when nothing looks broken?
Warnings are for working configurations that have weak defaults — DMARC p=none, a missing CAA record, a single-subnet NS set. They don't cause outages; they expand the blast radius when something else goes wrong.
Does this check the actual content of my zone?
No. It inspects records that sit on the public internet — nothing inside your DNScale account, no authenticated queries. Everything it checks is also visible to any DNS client on the internet, including attackers evaluating the zone.
What do I do with a failed check?
Click the row to inspect the raw records that drove the verdict. Every finding is a DNS configuration change; DNScale-hosted zones can fix most of them in the zone editor in under a minute.
Fix these on DNScale
Built and operated in the EU. The same anycast network that powers this tool serves every DNScale-hosted zone.
Fix these on DNScale