Log in
CaptainDNS

Propagation & diagnostics

Compare resolvers worldwide and inspect returned answers.

Email authentication

Tools to verify and validate your email authentication setup.

SPF syntax validator

Review include chains and DNS query limits before publishing changes.

SPF record inspector

Resolve the published TXT record, flag lookup limits and decode each mechanism.

DKIM syntax validator

Quickly check the syntax of your DKIM records.

DKIM record check

Resolve a selector and analyse the published DKIM TXT record.

DMARC syntax validator

Check rua/ruf destinations, alignment modes and the active policy before publishing.

DMARC record inspector

Resolve the published policy, surface diagnostics and confirm enforcement before switching to reject.

BIMI syntax validator

Validate BIMI tags, the logo fetch and the VMC certificate before publishing.

BIMI record inspector

Resolve the published BIMI record, inspect logo and VMC diagnostics in one place.

Email deliverability audit

Audit MX, SPF, DKIM and DMARC to confirm a domain is ready to send.

Mail header analyzer

Decode participants, authentication results and routing from raw headers.

DMARC record generator

Create compliant DMARC records with all policy and reporting options.

Text

Transform, encode and measure your content in seconds.

Text case converter

Convert any block of text to upper or lower case instantly.

Base64 encoder / decoder

Encode or decode any content in Base64 without leaving the browser.

Slug generator

Transform any sentence into an SEO-friendly slug in seconds.

Word & character counter

Measure the length of any text, with instant word and character counts.

Images

Preview and validate your BIMI logos before publishing.

BIMI logo lookup

Inspect a BIMI logo URL—format, metadata and live rendering—before rollout.

Certificates

Inspect CSRs, BIMI logos and VMC certificates before you deploy.

CSR parser

Inspect a CSR, extract subject details, fingerprints and requested SANs.

VMC inspector

Inspect a Verified Mark Certificate—issuer, validity and SAN coverage—before you publish BIMI.

IP

Look up addresses, owners, reverse records and ranges.

Reverse lookup

Resolve a PTR record and validate DNS consistency.

IP WhoIs

Identify the owner of an IP range and its contacts.

IPv4 netmask

Calculate network, broadcast and usable hosts for any IPv4 block.

My IP address

Detect your IPv4/IPv6 addresses and their geolocation.

SOA record lookup

In iterative trace mode, the resolver is ignored.
Query multiple public resolvers to compare answers.

How to use the DNS lookup engine options effectively

What is the iterative trace?

The trace performs resolution step by step. The resolver first queries the root servers, then the TLD (.com, .fr, .eu), and then the authoritative servers of the target zone. At each step, the page shows the queried server, the answer, the RCODE, and the latency.

  1. 1. Root

    Discovery of the TLD servers for the requested name.

  2. 2. TLD

    Reference to the zone's NS (delegation).

  3. 3. Authoritative

    Final answer (or error) with TTL and latency.

What is it for?

  • Compare answers across resolvers and regions
  • Detect a hot cache, an overly long TTL, or an incomplete delegation
  • Explain a latency difference or an unexpected RCODE

Tip: keep the trace disabled for quick checks; enable it when investigating or preparing a ticket/post‑mortem.

What is the classic trace?

The classic trace queries only the selected resolver (UDP or DoH) and displays the answer as it is perceived from that network vantage point. You get the RCODE, the response sections, and the latency for the client → resolver leg.

  1. 1. Chosen resolver

    Uses the preset or custom configuration to run the query exactly like your service would.

  2. 2. Protocol preserved

    Respects the selected transport (UDP, TCP, or DoH) so you reproduce the real behaviour.

  3. 3. Detailed answer

    Shows the question, answer, and authority/additional sections when present, together with TTL and useful metadata.

Why use it?

  • Check the view of a specific resolver before suspecting delegation issues
  • Confirm cached values and the impact of a TTL or a flush
  • Document a resolution exactly as a client or microservice sees it

Tip: keep the iterative trace option turned off when auditing a given resolver; enable it afterwards to compare with the root → TLD → authoritative path.

How does the propagation test work?

The test queries a set of public resolvers (Google, Cloudflare, Quad9, OpenDNS, ISPs…) in parallel and groups the answers by content and RCODE. You instantly see who already picked up the update.

  1. 1. Multi-point resolvers

    Enables the propagation presets to question several actors spread around the world.

  2. 2. Automatic comparison

    Groups identical answers and highlights divergences or resolver-specific errors.

  3. 3. Actionable summary

    Provides a clear recap, the resolver list, their latencies, and each group's status.

When to use it?

