How to Run a Complete Domain Health Check
Learn how to check the technical health of a domain across DNS, email authentication, SSL, website status, blacklist reputation and server configuration.
Introduction
A domain can look simple from the outside, but several technical systems must work together for it to be reliable. DNS records must point to the right services, email authentication must be configured correctly, SSL certificates must be valid, and the website must respond as expected.
A complete domain health check reviews these signals together. Instead of checking only one record or one service, it helps identify issues that may affect website access, email delivery, security, reputation or domain ownership.
Quick answer
A complete domain health check reviews the key technical signals behind a domain, including DNS records, nameservers, WHOIS and expiry status, SPF, DKIM, DMARC, MX records, SSL certificates, website status, HTTP headers, blacklist status and reverse DNS. The goal is to find configuration issues before they affect users, email delivery or trust.
What is a domain health check?
A domain health check is a structured review of the technical configuration behind a domain. It checks whether the domain points to the right services, whether email authentication is configured, whether SSL is valid, and whether important records or signals are missing.
When to run it
A complete check is especially useful after:
New website launch
Confirm DNS, SSL and website routing before going live.
Hosting migration
Verify records point to the new server and old services are removed.
DNS or nameserver change
Confirm the live DNS zone matches where you edit records.
Business email setup
Check MX, SPF, DKIM and DMARC together.
Deliverability problems
Review authentication, MX, blacklist and reverse DNS signals.
SSL installation
Confirm certificate validity and HTTPS behavior.
Reputation recovery
Check blacklist status and related mail server signals.
What should be included
DNS records
Checks A, AAAA, CNAME, TXT, MX, NS, SOA and CAA records.
Why it matters: Wrong DNS records can break websites, email, SSL validation and domain verification.
Nameservers
Checks which DNS provider controls the live DNS zone.
Why it matters: Many DNS issues happen because records are edited at the wrong provider.
WHOIS and domain expiry
Checks registration information, expiry date and domain status where available.
Why it matters: Expired or locked domains can stop websites and email from working.
Email authentication
Checks SPF, DKIM and DMARC records.
Why it matters: Missing or incorrect authentication can reduce email trust and make spoofing harder to control.
Mail routing
Checks MX records and mail-related DNS configuration.
Why it matters: Wrong MX records can cause incoming email to fail.
SSL and HTTPS
Checks SSL certificate validity, expiry, issuer, domain match and HTTPS availability.
Why it matters: Expired or mismatched SSL certificates can trigger browser warnings.
CAA records
Checks whether certificate authority restrictions are configured correctly.
Why it matters: Incorrect CAA records can block SSL certificate issuance.
Website status
Checks whether the website responds, what HTTP status is returned and whether redirects behave correctly.
Why it matters: A domain can have correct DNS but still fail because the website or server is not responding.
HTTP headers
Checks useful security and technical headers.
Why it matters: Missing headers may not break the website, but they can indicate weak security configuration.
Blacklist and reputation signals
Checks whether the domain or related IPs appear on supported reputation sources.
Why it matters: Blacklist issues can affect email delivery and trust.
Reverse DNS
Checks PTR/rDNS records for relevant mail server IPs.
Why it matters: Missing or incorrect reverse DNS can affect mail server reputation.
Domain health checklist
| Area | What to check | Good result | Needs attention |
|---|---|---|---|
| DNS records | A/AAAA/CNAME/TXT/MX/NS/CAA are present and expected | Records match the intended providers | Records are missing, duplicated or point to old services |
| Nameservers | Active nameservers match the DNS provider being edited | DNS changes apply from the correct provider | Records are edited in the wrong DNS zone |
| Domain expiry | Domain is active and not near expiration | Renewal date is known | Domain is expired, close to expiry or has risky status |
| Email authentication | SPF, DKIM and DMARC are present and valid | Email authentication passes basic checks | SPF is broken, DKIM missing or DMARC not configured |
| MX records | MX records point to the correct mail provider | Incoming mail routes correctly | MX records are missing or point to the wrong service |
| SSL / HTTPS | Certificate is valid and matches the domain | HTTPS loads without warnings | Certificate is expired, mismatched or chain is invalid |
| Website status | Website returns expected HTTP status | Homepage loads and redirects are clean | Website is down, returns 500/404 or has redirect loops |
| Blacklist / reputation | Domain and IPs are not listed on checked sources | No current listing found | IP/domain appears on one or more blacklists |
| Reverse DNS | Mail server IP has a sensible PTR record | PTR matches expected mail identity | PTR is missing or unrelated |
How to run a domain health check
The fastest way is to use the Domain Health Checker, which combines the most important DNS, email, SSL, website and reputation checks in one report.
When reviewing the result, do not look only at the score. Pay attention to:
- high-risk issues that can break website or email functionality
- warnings related to email authentication or SSL
- changes that may indicate an old provider or wrong DNS zone
- recommendations that affect security, trust or deliverability
Run a complete domain health check
Check DNS, email authentication, SSL, website status and reputation signals in one report.
Common domain health problems
DNS records point to old services
HighThe domain may still point to an old hosting provider, mail server or CDN.
Next step: Compare DNS results with your current provider documentation.
