What does the DNS health score mean?

The DNS health score is a weighted percentage based on 25+ automated tests covering parent delegation, nameserver configuration, SOA records, mail routing, and security. A score of 100% means everything passed cleanly. If you see 85%, that usually means a few non-critical warnings (missing CAA records, non-standard SOA serial format) or one moderate issue like an invalid SPF record. Critical failures like lame delegations and missing NS records hit the score harder than informational items. The score gives you a quick read, but the real value is in the detailed breakdown underneath. Each test shows pass, warning, or fail status with a plain-language explanation of what went wrong and how to fix it. For a full audit, run a DNS Propagation Checker scan afterward to confirm your records are consistent across resolvers worldwide.

What is parent DNS and why does it matter?

Parent DNS refers to the TLD-level nameservers (like the .com servers run by Verisign) that form the delegation chain as defined in RFC 1034. When a recursive resolver looks up your domain, it first asks the parent TLD server which nameservers are authoritative for your zone. If the parent has no NS records for your domain or lists the wrong nameservers, your domain essentially does not exist on the internet. No website, no email, nothing resolves. DNSChkr verifies delegation by comparing NS records at the parent with those in your actual zone file. It also checks for glue records, the IP address hints embedded at the parent level. Glue records are required when your nameservers live within your own domain. For example, if example.com uses ns1.example.com as a nameserver, glue records must exist at the .com level. Without them, you get a circular dependency where the resolver needs to look up your nameserver but cannot find it without first reaching your nameserver.

What should I check after switching nameservers?

After migrating to Cloudflare, AWS Route 53, Google Cloud DNS, or any new provider, there are several things you need to verify. Start by confirming the parent TLD servers list your new nameservers. Then check that NS records match between the parent zone and your authoritative zone file, because mismatches cause intermittent resolution failures that are maddening to debug. Verify SOA serial numbers are consistent across all nameservers to confirm zone data is synchronized. Check that A and AAAA records resolve to the correct IP addresses at your new host. And critically, confirm MX records still point to your email provider. Mail routing breaks during migrations more often than people expect. DNSChkr tests all of these in a single scan. Pay special attention to the Mismatched NS Records and Lame Delegation tests, since these are by far the most common post-migration failures. Run a propagation check afterward to confirm the changes have reached resolvers worldwide.

Why are my MX records important?

MX (Mail Exchange) records tell other mail servers where to deliver email for your domain, as defined in RFC 5321. Get them wrong and incoming messages either bounce with errors like "550 No MX Record Found" or queue up until they time out. DNSChkr validates several aspects of your MX setup: that MX records exist and are consistent across all authoritative nameservers, that each mail server hostname resolves to a valid public IP address, that no MX record points to a CNAME (which violates RFC 2181), and that priority values make sense for failover. If you use Google Workspace, MX records need to point to aspmx.l.google.com and its alternates. For Microsoft 365, they should point to your tenant-specific mail.protection.outlook.com hostname. Even a single typo in an MX hostname causes silent email delivery failures. People often do not realize anything is wrong until someone mentions they never received an important message, which makes regular validation essential for any domain that receives email.

What are SPF, DKIM, and DMARC and why do they show up in my DNS check?

SPF, DKIM, and DMARC are email authentication standards stored as DNS TXT records. They work together to prevent spoofing and improve deliverability. SPF (RFC 7208) publishes which IP addresses and servers are authorized to send email for your domain. DKIM (RFC 6376) adds a cryptographic signature to outgoing emails that recipients verify using a public key in your DNS. DMARC (RFC 7489) ties them together by telling receiving mail servers what to do when authentication fails, whether to quarantine or reject the message. DNSChkr parses all three and flags common misconfigurations. The ones that come up most often are circular SPF includes that blow past the 10-lookup limit, overly permissive policies like +all that let anyone spoof your domain, missing DMARC records that leave you blind to authentication failures, and DKIM selectors that do not resolve. These three standards form the foundation of modern email security, and most deliverability problems trace back to getting one of them wrong.

What is DNSSEC and should I enable it?

