DNSSEC - proof your DNS answers are genuine

DNSSEC signs your DNS records so receivers can tell a real answer from a forged one, protecting the very records SPF, DKIM and DMARC rely on.

d SPF DKIM DMARC MTA-STS TLS-RPT DNSSEC Blacklist

What it is

DNSSEC (DNS Security Extensions) adds a chain of cryptographic signatures to your domain's DNS. When a receiver looks up your records, it can verify the answer genuinely came from you and wasn't altered along the way.

Why it matters

Every email control - SPF, DKIM, DMARC - lives in DNS. If an attacker can forge a DNS answer, they can undermine all of them at once. DNSSEC closes that door by making forged answers detectable.

What "good" looks like

A properly signed zone with a valid chain of trust up to the registry, keys rotated on schedule, and no broken signatures - because a misconfigured DNSSEC setup can take your whole domain offline. It's powerful and unforgiving, which is exactly why we keep watch on it.

Related: SPF · DKIM · DMARC · MTA-STS · TLS-RPT · Blacklist monitoring

See whether your DNSSEC is sound

DMARCER checks your DNSSEC continuously and warns you the moment a signature breaks.

Get started

Free domain check

Check your domain security

See how your domain's security compares to your competitors.