Guides

DNS

DNS Records Explained: A Complete Guide to Every Record Type — What DNS records are, how they work, and a plain-English breakdown of every record type: A, AAAA, MX, TXT, CNAME, NS and CAA.

• A vs AAAA Records: What's the Difference? — A records map a domain to an IPv4 address; AAAA records map it to IPv6. Here's what each does, when you need both, and how to check them.
• CAA Records Explained: Control Who Issues Your SSL Certificates — CAA records let you specify which certificate authorities may issue SSL/TLS certificates for your domain. A simple, powerful security control.
• CNAME vs A Records: When to Use Each — A records point a name to an IP address; CNAME records point a name to another name. Here's when to use each and the root-domain rule that trips people up.
• DNS Propagation: Why Changes Take Time (and How to Speed It Up) — DNS propagation is the delay before DNS changes are seen everywhere. Here's what really causes it, realistic timelines, and how to make migrations faster.
• How to Check DNS Records (3 Easy Ways) — Three ways to look up any domain's DNS records: a free online tool, the dig command, and nslookup, with the exact commands for each record type.
• MX Records Explained: How Email Routing Works — MX records tell the internet which mail servers accept email for your domain. Here's how priorities work, how to set them up, and how to verify them.
• NS Records Explained: Nameservers and Delegation — NS records declare which nameservers are authoritative for your domain. Here's how delegation works, why NS records matter, and how to check them.
• TXT Records Explained: SPF, DKIM, DMARC and Verification — TXT records hold free-form text used for domain verification and email authentication. Here's what SPF, DKIM and DMARC do and how to read them.

Email Authentication

Email Authentication Explained: SPF, DKIM, and DMARC — What SPF, DKIM, and DMARC are, how they work together to stop spoofing and land your mail in the inbox, and how to check them for any domain.

• BIMI Explained: Brand Logos in Email — BIMI shows your brand logo next to authenticated emails. Here's what it is, what it requires (a DMARC policy and often a VMC), and how to set it up.
• DKIM Explained: How Email Signing Works — DKIM adds a cryptographic signature to your email so receivers can verify it really came from your domain and was not altered. Here's how it works.
• DMARC Explained: Policies, Reports, and Setup — DMARC tells receivers what to do when an email fails SPF and DKIM, and sends you reports on who is mailing as your domain. Here's how it works and how to set it up.
• DMARC Policies: none, quarantine, and reject — The DMARC p= tag controls what happens to mail that fails authentication. Here's what none, quarantine, and reject do and how to move between them safely.
• How to Check SPF, DKIM, and DMARC for a Domain — Step-by-step ways to check a domain's SPF, DKIM, and DMARC records: a free online tool, the dig command, and reading an email's headers.
• SPF Records Explained: How to Set Up and Check SPF — An SPF record lists the mail servers allowed to send email for your domain. Here's how SPF works, how to read the syntax, and how to check yours.
• SPF vs DKIM vs DMARC: How They Work Together — SPF, DKIM, and DMARC are not alternatives, they are layers. Here's what each one checks, where each falls short, and how DMARC ties them together.
• Why Your Email Goes to Spam (and How Authentication Fixes It) — Missing or broken SPF, DKIM, and DMARC is one of the top reasons legitimate email lands in spam. Here's how to diagnose and fix deliverability problems.

Security Headers

HTTP Security Headers Explained: The Complete Guide — What HTTP security headers are, which ones matter (CSP, HSTS, X-Frame-Options and more), what each defends against, and how to check a site's headers.

• Content Security Policy (CSP) Explained — A Content-Security-Policy header whitelists the sources a page can load, which stops most cross-site scripting. Here's how CSP works and how to deploy it safely.
• Cookie Security: HttpOnly, Secure, and SameSite — The HttpOnly, Secure, and SameSite cookie attributes protect session cookies from theft and cross-site attacks. Here's what each one does and how to set them.
• How to Check a Website's Security Headers — Three ways to check any site's HTTP security headers: a free online scanner, browser developer tools, and the curl command, with what a good result looks like.
• HSTS Explained: Strict-Transport-Security — HSTS tells browsers to only ever connect to your site over HTTPS, closing the downgrade window. Here's how it works, the directives, and the preload list.
• Permissions-Policy Explained — The Permissions-Policy header controls which browser features (camera, microphone, geolocation) a page and its iframes can use. Here's how to configure it.
• Referrer-Policy Explained — The Referrer-Policy header controls how much of your URL is sent to other sites when users click away. Here's what each value does and which to choose.
• X-Content-Type-Options: nosniff Explained — The X-Content-Type-Options: nosniff header stops browsers from guessing a file's type, which closes a class of MIME-sniffing attacks. Here's what it does.
• X-Frame-Options Explained: Stopping Clickjacking — X-Frame-Options controls whether your site can be embedded in a frame, which stops clickjacking. Here's how it works and why CSP frame-ancestors is the modern way.

Reputation

Domain Reputation Explained: Blocklists, Spam, and Trust — What domain and IP reputation are, how blocklists like Spamhaus and Google Safe Browsing work, how to check if you're listed, and how to build and protect trust.

