What validation tools do you use?

Guides
1

Hi all,

We often recommend checking that boxes are set up correctly using live validation tools that have been developed by other people. What tools do you use? Here are some:

I’ve updated this post to include all of the tools mentioned in the comments below as of July 2020.

Server Status/Uptime

https://pingability.com/zoneinfo.jsp
IPv6 test - web site reachability IPv6 test

Outgoing Mail (i.e. Will your emails be received?)

https://www.mail-tester.com (checks SPF, DKIM, DMARC, blacklists, etc.)
http://mxtoolbox.com
https://dnsbl.info
https://dkimvalidator.com (DKIM, SPF validator)
https://talosintelligence.com/reputation_center/lookup IP reputation ckeck
http://isnotspam.com

Other DNS record checks

DMARC Check, Generator & Record - Test Tool | Proofpoint US SPF Check
DKIM Key Checker – protodave DKIM Key Check
Free DMARC Check & Record Test - DMARC Inspector DMARC Inspector
DKIM Core Tools

TLS

Check that your TLS certificates and settings are secure:

https://www.ssllabs.com/ssltest/analyze.html
https://www.whynopadlock.com
https://www.htbridge.com/ssl
CAA Record Generator and https://caatest.co.uk (CAA record helpers)

DNS

https://dnschecker.org DNS Propagation Checker
https://dnsviz.net

DNSSEC & DANE

If you have DNSSEC enabled, check that senders will be able to validate your DNS entries:

https://dnssec-analyzer.verisignlabs.com
http://viewdns.info/dnssec/
https://www.huque.com/bin/danecheck-smtp
https://dane.sys4.de/

Web

https://www.htbridge.com/websec
https://tools.geekflare.com/tools/http-header-test

Professional Tools

https://www.tenable.com/products/nessus/nessus-professional

7 Likes
2

Hi Josh - thanks for all your work!

I use:
https://dnssec-analyzer.verisignlabs.com/
https://dkimvalidator.com/
https://www.ssllabs.com/ssltest/
https://www.whatsmydns.net/
https://pingability.com/zoneinfo.jsp

Peculiar as with the tools I use, DNSSEC checks come out ok, but with your tools it tells me everything is insecure and that my domains aren’t in a zone!?

I also get regular errors with DKIM

1 Like
3

I’ll periodically do credentialed scans on the box with Nessus.

4

Here my collection:

Validation Tools:

FREE WEB Services:

Hope this helps.

4 Likes
5

I once was rejected by AT&T for being on a blacklist that the more popular blacklist providers did not have me listed on.

I discovered it was a blacklist that blocks IP addresses that have never before been used for sending mail, though now I’ve forgotten which one it was (it was very easy to get off of).

The way I found it was with this site:

https://dnsbl.info

6

Very helpful, all.

Maybe someone can making a nice list with some descriptions of each service and prioritize the ones that are most helpful. We can add it to our setup guide / website.

7

Very good for DNSSEC: https://dnsviz.net/

8

This topic was automatically closed after 61 days. New replies are no longer allowed.

10

IP Blacklist Check

11

I find GWhois.org useful for certain DNS and WHOIS checks. The site does not cache any records, so every lookup is resolved from root servers. It was created before RFC 8482 was published and I don’t think the developer is going to rewrite the code (which is on GitHub) to work around this limitation.

Most of the popular DNS providers do not answer to ANY requests, but MiaB does, and this is where it is a very useful tool to quickly view most of the records of concern when troubleshooting, and since everything is resolved there is no need to wait for records to “propagate”.

When I don’t have access to command line or want a quick second opinion from a different IP address, I use DNSQueries because it has almost every lookup I’ve ever needed built into a PHP interface.

12

internet.nl is another nice tool for checking both web servers and mail servers are meeting modern standards, IPv6, secure TLS, DANE, etc.

1 Like
13

I like Zonemaster for ipv4 and ipv6 dns server checking.