TXT Record Checker — Free DNS TXT Record Lookup

Frequently Asked Questions

A TXT record lookup queries the DNS for all TXT-type records published under a domain name. It returns the raw record values along with TTL data. This tool performs the lookup in real time using your choice of DNS resolver — Google, Cloudflare, or OpenDNS — and automatically classifies each record as SPF, DMARC, DKIM, or a verification record.
Yes — a domain can have as many TXT records as needed. In practice, most domains have several: one SPF record, one DMARC record, one or more DKIM records (one per selector/sending service), plus domain verification records for Google, Microsoft, or other platforms. Note that a domain should only ever have one SPF record — multiple SPF records cause SPF to fail.
It means the record is not published in DNS for this domain. Missing SPF means receiving servers can’t verify your authorised senders — increasing spam likelihood. Missing DKIM means emails aren’t signed, reducing trust. Missing DMARC means you have no policy controlling what happens when SPF or DKIM fails, and you’re not receiving any abuse reports. All three should be present for good deliverability.
TXT record changes propagate based on the TTL (Time to Live) value of the record. A TTL of 3600 means resolvers cache the record for up to 1 hour before fetching a fresh copy. Changes typically take between a few minutes and 48 hours to propagate globally, depending on the TTL and downstream resolver cache times. During migrations, temporarily lowering your TTL to 300 seconds speeds up propagation.
DNS record types serve different purposes: A records map a domain to an IP address, MX records define mail servers, CNAME records create aliases, and NS records define nameservers. TXT records store free-form text and are used for verification and policy publishing — they don’t affect how your domain resolves or routes traffic, but they’re read by mail servers and third-party services.
If SPF is missing from results, the most common causes are: the record hasn’t been added yet, it was added to the wrong subdomain (should be on the root domain @), DNS changes haven’t propagated yet (wait up to 48 hours), or the record has a syntax error that prevents it being recognised. Try switching to a different DNS resolver in the dropdown — Google and Cloudflare sometimes reflect changes at different speeds.
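The classification and the single-SPF rule described in the answers above can be checked mechanically. The following is an added example, not code from the tool this page describes; the sample records, the names `classify` and `audit`, and the verification-token pattern are assumptions made for illustration.

```python
import re

# Constructed sample: owner name -> TXT strings, as a resolver would return them.
SAMPLE = {
    "example.com": [
        "v=spf1 include:_spf.example.net ~all",
        "google-site-verification=CONSTRUCTED-TOKEN",
        "v=spf1 ip4:192.0.2.10 -all",  # second SPF record, deliberate
    ],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:d@example.com"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=CONSTRUCTED"],
}

def classify(txt):
    """Label one TXT string by its version tag or verification prefix."""
    low = txt.strip().lower()
    # "v=spf1" must be the whole first term, so "v=spf10" is not SPF.
    if low == "v=spf1" or low.startswith("v=spf1 "):
        return "SPF"
    if re.match(r"v\s*=\s*dmarc1\s*(;|$)", low):
        return "DMARC"
    if re.match(r"v\s*=\s*dkim1\s*(;|$)", low):
        return "DKIM"
    # Heuristic (assumption): tokens look like "<name>-verification=..." or "MS=ms...".
    if re.match(r"[a-z0-9-]*verification=|ms=ms", low):
        return "verification"
    return "other"

def audit(domain, txt_by_name):
    """Return (labels per owner name, findings) for lowercase owner names."""
    labels = {n: [classify(t) for t in v] for n, v in txt_by_name.items()}
    findings = []
    spf = labels.get(domain, []).count("SPF")
    if spf > 1:
        findings.append(f"{spf} SPF records at the root name: SPF evaluation returns permerror")
    elif spf == 0:
        # The "wrong subdomain" cause: SPF exists, but not where receivers look.
        elsewhere = sorted(n for n, k in labels.items() if n != domain and "SPF" in k)
        hint = f"; SPF found at {', '.join(elsewhere)}" if elsewhere else ""
        findings.append("no SPF record at the root name" + hint)
    dmarc = labels.get("_dmarc." + domain, []).count("DMARC")
    if dmarc == 0:
        findings.append(f"no DMARC record at _dmarc.{domain}")
    elif dmarc > 1:
        findings.append(f"{dmarc} DMARC records: receivers apply no policy")
    return labels, findings
```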

Monitor Your DNS Records & Email Authentication Automatically

PowerDMARC alerts you the moment your SPF, DMARC, or DKIM records change — before it affects your email deliverability.

Phishing URL Checker — Is This Link Safe?

Frequently Asked Questions

Paste the full URL or domain into the checker above and click Check URL. The tool queries two independent threat databases and runs structural heuristic checks. You’ll get a trust score, database results, and a full signal breakdown — no signup required.
Spamhaus DBL is one of the most authoritative domain block lists in the world, used by major ISPs and enterprises. A listing means the domain has been identified as associated with spam, phishing, or malware. Treat any listed domain as a confirmed threat and do not visit it.
No. A clean result means no known threat was found at the time of checking. New phishing pages are created constantly. Use this tool as a first line of defense, not the only one.
Key warning signs include HTTP without HTTPS, a risky TLD (.xyz, .tk, .gq), a newly registered domain, deep subdomain nesting, non-ASCII characters, and URL shorteners.
Act quickly: disconnect from the internet, run a malware scan, change passwords, and monitor for unusual activity. If you entered payment details, contact your bank.
Google Safe Browsing flags pages when you try to visit them. This tool lets you check a link before clicking — without risking a redirect. It combines two independent threat feeds with heuristic analysis for a more detailed breakdown.

Protect Your Organization from Phishing at the Source

PowerDMARC’s email authentication platform prevents attackers from spoofing your domain to send phishing emails to your customers and partners.

IP & Domain Blacklist Checker — Free DNSBL Lookup Tool

Frequently Asked Questions

A DNS blacklist (DNSBL) is a real-time database of IP addresses or domain names known to be associated with spam, malware, or other abusive activity. Mail servers query DNSBLs during every incoming connection — if the sender’s IP or domain appears in a list the receiving server trusts, the email may be rejected or flagged as spam.
It depends on the blacklist. Spamhaus listings can be removed within hours once you submit a delisting request with a resolved root cause. Barracuda typically processes requests within 12–24 hours. Some lists have automatic expiry after 30–90 days if no further violations occur. Reputation-based lists like Sender Score update continuously based on recent sending behaviour and don’t have a formal delisting process.
Email authentication and blacklists work in parallel. SPF, DKIM, and DMARC tell receiving servers that your emails are legitimate — missing or broken authentication is one of the most common reasons domains get blacklisted. Many blacklist operators require authentication to be in order before they’ll process a delisting request. A domain with passing DMARC is significantly less likely to be listed in the first place.
DNSBL (DNS-based Blackhole List) and RBL (Real-time Blackhole List) refer to the same concept — a DNS-based list of IP addresses or domains used to block spam. RBL is an older term that originated with the first such list. Today, DNSBL is the more common term and covers both IP-based and domain-based lists, while RBL is sometimes used specifically for IP-based lists.
For low-volume senders, a weekly manual check is sufficient. For businesses that rely on email for customer communication, transactional messages, or marketing, continuous automated monitoring is recommended — a new listing can affect deliverability within hours of appearing. PowerDMARC’s Reputation Monitoring checks your IP and domain against blacklists in real time and sends an immediate alert if a listing is detected.
An IP blacklist lists specific IP addresses associated with spam or abuse — typically the IP of the sending mail server. A domain blacklist lists domain names that appear in spam messages, either as the sender domain or as links in the message body. Both affect deliverability but for different reasons: an IP listing affects all email from that server, while a domain listing affects emails containing or sent from that specific domain.
Common reasons include: sending unsolicited or bulk email, high spam complaint rates, compromised server sending spam without your knowledge, missing or broken SPF/DKIM/DMARC records, sending to spam traps (abandoned or honeypot addresses), a previously blacklisted owner of your IP range, or links in your emails pointing to blacklisted domains. The first step is always to diagnose the root cause before requesting removal.
A blacklist checker is a tool that queries multiple DNS blacklists simultaneously and reports whether a given IP address or domain appears on any of them. This tool checks 40+ major DNSBLs in real time using DNS A-record lookups — the same mechanism mail servers use — and shows you a categorised breakdown of every result.
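The A-record mechanism mentioned above works by encoding the IP address or domain into a name under the list's zone and reading the answer as a status code. The following is an added example, not code from the tool this page describes; the zone `dnsbl.example` and the function names are hypothetical, and no network query is made, so the answers passed to `interpret` are constructed.

```python
import ipaddress

RETURN_NET = ipaddress.ip_network("127.0.0.0/8")     # valid DNSBL return codes
ERROR_NET = ipaddress.ip_network("127.255.255.0/24")  # Spamhaus error codes

def dnsbl_qname(target, zone):
    """Build the name a DNSBL client looks up for an IP address or a domain."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Domain lists: the domain itself is prefixed to the zone.
        return f"{target.rstrip('.').lower()}.{zone}"
    if ip.version == 4:
        labels = reversed(str(ip).split("."))            # octets, reversed
    else:
        labels = reversed(ip.exploded.replace(":", ""))  # 32 nibbles, reversed
    return ".".join(labels) + "." + zone

def interpret(a_records):
    """Map the A records returned for a DNSBL query name to a verdict.

    An empty list stands for NXDOMAIN, which means "not listed".
    """
    if not a_records:
        return ("not listed", [])
    codes = [ipaddress.ip_address(a) for a in a_records]
    if any(c not in RETURN_NET for c in codes):
        # A non-loopback answer is not a listing: wildcarded or rewritten DNS.
        return ("invalid", [str(c) for c in codes])
    if any(c in ERROR_NET for c in codes):
        # Spamhaus answers in this range when it refuses a query, for example
        # one that arrived through a public resolver. It is not a listing.
        return ("error", [str(c) for c in codes])
    return ("listed", [str(c) for c in codes])

if __name__ == "__main__":
    print(dnsbl_qname("192.0.2.99", "dnsbl.example"))
    print(interpret(["127.0.0.2"]))        # constructed answer
    print(interpret(["127.255.255.254"]))  # constructed answer
```

Treating every 127.x answer as a listing is the common mistake here: a checker that queries through Google or Cloudflare public DNS can receive an error code from a list operator and report a false positive.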

Get Real-Time Blacklist Alerts with PowerDMARC

Stop finding out about blacklist listings after they’ve already hurt your deliverability. PowerDMARC monitors your IP and domain around the clock and alerts you the moment a new listing appears.

DNS Record Lookup – Free DNS Checker Tool

Frequently Asked Questions

A DNS record lookup queries the Domain Name System to retrieve records associated with a domain or IP address. Records include routing instructions (A, AAAA, MX), aliases (CNAME), authentication data (TXT), reverse DNS (PTR), nameserver information (NS), and zone administration details (SOA). This tool performs live lookups in real time using your choice of DNS resolver.

Enter the domain name in the tool above, select a record type (or All), and click Lookup DNS — results appear instantly grouped by type. Alternatively, you can use nslookup -type=MX example.com in a terminal, though this tool queries all record types at once and displays results in a structured format without needing command-line access.

An A record maps a domain name to an IPv4 address (e.g. 93.184.216.34). An AAAA record maps a domain to an IPv6 address (e.g. 2606:2800:220:1:248:1893:25c8:1946). Most domains publish both — A records for IPv4 connectivity and AAAA records for IPv6. If only an A record exists, IPv6-only clients may not be able to reach the domain.
Three record types directly affect email: MX records define which servers receive your email; TXT records publish SPF, DKIM, and DMARC for authentication; PTR records map your sending IP to a hostname, which is checked as a trust signal by receiving mail servers. Missing or misconfigured records in any of these types can cause email to be rejected or land in spam.
nslookup is a command-line tool built into Windows, macOS, and Linux that performs DNS queries from your terminal. This tool provides the same functionality in a browser — no terminal access needed. It also queries multiple record types simultaneously and displays results grouped by type with TTL values, which would require multiple separate nslookup commands to replicate manually.
Different DNS resolvers (Google, Cloudflare, OpenDNS) may return slightly different results due to caching — each resolver caches records for the duration of the TTL and may not yet reflect recent changes. If you’ve recently updated a DNS record and it’s not showing up, try switching resolvers or wait for the TTL to expire. Google and Cloudflare typically refresh faster than older resolvers.

Monitor Your DNS Records & Email Security Automatically

PowerDMARC alerts you the moment your DNS records change — before misconfiguration affects your email deliverability or domain security.

DANE Record Checker

Frequently Asked Questions

A TLSA record is a DNS record type (type 52) used by DANE to associate a TLS certificate or public key with a specific domain, port, and protocol. It stores a certificate fingerprint secured by DNSSEC, so connecting clients can verify the certificate during the TLS handshake without relying on a certificate authority.

DANE (DNS-Based Authentication of Named Entities) is a security protocol that publishes TLS certificate information directly in DNS using TLSA records, protected by DNSSEC. It removes the dependency on third-party certificate authorities by letting domain owners specify exactly which certificate should be trusted for their services.

For SMTP email delivery between mail servers, use port 25 with TCP. The TLSA record is published at _25._tcp.[mx-hostname]. Note that for email, TLSA records must be on the MX hostname — not the root domain. Use port 443 / TCP for HTTPS.

Yes, and it’s recommended. DANE enforces TLS using DNSSEC-pinned certificates while MTA-STS enforces TLS via an HTTPS-hosted policy. Using both maximises coverage — DANE protects against rogue CAs, while MTA-STS covers sending servers that don’t support DANE.

Yes — DNSSEC is a hard requirement for DANE. Without DNSSEC, anyone could publish a fake TLSA record pointing to a malicious certificate, making the whole validation pointless. DNSSEC cryptographically signs your DNS records so resolvers can verify they haven’t been tampered with.

DANE-TA (Trust Anchor, usage 2) matches an intermediate or root CA certificate — any certificate signed by that CA will pass validation. DANE-EE (End Entity, usage 3) matches the server’s own certificate or public key directly. For SMTP, usage 3 with selector 1 (public key) and matching type 1 (SHA-256) is the recommended configuration per RFC 7672.
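The TLSA fields described above (usage, selector, matching type, then the association data) can be parsed and checked against a presented key as follows. This is an added example, not code from the checker this page describes; the function names are hypothetical, and `SAMPLE_SPKI` is a constructed placeholder byte string rather than a real DER-encoded public key.

```python
import hashlib
import hmac

USAGE = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTOR = {0: "full certificate", 1: "public key (SPKI)"}
DIGEST = {1: hashlib.sha256, 2: hashlib.sha512}  # matching type 0 = exact bytes

# Constructed sample: placeholder bytes standing in for the server's SPKI.
SAMPLE_SPKI = b"constructed SPKI placeholder, not real DER"
SAMPLE_RDATA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()

def tlsa_owner(host, port=25, proto="tcp"):
    """Owner name of the TLSA record; for SMTP, host is the MX hostname."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def parse_tlsa(rdata):
    """Parse presentation-format RDATA: 'usage selector mtype hex...'."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("expected: usage selector matching-type data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = bytes.fromhex("".join(parts[3:]))
    if usage not in USAGE or selector not in SELECTOR or mtype not in (0, 1, 2):
        raise ValueError("unassigned usage, selector or matching type")
    if mtype in DIGEST and len(data) != DIGEST[mtype]().digest_size:
        raise ValueError("data length does not fit the matching type")
    return usage, selector, mtype, data

def matches(tlsa, cert_der, spki_der):
    """True if the presented certificate or key matches the association data.

    For usage 2 the inputs would be the CA certificate from the chain.
    """
    _usage, selector, mtype, data = tlsa
    selected = spki_der if selector == 1 else cert_der
    presented = DIGEST[mtype](selected).digest() if mtype in DIGEST else selected
    return hmac.compare_digest(presented, data)

def smtp_recommended(tlsa):
    """True for the '3 1 1' form: DANE-EE, public key, SHA-256."""
    return tlsa[:3] == (3, 1, 1)

if __name__ == "__main__":
    rec = parse_tlsa(SAMPLE_RDATA)
    print(tlsa_owner("mx1.example.com"), "IN TLSA", SAMPLE_RDATA)
    print(matches(rec, b"", SAMPLE_SPKI), smtp_recommended(rec))
```

Because selector 1 hashes only the public key, a "3 1 1" record survives certificate renewal as long as the key pair is reused; a renewal that rotates the key needs the new record published before the switch.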

Monitor Your DANE Records & Email Security 24/7

PowerDMARC automatically monitors your TLSA records, DNSSEC status, and TLS certificates — alerting you the moment something breaks or expires.