  • Track how a DNS change propagates worldwide
  • Spot stale caches and decide on a targeted flush
  • Share a propagation snapshot in a ticket or post-mortem

Tip: while the propagation test is active, the resolver selector is frozen. Disable the mode to return to single-resolver diagnostics.

Additional information about DNS SOA records

A SOA record describes the authority of a DNS zone. It indicates the primary authoritative server and the contact address. It provides a serial number as well as timing values for secondary server synchronization.
A SOA record contains a name, a type, a primary server, a contact, a serial number and five durations. The TTL indicates how long the response remains cached in the local resolver.

Example of SOA type DNS record

NameTypePrimary Server MNAMEContact RNAMESerialRefreshRetryExpireMinimum TTLTTL in seconds
@SOAns1.example.net.hostmaster.example.com.20250903017200900120960036003600

In this example, the name @ targets the zone apex. The primary server must resolve to A or AAAA. The contact is written like an email address with a dot instead of the at sign. For example, hostmaster.example.com corresponds to hostmaster@example.com. The serial progresses with each zone modification. The refresh, retry, expire and minimum TTL values are in seconds.

Role of fields in brief

The primary server MNAME designates the reference host for the zone.
The contact RNAME receives messages related to the zone.
The serial allows secondaries to know if a more recent version exists.
Refresh indicates when a secondary checks the primary.
Retry indicates the wait time between two attempts after a failure.
Expire indicates after how long a secondary abandons a zone that has become impossible to update.
Minimum TTL serves negative caching. It sets the duration during which an absence of response remains cached. The default TTL of records is set elsewhere in the zone.

Good to know
There is only one SOA per zone. It is published at the apex alongside NS records. The minimum TTL field does not define the default TTL of other records. It serves negative caching.

TTL explained clearly

The SOA's TTL controls the cache duration of the SOA response on the resolver side. A TTL that is too long can delay the recognition of a serial change. A reasonable TTL improves responsiveness without overloading authoritative servers.

Where to use a SOA record

At the zone apex. Always. Delegated subdomains have their own SOA in their dedicated zone. A CNAME must not appear at the apex because the zone must already publish SOA and NS.

To avoid
Forgetting to increase the serial after a zone modification.
Setting a primary server that doesn't resolve to A or AAAA.
Inverting refresh and retry.
Using an expire that is too short which causes the zone to drop at secondaries.

Check online

An online DNS lookup allows you to enter a domain name. The result displays the SOA as it is seen from the Internet. You can read the primary server, the contact, the serial and the timing values. Then perform a local test from your machine.

Check under Windows

Windows provides nslookup. You can use it in interactive mode.

Local resolver
nslookup
set q=soa
example.com
Specific resolver
nslookup
set q=soa
server 1.1.1.1
example.com

The first part queries, according to the machine's network configuration. The second forces the use of a third-party resolver, here Cloudflare's.

Check under Linux and Mac

On these systems, the dig command is practical and easy to use.

Local resolver
dig SOA example.com
Specific resolver
dig SOA example.com @1.1.1.1

Quick reading of responses

An older serial on a secondary server indicates a transfer delay.
A very long refresh delays the propagation of changes.
An expire that is too short can cause a secondary to abandon the zone.
A malformed contact prevents receiving useful messages.

Simple migration procedure

  1. Prepare the zone update.
  2. Increase the serial.
  3. Reload the zone on the primary server.
  4. Let the secondaries update or trigger a transfer if the tool allows it.
  5. Check the new serial from several networks then validate.

Practical tip
Adopt a predictable serial format. A date format followed by a counter facilitates tracking. For example, 2025090301 for the first modification of the day.

Common cases

DNS provider change

Set up the zone on the new service. Check SOA and NS. Switch delegation when everything is ready.

Adding a secondary server

Allow zone transfer on the primary. Check that the secondary properly retrieves the zone and displays the correct serial.

Contact address correction

Update RNAME. Test that messages reach the correct recipient.

Quick troubleshooting

  1. If the SOA differs according to authoritative servers, wait for a refresh cycle then check again.
  2. If a secondary remains stuck on an old serial, check network access and zone transfer rights.
  3. If the zone disappears at a secondary, increase expire and check the primary's health.
  4. If the response remains old despite the update, wait for TTL expiration and purge the local resolver cache if possible.

In summary, a SOA record defines the authority of a zone. It indicates the primary server, the contact, the serial and the timing values that regulate synchronization. Only one SOA at the apex. Consistent values ensure reliable propagation. Verification goes through an online tool, then through nslookup and dig.
With these references, management remains clear. Changes proceed without stress. DNS services respond as expected.