DNSSEC adds cryptographic signatures to DNS responses so resolvers can verify the data has not been tampered with in transit. It is defined across RFC 4033, RFC 4034, and RFC 4035. Without DNSSEC, an attacker can intercept DNS queries and return forged responses through cache poisoning or man-in-the-middle attacks. Enabling DNSSEC creates a chain of trust from the root zone down to your domain, with each level signing the delegation to the next. The good news is that most major DNS providers (Cloudflare, AWS Route 53, Google Cloud DNS) make activation straightforward. You typically just need to add a DS record at your registrar. While not strictly mandatory, DNSSEC is strongly recommended for domains handling sensitive traffic like banking, healthcare, e-commerce, or government services. DNSChkr checks whether your domain has valid DNSKEY and DS records and whether the signature chain validates correctly all the way from the root zone.

What does 'lame delegation' mean?

A lame delegation happens when the parent TLD servers list a nameserver as authoritative for your domain, but that nameserver either does not have your zone data or refuses to respond authoritatively. RFC 1912 specifically calls this out as problematic, and it is one of the most common DNS misconfigurations. It usually happens when you switch DNS providers but forget to update NS records at your registrar, when a secondary nameserver subscription lapses, or when a hosting provider decommissions a server without telling you. The symptoms are frustrating: roughly half of DNS queries reach the working nameserver while the other half hit the broken one. Users experience unpredictable timeouts where some page loads work fine and others hang for seconds before falling back. The intermittent nature makes it particularly hard to diagnose without the right tools. DNSChkr tests each listed nameserver individually with an authoritative query to detect lame delegations and flags exactly which server is non-responsive.

How do I interpret SOA record values?

The SOA (Start of Authority) record contains operational parameters that control how your DNS zone behaves, as defined in RFC 1035 with recommended values in RFC 1912. The serial number is a version counter that must increment with every zone update. The common YYYYMMDDNN format allows up to 100 changes per day. The refresh interval (typically 3600-86400 seconds) tells secondary nameservers how often to check the primary for updates. Retry (usually 900-3600 seconds) controls how long to wait after a failed refresh before trying again. The expire value (typically 604800-2419200 seconds) determines how long secondaries keep serving zone data if the primary goes completely unreachable. Then there is the minimum TTL field (300-86400 seconds), which sets negative caching duration per RFC 2308. This controls how long resolvers remember that a record does not exist, which matters more than people realize. DNSChkr validates each value against RFC 1912 recommended ranges and checks that serial numbers are consistent across all your nameservers.

Why does my domain show different results on different DNS tools?

DNS tools show different results because they query from different locations and use different resolution strategies. Some tools query your authoritative nameservers directly, showing the canonical source of truth for your zone data. Others query through recursive resolvers like Google Public DNS (8.8.8.8) or Cloudflare (1.1.1.1), which shows what end users actually see, including potentially stale cached responses. DNSChkr queries your authoritative nameservers for the most accurate current picture and also checks what the parent TLD servers report to catch delegation mismatches. If you see discrepancies between tools, caching is almost always the cause. Resolvers cache records for the duration specified by the TTL value. So a resolver that cached your old A record with a TTL of 86400 seconds will keep serving stale data for up to 24 hours regardless of what you changed. Running a DNS propagation check reveals exactly which resolvers worldwide have picked up your latest changes and which are still holding onto cached copies.

Can I use this tool to check my DNS before making it live?

DNSChkr inspects your live, publicly-accessible DNS configuration by querying real authoritative nameservers in real time. This makes it ideal for verifying changes right after applying them, catching misconfigurations, or auditing a domain before buying it. However, it cannot test unpublished changes because DNS is a public protocol and all queries go to production nameservers. If you want to test DNS changes before going live, you have a few options. Set up a staging zone on a separate subdomain like staging.example.com and configure it identically to your planned production setup. Cloudflare and AWS Route 53 also offer zone preview or import validation features. Another approach is to lower your TTL to 300 seconds well before the change, make the update, verify with DNSChkr, and roll back quickly if something looks wrong. The short TTL ensures resolvers worldwide pick up any correction within minutes rather than hours.

How is DNSChkr's DNS Inspector different from other DNS tools?

Most DNS tools — including dig, nslookup, MXToolbox, and IntoDNS — show raw DNS records and leave interpretation to you. DNSChkr goes significantly further. Every scan produces a scored health report that grades your DNS configuration across 25+ tests, then explains every finding in plain language with actionable fix recommendations. The report detects your CDN provider (Cloudflare, AWS CloudFront, Akamai), identifies your email provider (Google Workspace, Microsoft 365, Zoho), validates the full delegation chain from parent TLD servers through your authoritative nameservers, and checks email authentication (SPF, DKIM, DMARC) against their respective RFCs. Results are structured for both technical engineers who need precise diagnostic data and non-technical domain owners who need to understand what is wrong and how to fix it. No other free DNS tool combines this depth of automated analysis with clear, human-readable explanations in a single scan.

