Utilora

DNS & SPF/DMARC Security Inspector

Zero-Trust Utilities

What is DNS & SPF/DMARC Security Inspector?

DNS & SPF/DMARC Security Inspector is an OSINT and domain reconnaissance tool designed to evaluate the email security posture of any domain. It fetches and analyzes DNS records to check for configurations that make a domain vulnerable to email spoofing, phishing, and impersonation. Crucially, the tool utilizes DNS-over-HTTPS (DoH) to query Google and Cloudflare DNS directly from the client. This architecture keeps your domain investigations completely private from intermediate SaaS tracking or logging.

How it works

The tool sends standard JSON queries to Google and Cloudflare's public DNS-over-HTTPS endpoints. It requests MX, TXT, A, AAAA, and NS records. When the TXT records are received, it searches for text beginning with 'v=spf1' (SPF) and checks the '_dmarc.' subdomain for records beginning with 'v=DMARC1' (DMARC). It then parses these strings to analyze the policy rules (e.g. reject vs. quarantine policies, include domains, and catch-all flags) and runs security checks on them client-side.

Features & Benefits

  • Zero-Logging: DNS queries are performed browser-to-DoH-provider, avoiding third-party logging of scanned targets
  • Email Spoofing Assessment: Instantly flags missing SPF, weak DMARC policies (p=none), or invalid MX records
  • Raw DNS data: View resolved records (MX, TXT, A, AAAA, NS) in a clean, developer-friendly interface
  • Educational: Explains SPF mechanisms and DMARC alignment rules in plain English

Frequently Asked Questions

How does DNS-over-HTTPS (DoH) preserve privacy?

By querying public DoH APIs directly from your browser, your query is mixed with trillions of other daily DNS resolutions. No middleman website logs your target domains.

Why is a missing DMARC policy dangerous?

Without a DMARC policy (or if the policy is set to p=none), servers receiving mail from your domain will not reject spoofed messages, even if they fail SPF or DKIM checks.

What SPF mechanisms are checked?

We analyze the catch-all mechanism (e.g., -all vs ~all vs +all) and warn you if it's set to +all or missing, which allows anyone to send mail on your behalf.

Related Tools

Popular Utilities