DNS Lookup
Tool

Missing or misconfigured email authentication records are the most common cause. This tool checks four things: SPF (does a v=spf1 TXT record exist that includes your mail provider?), DKIM (is a signing key published?), DMARC (is there a _dmarc TXT record?), and MX (are mail exchange records pointing to the right servers?). If any of these show as "Not Found" in the Email Health section, that's likely your problem.

Your DNS records are probably still pointing to the old server. Enter your domain into this tool and check the A record. If the IP address shown belongs to your old host, the DNS hasn't been updated or hasn't propagated yet. DNS changes can take up to 48 hours depending on the TTL (Time To Live) of the existing records. If you lowered the TTL before migrating, it will be faster.

Check your MX records first. MX records tell the internet where to deliver email for your domain. If they're missing or pointing to the wrong mail server, no email can reach you. Enter your domain here and look at the MX section. Also check the SPF and DMARC sections. Missing SPF means your outbound emails get rejected by recipients. Google Workspace, Microsoft 365, and other providers publish setup guides for each record.

SPF (Sender Policy Framework) is a DNS TXT record that lists which servers are allowed to send email from your domain. Without it, anyone can forge emails from your address. Mail providers like Gmail and Outlook check SPF to decide if incoming email is legitimate. A missing or incorrect SPF record often causes your emails to land in spam or be rejected entirely. This tool checks your SPF record and flags issues like missing entries or too many DNS lookups.

Google and Yahoo now require DMARC for bulk senders, but even small domains benefit from having one. DMARC builds on SPF and DKIM to tell receiving servers what to do with emails that fail authentication: accept, quarantine, or reject them. It also sends reports back to you so you can monitor abuse. This tool checks whether a DMARC record exists at _dmarc.yourdomain.com and validates its configuration.

Your subdomain needs its own DNS records. Enter the full subdomain (e.g. shop.yourdomain.com) into this tool and check whether an A record or CNAME exists pointing to the correct server. If no records are returned, the subdomain DNS hasn't been configured yet at your DNS provider.

Anywhere from minutes to 48 hours, depending on the TTL of the existing records. A TTL of 300 (5 minutes) means changes propagate quickly. A TTL of 86400 (24 hours) means some resolvers cache the old value for up to a day. This tool shows the current TTL for every record. If you're planning a migration, lower the TTL a day or two in advance so changes take effect faster.

An A record maps a domain directly to an IP address (e.g. example.com → 93.184.216.34). A CNAME maps one domain to another (e.g. www.example.com → example.com). A records point to a fixed IP, so you update them when your server changes. CNAMEs follow wherever the target name resolves. You cannot use a CNAME on the root domain, only on subdomains like www or shop.

DKIM adds a digital signature to every email from your domain. Your mail server signs messages with a private key, and recipients verify it using a public key in your DNS. This tool checks 12 common DKIM selectors (default, google, selector1, selector2, k1, and others) automatically. If your provider uses a custom selector, the check may show "not found" even when DKIM is configured.

DNSSEC adds cryptographic signatures to DNS responses, preventing attackers from spoofing your DNS and redirecting visitors to fake sites. Most registrars support it as a one-click setting. The downside is minimal, but misconfigured DNSSEC can make your domain unreachable. Follow your provider's setup guide and test with this tool afterwards to confirm records are resolving correctly.