How to Check Domain Health: Complete Checklist

A healthy domain has valid DNS, unexpired SSL, working email authentication, good security headers, and is not on any blacklists. This guide covers every check with tools and fixes.


A domain health check ensures that your website, email, and security configuration are all working correctly. Problems like an expired SSL certificate, a missing SPF record, or a blacklisted IP can silently hurt your website's performance, email deliverability, and visitor trust. This guide covers every dimension of domain health with tools to check each area.

Domain Health Checklist

| Category | What to Check | ShowDNS Tool |
|---|---|---|
| DNS | A, MX, NS, TXT, CNAME records correct | Check All DNS Records |
| DNS Health | Nameservers responding, SOA valid | DNS Health Checker |
| SSL | Certificate valid, chain complete, not expired | SSL Checker |
| SSL Expiry | Certificate expires in >30 days | SSL Expiration Checker |
| TLS | TLS 1.2/1.3 enabled, TLS 1.0/1.1 disabled | TLS Checker |
| Email Auth | SPF, DKIM, DMARC configured and valid | Email Health Check |
| Blacklist | Domain/IP not on spam blacklists | Blacklist Checker |
| Security Headers | HSTS, CSP, X-Frame-Options, etc. | Security Headers |
| Domain Expiry | Domain registered and not expiring soon | Domain Expiry Checker |
| HTTPS Redirect | HTTP redirects to HTTPS with 301 | HTTP to HTTPS Test |

1. DNS Record Check

Verify all DNS records are correctly configured:

```bash
# Check all record types
# (many servers answer ANY with a minimal response, per RFC 8482, so rely on the per-type queries)
dig example.com ANY

# Key records to verify:
dig example.com A +short            # Website IP
dig example.com MX +short           # Mail servers
dig example.com TXT +short          # SPF and verification records (DKIM and DMARC live at their own names)
dig example.com NS +short           # Nameservers
dig _dmarc.example.com TXT +short   # DMARC policy
```

Or use the ShowDNS Check All DNS Records tool for a single-page overview.

2. DNS Health Check

A DNS health check verifies that your nameservers are:

  • Responding to queries from multiple locations.
  • Returning consistent answers.
  • All serving the same SOA serial number (no sync issues).
  • Not returning SERVFAIL for your domain.

```bash
# Test each nameserver
dig example.com A @ns1.example-dns.com +short
dig example.com A @ns2.example-dns.com +short
# Both should return the same IP

# Check SOA across nameservers (serial should match)
dig example.com SOA @ns1.example-dns.com +short
dig example.com SOA @ns2.example-dns.com +short
```

3. SSL Certificate Check

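```bash
# </dev/null closes stdin so s_client exits after the handshake;
# -servername sends SNI so the server returns the certificate for this hostname.

# Check certificate expiry
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates

# Check certificate chain
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | grep -c "BEGIN CERTIFICATE"
# Should return 2 or more

# Check hostname coverage
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -text | grep "DNS:"
```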

4. Email Authentication Check

Email authentication prevents your domain from being used in phishing and spam. Check all three:

```bash
# SPF record
dig example.com TXT +short | grep spf
# Expected: "v=spf1 ... ~all" or "-all"

# DKIM (replace 'selector' with your actual selector)
dig selector._domainkey.example.com TXT +short
# Expected: "v=DKIM1; k=rsa; p=..."

# DMARC
dig _dmarc.example.com TXT +short
# Expected: "v=DMARC1; p=quarantine|reject; rua=mailto:..."
```

DMARC at p=none is insufficient: A DMARC record with p=none provides monitoring but no protection. For full email security, move to p=quarantine or p=reject.
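The "Expected" comments above can be turned into a check that grades a record instead of only displaying it. The following is an added example, not part of the original guide; the function names are hypothetical and the records in the demo loop are constructed samples.

```bash
# Added example. Input is a TXT value as printed by `dig +short`;
# every record used below is a constructed sample.

# Join the quoted chunks dig prints for long TXT records, then drop quotes.
txt_join() { printf '%s' "$1" | sed 's/" "//g; s/"//g'; }

# DMARC policy: reject, quarantine, none (monitoring only), or invalid.
dmarc_policy() (
    rec=$(txt_join "$1" | tr -d ' \t')
    case "$rec" in
        v=DMARC1\;*) ;;
        *) echo invalid; exit 0 ;;
    esac
    # One tag per line; ^p= cannot match sp= or pct=.
    p=$(printf '%s\n' "$rec" | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1 | tr 'A-Z' 'a-z')
    case "$p" in
        reject|quarantine|none) echo "$p" ;;
        *) echo invalid ;;
    esac
)

# SPF catch-all: fail (-all), softfail (~all), neutral (?all),
# pass (+all or bare all: any host may send), none (no all term), or invalid.
spf_all() (
    set -f    # keep "?all" from being expanded as a filename glob
    rec=$(txt_join "$1" | tr 'A-Z' 'a-z')
    case "$rec" in
        "v=spf1"|"v=spf1 "*) ;;
        *) echo invalid; exit 0 ;;
    esac
    for term in $rec; do
        case "$term" in
            -all) echo fail; exit 0 ;;
            "~all") echo softfail; exit 0 ;;
            "?all") echo neutral; exit 0 ;;
            +all|all) echo pass; exit 0 ;;
        esac
    done
    echo none
)

# Demo on constructed records.
for r in '"v=DMARC1; p=none; rua=mailto:dmarc@example.com"' \
         '"v=DMARC1; p=reject; rua=mailto:dmarc@example.com"'; do
    echo "DMARC $(dmarc_policy "$r"): $r"
done
echo "SPF $(spf_all '"v=spf1 include:_spf.example.net ~all"')"
```

Against a live domain, pass the output of the `dig` commands above, for example `dmarc_policy "$(dig _dmarc.example.com TXT +short)"`.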

5. Blacklist Check

If your domain or server IP is on a spam blacklist, email delivery to major providers may be rejected or delayed:

```bash
# Find your server's IP first
dig example.com A +short

# Then check reverse DNS
dig -x YOUR_SERVER_IP +short

# Check specific blacklists (example with nslookup)
# If the IP is 192.0.2.1, reverse it to 1.2.0.192
nslookup 1.2.0.192.zen.spamhaus.org
# NXDOMAIN = not listed (good)
# Any IP response = listed (bad)
```

Use the ShowDNS Blacklist Checker to check your domain and IP against dozens of blacklists simultaneously.
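The manual lookup above can be scripted. This added example (not from the original guide; function names are hypothetical, sample values are constructed) builds the reversed query name and interprets the answer. It also separates a real listing from the 127.255.255.x answers that Spamhaus documents as error codes, which it returns, for instance, when the query arrives through a public resolver.

```bash
# Added example. Nothing queries the network until dnsbl_check is called.

# Build the DNSBL query name: reversed IPv4 octets + zone.
dnsbl_qname() (
    ip=$1 zone=${2:-zen.spamhaus.org}
    set -f; IFS=.; set -- $ip          # split the address on dots
    [ $# -eq 4 ] || { echo "not IPv4: $ip" >&2; exit 2; }
    for o in "$@"; do
        case "$o" in
            ''|*[!0-9]*|????*) echo "not IPv4: $ip" >&2; exit 2 ;;
        esac
        [ "$o" -le 255 ] || { echo "not IPv4: $ip" >&2; exit 2; }
    done
    echo "$4.$3.$2.$1.$zone"
)

# Interpret the A records returned for that name (empty = NXDOMAIN).
dnsbl_verdict() (
    set -f
    [ -n "$1" ] || { echo not-listed; exit 0; }
    verdict=unexpected
    for a in $1; do
        case "$a" in
            127.255.255.*) echo query-error; exit 0 ;;  # error code, not a listing
            127.0.0.*) verdict=listed ;;
        esac
    done
    echo "$verdict"
)

# Live check: needs dig and a resolver the DNSBL accepts queries from.
dnsbl_check() {
    name=$(dnsbl_qname "$1" "$2") || return 2
    dnsbl_verdict "$(dig +short A "$name")"
}

# Demo on constructed values (192.0.2.1 is a documentation address).
dnsbl_qname 192.0.2.1
dnsbl_verdict "127.255.255.254"
```

A `query-error` result means the check itself failed and should be repeated through a different resolver before drawing any conclusion.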

6. Security Headers Check

```bash
curl -I https://example.com 2>/dev/null | grep -iE "strict-transport|content-security|x-frame|x-content-type|referrer-policy"
# Missing headers = security gaps to address
```
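The grep above shows the headers that are present; the gaps are the ones that are absent. This added example (not from the original guide; function names are hypothetical, sample responses are constructed) prints the missing headers directly and also covers the checklist's "HTTP redirects to HTTPS with 301" item.

```bash
# Added example. Both functions read raw `curl -sI` output on stdin;
# the sample responses below are constructed.

# Print each header from this guide's list that the response lacks.
missing_security_headers() (
    # Header names are case-insensitive and lines end in CRLF: normalise both.
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    for h in strict-transport-security content-security-policy \
             x-frame-options x-content-type-options referrer-policy; do
        printf '%s\n' "$hdrs" | grep -q "^$h:" || echo "$h"
    done
)

# Classify the answer to a plain http:// request:
# ok (301 to https://), wrong-status (other 3xx to https://), no-redirect.
https_redirect() (
    resp=$(tr -d '\r' | tr 'A-Z' 'a-z')
    code=$(printf '%s\n' "$resp" | sed -n '1s/^http\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    loc=$(printf '%s\n' "$resp" | sed -n 's/^location:[[:space:]]*//p' | head -n 1)
    case "$loc" in
        https://*) ;;
        *) echo no-redirect; exit 0 ;;
    esac
    case "$code" in
        301) echo ok ;;
        3??) echo wrong-status ;;
        *) echo no-redirect ;;
    esac
)

SAMPLE_HTTPS=$(printf 'HTTP/2 200\r\ncontent-type: text/html\r\nStrict-Transport-Security: max-age=31536000\r\nX-Frame-Options: DENY\r\n')
SAMPLE_HTTP=$(printf 'HTTP/1.1 302 Found\r\nLocation: https://example.com/\r\n')

printf '%s\n' "$SAMPLE_HTTPS" | missing_security_headers
printf '%s\n' "$SAMPLE_HTTP" | https_redirect
```

For a live site, feed the functions with `curl -sI https://example.com | missing_security_headers` and `curl -sI http://example.com | https_redirect`.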

7. Domain Expiry Check

```bash
whois example.com | grep -i "expir"
# Check the expiry date is far enough in the future
```

Set up renewal reminders at least 60 days before expiry. Use the ShowDNS Domain Expiry Checker to monitor multiple domains.

Running a Full Domain Health Check

The ShowDNS Domain Health Check tool runs all the above checks in one place and provides a summary with recommendations for any issues found.

Frequently Asked Questions

How often should I audit domain health?

Quarterly audits are a minimum. High-traffic sites or sites handling sensitive data should audit monthly. Always run a full audit after any DNS, hosting, or SSL changes.

What is the most critical domain health issue to fix first?

SSL certificate expiry and domain expiry are the most urgent — either can take your website completely offline with no warning. Email blacklisting and missing email authentication (SPF/DKIM/DMARC) are next, as they directly affect revenue and brand trust.

Can a domain health issue affect SEO?

Yes. SSL certificate issues (no HTTPS or mixed content) can affect search rankings. Slow DNS resolution increases page load time. Blacklisted IPs can lead to lower crawl rates from search engines.
