Domain security records.
Check DNSSEC, CAA, MTA-STS, TLS-RPT and BIMI in one shot. The modern domain-security signals receivers and certificate authorities use to decide whether to trust you — and the ones most domains still don't have.
What this checks
DNSSEC
Cryptographic signing of DNS records, end to end from the root. Without DNSSEC, anyone in the path can forge DNS responses for your domain — including for SPF, DKIM, MX and CAA. We check the AD (Authenticated Data) flag from a validating resolver and look for DS + DNSKEY records.
CAA — Certification Authority Authorization
DNS records that restrict which certificate authorities may issue TLS certs for your domain. A missing CAA record means any CA worldwide may issue — fine for most, but a real risk if a third party with a CA's API key decides to issue *.yourdomain.com. We list the issuers you've authorised and any iodef email for misissuance reports.
MTA-STS — Strict Transport Security for SMTP
Tells sending mail servers to require TLS when delivering mail to you, and to refuse delivery if the certificate is invalid. Defends against active downgrade attacks on inbound mail. Needs both a TXT record at _mta-sts.{domain} and an HTTPS-served policy file (we check the DNS half here).
TLS-RPT — TLS Reporting
Companion to MTA-STS. Tells the world where to send daily aggregate reports about TLS connection failures to your mail servers — so you find out when receivers are downgrading or failing to deliver to you.
BIMI — Brand Indicators for Message Identification
Lets your verified brand logo appear next to messages in supported mail clients (Gmail, Yahoo, Apple Mail). Requires DMARC at p=quarantine or p=reject, an SVG logo URL, and (for Gmail) a Verified Mark Certificate. We check the DNS record only — the logo and VMC fetches happen inside the receiver's mail client.
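The five checks above, as an added example that is not the tool's own code: it evaluates DoH JSON answers in the shape Cloudflare's application/dns-json API returns and reports the DNSSEC AD flag, CAA issuers and iodef contacts, and the MTA-STS, TLS-RPT and BIMI TXT records. The responses, the `example.com` domain and the `_smtp._tls` TLS-RPT name (the RFC 8460 location, not stated on this page) are assumptions, and the sample data is constructed rather than fetched.

```javascript
// Added example, not the checker's own code: evaluate the five records from DoH JSON
// answers shaped like Cloudflare's application/dns-json API ({Status, AD, Answer:[{data}]}),
// keyed "<qname>/<qtype>" as a fetch loop would store them. SAMPLE below is constructed.
const unquoteTxt = (d) => d.replace(/"\s*"/g, '').replace(/^"|"$/g, ''); // DoH quotes TXT data
// "k=v; k=v" tag lists: MTA-STS, TLS-RPT and BIMI records all use this shape.
function parseTags(txt) {
  const tags = {};
  for (const part of txt.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) tags[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return tags;
}
function checkDomain(domain, responses) {
  const answers = (name, type) => {
    const r = responses[`${name}/${type}`];
    return r && r.Status === 0 && Array.isArray(r.Answer) ? r.Answer : []; // NXDOMAIN etc. -> []
  };
  // DNSSEC: AD is the validating resolver's verdict; DS + DNSKEY show the chain is published.
  const ds = responses[`${domain}/DS`];
  const dnssec = { validated: Boolean(ds && ds.AD), ds: answers(domain, 'DS').length > 0,
                   dnskey: answers(domain, 'DNSKEY').length > 0 };
  // CAA data is '<flags> <tag> "<value>"'; collect authorised issuers and iodef contacts.
  const caaRecs = answers(domain, 'CAA').map((a) => a.data.match(/^(\d+)\s+(\S+)\s+"(.*)"$/)).filter(Boolean);
  const caa = {
    present: caaRecs.length > 0,
    issuers: caaRecs.filter((m) => /^issue(wild)?$/.test(m[2]))
      .map((m) => m[3].split(';')[0].trim()).filter(Boolean), // 'issue ";"' means no CA at all
    iodef: caaRecs.filter((m) => m[2] === 'iodef').map((m) => m[3]),
  };
  // TXT-based records: anything without the expected "v=" tag counts as absent.
  const txtTags = (name) => answers(name, 'TXT').map((a) => parseTags(unquoteTxt(a.data)));
  const sts = txtTags(`_mta-sts.${domain}`).find((t) => t.v === 'STSv1');
  const rpt = txtTags(`_smtp._tls.${domain}`).find((t) => t.v === 'TLSRPTv1'); // RFC 8460 name (assumed)
  const bimi = txtTags(`default._bimi.${domain}`).find((t) => t.v === 'BIMI1');
  return { dnssec, caa,
    mtaSts: sts ? { id: sts.id || null } : null,
    tlsRpt: rpt && rpt.rua ? { rua: rpt.rua.split(',').map((s) => s.trim()) } : null,
    bimi: bimi ? { logo: bimi.l || null, vmc: bimi.a || null } : null,
  };
}
// Constructed sample for a placeholder domain: signed zone, CAA, MTA-STS and TLS-RPT set, no BIMI.
const ok = (...data) => ({ Status: 0, AD: true, Answer: data.map((d) => ({ data: d })) });
const SAMPLE = {
  'example.com/DS': ok('12345 13 2 ABCDEF0123'), 'example.com/DNSKEY': ok('257 3 13 CONSTRUCTEDKEY'),
  'example.com/CAA': ok('0 issue "letsencrypt.org"', '0 iodef "mailto:security@example.com"'),
  '_mta-sts.example.com/TXT': ok('"v=STSv1; id=20260101000000Z"'),
  '_smtp._tls.example.com/TXT': ok('"v=TLSRPTv1; rua=mailto:tlsrpt@example.com"'),
  'default._bimi.example.com/TXT': { Status: 3, AD: true }, // NXDOMAIN: no BIMI record
};
```

`checkDomain('example.com', SAMPLE)` returns the per-record findings; an empty `responses` object yields `validated: false` and `present: false`, the state this page says most domains are in.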
These records are the next layer up
SPF, DKIM and DMARC (which our email auth checker covers) are table stakes — every legitimate sender has them by 2026. DNSSEC, CAA, MTA-STS, TLS-RPT and BIMI are what separate "configured correctly" from "configured for the modern threat model". Most domains have none of them. Adding them takes 30 minutes per record, and once they're in place, they reduce the attack surface substantially.
Privacy
Lookups happen in your browser via Cloudflare's public DNS-over-HTTPS endpoint. Edos Solutions doesn't log the domains you check, doesn't run any analytics on this page, and doesn't capture your IP.
Frequently asked questions
- What is DNSSEC?
- DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify the response hasn't been tampered with. Without DNSSEC, anyone between a resolver and the authoritative nameserver can forge DNS responses — including forging your SPF record, your MX, or your CAA record. DNSSEC is enabled at your domain registrar.
- What is a CAA record and why does it matter?
- CAA (Certification Authority Authorization) is a DNS record that restricts which certificate authorities are permitted to issue TLS certificates for your domain. Without one, any CA worldwide may issue a certificate for your domain — a real risk if a CA is compromised or an attacker obtains a fraudulent certificate. Adding a CAA record pinning to your actual CA takes under 5 minutes.
- What is MTA-STS?
- MTA-STS (Mail Transfer Agent Strict Transport Security) tells sending mail servers to require valid TLS when delivering mail to you, and to refuse delivery if the TLS certificate is invalid or expired. Without MTA-STS, an active attacker can downgrade SMTP connections to plaintext and intercept inbound mail. It requires both a DNS TXT record and a policy file served over HTTPS at a specific path.
- What is TLS-RPT?
- TLS-RPT (TLS Reporting) is a companion to MTA-STS. It's a DNS TXT record that tells sending mail servers where to email daily aggregate reports about TLS connection failures to your mail infrastructure. Without TLS-RPT, you have no visibility into whether senders are successfully establishing TLS or silently failing and deferring your mail.
- What is BIMI and how do I enable it?
- BIMI (Brand Indicators for Message Identification) lets your brand logo appear next to messages in supported mail clients — Gmail, Yahoo Mail, and Apple Mail. It requires DMARC at p=quarantine or p=reject, an SVG logo at a public HTTPS URL, and a DNS TXT record at default._bimi.yourdomain.com. Gmail additionally requires a Verified Mark Certificate (VMC). This tool checks the DNS record only.