What is the best free DNS health check tool?

The best free DNS health check tool depends on what you need. For a comprehensive all-in-one audit, DNSChkr is the most thorough free option available — it runs 25+ automated tests across parent delegation, nameserver health, SOA validation, mail routing, email authentication, and security, producing a scored 0 to 100 report with prioritized fix recommendations. For email-specific diagnostics and blacklist checking, MXToolbox is the industry standard. For DNS propagation monitoring across global resolvers, DNSChecker is purpose-built for that. For quick delegation checks, IntoDNS provides solid basic analysis. For raw DNS queries with full control, dig is the professional command-line tool. No single tool is best at everything, but DNSChkr covers the widest range of checks in a single scan with the most actionable output.

Why does DNS misconfiguration cost businesses money?

DNS is the entry point for every interaction with your domain. When DNS is misconfigured, visitors cannot reach your website, emails bounce or disappear silently, and SSL certificates fail to issue. Each of these directly impacts revenue. A lame delegation causes roughly half of all DNS queries to fail, meaning half your potential visitors see timeout errors instead of your website. Broken MX records mean incoming sales inquiries, customer support emails, and partnership requests never arrive. Expired or incorrect SPF and DMARC records cause legitimate business emails to land in spam folders, reducing response rates. For e-commerce sites, even a few hours of DNS downtime during a peak period can mean thousands of dollars in lost sales. DNSChkr catches these issues proactively — before customers notice. Running a DNS health check after any infrastructure change, and periodically as a routine audit, is one of the simplest ways to protect the investment you have already made in your website and online presence.

DNS Checker(beta)

DNS Inspector Propagation Checker

DNSInspector

Comprehensive DNS analysis for your domains.
Check nameservers, records, and configuration in seconds.

DNSInspector

A DNS inspector is a diagnostic tool that analyzes every layer of a domain’s DNS configuration and produces a scored health report. DNSChkr runs 25+ automated tests — from parent delegation through email authentication — and explains every finding in plain language with fix recommendations.

Recent DNS Health Checks by the Community

Updated 2026-04-11 17:16:43 UTC

Domains recently inspected using the DNS health checker. Each score shows the percentage of DNS tests passed — covering nameservers, mail routing, DNSSEC, and more.

Recently Scanned

Top Scores

Needs Improvement

Written by Ishan Karunaratne · Last updated: March 14, 2026

What Is a DNS Inspector and Why Does It Matter?

A DNS inspector is a tool that examines a domain’s entire DNS configuration — the delegation chain, nameserver health, record consistency, mail routing, email authentication, and security settings — and reports what is working, what is broken, and what needs to be fixed. DNS is the foundation of every online interaction. If it is misconfigured, visitors cannot reach your website, emails bounce or land in spam, and SSL certificates fail to issue. Every one of those failures translates directly to lost revenue, lost customers, and wasted investment in the website and infrastructure you have already built.

The problem is that DNS misconfiguration is invisible. There is no error page, no alert, and no dashboard that tells you half your visitors are timing out because one of your nameservers is not responding. A broken MX record does not send you a notification — emails simply stop arriving. An invalid SPF record does not announce itself — your outbound emails quietly start landing in spam. By the time someone notices, the damage is done. A DNS inspector makes these invisible problems visible, and DNSChkr’s inspector does it more thoroughly than any other tool available.

What Makes DNSChkr’s DNS Inspector Different?

Most DNS tools — including dig, nslookup, MXToolbox, and IntoDNS — show raw DNS records and leave you to figure out what they mean. If you know what a SOA serial mismatch looks like or can spot a lame delegation in a dig trace, those tools work. But for the vast majority of people managing domains — business owners, marketers, developers who are not DNS specialists — raw records are not actionable. DNSChkr was built to bridge that gap.

