Methodology

How our checks work

CheckDomainHealth queries public DNS, registration, certificate and reputation data, then summarizes findings in plain language. Results are diagnostic and informational — not a guarantee of deliverability, security or uptime.

Last reviewed: July 5, 2026 · See also Data Sources, Editorial Policy and Privacy Policy

What we check at a glance

Six diagnostic areas combined in the Domain Health Checker, or available as focused tools.

DNS & nameservers

A, AAAA, MX, NS, TXT, CAA, CNAME and SOA records plus delegation checks.

DNS Lookup

Email authentication

SPF syntax, DKIM selectors, DMARC policy and MX routing from public DNS.

SPF · DKIM · DMARC · MX

SSL & HTTPS

Live TLS handshake, certificate expiry, hostname match and chain issues.

SSL Checker · CAA

Reputation signals

DNSBL listings for mail and web IPs plus PTR / forward-confirmed rDNS.

Blacklist · Reverse DNS

DNS and nameserver checks

DNS lookups query authoritative and recursive resolvers for record types such as A, AAAA, MX, NS, TXT, CAA, CNAME and SOA. We normalize the domain, follow standard DNS semantics, and flag missing records, conflicting values, long TTLs or obvious misconfigurations.

Nameserver checks compare delegation (NS at the parent zone) with the records returned by those nameservers. Propagation delays and split DNS can cause temporary differences between what you see in a registrar panel and what public resolvers return. Use the DNS Lookup tool for record-level detail.

Email authentication checks

SPF, DKIM and DMARC tools fetch and parse TXT records from public DNS. SPF validation includes syntax checks, mechanism analysis and DNS lookup counting against the 10-lookup limit. DKIM checks resolve the selector you provide (or common selectors when scanning). DMARC checks read the policy, alignment settings and reporting addresses.

MX lookups list mail exchangers and priorities. These checks do not send email or log into your mail provider — they only inspect published DNS configuration. For focused checks, use the SPF Checker, DKIM Checker, DMARC Checker and MX Lookup.

SSL, website and header checks

SSL checks connect to the host on port 443, inspect the certificate chain, expiry, hostname match and common chain issues. The SSL Checker and CAA Record Checker provide certificate-only and issuance-policy detail.

Website status and HTTP header checks perform HTTP(S) requests and review response codes, redirects, security headers and mixed-content signals where applicable. See the Website Status Checker and HTTP Header Checker for single-purpose tests.

Blacklist and reverse DNS

Blacklist checks query configured DNSBL and reputation providers against related IPv4 addresses and mail targets derived from MX and A records. The Blacklist Checker shows which lists returned a match when providers are connected.

Reverse DNS checks resolve PTR records and compare forward-confirmed rDNS where possible via the Reverse DNS Checker. Listing status can change quickly — a clear result at lookup time does not guarantee future reputation.

Domain registration (RDAP / WHOIS)

Registration, expiry, registrar, status codes and nameserver fields come from RDAP services with WHOIS fallback where RDAP is unavailable. Privacy services may redact registrant contact fields while expiry and status remain visible.

The WHOIS Lookup shows full registration context; the Domain Expiry Checker focuses on renewal urgency bands.

Domain health scoring

The Domain Health Checker combines individual check outcomes into a 0–100 score with passed, review, warning and not-connected states. Scoring weights critical issues (such as missing MX, invalid SSL or blacklist listings) more heavily than informational gaps.

Scores are meant to prioritize what to review first — not to replace provider dashboards or professional assessment. A domain can score well on DNS while still failing email authentication checks if SPF, DKIM or DMARC are incomplete.

Limitations

  • Results reflect public data at lookup time and may differ by resolver or region.
  • Tools do not access private mailboxes, hosting panels or registrar accounts.
  • Some providers block or rate-limit automated lookups.
  • Privacy-protected WHOIS/RDAP data may hide registrant fields while still showing expiry and status.
  • Blacklist and reputation checks depend on connected providers — unavailable sources are marked not connected.

See Data Sources for the systems we query and Editorial Policy for how guides are maintained.

Common questions

Results reflect public DNS, registration, certificate and reputation data at lookup time. Propagation delays, regional resolvers and provider rate limits can cause temporary differences. Treat results as diagnostic snapshots, not guarantees.
No. Email authentication checks read published DNS records only. The tools do not send mail, log into mailboxes or connect to SMTP servers.
Failed means a check ran and found a definite problem. Warning means something should be reviewed but may not block delivery or access. Not connected means a required provider is unavailable, so no verdict is shown — treat it as unknown, not passing.
The domain health report combines individual outcomes into a 0–100 score. Critical issues such as invalid SSL, missing MX or blacklist listings are weighted more heavily than optional hardening gaps.
See the Data Sources page for the public DNS, RDAP/WHOIS, TLS, HTTP and reputation systems we query. This methodology page explains how those sources are interpreted.
We review methodology when check logic, scoring or data sources change. The last reviewed date is shown at the top of this page.

Ready to check a domain?

Run a free domain health report covering DNS, email authentication, SSL, website response and reputation in one scan.