How can you test DNSSEC deployment?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

You've enabled DNSSEC on your domain. Now how do you know it's actually working? A misconfigured DNSSEC setup can silently break email delivery, so testing right after deployment (and again after any DNS changes) is worth the few minutes it takes.

The quickest starting point is a visual tool. DNSViz draws out your full DNSSEC chain as a diagram, from your domain records all the way up to the root. Green nodes mean things are signed and valid. Red or orange nodes tell you exactly where the chain breaks. It's the fastest way to spot problems without reading raw DNS output.

If you prefer something more structured, the Verisign DNSSEC Analyzer walks through each part of your setup and flags specific errors with clear descriptions. Good for methodical checking when you want to know not just that something is broken, but why.

For command-line testing, dig is your friend. Run this against your domain:

dig +dnssec TXT yourdomain.com

In a healthy setup, you'll see RRSIG records alongside your TXT records in the response. An RRSIG is the cryptographic signature that proves the record hasn't been tampered with. If you run that command and there's no RRSIG in the answer section, DNSSEC either isn't enabled or isn't publishing correctly.

You should also check that your DS record at your registrar matches your DNSKEY. The DS record is what links your domain into the chain of trust from the root. If the two don't match (which can happen after a key rotation), resolvers that validate DNSSEC will refuse to resolve your domain entirely. That means DNS lookups fail, which means email can stop flowing.

Here's what healthy DNSSEC output looks like versus broken:

  • Healthy: RRSIG records present, DS at registrar matches DNSKEY, signatures not expired, chain resolves cleanly through to the root
  • Broken: No RRSIG in dig output, SERVFAIL errors when querying with a validating resolver, DS mismatch warning in DNSViz, or a red chain node anywhere in the diagram

Still one specific thing to check is signature expiry. DNSSEC signatures have an expiration date baked in, and if your DNS provider doesn't automatically re-sign records before they expire, you'll get SERVFAIL errors for validating resolvers. Most managed DNS providers handle this automatically. If you're running your own DNS software, it's something you need to monitor actively.

The rule of thumb is to test right after enabling DNSSEC, right after any DNS changes (new SPF, DKIM, or MX records), and after any key rotation. It only takes a minute with DNSViz, and catching a broken chain early is a lot easier than diagnosing a delivery failure later.

If something looks wrong and you're not sure what to do next, our SOS hotline is free. We don't pitch, we just help.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Walk me through testing DNSSEC for my domain

I want to test whether DNSSEC is correctly set up on my domain. Based on the tools and checks described here, can you walk me through what I should run or check for my domain, what healthy output looks like, and what I should do if I see a broken chain or a DS mismatch?

Edit the yellow boxes, then send to the AI of your choice.