Every scan produces a scored health report that grades your DNS configuration on a 0 to 100 scale, then walks through every finding with a clear explanation of what it means and a specific recommendation for how to fix it. The report is designed to be useful whether you are a network engineer debugging a complex delegation issue or a business owner who just needs to know if your domain is set up correctly. Here is what that looks like in practice:

Scored Health Report

A single health score from 0 to 100 tells you immediately whether your DNS needs attention. Below the score, every test is categorized and color-coded — green for pass, yellow for warning, red for failure. Critical issues like lame delegations and missing NS records are weighted more heavily than informational items like non-standard SOA serials.

Plain-Language Explanations

Every test result includes a human-readable explanation of what was checked and why it matters. If your NS records do not match between the parent zone and your authoritative servers, the report does not just say “NS mismatch” — it explains that this means some DNS queries will fail unpredictably and tells you exactly which records need to change.

Actionable Fix Recommendations

Every warning and failure comes with a specific, step-by-step recommendation. Not “fix your SPF record” but “your SPF record exceeds the 10-lookup limit — remove the unused include for _spf.google.com or flatten your includes.” Recommendations are prioritized so you know which fixes will have the biggest impact.

CDN and Provider Detection

The report automatically identifies whether your domain is behind Cloudflare, AWS CloudFront, Akamai, Fastly, or another CDN. It detects your email provider — Google Workspace, Microsoft 365, Zoho, ProtonMail — from MX records. This means you do not need to run dig commands or trace headers to answer basic questions like “is my site on Cloudflare?”

Full Delegation Chain Analysis

DNSChkr traces the entire resolution path from the parent TLD servers (the .com servers at Verisign, for example) through your authoritative nameservers. It compares what the parent says with what your zone actually contains. This catches delegation mismatches, missing glue records, and lame delegations — the issues that cause the most damaging intermittent failures.

25+ Automated Tests in One Scan

A single scan covers parent delegation, glue records, nameserver health, lame delegation detection, NS record consistency, SOA validation, A/AAAA records, MX routing, mail server reachability, SPF parsing, DKIM validation, DMARC policy checks, DNSSEC chain of trust, CAA records, zone transfer restrictions, and CDN detection. No need to jump between multiple tools.

How DNSChkr Compares to Other DNS Tools

Most DNS tools specialize in one area — MXToolbox focuses on email diagnostics, DNSChecker on propagation, dig on raw queries. DNSChkr is the only free tool that combines all of these capabilities into a single scored health report with prioritized fix recommendations. Here is a feature-by-feature comparison with the most commonly recommended alternatives.

Feature	DNSChkr	MXToolbox	IntoDNS	dig	DNSChecker
Scored health report (0–100)	Yes	No	Partial	No	No
Parent delegation chain analysis	Yes	No	Yes	Manual	No
Lame delegation detection	Yes	No	Yes	Manual	No
Email auth (SPF/DKIM/DMARC)	Yes	Yes	Partial	Manual	No
CDN and proxy detection	Yes	No	No	No	No
Email provider identification	Yes	Yes	No	No	No
DNSSEC chain validation	Yes	Yes	Yes	Manual	No
Prioritized fix recommendations	Yes	Some	RFC links	No	No
Blacklist (DNSBL) checking	50+ lists	100+ lists	No	No	No
SMTP diagnostics	Yes	Yes	No	No	No
Email deliverability tester	Yes	No	No	No	No
Global propagation testing	Separate tool	No	Limited	No	Yes
Number of automated tests	25+	Varies	~15	1 per query	1 per query
Cost	Free	Free (limited)	Free	Free (CLI)	Free

DNSChkr is the only platform that combines delegation chain analysis, nameserver health, email authentication, blacklist monitoring, SMTP diagnostics, email deliverability testing, security checks, and CDN detection — all in a single scored report with prioritized fix recommendations. MXToolbox focuses narrowly on email. IntoDNS provides basic delegation analysis. dig requires command-line expertise. DNSChecker specializes in propagation only.

DNSChkr vs MXToolbox: Which Should You Use?

MXToolbox is a well-known DNS tool focused primarily on email deliverability. It offers blacklist checks and SPF/DKIM/DMARC lookups — but DNSChkr provides all of those capabilities and more. DNSChkr includes a dedicated Blacklist Checker that scans 50+ DNSBL lists, individual SPF, DKIM, and DMARC record checkers with RFC-level validation, an SMTP Diagnostics tool that tests live mail server connections, an Email Tester for end-to-end deliverability testing, an Email Header Analyzer, and an MX Record Lookup tool. MXToolbox does not offer an email tester, does not check parent delegation, does not detect lame delegations, does not validate SOA records against RFC 1912, does not identify CDN providers, and does not produce a scored health report. DNSChkr covers every email diagnostic MXToolbox offers while also providing a complete DNS infrastructure audit — making it the more comprehensive choice for domain administrators who want a single platform for both email and DNS health.

