DNS, email and web security tools

Free tools to analyze, validate and strengthen your domain's security posture.

33 tools

SPF Record Generator

Build a valid SPF record for your domain. Add IP addresses, include third-party senders, and configure your SPF policy.

DKIM Record Generator

Generate a DKIM key pair and DNS record in your browser. The private key never leaves your device. 2048-bit recommended.

DMARC Record Generator

Create a DMARC policy to protect your domain from spoofing. Configure reporting, policy enforcement, and alignment modes.

MTA-STS Policy Generator

Generate MTA-STS TXT records and policy files to enforce TLS encryption for inbound email delivery.

BIMI Record Checker & Generator

Create default._bimi TXT records and verify logo, VMC/CMC, and DMARC readiness for supported email clients.

TLS-RPT Record Generator

Create an _smtp._tls TXT record so you can receive SMTP TLS failure reports before enforcing MTA-STS.

CAA Record Generator

Control which Certificate Authorities can issue TLS certificates for your domain. Set issue, issuewild, and iodef rules to prevent mis-issuance.

TLSA / DANE Record Generator

Paste a certificate or public key and compute the TLSA hash in your browser for SMTP DANE. Usage, selector, and matching-type controls.

Security Headers Generator

Generate HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, and COOP/COEP/CORP headers with ready-to-paste Nginx, Apache, Caddy, and Cloudflare snippets.

CSP Generator

Build a Content-Security-Policy directive by directive. Add sources, enable nonces and Report-Only rollout, and copy ready-to-paste server snippets.

DNS Lookup

Query A, AAAA, MX, TXT, NS, SOA, CNAME, CAA, or PTR and read type, value, and TTL.

DNS Propagation Checker

Check a record across public resolvers worldwide and see if the change has propagated.

DNSSEC Checker

Confirm a domain is signed and the chain of trust validates via the AD flag and DS record.

DANE / TLSA Checker

Validate the TLSA records published for a domain's mail servers and their usage profile.

NIS2 Readiness Checker

Check Article 21.2 (a-j) DNS and email readiness with a per-measure breakdown.

WHOIS / RDAP Lookup

Look up the registrar, dates, nameservers, and status of any domain, or the owner of any IP, over RDAP.

SPF Flattening Tool

Resolve your include/a/mx graph to literal ip4/ip6 addresses to fix "SPF too many DNS lookups".

SPF Checker

Validate SPF syntax, lookup count, includes, redirects, and flattening risk.

DMARC Checker

Check DMARC policy, reports, and alignment context.

DKIM Checker

Discover selectors and validate published DKIM records.

SMTP TLS Checker

Test STARTTLS, certificate trust, hostname match, expiry, and FCrDNS.

MTA-STS Checker

Validate the DNS record and HTTPS MTA-STS policy file.

BIMI Checker

Validate default._bimi, SVG logo, VMC/CMC URL, and DMARC readiness.

Blacklist Checker

Check domain and mail-server DNSBL status alongside email authentication context.

FCrDNS Checker

Check PTR and forward-confirmed reverse DNS for mail servers.

HTTP/3 (QUIC) Checker

Test Alt-Svc, the HTTPS DNS record, and a live QUIC probe to confirm HTTP/3 support.

CSP Scanner

Crawl your site, analyze your Content-Security-Policy for weaknesses, and get a generated starter CSP.

Full Deliverability Test

Run DNS, email authentication, TLS, sender, and blacklist checks in one flow.

Email Header Analyzer

Paste raw email headers to analyze SPF, DKIM, DMARC, the Received hop chain, and spam indicators.

DMARC Report Analyzer

Upload or paste a DMARC aggregate (RUA) XML report and read source IPs, alignment, and dispositions.

Email Deliverability Tester

Send a test email and get a full deliverability analysis with AI-assisted suggestions.

Google, Yahoo & Microsoft Requirements Checker

Check if your domain meets the latest Google, Yahoo, and Microsoft sender requirements.

Security Badge Generator

Generate an embeddable security score badge for your website or README.

Why use DNS record generators?

DNS records for email authentication (SPF, DKIM, DMARC, MTA-STS, BIMI) follow strict syntax rules. A single typo can break your email deliverability or leave your domain vulnerable to spoofing attacks.

Our free generators create syntactically correct records that you can copy directly into your DNS provider. Each tool includes validation, best-practice defaults, and links to our in-depth guides for further reading.

After generating your records, use our DNS scanner to verify they are correctly published and configured. For a complete email setup audit, try the Email Deliverability Tester.