• Google Safe Browsing Explained — Google Safe Browsing powers the red malware and phishing warnings in major browsers. Here's how it works, why a site gets flagged, and how to recover.
• How to Check If Your Domain or IP Is Blacklisted — Step-by-step ways to check whether your domain or sending IP is on a blocklist, using a free online checker and manual DNS queries.
• How to Get Delisted from a Blocklist — Getting off a blocklist is a two-step job: fix the underlying cause, then request removal. Here's the process and how to keep from getting relisted.
• How to Improve Your Domain's Reputation — Domain reputation is earned slowly through authentication, clean sending, and good content. Here's a practical checklist to build and protect it.
• IP Reputation vs Domain Reputation — Email and security filters track two separate reputations: the sending IP and the domain. Here's how they differ, why both matter, and which you control.
• Spamhaus Explained: The SBL, XBL, and DBL — Spamhaus runs the most widely used blocklists in email. Here's what the SBL, XBL, PBL, and DBL are, how they work, and what being listed means.
• What Is a DNSBL (DNS Blocklist)? — A DNSBL is a DNS-based blocklist of IPs or domains known for spam and abuse. Here's how mail servers query them and what it means to be listed.
• What Makes a Domain Look Suspicious? — Security tools and people judge domains on signals like age, registration details, certificate setup, and content. Here's what raises red flags and why.

SSL/TLS

SSL/TLS Certificates Explained: How to Check and Read One — What an SSL/TLS certificate is, what it proves, the fields it contains, and how to check any site's certificate. A plain-English guide to HTTPS certificates.

• Common SSL/TLS Errors and How to Fix Them — The most common SSL/TLS browser errors, what each one means, and how to fix them: name mismatches, expired certs, incomplete chains, and untrusted issuers.
• How to Check a Website's SSL Certificate (3 Ways) — Three ways to check any website's SSL certificate: a free online checker, your browser, and the openssl command, with what to look for in each.
• SSL Certificate Chains and Intermediate Certificates Explained — A certificate chain links a site's certificate to a trusted root through intermediates. Here's how the chain of trust works and why incomplete chains break sites.
• SSL Certificate Expiration: How to Check It and Why It Matters — SSL/TLS certificates expire and must be renewed. Here's how to check the expiry date, what breaks when a certificate lapses, and how to avoid it.
• SSL vs TLS: What's the Difference? — SSL and TLS are often used interchangeably, but SSL is the deprecated predecessor and TLS is the modern protocol that actually secures HTTPS today.
• TLS Versions Explained: 1.0, 1.1, 1.2 and 1.3 — A guide to the TLS protocol versions, which ones are deprecated and insecure, which to support today, and how to check what version a site negotiates.
• What Is a Self-Signed Certificate? — A self-signed certificate is signed by its own key instead of a trusted CA. Here's what that means, why browsers warn about it, and when it's actually fine to use.
• Wildcard vs SAN Certificates: Which Do You Need? — A wildcard certificate covers all subdomains of one domain; a SAN (multi-domain) certificate covers a specific list of different names. Here's how to choose.

Developer Tools

DomainIntel MCP Server: Give Your AI Agent Live Domain Intelligence — Install the DomainIntel MCP server so Claude and other AI agents can run WHOIS, DNS, SSL, security-header, reputation and subdomain analysis on any domain.

WHOIS

WHOIS Explained: How to Look Up Who Owns a Domain — What WHOIS is, what data a lookup returns, why so much of it is now redacted, and how to read it. A plain-English guide to domain registration records.

• How to Check a Domain's Age — A domain's age is the time since its creation date in WHOIS. Here's how to check it, and an honest look at what domain age does and does not mean for trust and SEO.
• How to Find a Domain's Expiration Date — A domain's expiry date is in its WHOIS record. Here's how to find it, plus the grace, redemption, and pending-delete periods that decide what happens after it lapses.
• How to Find Who Owns a Domain — Five practical ways to find who owns a domain, including what to do when the WHOIS record is redacted by privacy protection.
• How to Read a WHOIS Record — A field-by-field guide to reading a WHOIS record, including registrar info, the key dates, name servers, and what the EPP status codes mean.
• Registrar vs Registrant vs Registry: What's the Difference? — The registry runs the TLD, the registrar sells the domain, and the registrant owns it. Here's how the three roles fit together and who to contact for what.
• WHOIS Privacy: What It Is and Whether You Need It — WHOIS privacy (also called domain privacy or a proxy service) hides your personal contact details from public WHOIS. Here's how it works and when to use it.
• WHOIS vs RDAP: What's Replacing WHOIS — RDAP is the structured, JSON-based successor to WHOIS. Here's how the two differ, why ICANN is moving to RDAP, and what it means for looking up domain data.
• Why Is WHOIS Data Redacted? GDPR and ICANN Explained — Since 2018, most personal WHOIS data is hidden by default because of GDPR and ICANN's Registration Data Policy. Here's what changed, what's still visible, and how to request data.