Domain security records.
Run a free domain security check on any domain in one shot. This tool runs a DNSSEC check, a CAA record check, and validates MTA-STS, TLS-RPT and BIMI — the modern domain-security signals receivers and certificate authorities use to decide whether to trust you, and the ones most domains still don't have.
No signup · runs in your browser · also try our security headers check, SPF/DKIM/DMARC checker and DNS lookup.
How to check your domain's security posture in 3 steps
1. Enter the domain in the box above (e.g. example.com.au) and click Check records.
2. Read the score. The summary shows how many of the five records — DNSSEC, CAA, MTA-STS, TLS-RPT and BIMI — are configured, each marked PASS, WARN or FAIL.
3. Close the gaps. Fix anything flagged WARN or FAIL — enable DNSSEC at your registrar, add a CAA record pinning your CA, and publish an MTA-STS policy for inbound mail.
Domain security controls we check
Each control closes a specific gap in how the world trusts your domain's mail and certificates. Here's what each one does and why it matters.
| Control | What it does | Why it matters |
|---|---|---|
| DNSSEC | Cryptographically signs your DNS records end-to-end from the root. | Without it, anyone in the network path can forge your DNS — including your SPF, MX and CAA records. |
| CAA | Restricts which certificate authorities may issue TLS certs for your domain. | No CAA means any CA worldwide can issue a cert for you — a real risk if a CA is compromised. |
| MTA-STS | Tells sending servers to require valid TLS for inbound mail, or refuse delivery. | Stops active attackers from downgrading inbound SMTP to plaintext and reading your mail. |
| TLS-RPT | Publishes where receivers should email daily TLS-failure reports. | Gives you visibility when senders silently fail to establish TLS and defer your mail. |
| BIMI | Publishes your verified brand logo for display in supported mail clients. | Improves recognition and trust in Gmail, Yahoo and Apple Mail — and requires strict DMARC first. |
| SPF / DMARC | Authenticate who may send as your domain and what to do with failures. | Table stakes for deliverability and anti-spoofing — checked by our companion email auth checker. |
What this checks
DNSSEC
Cryptographic signing of DNS records, end to end from the root. Without DNSSEC, anyone in the path can forge DNS responses for your domain — including for SPF, DKIM, MX and CAA. We check the AD (Authenticated Data) flag from a validating resolver and look for DS + DNSKEY records.
CAA — Certification Authority Authorization
DNS records that restrict which certificate authorities may issue TLS certs for your domain. A missing CAA record means any CA worldwide may issue — fine for most, but a real risk if a third party with a CA's API key decides to issue *.yourdomain.com. We list the issuers you've authorised and any iodef email for misissuance reports.
MTA-STS — Strict Transport Security for SMTP
Tells sending mail servers to require TLS when delivering mail to you, and to refuse delivery if the certificate is invalid. Defends against active downgrade attacks on inbound mail. Needs both a TXT record at _mta-sts.{domain} and an HTTPS-served policy file (we check the DNS half here).
TLS-RPT — TLS Reporting
Companion to MTA-STS. Tells the world where to send daily aggregate reports about TLS connection failures to your mail servers — so you find out when receivers are downgrading or failing to deliver to you.
BIMI — Brand Indicators for Message Identification
Lets your verified brand logo appear next to messages in supported mail clients (Gmail, Yahoo, Apple Mail). Requires DMARC at p=quarantine or p=reject, an SVG logo URL, and (for Gmail) a Verified Mark Certificate. We check the DNS record only — the logo and VMC fetches happen inside the receiver's mail client.
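As an added illustration of the DNS-side checks described above (this is example code, not the checker's own), here is a small Python validator for the CAA, MTA-STS, TLS-RPT and BIMI records. The PASS/WARN/FAIL thresholds and the sample answers for a hypothetical example.com.au are assumptions constructed for the example.

```python
def parse_tags(txt):
    """Split a 'k=v; k=v' style TXT record into a dict with lower-cased keys."""
    pairs = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def check_caa(records):
    # records look like '0 issue "letsencrypt.org"'; no record means any CA may issue
    if not records:
        return "FAIL"
    tags = {r.split()[1] for r in records if len(r.split()) >= 3}
    return "PASS" if tags & {"issue", "issuewild"} else "WARN"

def check_mta_sts(txt):  # TXT at _mta-sts.<domain>
    if txt is None:
        return "FAIL"
    t = parse_tags(txt)
    sts_id = t.get("id", "")  # 1-32 alphanumeric chars; senders refetch the policy when it changes
    ok = t.get("v") == "STSv1" and sts_id.isalnum() and len(sts_id) <= 32
    return "PASS" if ok else "WARN"

def check_tls_rpt(txt):  # TXT at _smtp._tls.<domain>
    if txt is None:
        return "FAIL"
    t = parse_tags(txt)
    ruas = [u.strip() for u in t.get("rua", "").split(",") if u.strip()]
    ok = t.get("v") == "TLSRPTv1" and ruas and all(u.startswith(("mailto:", "https://")) for u in ruas)
    return "PASS" if ok else "WARN"

def check_bimi(txt, dmarc_policy):  # TXT at default._bimi.<domain>
    if txt is None:
        return "FAIL"
    t = parse_tags(txt)
    if t.get("v") != "BIMI1" or not t.get("l", "").startswith("https://"):
        return "WARN"
    # receivers only show the logo under an enforcing DMARC policy, so p=none is a WARN
    return "PASS" if dmarc_policy in ("quarantine", "reject") else "WARN"

def check_domain(a):
    """a: DNS answers keyed by record label (see SAMPLE). Returns {control: status}."""
    return {"CAA": check_caa(a.get("caa", [])), "MTA-STS": check_mta_sts(a.get("_mta-sts")),
            "TLS-RPT": check_tls_rpt(a.get("_smtp._tls")),
            "BIMI": check_bimi(a.get("default._bimi"), a.get("dmarc_p"))}

SAMPLE = {  # constructed answers for a hypothetical example.com.au, not real lookups
    "caa": ['0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.com.au"'],
    "_mta-sts": "v=STSv1; id=20240601T120000",
    "_smtp._tls": "v=TLSRPTv1; rua=mailto:tlsrpt@example.com.au",
    "default._bimi": "v=BIMI1; l=https://example.com.au/brand.svg;",
    "dmarc_p": "none",
}
```

Running `check_domain(SAMPLE)` scores the constructed domain 3 of 4: BIMI is published but lands on WARN because DMARC is still p=none.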
These records are the next layer up
SPF, DKIM and DMARC (which our email auth checker covers) are table stakes — every legitimate sender has them by 2026. DNSSEC, CAA, MTA-STS, TLS-RPT and BIMI are what separate "configured correctly" from "configured for the modern threat model". Most domains have none of them. Adding them takes 30 minutes per record, and once they're in place, they reduce the attack surface substantially.
Privacy
Lookups happen in your browser via Cloudflare's public DNS-over-HTTPS endpoint. Edos Solutions doesn't log the domains you check, doesn't run any analytics on this page, and doesn't capture your IP.
Common domain-security gaps we fix
A domain-security check almost always surfaces the same handful of gaps. The ones we see most:
No DNSSEC
Unsigned DNS can be forged by anyone in the path — including your SPF, MX and CAA records. Enabling DNSSEC at the registrar closes it.
Missing CAA record
With no CAA, any certificate authority in the world can issue a cert for your domain. A CAA record pins issuance to the CA you actually use.
Weak or missing DMARC
A policy of p=none — or no DMARC at all — leaves your domain spoofable. Run the SPF/DKIM/DMARC check →
No MTA-STS
Without MTA-STS, an active attacker can downgrade inbound SMTP to plaintext and read your mail. A policy forces senders to require valid TLS.
Want your domain locked down end-to-end?
Edos Solutions configures and monitors the full domain-security stack for Australian organisations — DNSSEC, CAA, MTA-STS, TLS-RPT, BIMI and aligned SPF/DKIM/DMARC, done right and kept that way.
Frequently asked questions
- What is DNSSEC?
- DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify the response hasn't been tampered with. Without DNSSEC, anyone between a resolver and the authoritative nameserver can forge DNS responses — including forging your SPF record, your MX, or your CAA record. DNSSEC is enabled at your domain registrar.
- What is a CAA record and why does it matter?
- CAA (Certification Authority Authorization) is a DNS record that restricts which certificate authorities are permitted to issue TLS certificates for your domain. Without one, any CA worldwide may issue a certificate for your domain — a real risk if a CA is compromised or an attacker obtains a fraudulent certificate. Adding a CAA record pinning to your actual CA takes under 5 minutes.
- What is MTA-STS?
- MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending mail servers to require valid TLS when delivering mail to you, and to refuse delivery if the TLS certificate is invalid or expired. Without MTA-STS, an active attacker can downgrade SMTP connections to plaintext and intercept inbound mail. It requires both a DNS TXT record and a policy file served over HTTPS at a specific path.
- What is TLS-RPT?
- TLS-RPT (TLS Reporting) is a companion to MTA-STS. It's a DNS TXT record that tells sending mail servers where to email daily aggregate reports about TLS connection failures to your mail infrastructure. Without TLS-RPT, you have no visibility into whether senders are successfully establishing TLS or silently failing and deferring your mail.
- What is BIMI and how do I enable it?
- BIMI (Brand Indicators for Message Identification) lets your brand logo appear next to messages in supported mail clients — Gmail, Yahoo Mail, and Apple Mail. It requires DMARC at p=quarantine or p=reject, an SVG logo at a public HTTPS URL, and a DNS TXT record at default._bimi.yourdomain.com. Gmail additionally requires a Verified Mark Certificate (VMC). This tool checks the DNS record only.
- How do I check my domain's security?
- Type your domain into the box above and click "Check records". This free domain security checker queries live DNS in your browser and reports on DNSSEC (signed and validating), CAA (which certificate authorities may issue certs for you), MTA-STS and TLS-RPT (TLS protection and reporting for inbound mail) and BIMI (brand logo display) — no signup, no command line. For SPF, DKIM and DMARC, pair it with our email auth checker; for HTTP response headers, use the security headers check.
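The MTA-STS text above and the FAQ answer both note that the DNS record is only half of MTA-STS; the other half is the policy file served at https://mta-sts.<domain>/.well-known/mta-sts.txt. As an added example (not the checker's code), this parses that file and checks that it covers the domain's MX hosts and is actually in enforce mode; the policy body and MX list are constructed for a hypothetical example.com.au.

```python
def parse_mta_sts_policy(text):
    """Parse the 'key: value' lines of /.well-known/mta-sts.txt (RFC 8461 format)."""
    policy = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue  # blank or malformed line
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    return policy

def mx_matches(patterns, hostname):
    """An mx pattern is an exact host or '*.example.com', where '*' covers exactly one label."""
    hostname = hostname.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # '.example.com'
            if hostname.endswith(suffix) and "." not in hostname[: -len(suffix)]:
                return True
        elif hostname == pattern:
            return True
    return False

def evaluate_policy(text, mx_hosts):
    """Return (parsed policy, list of problems) for a policy body and the domain's MX hosts."""
    p, problems = parse_mta_sts_policy(text), []
    if p.get("version") != "STSv1":
        problems.append("version must be STSv1")
    if p.get("mode") not in ("enforce", "testing", "none"):
        problems.append("mode must be enforce, testing or none")
    if not p.get("max_age", "").isdigit():
        problems.append("max_age must be an integer number of seconds")
    unmatched = [h for h in mx_hosts if not mx_matches(p["mx"], h)]
    if unmatched:  # senders in enforce mode would refuse to deliver via these hosts
        problems.append("MX not covered by policy: " + ", ".join(unmatched))
    if p.get("mode") == "testing":
        problems.append("mode is testing: TLS failures are only reported, not enforced")
    return p, problems

POLICY = """version: STSv1
mode: testing
mx: mail.example.com.au
mx: *.mx.example.com.au
max_age: 604800
"""  # constructed policy body for a hypothetical example.com.au
MX_HOSTS = ["mail.example.com.au", "mx2.mx.example.com.au", "backup.other.net"]  # constructed
```

`evaluate_policy(POLICY, MX_HOSTS)` flags the uncovered backup MX and the testing mode, the two findings that would otherwise only show up later in TLS-RPT reports.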