Documentation

Everything you need to run reports, read results, set up Pro monitoring, and use the API.

Getting Started

Running your first report

  1. Go to dnssnuff.com
  2. Enter any domain in the search box (e.g. yourcompany.com)
  3. Press Run Report or hit Enter
  4. Results appear in under 5 seconds

No account required. No installation. No configuration.

Reading your results

Your report is divided into 8 categories:

  • Parent Zone — delegation from the TLD registry
  • Nameservers — configuration, redundancy, and consistency
  • Start of Authority — zone health and timing parameters
  • Mail Servers — MX records and SMTP configuration
  • Email Authentication — SPF, DKIM, DMARC, and BIMI
  • Web Presence — HTTP/HTTPS, SSL, and redirects
  • DNSSEC — chain of trust and signing
  • Blacklists — 50+ RBL lookups

Each check shows one of three statuses:

  • ✅ Pass — Correctly configured
  • ⚠️ Warning — Configured but not to best-practice standard
  • ❌ Fail — Misconfigured or missing; action required

Understanding health scores

Your health score (0–100) and letter grade (A+ through F) reflect the weighted aggregate of all 72 checks. Critical checks (such as DMARC policy and blacklist status) carry more weight than best-practice recommendations.

"Fix This First" priority stack

The priority stack shows all failed checks ordered by severity. Start at the top. Critical items (❌) should be addressed before Warnings (⚠️).

Sharing a report

Every report has a permanent URL. Copy it from your browser's address bar or use the Share button in the report header. Recipients do not need a DNSSnuff account to view a shared report.

Email Authentication

SPF (Sender Policy Framework)

SPF authorises specific mail servers to send email on behalf of your domain.

Common SPF issues

  • Multiple SPF records — Only one TXT record starting with v=spf1 is permitted. Multiple records cause immediate authentication failure.
  • Exceeding the 10-lookup limit — SPF allows a maximum of 10 DNS lookups during evaluation. Exceeding this causes a PermError, which some receivers treat as a failure.
  • Softfail (~all) instead of Fail (-all)~all means unauthorised senders are not outright rejected. Use -all to reject them.

Example valid SPF record:

v=spf1 include:_spf.google.com include:sendgrid.net -all

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outgoing email, allowing receivers to verify it hasn't been tampered with.

Minimum requirements:

  • Key length: 1024 bits minimum; 2048 bits recommended
  • Record format: TXT record at <selector>._domainkey.<domain>

DMARC

DMARC builds on SPF and DKIM to specify what receivers should do with email that fails authentication.

Policy levels:

  • p=none — Monitor only. No action taken. Provides no spoofing protection.
  • p=quarantine — Failing email is sent to spam.
  • p=reject — Failing email is rejected entirely.

Recommended starting point:

v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100;

Move to p=reject once you've confirmed legitimate email is passing authentication.

BIMI

BIMI allows your brand logo to appear in supporting email clients when a message passes DMARC with p=quarantine or p=reject. Requires a Verified Mark Certificate (VMC) for full Gmail and Apple Mail support.

Pro — Monitoring & Alerts

Setting up monitoring

  1. Sign up for Pro at dnssnuff.com/pricing
  2. Add domains to your dashboard from the Domains tab
  3. Each domain is checked automatically every 24 hours
  4. Configure alert recipients under Settings → Alerts

Alert types

DNSSnuff sends an email alert when:

  • Any check result changes (pass → warn, warn → fail, or any change in direction)
  • A new blacklist listing appears
  • An SSL certificate drops below your configured expiry threshold (default: 30 days)
  • A DMARC or SPF policy change is detected

Historical tracking

The History tab on any monitored domain shows the health score over time. Click any point on the timeline to see the full report from that date.

API Reference Agency

Authentication

All API requests require a Bearer token. Obtain your API key from Settings → API in your Agency dashboard.

Authorization: Bearer YOUR_API_KEY

Run a report

GET /v1/report?domain={domain}

Parameters:

  • domain (required) — The domain to check (e.g. yourcompany.com)
  • format (optional) — json (default) or summary

Example response:

{
  "domain": "yourcompany.com",
  "score": 84,
  "grade": "B",
  "generated_at": "2026-06-28T09:00:00Z",
  "checks": [
    {
      "category": "email_authentication",
      "name": "dmarc_policy",
      "status": "warn",
      "severity": "critical",
      "message": "DMARC policy is set to none. Domain can be spoofed.",
      "remediation": "Change p=none to p=quarantine or p=reject."
    }
  ]
}

List monitored domains

GET /v1/domains

Get domain history

GET /v1/domains/{domain}/history?days=30

Rate limits

  • Free: 10 requests per minute per IP
  • Agency: 100 requests per minute per API key

White-label Reports Agency

Configuring white-label branding

  1. Go to Settings → White Label in your Agency dashboard
  2. Upload your logo (PNG or SVG, minimum 200px wide)
  3. Set your brand colour (hex value)
  4. Enter your company name
  5. Optionally set a custom report header and footer

All reports generated from your account will carry your branding. The DNSSnuff name and logo will not appear on white-label reports.

Sharing white-label reports

Shareable report URLs for white-label reports use your branding when opened by the recipient. No DNSSnuff login required to view. Agency plan URLs never expire.

Troubleshooting

My report shows no DKIM records

DNSSnuff checks for DKIM records at common selectors (google, selector1, selector2, default, mail, k1, smtp, dkim). If your DKIM selector is non-standard, the check may not find it. This does not necessarily mean DKIM is absent — check your email platform for the correct selector name.

My SPF record looks correct but the check is failing

The most common cause is exceeding the 10-lookup limit. Use a tool like dmarcian's SPF Surveyor to count your lookups. Flattening your SPF record (replacing include: with explicit IP addresses) resolves this.

My domain is listed on a blacklist — what do I do?

  1. Identify which list(s) from the report
  2. Visit the block list's website and use their lookup tool to confirm
  3. Follow their delisting process (most have a web form)
  4. Monitor your listing status — some de-listings take 24–48 hours to propagate

Why does my health score differ from yesterday?

Scores change when any check result changes — a new listing, an expiring certificate moving into a warning threshold, or a DNS record update. Check the History tab to see exactly which check changed and when.