
DNS health checker

Validate DNSSEC, audit CAA records, surface registration expiry, and sweep the major mail blacklists in one shot. No signup.

What this tool checks

We resolve every relevant DNS record type for the domain (NS, MX, A/AAAA, CAA, DNSSEC chain), then probe registration expiry via RDAP and check the resolved mail IPs against six major mail blocklists chosen for low false-positive rate and high signal weight at major receivers.

DNSSEC validation walks the chain from the root. We surface whether the zone is signed, whether the DS record at the parent matches the zone's KSK, and whether the chain terminates cleanly. Half-broken DNSSEC (signed zone, missing DS) is a common silent failure - resolvers either bypass it or hard-fail depending on configuration.

CAA tells CAs which issuers are authorized to mint certs for you. Missing CAA means any public CA can issue, which is the mis-issuance vector that bit several large companies in the past decade. We check both apex CAA and the inheritance chain up to the registered domain.
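The inheritance check described above can be sketched as follows. This is an added example, not Wiredepth's code: it follows the CAA lookup rules of RFC 8659, climbs every parent label of the name, and runs over a constructed zone in which `example.com`, the CA names and the function names are all assumptions.

```python
# Constructed sample data: CAA RRsets keyed by owner name, as (flags, tag, value).
# example.com and the CA names are placeholders, not results from the tool.
SAMPLE_ZONE = {
    "example.com": [(0, "issue", "letsencrypt.org"),
                    (0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [(0, "issue", ";")],
    "wild.example.com": [(0, "issue", "letsencrypt.org"),
                         (0, "issuewild", ";")],
}

def relevant_caa(name, zone):
    """Climb from name toward the root; the first non-empty CAA RRset wins."""
    labels = name.lower().rstrip(".").split(".")
    if labels[0] == "*":          # wildcard requests start at the parent name
        labels = labels[1:]
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []

def may_issue(name, ca_domain, zone):
    """Return (allowed, reason) for ca_domain issuing a certificate for name."""
    owner, rrset = relevant_caa(name, zone)
    if not rrset:
        return True, "no CAA anywhere in the chain: any public CA may issue"
    tag = "issue"
    if name.startswith("*.") and any(t.lower() == "issuewild" for _, t, _ in rrset):
        tag = "issuewild"         # issuewild overrides issue for wildcard names
    values = [v for _, t, v in rrset if t.lower() == tag]
    if not values:
        return True, f"CAA at {owner} has no {tag} property: issuance unrestricted"
    # Issuer domain is the part before any ';' parameters; empty means "nobody".
    issuers = {v.split(";")[0].strip().lower() for v in values}
    if ca_domain.lower() in issuers:
        return True, f"{ca_domain} authorized by {tag} at {owner}"
    return False, f"{ca_domain} not listed in {tag} at {owner}"

def has_iodef(name, zone):
    """True if the relevant RRset asks CAs to report refused requests."""
    return any(t.lower() == "iodef" for _, t, _ in relevant_caa(name, zone)[1])
```

The sketch ignores the critical flag and unknown property tags, which a full evaluator must also handle.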

How to read the results

DNSSEC unsigned is fine if intentional - many major brands skip it. DNSSEC partially configured (signed zone with no DS at parent) is broken and worth fixing.

CAA missing is a posture gap. Add at minimum: 0 issue "letsencrypt.org" (or whoever your CA is) and 0 iodef "mailto:<your-security-contact>" so attempted mis-issuance gets reported to you.

Blacklist hit on MX IP matters more than on apex - it's specifically about your mail's deliverability. If you're on a shared mail provider's IP and they get listed, the fix is provider-side; if it's your own MX, escalate via the blacklist's delisting flow.

Frequently asked questions

Why does the registration expiry matter?

Domains expire. Then they get sniped, sometimes by competitors, sometimes by phishing operators. We surface the expiry date so a 60-day reminder lands before it bites you. Wiredepth Pro fires alerts at 60/30/14/7/1 days out across all your monitored domains.

Is DNSSEC required?

Not required by any major receiver, but it materially raises the cost of DNS hijack attacks (cache poisoning, registrar account compromise propagating malicious records). Recommended for any domain where the cost of a hijack is meaningful - finance, healthcare, identity providers, anyone with privileged customer trust.

What's a CAA record?

A DNS record that whitelists which Certificate Authorities are allowed to issue TLS certs for your domain. CAs are required by the CA/Browser Forum to honor it. Setting one means an attacker who compromises a different CA cannot mint a valid cert for your domain.

Why six blacklists and not more?

We picked the six with the lowest false-positive rates and the highest signal weight at major receivers. Checking 30+ blacklists - which a lot of free tools do - just adds noise: most of them are run by individual operators with low rigor.

My MX is listed - what now?

First, identify whether you control the IP (self-hosted MX) or whether your provider does. Self-hosted: figure out what got you listed (open relay? compromised account? compromised user device?), fix it, then file a delisting request with the blacklist. Provider-controlled: contact your provider; they have established delisting workflows.
