Log in
CaptainDNS

Propagation & diagnostics

Compare resolvers worldwide and inspect returned answers.

Email authentication

Tools to verify and validate your email authentication setup.

SPF syntax validator

Review include chains and DNS query limits before publishing changes.

SPF record inspector

Resolve the published TXT record, flag lookup limits and decode each mechanism.

DKIM syntax validator

Quickly check the syntax of your DKIM records.

DKIM record check

Resolve a selector and analyse the published DKIM TXT record.

DMARC syntax validator

Check rua/ruf destinations, alignment modes and the active policy before publishing.

DMARC record inspector

Resolve the published policy, surface diagnostics and confirm enforcement before switching to reject.

BIMI syntax validator

Validate BIMI tags, the logo fetch and the VMC certificate before publishing.

BIMI record inspector

Resolve the published BIMI record, inspect logo and VMC diagnostics in one place.

Email deliverability audit

Audit MX, SPF, DKIM and DMARC to confirm a domain is ready to send.

Mail header analyzer

Decode participants, authentication results and routing from raw headers.

DMARC record generator

Create compliant DMARC records with all policy and reporting options.

Text

Transform, encode and measure your content in seconds.

Text case converter

Convert any block of text to upper or lower case instantly.

Base64 encoder / decoder

Encode or decode any content in Base64 without leaving the browser.

Slug generator

Transform any sentence into an SEO-friendly slug in seconds.

Word & character counter

Measure the length of any text, with instant word and character counts.

Images

Preview and validate your BIMI logos before publishing.

BIMI logo lookup

Inspect a BIMI logo URL—format, metadata and live rendering—before rollout.

Certificates

Inspect CSRs, BIMI logos and VMC certificates before you deploy.

CSR parser

Inspect a CSR, extract subject details, fingerprints and requested SANs.

VMC inspector

Inspect a Verified Mark Certificate—issuer, validity and SAN coverage—before you publish BIMI.

IP

Look up addresses, owners, reverse records and ranges.

Reverse lookup

Resolve a PTR record and validate DNS consistency.

IP WhoIs

Identify the owner of an IP range and its contacts.

IPv4 netmask

Calculate network, broadcast and usable hosts for any IPv4 block.

My IP address

Detect your IPv4/IPv6 addresses and their geolocation.

Tools

A complete suite to explore and diagnose your DNS zones

A collection of tools to understand, test, and monitor your infrastructure. Start with the DNS suite to explore your records, measure latency, and track propagation worldwide.

DNS

Full DNS suite. A, AAAA, MX, TXT lookups over UDP, TCP, and DoH. Iterative trace from root to authoritative. Latency measurement and propagation tracking via public resolvers.

IP

All things IP in one place: PTR reverse lookups, IP WHOIS ownership details and a detector for your own IPv4/IPv6 address with geolocation and ISP.

Email authentication (SPF, DKIM, DMARC)

Analysis and assistant for your SPF, DKIM, and DMARC records: record discovery, key validation, alignment checking, policy (p=none/quarantine/reject), rua/ruf reports, and anti-spoofing best practices.

Text

Convert blocks of text to lower or upper case and track word or character counts in seconds.

Certificates

Inspect CSR requests, review VMC certificates, and audit trust chains before publishing changes.

Image tools

Validate BIMI logos and image assets to ensure they meet Tiny-PS and deliverability requirements before going live.

Why regularly analyze your DNS zones

What a DNS analysis really reveals

A DNS zone seems simple. In practice, many errors go unnoticed. A CNAME placed at the same label as an A breaks compliance. A CNAME at the apex blocks other essential records. Inconsistent NS between the parent zone and the zone itself create different answers depending on the resolver. An SOA with a frozen serial betrays a zone that's no longer updating.

The analysis lists what actually responds today-not theoretical values. We check A and AAAA for reachability. We confirm MX and their targets. We read TXT for SPF, DKIM, and DMARC. We verify CAA for certificate issuance. We review SVCB and HTTPS if you publish web-side parameters. We validate DS and DNSKEY when DNSSEC is active.

The TTL tells the real-life story of answers. A short TTL helps during a migration. A long TTL stabilizes traffic. Too short, it burdens authoritative servers and complicates caching. Too long, it delays a fix. The analysis puts these choices in front of their visible effects.

Finally, the analysis helps spot dead zones. A delegated subdomain without reachable name servers. A forgotten record pointing to a private address. A missing PTR on an address that sends mail. These small details often explain a long and costly outage.

Latency measurement and resolution trace

Looking at latency helps you understand differences perceived by users. An address that's reachable but slow is still a problem. Measuring by resolver and by region shows where the path gets heavier. A sudden increase may come from a saturated entry point or a distant relay chosen by mistake.

The iterative trace follows the usual path: root, then TLD, then authoritative servers. Each step returns an answer and adds latency. The trace highlights an authoritative server that responds poorly. It also reveals a public resolver that keeps an outdated view. You document the incident with facts. You avoid guesswork.

The query history completes the picture. You compare before and after a change. You show the time and the value received. You link a latency drop to a precise adjustment. You can roll back if needed, because you keep a reliable record of what was observed.

Why email authentication has become essential

SPF, DKIM, DMARC: how they work together

SPF describes who is allowed to send on behalf of the domain. Verification happens on the receiving server. The rule is read from a TXT at the apex. Too permissive, it lets abuse slip through. Too strict, it blocks legitimate flows. You need to strike the right balance.

DKIM signs the message. A private key signs. The public key is found in a TXT under the selector at _domainkey. A valid signature proves the message hasn't been altered. It also identifies the domain that signed it. Key quality matters. A truncated key breaks verification. A wrong selector makes the key unfindable.

DMARC brings identity and policy together. It links the visible address to SPF and DKIM via alignment. When one of the two passes and is aligned with the displayed domain, the message is considered compliant. The policy defines what to do on failure: none to observe, quarantine to throttle, reject to block. rua and ruf reports give a daily view of flows.

BIMI builds on DMARC with an active policy. It's not a security system in the strict sense. It's an identity signal in certain clients. It underscores a high level of hygiene. It doesn't exist without properly enforced DMARC. The tooling-side analysis checks for the presence of records and their consistency. It also shows whether the policy is truly applied.

Common mistakes and useful checks

Two SPF entries at the same name cancel each other out. They must be merged into a single value. An overly long record exceeds the allowed query limit and ends up failing. A misspelled DKIM selector makes the key invisible. A public key copied with an extra line break becomes unreadable. An MX pointing to a CNAME falls out of compliance. A sending address without a consistent PTR hurts deliverability.

Operational checks remain simple. Read TXT records as they respond from multiple resolvers. Verify SPF for uniqueness and number of mechanisms. Confirm the presence of DKIM keys and sufficient key length. Examine DMARC for alignment and the chosen policy. Enable reports and monitor them for a few days. Adjust without rushing.

TTL matters here too. A short TTL allows quick fixes to an overly strict SPF or a key error. A medium TTL stabilizes a healthy setup. During a transition, it's prudent to set a low TTL. After validation, raise it to ease traffic. The tool shows the real effect on the network. You see when new values are being served.

One last point concerns the team and the process. Document every change to avoid surprises. Record the date, the affected zone, and the reason. Keep the previous value. Test from multiple networks. Read a trace when a server responds strangely. With these habits, diagnosis becomes short and clear. Incidents are resolved with facts, not assumptions.