Free DNS & email security scanner

Free DNS & Email Security Scanner

IntoDNS.ai is a free DNS and email security scanner. Enter any domain to check SPF, DKIM, DMARC, DNSSEC, MTA-STS, BIMI, CAA, DANE/TLSA, FCrDNS and blacklist status — 61 checks in under 3 seconds, free forever, no signup, no API key. You get a letter-grade score and copy-ready DNS fixes for every issue.

No account required. Results appear instantly at intodns.ai/scan/<domain>.

  • Free forever
  • No signup
  • No API key
  • 61 checks
  • Results in seconds
  • Letter-grade score
  • Copy-ready DNS fixes
  • Public REST API
  • Official MCP server

What is a DNS & email security scanner?

A DNS and email security scanner is a tool that inspects a domain's public DNS records, mail-server configuration and web security headers to find weaknesses that let attackers spoof your email or intercept traffic. It checks email authentication (SPF, DKIM, DMARC), transport security (MTA-STS, DANE/TLSA, DNSSEC), DNS health and HTTP security headers, then reports what is misconfigured and how to fix it.

IntoDNS.ai runs 61deterministic checks against live DNS over multiple public resolvers (Cloudflare, Google, Quad9), grades the result A+ to F, and returns a copy-ready DNS record for each failing check. It does not perform penetration testing or read email content — it only analyzes publicly available DNS records and HTTP headers.

The 61 checks, grouped

Every scan runs the same 61 deterministic checks across DNS, email authentication, transport security, reputation and the web layer. This is the full list.

DNS configuration

13 checks
  • A record present
  • AAAA record present
  • MX records present
  • NS records present
  • SOA record present
  • Multiple nameservers
  • SOA serial format
  • SOA timers valid
  • No lame nameservers
  • Glue records present
  • WWW record configured
  • MX servers have PTR records
  • MX servers have FCrDNS

DNSSEC

9 checks
  • DNSSEC signed
  • DNSSEC validation OK
  • Chain of trust complete
  • DNSKEY algorithm secure
  • Modern DNSSEC algorithm
  • DS digest algorithm modern
  • NSEC3 RFC 9276 compliant
  • RRSIG signatures valid
  • RRSIG TTL safe

IPv6 readiness

3 checks
  • Website reachable via IPv6
  • Mail servers reachable via IPv6
  • Nameservers reachable via IPv6

Email authentication

14 checks
  • SPF record present
  • SPF syntax valid
  • SPF policy strict (-all)
  • DKIM found
  • DMARC record present
  • DMARC policy quarantine or better
  • DMARC policy reject
  • BIMI record present
  • BIMI configuration valid
  • MTA-STS record present
  • MTA-STS policy enforced
  • MX records valid
  • MX domains use DNSSEC
  • MX DNSSEC validation OK

Reputation

2 checks
  • Mail servers not blacklisted
  • No critical blacklist listings

Web & transport security

20 checks
  • CAA records present
  • CAA policy strict
  • TLSA records (DANE)
  • DANE configuration valid
  • No sensitive info in TXT
  • Verification records reviewed
  • HTTPS available
  • Valid certificate
  • HTTP redirects to HTTPS
  • HSTS enabled
  • HSTS max-age ≥ 1 year
  • X-Frame-Options header
  • X-Content-Type-Options header
  • Content-Security-Policy header
  • Referrer-Policy header
  • security.txt present
  • security.txt valid
  • HTTP/3 (QUIC) supported
  • QUIC UDP reachable
  • HTTPS DNS record (SVCB)

Frequently asked questions

Is there a free DNS and email security scanner?

Yes. IntoDNS.ai is a free DNS and email security scanner. It runs 61 deterministic checks on any domain — SPF, DKIM, DMARC, DNSSEC, MTA-STS, BIMI, CAA, DANE/TLSA, FCrDNS, HTTP security headers and blacklist status — and returns a letter-grade score in under 3 seconds, free forever.

Does it require signup or an API key?

No. There is no signup, no account and no API key. Enter a domain and run the scan immediately. The same checks are also available through a free public REST API and an official MCP server, neither of which requires a key.

What does it check?

IntoDNS.ai runs 61 checks across five areas: DNS configuration (A/AAAA/MX/NS/SOA records, nameserver redundancy, glue, PTR and FCrDNS), DNSSEC (chain of trust, algorithms, RRSIG validity), IPv6 readiness, email authentication (SPF, DKIM, DMARC, BIMI, MTA-STS, MX DNSSEC), reputation (DNSBL blacklist status), and web and transport security (HTTPS, certificate, HSTS, CSP, X-Frame-Options, security.txt, CAA, DANE/TLSA, HTTP/3).

How long does a scan take?

A full scan completes in under 3 seconds. Checks run in parallel against multiple public DNS resolvers (Cloudflare, Google and Quad9) in real time, with no reliance on cached third-party results.

Is it really free?

Yes, it is free forever. There is no paywall, no trial limit and no credit card. IntoDNS.ai is built and maintained by Cobytes as a free public tool; the scanner, the REST API and the MCP server are all free to use.

Found issues you don't want to fix yourself?

Cobytes configures SPF, DKIM, DMARC, DNSSEC and MTA-STS for you — correctly, and verified against this scanner.