DNSSEC checker

DNSSEC signs DNS answers so resolvers can detect tampering. For email, it underpins DANE and gives confidence that MX and policy records were not forged in transit. Enter a domain to check its DNSSEC delegation and validation status.

Runs the full report, including this check.

What the DNSSEC check covers

Why DNSSEC matters for email

Without DNSSEC, an attacker who can spoof DNS answers could redirect mail by forging MX records or weaken policy by forging SPF and DMARC records. DNSSEC is also a prerequisite for DANE (TLSA records), which pins the TLS certificate of a mail server.

Frequently asked questions

Is DNSSEC required for good deliverability?
No. SPF, DKIM, and DMARC are the priorities. DNSSEC is a defense-in-depth layer that protects the DNS records those protocols rely on, and it is required if you want to deploy DANE. scan.mx reports it, but its absence does not by itself fail a domain.
How do I enable DNSSEC?
Turn on signing at your DNS provider, then add the resulting DS record at your registrar so the parent zone delegates trust. Both steps are needed for validation to succeed.