DNSChkr vs IntoDNS: Key Differences

IntoDNS is a respected free DNS checker that provides solid delegation and nameserver analysis. Both IntoDNS and DNSChkr check parent delegation, NS record consistency, and SOA validation. Where they differ: DNSChkr produces a weighted 0–100 health score while IntoDNS uses basic pass/fail icons with no overall grade. DNSChkr validates SPF, DKIM, and DMARC records in depth while IntoDNS checks SPF only partially. DNSChkr detects CDN providers and email providers automatically. And DNSChkr provides prioritized fix recommendations explaining what to fix first and how, while IntoDNS links to relevant RFCs but leaves interpretation to the user. For quick delegation checks, IntoDNS works well. For a comprehensive audit with actionable guidance, DNSChkr provides more depth and clearer explanations.

Backed by Real DNS Data at Scale

DNSChkr is not just a lookup tool — it is built on top of one of the largest DNS datasets publicly available. The platform analyzes over 247 million domains daily from TLD zone files, maintains 220 million WHOIS/RDAP records covering 1,900+ TLDs, and tracks 1,500+ DNS providers with market share data. This dataset powers the inspector’s ability to identify your CDN provider, email provider, and nameserver provider instantly — because DNSChkr already knows which providers serve which infrastructure patterns across the global DNS ecosystem.

247M+

Domains analyzed daily

220M+

WHOIS records maintained

1,933

TLDs in the directory

1,500+

DNS providers tracked

What Problems Does a DNS Health Check Catch?

DNS misconfigurations range from catastrophic (your domain does not resolve at all) to subtle (emails intermittently land in spam). Many of these issues are invisible to the domain owner until they cause real damage. Here are the most common problems DNSChkr detects, what they mean, and why they matter.

Problem	What It Means	Impact
Lame delegation	A listed nameserver does not respond authoritatively for your domain	~50% of DNS queries fail — intermittent timeouts for visitors
NS record mismatch	Parent TLD servers and your zone file list different nameservers	Unpredictable resolution failures, especially after provider migrations
Missing glue records	Nameserver IPs not embedded at the parent level when required	Circular dependency — domain cannot resolve at all
Broken MX records	Mail server hostnames do not resolve or point to invalid IPs	Incoming emails bounce silently — senders may not retry
Invalid SPF record	Too many DNS lookups, permissive +all, or syntax errors	Outbound emails land in spam or get rejected entirely
Missing DMARC	No DMARC record published for the domain	No visibility into email spoofing — attackers can send as your domain
SOA serial mismatch	Different nameservers report different serial numbers	Zone data is out of sync — some servers serve stale records
No DNSSEC	Domain is not signed with DNSSEC	Vulnerable to cache poisoning and DNS spoofing attacks

Each of these issues appears in the scored report with a severity level, explanation, and fix recommendation. The most dangerous problems — lame delegations, missing NS records, broken MX — are weighted most heavily in the health score.

What Does the DNS Inspector Check?

Every scan follows the DNS resolution chain from top to bottom. Tests are ordered by dependency — if delegation is broken at the top, everything below it will fail too. Here is what each category covers.

Parent DNS & Delegation

Queries the TLD servers (like the .com servers at Verisign) to confirm your domain is properly delegated. Checks that nameservers are listed at the parent, glue records are present when needed, and delegation matches your actual zone. A broken delegation means your domain is unreachable — no website, no email, nothing.

Nameserver Health

Tests each nameserver individually: are they responding, are they authoritative, do they agree on the same records? Checks for lame delegations, open recursive queries (a security risk), mismatched NS records between servers, and whether you have enough nameserver redundancy per RFC 2182.

SOA Record Validation

The SOA record controls zone operations — serial numbers, refresh intervals, retry timing, and cache behavior. Validates each value against RFC 1912 recommended ranges, checks serial consistency across all nameservers, and flags misconfigurations that could cause zone transfer failures or stale data.

