Maxinames

Free DNS Health Check: Catch Domain Issues Before Visitors Do

We built a free DNS health check that diagnoses nameserver, web, mail, and security issues in seconds — works on any domain, no account needed.


DNS issues are some of the most expensive bugs in tech because they're invisible until they aren't. A misconfigured SPF record sends six months of marketing email to spam folders. A missing AAAA on the apex blocks IPv6-only mobile users from your shop. An expired DNSSEC signature takes the whole domain offline overnight. The visible symptom — an angry ticket, a missed renewal email, a dropped sales call — arrives long after the cause.

We just launched a free DNS Health Check that surfaces these issues in seconds, on any domain — registered with us or anywhere else. This post covers what it checks, how to read the results, and the most common failures we see in the wild.

What it checks

Ten focused checks across four impact areas. We picked the set that catches outages and broken email, not the long tail of cosmetic warnings older tools flag.

DNS

  • Nameservers — at least two for redundancy. Single-NS setups are one outage away from disappearing.
  • SOA record — refresh, retry, expire, and minimum TTL within sane ranges. Bad expire values cause silent zone unavailability after a primary outage.

Web

  • Apex A record — the bare domain must resolve. We also detect the classic CNAME-at-apex mistake (forbidden by RFC, breaks email).
  • www — most visitors still type or paste the www form. If it doesn't resolve, half your traffic 404s.
  • IPv6 (AAAA) — informational. ~40% of global traffic now arrives over IPv6.

Mail

  • MX records — each MX host must itself have an A record. A missing A is the silent killer that bounces incoming mail.
  • SPF — exactly one TXT record starting with v=spf1, ending in ~all or -all. Multiple SPF records are a permanent error per RFC 7208.
  • DMARC — _dmarc TXT with a real policy (p=quarantine or p=reject). p=none is monitor-only and won't actually defend against spoofing.

Security

  • DNSSEC — DS at the parent registry plus a successful AD-bit validation. A DS without validation is worse than no DNSSEC at all (broken signatures take you offline).
  • CAA records — restrict which certificate authorities can issue SSL for your domain. Optional but a real defence against rogue issuance.

How to read the results

Every check returns one of four statuses, sorted by severity within each category:

  • Error (red) — actively breaking something. Fix today. Examples: NXDOMAIN, missing SOA, MX without A, multiple SPF records, broken DNSSEC.
  • Warn (orange) — works for now but fragile or under-protected. Examples: single nameserver, missing SPF, DMARC p=none, www doesn't resolve.
  • OK (green) — healthy.
  • Info (grey) — optional best practice that isn't strictly broken. Examples: IPv6, CAA, DNSSEC on a hobby site.

The five issues we see most often

  1. Multiple SPF records after adding a new email service (Mailchimp, Postmark, Google) without merging into the existing one. Receiving servers reject it as a permanent error and your mail starts going to spam.
  2. MX hosts without A records after a provider migration. Mail to the domain queues at the sender for days, then bounces.
  3. DMARC stuck on p=none — published months ago to start collecting reports, never moved to enforcement. Spammers can still spoof your From address.
  4. www doesn't resolve after migrating to a new host. The apex was updated; the www CNAME or A record was forgotten.
  5. DNSSEC enabled at the registrar but DS not yet propagated to the parent — the site appears to work for some resolvers and returns SERVFAIL for others. A red flag we always surface.
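
The SPF and DMARC failures in this list reduce to rules over TXT strings. The sketch below is an added example, not Maxinames' code: it grades TXT answers with the article's statuses, and its function names, sample domains and the statuses marked as assumptions in the comments are not from the article.

```javascript
// Added example, not the tool's code. Statuses follow the article's severity model.
// A DoH JSON answer carries TXT data as quoted chunks: "\"part1\" \"part2\"".
function txtValue(data) {
  return data.replace(/"\s*"/g, "").replace(/^"|"$/g, "");
}

function checkSpf(txtData) {
  const spf = txtData.map(txtValue).filter((r) => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) return { status: "warn", reason: "no SPF record" };
  if (spf.length > 1) {
    return { status: "error", reason: `${spf.length} SPF records (RFC 7208 permerror)` };
  }
  const last = spf[0].trim().split(/\s+/).pop().toLowerCase();
  if (last === "~all" || last === "-all") return { status: "ok", reason: `ends in ${last}` };
  // Assumption: the article names no status for a record that ends any other way.
  return { status: "warn", reason: `ends in "${last}", not ~all or -all` };
}

function parseTags(record) {
  const tags = {};
  for (const part of record.split(";")) {
    const i = part.indexOf("=");
    if (i > 0) tags[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return tags;
}

function checkDmarc(txtData) {
  const recs = txtData.map(txtValue).filter((r) => /^v\s*=\s*DMARC1\s*(;|$)/.test(r));
  // Zero or several records: receivers apply no DMARC policy (RFC 7489).
  // Assumption: the article lists only p=none under Warn; this case is graded the same.
  if (recs.length !== 1) return { status: "warn", reason: "no usable DMARC record" };
  const p = (parseTags(recs[0]).p || "").toLowerCase();
  if (p === "quarantine" || p === "reject") return { status: "ok", reason: `p=${p}` };
  return { status: "warn", reason: p === "none" ? "p=none is monitor-only" : "no valid p= tag" };
}

// Constructed sample answers (TXT "data" strings in DoH JSON form).
const SAMPLE_TWO_SPF = [
  '"v=spf1 include:_spf.mail-a.example ~all"',
  '"v=spf1 include:_spf.mail-b.example ~all"',
  '"some-site-verification=abc123"',
];
const SAMPLE_MERGED_SPF = ['"v=spf1 include:_spf.mail-a.example " "include:_spf.mail-b.example -all"'];
const SAMPLE_DMARC_NONE = ['"v=DMARC1; p=none; rua=mailto:reports@domain.example"'];
```

SAMPLE_MERGED_SPF shows the fix for the first failure: one record carrying both includes, here split into two quoted chunks the way long TXT records are returned.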

How it works (and what it doesn't store)

All lookups go through Cloudflare's public DNS-over-HTTPS resolver directly from your browser. The domains you check never touch Maxinames servers — we don't log, store, or analyse them. The tool itself is a single static page; there's no backend, no API key, no rate limit. Use it as often as you like.
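
The resolver's JSON answers carry what the DNSSEC and MX checks need: the response code, the AD flag and the answer records. The following is an added example, not the tool's own code; the function names, the status chosen where the article gives none, and the sample responses are assumptions.

```javascript
// Added example, not the tool's code. Field names follow the resolver's
// application/dns-json responses; statuses follow the article's severity model.
const TYPE = { A: 1, MX: 15, DS: 43 };
const SERVFAIL = 2; // DNS RCODE 2

// For a browser or Node 18+. The checks below take the parsed JSON it returns.
async function dohQuery(name, type) {
  const url = `https://cloudflare-dns.com/dns-query?name=${encodeURIComponent(name)}&type=${type}`;
  const res = await fetch(url, { headers: { accept: "application/dns-json" } });
  return res.json();
}

const answers = (resp, type) => ((resp && resp.Answer) || []).filter((rr) => rr.type === type);

function checkDnssec(dsResp, apexResp) {
  if (answers(dsResp, TYPE.DS).length === 0) return { status: "info", reason: "no DS at the parent" };
  if (apexResp.Status === SERVFAIL) {
    return { status: "error", reason: "DS present, resolver returns SERVFAIL" };
  }
  return apexResp.AD === true
    ? { status: "ok", reason: "DS present, answer validated (AD set)" }
    : { status: "error", reason: "DS present, answer not validated" };
}

function checkMx(mxResp, aRespByHost) {
  const hosts = answers(mxResp, TYPE.MX).map((rr) =>
    rr.data.trim().split(/\s+/)[1].replace(/\.$/, "").toLowerCase());
  // Assumption: the article gives no status for these two cases.
  if (hosts.length === 0) return { status: "info", reason: "no MX records" };
  if (hosts.includes("")) return { status: "info", reason: "null MX (RFC 7505)" };
  const missing = hosts.filter((h) => answers(aRespByHost[h], TYPE.A).length === 0);
  return missing.length > 0
    ? { status: "error", reason: `MX without A: ${missing.join(", ")}` }
    : { status: "ok", reason: `${hosts.length} MX host(s) resolve` };
}

// Constructed sample responses (documentation names and addresses, placeholder digest).
const SAMPLE = {
  ds: { Status: 0, AD: true, Answer: [{ name: "domain.example", type: 43, TTL: 3600, data: "12345 13 2 CONSTRUCTED-DIGEST" }] },
  apexBroken: { Status: 2, AD: false },
  mx: { Status: 0, Answer: [
    { name: "domain.example", type: 15, TTL: 300, data: "10 mail.domain.example." },
    { name: "domain.example", type: 15, TTL: 300, data: "20 backup.domain.example." }] },
  a: { "mail.domain.example": { Status: 0, Answer: [{ type: 1, data: "192.0.2.10" }] },
       "backup.domain.example": { Status: 0 } },
};
```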

There are a few checks we deliberately don't run because they need server-side capabilities the browser can't reach safely: parent-NS-vs-zone-NS comparison, reverse DNS for MX hosts, and SMTP banner checks. If you need those, our support team can run a deeper audit on request — open a ticket with the domain.

Try it

The tool is live now at maxinames.com/dns-tools. Run it against your own domain, your client's, your competitor's. The 10 checks complete in under two seconds against most authoritative nameservers, and the report tells you not just what's wrong but why it matters.

If you find errors and want help fixing them — particularly around SPF/DMARC consolidation or DNSSEC rollouts — get in touch. These are the kind of changes that look one-line trivial in a tutorial and are surprisingly easy to break under load.