Nameservers do not match where records are edited
HighYou may be changing DNS in one panel while the live domain uses another DNS provider.
Next step: Check active nameservers before editing records.
Missing DMARC record
MediumThe domain does not publish a DMARC policy, which can reduce email authentication visibility.
Next step: Add a basic DMARC record and review SPF/DKIM alignment.
SPF record is invalid or too complex
MediumSPF may fail if the syntax is wrong or it exceeds DNS lookup limits.
Next step: Validate SPF and remove unnecessary includes.
SSL certificate expires soon
MediumAn expiring certificate can cause browser warnings if not renewed.
Next step: Renew or reissue the SSL certificate before expiry.
Website returns an unexpected status
HighThe website may return 500, 404, timeout or redirect loop errors.
Next step: Check hosting, web server configuration and redirects.
IP or domain appears on a blacklist
HighBlacklist listings can affect email delivery or reputation.
Next step: Investigate the cause before requesting delisting.
Reverse DNS is missing for mail server IP
MediumMail servers often expect sending IPs to have sensible PTR records.
Next step: Configure rDNS with the hosting or VPS provider.
How to fix domain health issues
-
Start with critical issues
Fix problems that can break access first, such as wrong nameservers, wrong A records, expired domains, expired SSL certificates, website downtime or mail routing failures.
-
Confirm the active provider
Before changing DNS, confirm where DNS is actually hosted. If nameservers point to Cloudflare, cPanel DNS changes may not affect the live domain.
-
Fix one area at a time
Avoid changing DNS, email records, SSL and redirects all at once. Make focused changes so you can confirm what fixed the issue.
-
Use provider-specific values
DNS and email records must match your real provider setup. Do not copy example records blindly.
-
Re-check after propagation
After making DNS changes, re-run the check and allow for TTL/cache delays. Some resolvers may continue showing old values for a while.
-
Document what changed
Save the old value, new value, provider, date and reason for the change. This helps if the issue returns later.
Domain: example.com
DNS:
- A record points to current hosting IP
- NS records match active DNS provider
- No duplicate SPF records
Email:
- MX records point to current mail provider
- SPF exists and validates
- DKIM selector found
- DMARC record exists
SSL:
- Certificate valid
- Certificate matches domain
- HTTPS loads correctly
Website:
- Homepage returns 200 or expected redirect
- No redirect loop detected
Reputation:
- Mail server IP not listed on checked blacklists
- Reverse DNS exists for sending IP
This example is only a review format. The correct records depend on your hosting, DNS, email and SSL providers.
How to read the health score
A domain health score is a summary, not a guarantee. A high score means the checked signals look healthy, but it does not prove that every part of the domain is perfect. A lower score means one or more checks need attention.
Review warnings, but no major issue was detected by the checked signals.
Some warnings or configuration gaps may affect email, SSL, DNS or website reliability.
Critical issues may affect website access, email delivery, SSL trust or reputation.
Always review the individual findings, not only the score.
When to run a check
Before launch
Run a complete check before launching a new website.
After nameserver change
Confirm the live DNS zone matches your intended provider.
After hosting move
Verify DNS, SSL and website status on the new server.
After email setup
Check MX, SPF, DKIM and DMARC together.
After auth record changes
Re-check SPF, DKIM or DMARC after updates.
Before SSL issuance
Confirm DNS and CAA records support certificate validation.
After deliverability issues
Review blacklist, reverse DNS and authentication signals.
After an outage
Check website status, DNS and SSL after recovery.
Before client handoff
Document domain health before handing a site to a client.
Manual check vs complete report
You can check individual records manually with focused tools such as DNS Lookup, SPF Checker, MX Lookup or SSL Checker. This is useful when you already know what you are troubleshooting.
A complete report is better when you want a broader view or when the problem is unclear. For example, an email issue may involve MX records, SPF, DKIM, DMARC, reverse DNS and blacklist status at the same time.
Manual focused check
- Best when you know the exact area
- Example: check only SPF or SSL
- Useful for quick validation
SPF Checker → DMARC Checker → SSL Checker
Complete domain health check
- Best when the issue is unclear
- Checks multiple technical areas together
- Useful after migrations, launches or outages
Domain Health Checker → full report
Frequently asked questions
How often should I run a domain health check?
Run a check after major changes such as DNS edits, hosting migration, email setup or SSL renewal. For important business domains, checking monthly or after every provider change is a good habit.
Does a high score mean my domain is perfect?
No. A high score means the checked technical signals look healthy. It does not guarantee that every possible configuration or provider-specific setting is correct.
Can a domain health check fix issues automatically?
No. It can identify issues and recommend next steps, but DNS, email, SSL and hosting changes must be applied at the correct provider.
Why does the report show warnings if my website works?
Some warnings do not break the website immediately. For example, missing DMARC, weak headers or missing CAA may still deserve attention even when the website loads.
Can one DNS issue affect both website and email?
Yes. Nameserver mistakes, wrong DNS zones or incorrect TXT/MX records can affect multiple services connected to the same domain.
Should I check subdomains too?
Yes, especially important subdomains such as www, mail, app, panel, shop or client portals. Subdomains can have different DNS, SSL and website behavior.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all DNS & Domain guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!