We Scanned 1,500+ Dutch Organizations — Here Are the DNS Security Facts
We scanned 1,500+ domains. Here is what we found.
Using the IntoDNS.ai API, we programmatically scanned every organization listed on basisbeveiliging.nl — the Dutch government's digital security transparency platform. Banks, municipalities, cybersecurity firms, hospitals, internet exchanges, and critical digital infrastructure. Over 1,500 domains across every sector of the Dutch digital economy.
The results were sobering. Read the full sector-by-sector breakdown in the State of DNS Security 2026 report. Below, we explain how we did it — and how you can run the same analysis on your own domain portfolio in minutes.
How We Scanned 1,500+ Domains in Under an Hour
The entire audit was performed using the IntoDNS.ai REST API. Each domain was scanned for SPF, DKIM, DMARC, BIMI, MTA-STS, DNSSEC, and 67 blacklists. A single scan takes under 3 seconds; with parallel requests, the full 1,500+ domain audit completed in under an hour.
This is the kind of operation that would take weeks with manual tools. With an AI-powered scanner and API access, it becomes an afternoon project.
What We Check — And Why It Matters
DNS and email security configuration involves dozens of interdependent records — SPF, DKIM, DMARC, BIMI, MTA-STS, DANE, CAA — each with its own syntax, failure modes, and interaction patterns. Traditional scanners return raw data: a list of DNS records, a pass/fail indicator, maybe a severity label. The interpretation is left entirely to the operator.
This creates two concrete problems. First, junior engineers and non-DNS specialists cannot act on the results without researching each finding individually. A missing DKIM selector or a permissive SPF mechanism might be flagged, but understanding what that means in practice — and knowing the exact record to publish — requires reading through RFC documentation and provider-specific guides. Second, even experienced sysadmins spend time context-switching between the scanner output and documentation to construct the correct fix. Multiply this by dozens of domains and it becomes a significant operational cost.
An AI-powered DNS security scanner eliminates both bottlenecks by combining deterministic checks with machine-generated explanations and fixes. The scanner detects the issue; the AI tells you what it means and gives you the exact DNS record to copy into your provider.
What an AI DNS Security Scanner Actually Does Differently
The term "AI scanner" can mean different things. In the context of IntoDNS.ai, it means a two-layer architecture:
Layer 1: Deterministic Security Checks
Every scan runs the same reproducible checks against your domain's DNS configuration. These are not AI-generated opinions — they are structured validations:
- SPF record parsing — validates syntax, checks lookup limits (10 DNS lookups max), detects permissive +all mechanisms
- DKIM discovery — probes common selectors (default, google, k1, selector1, selector2, mailfilter) and validates key length
- DMARC policy analysis — checks policy strength (none/quarantine/reject), alignment modes, reporting configuration
- BIMI validation — verifies the default._bimi TXT record and SVG logo accessibility
- MTA-STS verification — checks the _mta-sts TXT record and validates the /.well-known/mta-sts.txt policy file
- DNSSEC validation — verifies the chain of trust from root to domain
- Blacklist scanning — queries 67 DNS-based blacklists (DNSBLs) for IP reputation issues
These checks produce structured, machine-readable results. The scan completes in under 3 seconds for a full domain analysis, with cached results returning in approximately 60ms.
Layer 2: AI-Assisted Explanation and Fix Generation
This is where the AI component adds genuine value. For every finding from Layer 1, the AI layer provides:
- Plain-language explanation — what the finding means, why it matters, and what the actual risk is
- Copy-paste DNS record configurations — not generic advice, but the specific TXT, CNAME, or MX records you need to add or modify
- Priority guidance — which issues to fix first based on impact to email deliverability and domain security
The AI explanations are generated by Claude, Anthropic's large language model, operating on the structured scan data. The key distinction: the checks themselves are deterministic. The AI assists with interpretation, not detection.
Anatomy of an AI-Powered Scan
Here is what happens when you enter a domain into IntoDNS.ai:
Phase 1: DNS Resolution (0-500ms)
The scanner resolves all relevant DNS record types in parallel using DNS-over-HTTPS (DoH) for reliability: A, AAAA, MX, NS, SOA, TXT, CAA, CNAME, and SRV. It also queries specific subdomains for email security records (_dmarc, _mta-sts, default._bimi, default._domainkey). Parallel resolution is critical for speed — querying 15+ record types sequentially would take 5-10 seconds. By dispatching all queries simultaneously, the total resolution time is bounded by the slowest single response.
Phase 2: Validation and Scoring (500ms-2s)
Each record is parsed and validated against the relevant RFC specifications. The scoring engine applies weighted checks across categories:
| Category | What's Checked | Weight in Score |
|---|---|---|
| Email Authentication | SPF, DKIM, DMARC | High |
| Email Security | MTA-STS, BIMI, TLS | Medium |
| DNS Infrastructure | NS redundancy, SOA, DNSSEC | Medium |
| Reputation | 67 DNSBL blacklist queries | High |
| Advanced | CAA, DANE/TLSA, IPv6 | Low |
The result is a numeric score from 0 to 100 with per-category breakdowns.
Phase 3: AI Analysis (on demand)
When you click "Explain" or "Fix" on any finding, the AI generates a contextual response based on the actual scan data for your specific domain. This is not a canned response — it references your domain's records, identifies the specific misconfiguration, and generates the exact DNS record you need.
Practical Use Cases
Use Case 1: Email Deliverability Troubleshooting
An email marketer notices declining open rates. Using the email deliverability test, they discover their SPF record exceeds the 10-lookup limit due to nested includes from multiple SaaS providers. The AI explains the "too many DNS lookups" error and generates a flattened SPF record that stays within the limit.
Use Case 2: Meeting Google and Yahoo Sender Requirements
Since February 2024, Google and Yahoo require bulk senders to have properly configured SPF, DKIM, and DMARC with at least a p=none policy. The sender requirements checker validates all requirements in a single scan and flags any gaps with specific remediation steps.
Use Case 3: BIMI Implementation Validation
A brand wants their logo displayed next to emails in supporting clients. BIMI requires a valid DMARC policy at p=quarantine or p=reject, a correctly formatted SVG Tiny 1.2 logo, and a properly structured default._bimi TXT record. The BIMI guide walks through each requirement, and the scanner validates the complete chain.
Use Case 4: DevOps DNS Configuration Auditing
A DevOps team manages DNS for 50+ domains across multiple environments. Using the IntoDNS.ai API, they integrate automated security scanning into their CI/CD pipeline. Any DNS change that degrades the security score triggers an alert before the change reaches production.
Use Case 5: Security Compliance Auditing
A security professional needs to document the email authentication posture of all company domains for a SOC 2 or ISO 27001 audit. Running each domain through the scanner produces a structured report with pass/fail results for every check, a numeric score, and specific findings. The AI-generated explanations translate technical DNS issues into language that auditors and management can understand without requiring DNS expertise.
Use Case 6: Domain Acquisition Due Diligence
Before acquiring a domain or onboarding a new client domain, checking its blacklist status and DNS configuration health provides critical information. A domain listed on multiple blacklists or with misconfigured email authentication may have deliverability problems that take weeks to resolve. The 67-blacklist scan provides this visibility in a single query.
Use Case 7: Large-Scale Security Audits
In a large-scale audit, IntoDNS.ai was used to scan over 1,500 organizations from basisbeveiliging.nl — the Dutch government transparency platform for digital security. The scan covered banking, government, cybersecurity, healthcare, and vital digital infrastructure sectors. Read the full analysis in the State of DNS Security 2026 report.
How AI Fix Generation Works
The most practical feature of an AI-powered scanner is fix generation. Here is a concrete example:
Finding: DMARC policy is set to p=none (monitoring only)
Traditional scanner output: "DMARC policy is not enforcing. Consider changing to quarantine or reject."
AI-generated fix:
- Explanation of the three DMARC policy levels and when to use each
- A migration path: p=none → p=quarantine → p=reject with recommended timelines
- The exact TXT record to publish: v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100
- Warning about setting p=reject before reviewing DMARC aggregate reports
This level of specificity saves 15-30 minutes per finding compared to researching the fix manually. For a domain with 5-8 findings, that is 1-3 hours saved per audit.
Another Example: SPF Record Exceeding Lookup Limit
Finding: SPF record requires 14 DNS lookups (exceeds RFC 7208 limit of 10)
Traditional scanner output: "SPF record has too many DNS lookups."
AI-generated fix:
- Identification of which include: mechanisms are contributing the most lookups
- A flattened SPF record that replaces nested includes with direct IP ranges where safe to do so
- Guidance on using SPF macro syntax or splitting mechanisms across subdomains for complex setups
- The exact replacement TXT record ready to publish
- Warning about re-flattening when upstream providers change their IP ranges
The AI understands the full context of SPF mechanics — the 10-lookup limit, void lookup limits, and how mechanisms are evaluated left-to-right — and produces a fix that accounts for all of these constraints. Use the SPF generator to build a new record from scratch, or run a scan to get AI-assisted fixes for your existing record.
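The lookup counting behind this finding can be reproduced offline. The following is an added example, not IntoDNS.ai code: it counts the terms RFC 7208 charges against the 10-lookup limit (include, a, mx, ptr, exists, redirect), follows nested includes, and attributes the cost to each top-level term. The zone data, domain names and the flattened variant are constructed for illustration.

```python
import re

# Constructed sample zone (TXT records keyed by name); not real DNS data.
ZONE = {
    "example.test": "v=spf1 mx a include:_spf.mail.test include:_spf.crm.test "
                    "include:_spf.desk.test ip4:192.0.2.0/24 ~all",
    "_spf.mail.test": "v=spf1 include:_nb1.mail.test include:_nb2.mail.test "
                      "include:_nb3.mail.test ~all",
    "_nb1.mail.test": "v=spf1 ip4:198.51.100.0/25 ~all",
    "_nb2.mail.test": "v=spf1 ip4:198.51.100.128/26 ~all",
    "_nb3.mail.test": "v=spf1 ip4:198.51.100.192/26 ~all",
    "_spf.crm.test": "v=spf1 include:_a.crm.test a:out.crm.test mx ~all",
    "_a.crm.test": "v=spf1 ip4:203.0.113.0/25 -all",
    "_spf.desk.test": "v=spf1 include:_b.desk.test exists:%{i}.allow.desk.test ptr -all",
    "_b.desk.test": "v=spf1 ip4:203.0.113.128/25 -all",
    # Constructed flattened variant: includes replaced by literal IP ranges.
    "flat.example.test": "v=spf1 mx a ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                         "ip4:203.0.113.0/24 ~all",
}

LIMIT = 10  # RFC 7208 section 4.6.4
COUNTED = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:([:=/])(.*))?$", re.I)


def counted_terms(record):
    """Yield (term, name, target) for every term that costs a DNS lookup."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return
    for term in terms[1:]:
        m = TERM.match(term)
        if not m:
            continue
        name, sep, arg = m.group(1).lower(), m.group(2), m.group(3)
        # redirect is a modifier (name=value); everything else is a mechanism.
        if name in COUNTED and (sep == "=") == (name == "redirect"):
            yield term, name, arg


def term_cost(name, target, zone, path):
    """Lookups charged for one term, including anything it pulls in."""
    if name not in ("include", "redirect"):
        return 1
    if target in path:
        raise ValueError(f"SPF include loop via {target}")
    nested = counted_terms(zone.get(target, ""))
    return 1 + sum(term_cost(n, t, zone, path + (target,)) for _, n, t in nested)


def audit(domain, zone):
    """Return (total lookups, over_limit, cost per top-level term)."""
    per_term = {term: term_cost(name, target, zone, (domain,))
                for term, name, target in counted_terms(zone[domain])}
    total = sum(per_term.values())
    return total, total > LIMIT, per_term


if __name__ == "__main__":
    for name in ("example.test", "flat.example.test"):
        print(name, audit(name, ZONE))
```

The per-term costs show which include to flatten first; the flattened record only stays correct while the provider's published ranges do not change.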
Free Tools for DNS Record Generation
Beyond scanning, IntoDNS.ai provides free generators that create correctly formatted DNS records:
- SPF Record Generator — builds a valid SPF record based on your mail infrastructure (Google Workspace, Microsoft 365, Amazon SES, custom SMTP servers)
- DMARC Record Generator — creates a DMARC policy with proper reporting addresses and alignment settings
- MTA-STS Generator — generates both the _mta-sts TXT record and the /.well-known/mta-sts.txt policy file
Each generator produces copy-paste output that you can add directly to your DNS provider. No account required.
API Access for Automation
For teams that need programmatic access, IntoDNS.ai exposes a REST API with the same scanning capabilities as the web interface. Common integration patterns include:
- CI/CD pipeline checks — scan domains after DNS changes and fail the build if the security score drops below a threshold
- Monitoring dashboards — poll domain scores periodically and graph trends over time
- Compliance reporting — generate automated security reports for audit documentation
- Multi-domain management — scan all domains in a portfolio and rank by security posture
API responses return structured JSON with individual check results, scores, and metadata. Rate limiting is applied per IP, and cached results are served when available for faster response times.
Example API Response Structure
A typical API response includes the overall score, per-category breakdowns, individual check results with pass/fail status, and the raw DNS records discovered. This structured format makes it straightforward to build alerting rules (e.g., "alert if DMARC policy changes from reject to none") or threshold-based monitoring (e.g., "page if score drops below 70").
AI Email Security Analysis: Beyond Basic Record Checks
Email security analysis is more than checking whether SPF, DKIM, and DMARC records exist. The records need to be correctly configured, mutually consistent, and aligned with your actual mail infrastructure. Here is what a thorough AI email security analysis covers:
SPF: Sender Policy Framework
SPF defines which IP addresses are authorized to send email for your domain. Common issues the AI catches and explains include: exceeding the 10 DNS lookup limit, using the deprecated ptr mechanism, having a permissive +all or ?all default, and missing includes for third-party senders (marketing platforms, CRM systems, ticketing software). The SPF generator helps you build a correct record from scratch.
DKIM: DomainKeys Identified Mail
DKIM cryptographically signs outgoing emails so receiving servers can verify the message was not tampered with in transit. The scanner probes multiple common selectors and validates key length — 1024-bit keys are still accepted but 2048-bit is recommended. The AI explains why key rotation matters and how to set up DKIM with your specific mail provider.
DMARC: Domain-based Message Authentication, Reporting, and Conformance
DMARC ties SPF and DKIM together with a policy that tells receiving servers what to do with messages that fail authentication. The three policy levels — none, quarantine, and reject — represent increasing levels of protection. The AI explains the safe migration path from monitoring to enforcement and generates the correct DMARC record for each stage.
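The policy ordering, and the alerting rule mentioned earlier ("alert if DMARC policy changes from reject to none"), can be checked directly on the published TXT records. This is an added example, not IntoDNS.ai code or its API; the function names and the sample records (with example.test addresses) are constructed for illustration.

```python
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt):
    """Parse a DMARC TXT record, applying the RFC 7489 defaults for sp and pct."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags.setdefault(key.strip().lower(), value.strip())
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must start with v=DMARC1")
    p = tags.get("p", "").lower()
    sp = tags.get("sp", p).lower()  # subdomain policy defaults to p
    if p not in STRENGTH or sp not in STRENGTH:
        raise ValueError("p/sp must be none, quarantine or reject")
    return {"p": p, "sp": sp, "pct": int(tags.get("pct", "100")),
            "rua": [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]}


def findings(txt):
    """Posture findings for a single record."""
    rec = parse_dmarc(txt)
    out = []
    if rec["p"] == "none":
        out.append("p=none: monitoring only, failing mail is still delivered")
    elif rec["pct"] < 100:
        out.append(f"pct={rec['pct']}: policy applies to only part of failing mail")
    if STRENGTH[rec["sp"]] < STRENGTH[rec["p"]]:
        out.append(f"sp={rec['sp']} is weaker than p={rec['p']}")
    if not rec["rua"]:
        out.append("no rua: no aggregate reports to review before tightening")
    return out


def downgrade(old_txt, new_txt):
    """Reasons the new record protects less than the old one (empty if none)."""
    old, new = parse_dmarc(old_txt), parse_dmarc(new_txt)
    reasons = [f"{t}: {old[t]} -> {new[t]}" for t in ("p", "sp")
               if STRENGTH[new[t]] < STRENGTH[old[t]]]
    # A lower pct only weakens the policy when the policy itself is unchanged.
    if new["p"] == old["p"] != "none" and new["pct"] < old["pct"]:
        reasons.append(f"pct: {old['pct']} -> {new['pct']}")
    if old["rua"] and not new["rua"]:
        reasons.append("rua removed")
    return reasons


# Constructed sample records.
ENFORCING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.test"
MONITORING = "v=DMARC1; p=none"

if __name__ == "__main__":
    print(findings(MONITORING))
    print(downgrade(ENFORCING, MONITORING))
```

Run in a pipeline against the record before and after a DNS change, a non-empty result from downgrade is the condition to alert on.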
BIMI, MTA-STS, and Advanced Standards
Beyond the core trio, modern email security includes BIMI (Brand Indicators for Message Identification) for displaying your logo in email clients, MTA-STS (Mail Transfer Agent Strict Transport Security) for enforcing TLS on incoming mail connections, and DANE/TLSA for certificate pinning. These are checked as part of every scan and explained by the AI when findings are generated. See the BIMI implementation guide and MTA-STS generator for detailed setup instructions.
How IntoDNS.ai Compares to Traditional Scanners
Legacy tools were built for a different era — one where checking a single record type was sufficient and the operator already knew what to look for. Here is how the approach differs:
| Capability | Traditional Scanners | AI-Powered Analysis (IntoDNS.ai) |
|---|---|---|
| Scan scope | Single record type per query | All DNS and email records in one scan |
| Result format | Raw records, pass/fail | Scored results with explanations |
| Fix guidance | Generic documentation links | Domain-specific DNS records to copy |
| Blacklist coverage | 10-20 lists typically | 67 DNSBLs checked per scan |
| Speed | 5-30 seconds per check | Full scan in under 3 seconds |
| BIMI validation | Rarely included | Full chain validation included |
| MTA-STS check | Rarely included | TXT record and policy file validated |
| API access | Often paid tier only | Free API available |
For a detailed feature-by-feature breakdown, see the tool comparison hub.
Understanding Your DNS Security Score
The DNS security score is calculated from weighted checks across all categories. Here is what the ranges indicate:
- 90-100: All critical authentication (SPF, DKIM, DMARC) is properly configured with enforcing policies. Advanced standards (BIMI, MTA-STS) are implemented. No blacklist hits.
- 70-89: Core email authentication is in place. Some advanced standards may be missing or policies may not be at full enforcement.
- 50-69: Significant gaps exist. Common issues include missing DKIM, DMARC at p=none, or SPF with permissive mechanisms.
- Below 50: Critical authentication is missing or misconfigured. Immediate action recommended.
You can display your current score on your website using the DNS security badge, which updates automatically with each scan.
Who Benefits from AI-Powered DNS Analysis
System Administrators
Sysadmins managing email infrastructure across multiple domains benefit from the consolidated view — every DNS and email security check in one scan, with AI-generated fix commands they can execute immediately. No more bouncing between five different tools to diagnose a deliverability issue.
DevOps Engineers
The API-first approach fits DevOps workflows. Integrate domain scanning into Terraform pipelines, post-deployment validation, or scheduled monitoring jobs. The structured JSON responses work with any alerting stack — PagerDuty, OpsGenie, Slack webhooks, or custom tooling.
Email Marketers
Non-technical users who need to ensure their sending domains are properly authenticated benefit most from the AI explanation layer. Instead of raw DNS records and RFC numbers, they get plain-language guidance: "Your SPF record is missing an include for Mailchimp. Add include:servers.mcsv.net to authorize their servers."
Security Professionals
For penetration testers and security auditors, the comprehensive scan provides a quick baseline of a domain's email security posture. The 67-blacklist check, DNSSEC validation, and MTA-STS verification cover the full attack surface relevant to email-based threats including phishing, spoofing, and man-in-the-middle attacks on mail delivery.
Managed Service Providers
MSPs managing domains for multiple clients can use the API to build customer-facing dashboards showing each domain's security score. The DNS security badge provides an embeddable widget that updates automatically, giving clients visibility into their domain's health.
Frequently Asked Questions
What is an AI DNS security scanner?
An AI DNS security scanner combines traditional DNS record validation with artificial intelligence to explain findings in plain language and generate specific fix configurations. Instead of returning only raw data, it provides actionable guidance tailored to your domain's actual DNS records.
How does AI email security analysis work?
The analysis runs deterministic checks against your domain's SPF, DKIM, DMARC, BIMI, and MTA-STS records. When issues are found, an AI model (Claude by Anthropic) generates explanations and produces the exact DNS records needed to resolve each issue, based on your domain's specific configuration.
Is IntoDNS.ai free to use?
Yes. Basic scans including all DNS and email security checks, blacklist scanning, and the AI-powered explanations are free with no account required. Free record generators for SPF, DMARC, and MTA-STS are also available without signup.
How fast is the DNS analysis?
A full scan covering all DNS record types, email authentication, and 67 blacklists completes in under 3 seconds. Cached results for previously scanned domains return in approximately 60 milliseconds.
What blacklists does IntoDNS.ai check?
IntoDNS.ai queries 67 DNS-based blacklists (DNSBLs) including Spamhaus, Barracuda, SORBS, SpamCop, and other major reputation databases. All 67 lists are checked in every scan at no additional cost.
Can I use IntoDNS.ai in my CI/CD pipeline?
Yes. The REST API returns structured JSON and can be integrated into any CI/CD pipeline, monitoring system, or automation workflow. Use it to validate DNS changes before deployment or monitor domain security scores over time.
Does IntoDNS.ai check Google and Yahoo sender requirements?
Yes. The sender requirements page validates all requirements introduced by Google and Yahoo for bulk senders, including SPF, DKIM, DMARC, and one-click unsubscribe headers.
What email security standards does IntoDNS.ai check?
IntoDNS.ai validates SPF, DKIM, DMARC, BIMI, MTA-STS, DANE/TLSA, and TLS configuration for mail servers. It also checks the overall email deliverability posture including blacklist status and DNS record correctness.
Key Takeaways
- AI-powered scanning combines deterministic checks with intelligent explanations — the checks are reproducible, the AI adds interpretation and fix generation
- Full DNS and email security analysis completes in under 3 seconds — covering SPF, DKIM, DMARC, BIMI, MTA-STS, DNSSEC, and 67 blacklists
- AI-generated fixes produce copy-paste DNS records — specific to your domain, not generic documentation links
- No account required for basic scans — run a scan, get results, generate fixes immediately
- API access enables automation — integrate DNS security checks into CI/CD pipelines and monitoring systems
- Free tools for record generation — SPF, DMARC, and MTA-STS generators produce correctly formatted DNS records
Start Scanning
Enter any domain at intodns.ai to get a complete DNS and email security analysis with AI-powered explanations in under 3 seconds. No signup required.