How to Run a Complete Domain Health Check

Learn how to check the technical health of a domain across DNS, email authentication, SSL, website status, blacklist reputation and server configuration.

By CheckDomainHealth Editorial Team | Reviewed by Dionis Ceban | Updated Jun 28, 2026 | 9 min read | Beginner

Introduction

A domain can look simple from the outside, but several technical systems must work together for it to be reliable. DNS records must point to the right services, email authentication must be configured correctly, SSL certificates must be valid, and the website must respond as expected.

A complete domain health check reviews these signals together. Instead of checking only one record or one service, it helps identify issues that may affect website access, email delivery, security, reputation or domain ownership.

Quick answer

A complete domain health check reviews the key technical signals behind a domain, including DNS records, nameservers, WHOIS and expiry status, SPF, DKIM, DMARC, MX records, SSL certificates, website status, HTTP headers, blacklist status and reverse DNS. The goal is to find configuration issues before they affect users, email delivery or trust.

What is a domain health check?

A domain health check is a structured review of the technical configuration behind a domain. It checks whether the domain points to the right services, whether email authentication is configured, whether SSL is valid, and whether important records or signals are missing.

When to run it

A complete check is especially useful after:

New website launch

Confirm DNS, SSL and website routing before going live.

Hosting migration

Verify records point to the new server and old services are removed.

DNS or nameserver change

Confirm the live DNS zone matches where you edit records.

Business email setup

Check MX, SPF, DKIM and DMARC together.

Deliverability problems

Review authentication, MX, blacklist and reverse DNS signals.

SSL installation

Confirm certificate validity and HTTPS behavior.

Reputation recovery

Check blacklist status and related mail server signals.

What should be included

DNS records

Checks A, AAAA, CNAME, TXT, MX, NS, SOA and CAA records.

Why it matters: Wrong DNS records can break websites, email, SSL validation and domain verification.

Nameservers

Checks which DNS provider controls the live DNS zone.

Why it matters: Many DNS issues happen because records are edited at the wrong provider.

WHOIS and domain expiry

Checks registration information, expiry date and domain status where available.

Why it matters: Expired or locked domains can stop websites and email from working.

Email authentication

Checks SPF, DKIM and DMARC records.

Why it matters: Missing or incorrect authentication can reduce email trust and make spoofing harder to control.

Mail routing

Checks MX records and mail-related DNS configuration.

Why it matters: Wrong MX records can cause incoming email to fail.

SSL and HTTPS

Checks SSL certificate validity, expiry, issuer, domain match and HTTPS availability.

Why it matters: Expired or mismatched SSL certificates can trigger browser warnings.

CAA records

Checks whether certificate authority restrictions are configured correctly.

Why it matters: Incorrect CAA records can block SSL certificate issuance.

Website status

Checks whether the website responds, what HTTP status is returned and whether redirects behave correctly.

Why it matters: A domain can have correct DNS but still fail because the website or server is not responding.

HTTP headers

Checks useful security and technical headers.

Why it matters: Missing headers may not break the website, but they can indicate weak security configuration.

Blacklist and reputation signals

Checks whether the domain or related IPs appear on supported reputation sources.

Why it matters: Blacklist issues can affect email delivery and trust.

Reverse DNS

Checks PTR/rDNS records for relevant mail server IPs.

Why it matters: Missing or incorrect reverse DNS can affect mail server reputation.

Domain health checklist

| Area | What to check | Good result | Needs attention |
|---|---|---|---|
| DNS records | A/AAAA/CNAME/TXT/MX/NS/CAA are present and expected | Records match the intended providers | Records are missing, duplicated or point to old services |
| Nameservers | Active nameservers match the DNS provider being edited | DNS changes apply from the correct provider | Records are edited in the wrong DNS zone |
| Domain expiry | Domain is active and not near expiration | Renewal date is known | Domain is expired, close to expiry or has risky status |
| Email authentication | SPF, DKIM and DMARC are present and valid | Email authentication passes basic checks | SPF is broken, DKIM missing or DMARC not configured |
| MX records | MX records point to the correct mail provider | Incoming mail routes correctly | MX records are missing or point to the wrong service |
| SSL / HTTPS | Certificate is valid and matches the domain | HTTPS loads without warnings | Certificate is expired, mismatched or chain is invalid |
| Website status | Website returns expected HTTP status | Homepage loads and redirects are clean | Website is down, returns 500/404 or has redirect loops |
| Blacklist / reputation | Domain and IPs are not listed on checked sources | No current listing found | IP/domain appears on one or more blacklists |
| Reverse DNS | Mail server IP has a sensible PTR record | PTR matches expected mail identity | PTR is missing or unrelated |

How to run a domain health check

The fastest way is to use the Domain Health Checker, which combines the most important DNS, email, SSL, website and reputation checks in one report.

When reviewing the result, do not look only at the score. Pay attention to:

  • high-risk issues that can break website or email functionality
  • warnings related to email authentication or SSL
  • changes that may indicate an old provider or wrong DNS zone
  • recommendations that affect security, trust or deliverability

Common domain health problems

DNS records point to old services

High

The domain may still point to an old hosting provider, mail server or CDN.

Next step: Compare DNS results with your current provider documentation.

Nameservers do not match where records are edited

High

You may be changing DNS in one panel while the live domain uses another DNS provider.

Next step: Check active nameservers before editing records.

Missing DMARC record

Medium

The domain does not publish a DMARC policy, which can reduce email authentication visibility.

Next step: Add a basic DMARC record and review SPF/DKIM alignment.

SPF record is invalid or too complex

Medium

SPF may fail if the syntax is wrong or it exceeds DNS lookup limits.

Next step: Validate SPF and remove unnecessary includes.

SSL certificate expires soon

Medium

An expiring certificate can cause browser warnings if not renewed.

Next step: Renew or reissue the SSL certificate before expiry.

Website returns an unexpected status

High

The website may return 500, 404, timeout or redirect loop errors.

Next step: Check hosting, web server configuration and redirects.

IP or domain appears on a blacklist

High

Blacklist listings can affect email delivery or reputation.

Next step: Investigate the cause before requesting delisting.

Reverse DNS is missing for mail server IP

Medium

Mail servers often expect sending IPs to have sensible PTR records.

Next step: Configure rDNS with the hosting or VPS provider.
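The SPF problem listed above (more than one record, or too many DNS lookups) can be checked mechanically. The following is an added example, not code from this guide or its tools: it counts the lookup-triggering terms that RFC 7208 limits to 10, following `include` and `redirect` targets. The TXT data is constructed and stands in for live DNS answers; the per-MX address limit and void-lookup limit are not modelled.

```python
import re

LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4
# Constructed TXT data standing in for live DNS answers (not real records).
SAMPLE_TXT = {
    "example.com": ["site-verification=constructed-token",
                    "v=spf1 mx a include:_spf.mail.example "
                    "include:_spf.crm.example include:_spf.news.example -all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example include:_b.mail.example ~all"],
    "_a.mail.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_b.mail.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 a:out.crm.example mx:crm.example "
                         "exists:%{i}.allow.crm.example ~all"],
    "_spf.news.example": ["v=spf1 ip4:203.0.113.0/24 redirect=_spf2.news.example"],
    "_spf2.news.example": ["v=spf1 ip4:203.0.113.128/25 -all"],
    "dup.example": ["v=spf1 include:_spf.mail.example -all", "v=spf1 mx -all"],
    "ok.example": ["v=spf1 include:_spf.mail.example -all"],
}

def spf_records(domain, txt):
    """TXT strings at `domain` that are SPF records (first term is v=spf1)."""
    return [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, txt, path=()):
    """Count lookup-triggering terms, following include/redirect targets."""
    records = spf_records(domain, txt)
    if domain in path or len(records) != 1:  # include loop, or nothing usable to follow
        return 0
    total = 0
    for term in records[0].lower().split()[1:]:
        # optional qualifier, mechanism/modifier name, optional target before any /cidr
        m = re.match(r"[+\-~?]?([a-z][a-z0-9]*)(?:[:=]([^/]+))?", term)
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue
        total += 1
        if m.group(1) in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2), txt, path + (domain,))
    return total

def check_spf(domain, txt):
    """Return (status, detail) covering duplicate records and the lookup limit."""
    records = spf_records(domain, txt)
    if len(records) != 1:
        return ("fail", f"{len(records)} SPF records published, exactly one is required")
    n = count_lookups(domain, txt)
    if n > LOOKUP_LIMIT:
        return ("fail", f"{n} DNS lookups, limit is {LOOKUP_LIMIT}")
    return ("ok", f"{n} DNS lookups")
```

In the sample data, `example.com` looks fine at the top level (five terms) but reaches 11 lookups once its includes are followed, which is why removing unnecessary includes is the usual fix.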

How to fix domain health issues

  1. Start with critical issues

    Fix problems that can break access first, such as wrong nameservers, wrong A records, expired domains, expired SSL certificates, website downtime or mail routing failures.

  2. Confirm the active provider

    Before changing DNS, confirm where DNS is actually hosted. If nameservers point to Cloudflare, cPanel DNS changes may not affect the live domain.

  3. Fix one area at a time

    Avoid changing DNS, email records, SSL and redirects all at once. Make focused changes so you can confirm what fixed the issue.

  4. Use provider-specific values

    DNS and email records must match your real provider setup. Do not copy example records blindly.

  5. Re-check after propagation

    After making DNS changes, re-run the check and allow for TTL/cache delays. Some resolvers may continue showing old values for a while.

  6. Document what changed

    Save the old value, new value, provider, date and reason for the change. This helps if the issue returns later.

Domain health review example

Domain: example.com

DNS:
- A record points to current hosting IP
- NS records match active DNS provider
- No duplicate SPF records

Email:
- MX records point to current mail provider
- SPF exists and validates
- DKIM selector found
- DMARC record exists

SSL:
- Certificate valid
- Certificate matches domain
- HTTPS loads correctly

Website:
- Homepage returns 200 or expected redirect
- No redirect loop detected

Reputation:
- Mail server IP not listed on checked blacklists
- Reverse DNS exists for sending IP

This example is only a review format. The correct records depend on your hosting, DNS, email and SSL providers.
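The "DMARC record exists" line in the review format, and the earlier next step to review SPF/DKIM alignment, can be taken one step further by inspecting what the record actually says. This is an added example, not code from this guide or its tools; the records are constructed, and `org_domain` is a simplification (last two labels) where real evaluators use the Public Suffix List.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict (first occurrence of a tag wins)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags.setdefault(tag.strip().lower(), value.strip())
    return tags

def review_dmarc(txt_at_dmarc):
    """Return (tags, findings) for the TXT strings published at _dmarc.<domain>."""
    records = [r for r in txt_at_dmarc if r.replace(" ", "").startswith("v=DMARC1")]
    if len(records) != 1:
        return {}, [f"{len(records)} DMARC records found, exactly one is required"]
    tags, findings = parse_tags(records[0]), []
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append("p= tag is missing or invalid")
    elif policy == "none":
        findings.append("p=none only monitors, receivers are asked to take no action")
    if "rua" not in tags:
        findings.append("no rua= address, aggregate reports are not delivered anywhere")
    return tags, findings

def org_domain(name):
    # Simplification: last two labels. Real evaluators use the Public Suffix List.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match, relaxed ('r') the same organizational domain."""
    if mode.lower() == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def alignment(tags, from_domain, spf_domain, dkim_domain):
    """Assumes SPF passed for spf_domain and a DKIM signature verified for dkim_domain."""
    spf_ok = aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": spf_ok or dkim_ok}

# Constructed records for illustration (not real DNS data).
WEAK = ["v=DMARC1; p=none"]
STRICT = ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r"]
```

With the `STRICT` record, mail sent through a third party whose bounce domain and DKIM `d=` are both its own fails alignment even though SPF and DKIM each pass, which is the case a presence-only check misses.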

How to read the health score

A domain health score is a summary, not a guarantee. A high score means the checked signals look healthy, but it does not prove that every part of the domain is perfect. A lower score means one or more checks need attention.

80–100 Generally healthy

Review warnings, but no major issue was detected by the checked signals.

60–79 Needs review

Some warnings or configuration gaps may affect email, SSL, DNS or website reliability.

Below 60 Needs attention

Critical issues may affect website access, email delivery, SSL trust or reputation.

Always review the individual findings, not only the score.

When to run a check

Before launch

Run a complete check before launching a new website.

After nameserver change

Confirm the live DNS zone matches your intended provider.

After hosting move

Verify DNS, SSL and website status on the new server.

After email setup

Check MX, SPF, DKIM and DMARC together.

After auth record changes

Re-check SPF, DKIM or DMARC after updates.

Before SSL issuance

Confirm DNS and CAA records support certificate validation.

After deliverability issues

Review blacklist, reverse DNS and authentication signals.

After an outage

Check website status, DNS and SSL after recovery.

Before client handoff

Document domain health before handing a site to a client.

Manual check vs complete report

You can check individual records manually with focused tools such as DNS Lookup, SPF Checker, MX Lookup or SSL Checker. This is useful when you already know what you are troubleshooting.

A complete report is better when you want a broader view or when the problem is unclear. For example, an email issue may involve MX records, SPF, DKIM, DMARC, reverse DNS and blacklist status at the same time.

Manual focused check

  • Best when you know the exact area
  • Example: check only SPF or SSL
  • Useful for quick validation

SPF Checker → DMARC Checker → SSL Checker

Complete domain health check

  • Best when the issue is unclear
  • Checks multiple technical areas together
  • Useful after migrations, launches or outages

Domain Health Checker → full report

Frequently asked questions

How often should I run a domain health check?

Run a check after major changes such as DNS edits, hosting migration, email setup or SSL renewal. For important business domains, checking monthly or after every provider change is a good habit.

Does a high score mean my domain is perfect?

No. A high score means the checked technical signals look healthy. It does not guarantee that every possible configuration or provider-specific setting is correct.

Can a domain health check fix issues automatically?

No. It can identify issues and recommend next steps, but DNS, email, SSL and hosting changes must be applied at the correct provider.

Why does the report show warnings if my website works?

Some warnings do not break the website immediately. For example, missing DMARC, weak headers or missing CAA may still deserve attention even when the website loads.

Can one DNS issue affect both website and email?

Yes. Nameserver mistakes, wrong DNS zones or incorrect TXT/MX records can affect multiple services connected to the same domain.

Should I check subdomains too?

Yes, especially important subdomains such as www, mail, app, panel, shop or client portals. Subdomains can have different DNS, SSL and website behavior.