Mail Routing (MX)

Email delivery depends entirely on correct MX records. Verifies that all nameservers report identical MX configurations, each mail server hostname resolves to a valid public IP, priorities are set correctly, and no MX record points to a CNAME (violates RFC 2181). Identifies your mail provider — Google Workspace, Microsoft 365, Zoho — so you can confirm it matches expectations.

Email Authentication (TXT)

Parses TXT records to find and validate SPF, DKIM, and DMARC entries. Flags circular SPF includes, too many lookups, overly permissive policies, and missing DMARC records. For a deep dive, see our guide on SPF, DKIM, and DMARC email authentication.

Security & Infrastructure

Checks DNSSEC status, CAA records (which Certificate Authorities can issue certs), and zone transfer restrictions. Detects CDN and proxy configurations — Cloudflare, AWS CloudFront, Akamai, Fastly — and explains what that means for your setup. Also available: HTTP Security Headers and Reputation Check.

When Should You Run a DNS Health Check?

A DNS health check is not something you run every day, but there are critical moments where a full inspection prevents hours of troubleshooting or catches a problem before it costs you traffic and revenue. The most important time to run one is immediately after any infrastructure change — switching hosting providers, migrating DNS to Cloudflare or Route 53, changing email providers, or updating nameservers. These are the moments when misconfigurations are most likely to be introduced.

After switching hosting or DNS providers

Verify that delegation, glue records, A/AAAA records, and MX records all survived the migration intact. Then confirm worldwide resolution with the Propagation Checker.

When emails are not being delivered

Check MX records, SPF, DKIM, and DMARC in one scan. Most email delivery issues trace back to DNS misconfigurations — broken MX routing, invalid SPF syntax, or missing DMARC policies.

When your site is intermittently unreachable

Lame delegations, mismatched NS records, or expired zones cause random resolution failures that are nearly impossible to diagnose without inspecting each nameserver individually — which is exactly what this tool does.

Before or during a security audit

Check DNSSEC chain of trust, CAA records, zone transfer exposure, open recursive queries, and email authentication in one pass. The scored report serves as documentation for compliance reviews.

When evaluating a domain to acquire

Understand the current DNS setup, identify technical debt, and check for issues that could affect the transfer or require immediate work after purchase.

As a periodic health check

DNS records drift over time — deprecated TXT records from old verification attempts, stale MX entries from email trials, forgotten subdomains. A quarterly inspection catches problems before they affect users.

How Do You Read Your DNS Report?

The report breaks down into categories that follow the natural DNS resolution chain. Each test gets a pass, warning, or fail status with a plain-language explanation. Here is how to read the results and prioritize fixes.

The health score

A weighted percentage where critical issues (lame delegations, missing NS records, broken MX) impact the score more heavily than informational items (missing CAA, non-standard SOA serials). Focus on tests marked as critical first — these are the ones causing real-world problems right now.

Categories are ordered by dependency

Parent DNS is checked first because if delegation is broken, nothing else matters. Then nameservers, since they serve all your records. Then SOA (zone configuration), followed by individual record types and security checks. Failures high in the chain often cause cascading failures below.

Recommendations are prioritized

The top recommendations highlight the most impactful issues — the ones where a fix will have the greatest effect on your domain’s reliability, email deliverability, or security. Address these first before worrying about lower-priority warnings.

Related DNS Tools

DNS Propagation Checker

After fixing issues found in the inspector, verify your changes have reached DNS resolvers worldwide with real-time TTL countdowns.

SPF Record Checker

Deep-dive into your SPF record with lookup counting, mechanism parsing, and RFC 7208 compliance validation.

MX Record Lookup

Focused mail routing analysis with SMTP connectivity testing and mail provider identification.

Frequently Asked Questions

Built and maintained by Ishan Karunaratne — software engineer and infrastructure architect with 20+ years of experience in DNS, networking, and cloud infrastructure. CompTIA A+, Network+, and Security+ certified.

DNSInspector

Comprehensive DNS analysis for your domains.
Check nameservers, records, and configuration in seconds.

DNSInspector

Recent DNS Health Checks by the Community

Updated 2026-04-11 17:16:43 UTC

Domains recently inspected using the DNS health checker. Each score shows the percentage of DNS tests passed — covering nameservers, mail routing, DNSSEC, and more.