
A DNS security health check audits a domain against a set of security controls and returns a weighted A–F grade. It evaluates DNSSEC, DANE, CAA records, registry lock, and up to 10 other categories, surfacing the gaps that carry the most risk and the specific steps needed to close them.
Run a one-off check at spotzee.com/tools/dns-health-check. Choose Quick for the essential controls or Full for all 13 categories. Use this guide to understand what each category tests and how to interpret the grade.

Why this matters

DNS is the entry point to your domain. An attacker who controls your DNS can redirect email, intercept web traffic, and obtain fraudulently issued TLS certificates, all without touching your servers. DNSSEC lets validating resolvers detect forged or tampered records; CAA records tell certificate authorities which CAs may issue for your domain, and CAs are required to check them before issuing; registry lock blocks registrar-level hijacking, including nameserver changes pushed through by social engineering of registrar staff.

For financial services firms, DNS security posture is part of operational resilience. The FCA's PS21/3, the PRA's supervisory statements on operational resilience, and the EU DORA regulation each expect demonstrable evidence that the controls protecting important services are in place, and for any service reached by domain name that includes DNS. An auditor asking for DNS security evidence will expect DNSSEC, CAA records restricting certificate issuance, and registry lock on critical domains. The tool produces an A–F grade with evidence-ready subscores for each control.

Calls to the Extended API version of this tool deduct a small per-call amount from your Spotzee credit balance. See the Spotzee pricing page for live figures.

How it works

1. Submit the domain
Pass domain and an optional check_mode (quick or full; default quick) as form fields in a POST request to /generic/dns/dns-health-check.

2. Resolve DNS records
The API queries the record types each category needs: DS records for DNSSEC, TLSA records for DANE, CAA records, and NS/A records for the infrastructure checks.

3. Score each category
Each of the 13 categories earns points for the controls that are present and correctly configured. Categories are weighted by risk severity; DNSSEC carries the highest weight (25 points maximum in quick mode).

4. Calculate the grade
The weighted category scores are combined into a single score from 0 to 100, which maps to a grade as follows: A = 85–100, B = 70–84, C = 55–69, D = 40–54, F = 0–39.

5. Return recommendations
The response includes the overall grade, the per-category subscores, and prioritised recommendations for the gaps with the highest impact on the score.
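The following is an added example, not Spotzee's scoring code, that models steps 3 and 4 above and the CAA completeness check described under "What to watch for" and in the FAQ. Only the DNSSEC weight (25 of 100 in quick mode), the grade bands, and the three CAA tags come from this page; the other category weights, the split of the CAA category into issue/issuewild/iodef points, and the sample records are assumptions made for the illustration.

```python
"""Offline model of the weighted DNS health score (added example).

Assumed, not from the page: every category weight except DNSSEC's 25, the
40/30/30 split of the CAA category, and the constructed sample records below.
"""
from __future__ import annotations

# Grade bands as the page lists them: (lowest score in band, letter).
GRADE_BANDS = [(85, "A"), (70, "B"), (55, "C"), (40, "D"), (0, "F")]

# Quick-mode category weights summing to 100. DNSSEC = 25 is from the page;
# the remaining weights are assumed placeholders for the illustration.
QUICK_WEIGHTS = {
    "dnssec": 25, "authentication": 20, "caa": 15,
    "registry_lock": 15, "infrastructure": 15, "dane": 10,
}


def grade_for(score: float) -> str:
    """Map a 0-100 weighted score to the A-F letter bands."""
    for floor, letter in GRADE_BANDS:
        if score >= floor:
            return letter
    return "F"


def parse_caa(record: str) -> tuple[int, str, str]:
    """Parse one CAA record in presentation format, e.g. '0 issue "ca.example"'.

    Returns (flags, tag, value) with the tag lower-cased and quotes stripped.
    """
    flags, tag, value = record.split(maxsplit=2)
    return int(flags), tag.lower(), value.strip().strip('"')


def score_caa(records: list[str]) -> tuple[int, list[str]]:
    """Score the CAA category (0-100) and list the gaps the page calls out.

    An issue tag restricts which CAs may issue (issue ";" forbids all issuance),
    issuewild makes the wildcard policy explicit, and iodef gives CAs an address
    to report refused requests to.
    """
    if not records:
        return 0, ["No CAA record: any CA may issue certificates for this name"]
    tags: dict[str, list[str]] = {}
    for record in records:
        _, tag, value = parse_caa(record)
        tags.setdefault(tag, []).append(value)

    score, findings = 0, []
    if "issue" in tags:
        score += 40
    else:
        findings.append("Add an issue tag naming the CA(s) allowed to issue")
    if "issuewild" in tags:
        score += 30
    else:
        findings.append('Add issuewild (use issuewild ";" to forbid wildcard certs)')
    if "iodef" in tags:
        score += 30
    else:
        findings.append("Add iodef so CAs can report refused certificate requests")
    return score, findings


def weighted_score(subscores: dict[str, float], weights: dict[str, int]) -> float:
    """Combine per-category scores (each 0-100) into one 0-100 weighted average."""
    total = sum(weights.values())
    return sum(subscores.get(cat, 0) * w for cat, w in weights.items()) / total


def assess(subscores: dict[str, float], weights: dict[str, int]) -> tuple[float, str]:
    """Return (overall score, letter grade) for a set of category subscores."""
    score = weighted_score(subscores, weights)
    return score, grade_for(score)


# Constructed sample: a minimal CAA record with only the issue tag.
SAMPLE_CAA = ['0 issue "letsencrypt.org"']

# Constructed sample: email authentication and infrastructure are perfect,
# but DNSSEC, registry lock and DANE are absent and CAA is minimal.
SAMPLE_SUBSCORES = {
    "dnssec": 0, "authentication": 100, "caa": score_caa(SAMPLE_CAA)[0],
    "registry_lock": 0, "infrastructure": 100, "dane": 0,
}

if __name__ == "__main__":
    score, grade = assess(SAMPLE_SUBSCORES, QUICK_WEIGHTS)
    print(f"overall {score:.0f}/100 -> grade {grade}")
    for gap in score_caa(SAMPLE_CAA)[1]:
        print("CAA:", gap)
    # Enabling DNSSEC alone lifts the same domain into the next band.
    print("with DNSSEC:", assess(dict(SAMPLE_SUBSCORES, dnssec=100), QUICK_WEIGHTS))
```

Running the sample shows why the page tells you to start with DNSSEC: perfect SPF/DKIM/DMARC and nameserver scores still leave the domain at D, and turning on DNSSEC alone moves it to C before any other category changes.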

What to watch for

Five result patterns require immediate action.
  • Grade F or D. A failing grade means critical controls such as DNSSEC are absent. Start with the top recommendation, typically enabling DNSSEC and publishing CAA records, as these carry the highest score weight.
  • DNSSEC score: 0. DNSSEC is not enabled. Enable signing at your DNS provider, publish the resulting DS record at your registrar (a signed zone with no DS record at the parent still fails validation), and verify with a DNS lookup that requests DNSSEC data, for example dig +dnssec against a validating resolver, where the AD flag in the response confirms the chain validates. Re-run this check once the DS record has propagated.
  • CAA score below maximum. Your CAA record exists but is missing the issuewild or iodef tags, or has no issue tag restricting issuance to specific CAs. Add the missing tags. An issue tag alone already limits which CAs may issue (and, with no issuewild tag present, applies to wildcard names too); issuewild makes the wildcard policy explicit and iodef gives CAs an address to report refused requests to.
  • Registry lock: 0. Contact your registrar to enable registry lock. It adds an out-of-band verification step before nameserver changes or domain transfers can proceed, protecting against social engineering attacks that target the registrar.
  • Authentication and infrastructure: low. These categories usually fail when SPF, DKIM, or DMARC are absent, or when nameserver redundancy requirements are not met. Use the SPF lookup, DMARC lookup, and MX lookup tools to address these in sequence.

FAQs

What does the check grade?
It grades up to 13 categories: DNSSEC, DANE, CAA records, registry lock, DNS cookies, NSEC3, infrastructure, authentication, monitoring, privacy, abuse prevention, operational controls, and third-party risk. Each category is scored and weighted to produce an overall A–F grade. Quick mode covers only the highest-weight categories.

Why does DNSSEC carry the highest weight?
DNSSEC (DNS Security Extensions) adds cryptographic signatures to DNS records so that validating resolvers can verify the records have not been forged or tampered with in transit. Without DNSSEC, an attacker who poisons a resolver's cache can redirect your domain's traffic, including email, to a server they control. It is the single highest-impact control in the score.

What is a CAA record?
A Certification Authority Authorisation (CAA) record specifies which certificate authorities are permitted to issue TLS certificates for your domain. Publicly trusted CAs are required to check CAA before issuance, so a CA not named in your record must refuse a request for your domain even when the requester has passed the CA's domain-validation checks. A complete CAA record set includes issue, issuewild, and iodef tags.

What is registry lock?
Registry lock prevents changes to your domain's registration (nameserver changes, transfers, deletions) without an out-of-band verification step with the registrar. It protects against social engineering attacks that target registrar staff directly. A locked domain shows the serverDeleteProhibited, serverTransferProhibited, and serverUpdateProhibited status codes in its RDAP or WHOIS output, which is a quick way to confirm the lock is in place. Not all registrars offer it; check with your registrar for availability and the process to enable it.

What is the difference between quick and full mode?
Quick checks the highest-weight categories only. Full assesses all 13 categories, including lower-weight controls such as DNS cookies and third-party risk. The grade can differ between modes because full mode includes more categories in the weighted average. Use quick for rapid checks and full before a compliance audit.

Where can I learn more?
Read the in-depth DNS security health check guide for what each of the 13 categories tests, how the scoring is weighted, and a prioritised remediation sequence for common grade patterns. Pair it with the SPF lookup and DMARC lookup tools for a complete authentication audit.

Try it

Run a check at spotzee.com/tools/dns-health-check. For automated monitoring or batch assessment of multiple domains, call the Extended API endpoint directly with your Spotzee API key.
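An added example of the batch assessment described above, not Spotzee's own client code. The endpoint path, the form fields (domain, check_mode) and the D/F action threshold come from this page; the base URL, the X-API-Key header name, the JSON field names grade and recommendations, and the sample responses are assumptions made for the illustration.

```python
"""Batch DNS health checks against the Extended API (added example).

Assumed, not from the page: BASE_URL, the X-API-Key header, and a JSON
response containing "grade" and a list of "recommendations".
"""
from __future__ import annotations

import json
import os
import sys
import urllib.parse
import urllib.request

BASE_URL = "https://api.spotzee.com"              # assumed
ENDPOINT = "/generic/dns/dns-health-check"        # from the page
ACTION_GRADES = {"D", "F"}                        # the page: immediate action


def build_request(domain: str, api_key: str,
                  check_mode: str = "quick") -> urllib.request.Request:
    """Build the form-encoded POST the page describes (header name assumed)."""
    if check_mode not in ("quick", "full"):
        raise ValueError("check_mode must be 'quick' or 'full'")
    body = urllib.parse.urlencode(
        {"domain": domain, "check_mode": check_mode}).encode()
    return urllib.request.Request(
        BASE_URL + ENDPOINT, data=body, method="POST",
        headers={"X-API-Key": api_key,            # assumed header name
                 "Content-Type": "application/x-www-form-urlencoded"})


def check_domain(domain: str, api_key: str, check_mode: str = "quick",
                 timeout: float = 30) -> dict:
    """Submit one domain and return the parsed JSON response."""
    req = build_request(domain, api_key, check_mode)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def triage(results: dict[str, dict]) -> list[tuple[str, str, str]]:
    """Return (domain, grade, top recommendation) for every D or F result.

    F comes before D, then alphabetical, so the report leads with the
    domains the page says need immediate action.
    """
    rows = []
    for domain, result in results.items():
        grade = result.get("grade", "F")          # assumed field name
        if grade in ACTION_GRADES:
            recs = result.get("recommendations") or ["(no recommendation returned)"]
            rows.append((domain, grade, recs[0]))
    return sorted(rows, key=lambda row: (row[1] != "F", row[0]))


# Constructed sample responses shaped per the assumptions above.
SAMPLE_RESULTS = {
    "good.example": {"grade": "A", "recommendations": []},
    "weak.example": {"grade": "D", "recommendations": ["Enable DNSSEC", "Publish CAA"]},
    "bad.example": {"grade": "F", "recommendations": ["Enable DNSSEC"]},
}

if __name__ == "__main__":
    # Usage: SPOTZEE_API_KEY=... python batch_check.py example.com example.net
    key = os.environ["SPOTZEE_API_KEY"]
    results = {d: check_domain(d, key, "full") for d in sys.argv[1:]}
    for domain, grade, rec in triage(results):
        print(f"{grade}  {domain:30} {rec}")
```

Full mode is used for the batch run because it includes every category, which is what an audit will ask about; switch to quick for a cheaper scheduled sweep and keep the triage threshold at D/F so that only domains needing action reach the report.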