cloudflare.com — dnschecker · DNS Health Report

Report for cloudflare.com

Generated 2026-05-31 21:30:54 EDT · 33 checks performed · Parent queried: k.gtld-servers.net (192.52.178.30)

82%

Health Score 0 errors · 5 warnings

✔ 26 Passed

⚠ 5 Warnings

✖ 0 Errors

ℹ 2 Info

Parent Zone Delegation

Status	Check	Details & Recommendation
INFO	Parent NS Delegation	Queried via: k.gtld-servers.net (192.52.178.30) Delegated NS: ns3.cloudflare.com, ns5.cloudflare.com, ns4.cloudflare.com, ns6.cloudflare.com, ns7.cloudflare.com These are the NS records published in the parent (TLD) zone — what the global internet sees when resolving your domain for the first time.
OK	Parent Glue Records	ns3.cloudflare.com → 162.159.0.33, 162.159.7.226 \| ns5.cloudflare.com → 162.159.2.9, 162.159.9.55 \| ns4.cloudflare.com → 162.159.1.33, 162.159.8.55 \| ns6.cloudflare.com → 162.159.3.11, 162.159.5.6 \| ns7.cloudflare.com → 162.159.4.8, 162.159.6.6 Glue records are A records published alongside NS records in the parent zone. They are required when a nameserver hostname falls within the delegated domain itself (e.g. ns1.example.com for example.com).

Nameserver Configuration

Status	Check	Details & Recommendation
OK	NS Records (Authoritative)	5 NS record(s): ns6.cloudflare.com, ns7.cloudflare.com, ns3.cloudflare.com, ns4.cloudflare.com, ns5.cloudflare.com These are the NS records as returned by the authoritative nameservers themselves.
OK	NS Parent/Auth Consistency	Parent zone and authoritative zone agree on nameservers. Consistency is required for reliable DNS resolution worldwide.
OK	NS Redundancy	5 nameservers — redundancy is satisfied. Multiple nameservers ensure queries are answered even if one server is offline.
OK	NS A Records	ns6.cloudflare.com → 162.159.3.11, 162.159.5.6 \| ns7.cloudflare.com → 162.159.6.6, 162.159.4.8 \| ns3.cloudflare.com → 162.159.7.226, 162.159.0.33 \| ns4.cloudflare.com → 162.159.8.55, 162.159.1.33 \| ns5.cloudflare.com → 162.159.9.55, 162.159.2.9 Each nameserver resolves to a valid IP address.
WARN	NS Network Diversity	All nameservers appear to share the same /16 subnet (162.159.*). Consider using nameservers on separate networks. Nameservers on the same network segment can all go offline together in a network outage.

Zone / SOA

Status	Check	Details & Recommendation
OK	SOA Record	Primary NS: ns3.cloudflare.com \| Hostmaster: dns.cloudflare.com \| Serial: 2405012788 SOA record defines the zone's primary server, admin contact, and replication timers.
OK	SOA Serial	Serial 2405012788 uses YYYYMMDDNN format — good. Date-based serials make zone history easy to track.
OK	SOA Refresh	Refresh: 10000s — OK. Secondaries poll for updates at this interval.
OK	SOA Retry	Retry: 2400s — OK. Retry interval after failed refresh.
OK	SOA Expire	Expire: 604800s — OK. Secondaries discard stale data after this time.
OK	SOA Negative TTL	Negative TTL: 300s — OK. Negative caching TTL (NXDOMAIN) per RFC 2308.

DNS Address Records

Status	Check	Details & Recommendation
OK	A Records	IPv4: 104.16.132.229, 104.16.133.229 A records map your domain to your web server's IPv4 address(es).
OK	AAAA Records	IPv6: 2606:4700::6810:85e5, 2606:4700::6810:84e5 AAAA records provide IPv6 connectivity.
OK	WWW Record	www.cloudflare.com → 104.16.123.96, 104.16.124.96 www subdomain resolves correctly.

Mail Server (MX)

Status	Check	Details & Recommendation
OK	MX Records	4 MX record(s): pri=5 mxa-canary.global.inbound.cf-emailsecurity.net, pri=5 mxb-canary.global.inbound.cf-emailsecurity.net, pri=10 mxa.global.inbound.cf-emailsecurity.net, pri=10 mxb.global.inbound.cf-emailsecurity.net MX records list mail servers in priority order (lowest number = highest priority).
OK	MX A Record	mxa-canary.global.inbound.cf-emailsecurity.net → 172.65.65.66 MX host resolves to a valid IP address.
OK	MX A Record	mxb-canary.global.inbound.cf-emailsecurity.net → 172.65.65.66 MX host resolves to a valid IP address.
OK	MX A Record	mxa.global.inbound.cf-emailsecurity.net → 172.65.64.78 MX host resolves to a valid IP address.
OK	MX A Record	mxb.global.inbound.cf-emailsecurity.net → 172.65.64.78 MX host resolves to a valid IP address.
WARN	MX Reverse DNS (PTR)	No PTR record for 172.65.65.66. Missing PTR records on mail server IPs are a leading cause of email deliverability issues. Ask your IP provider to configure one.
WARN	MX Reverse DNS (PTR)	No PTR record for 172.65.65.66. Missing PTR records on mail server IPs are a leading cause of email deliverability issues. Ask your IP provider to configure one.
WARN	MX Reverse DNS (PTR)	No PTR record for 172.65.64.78. Missing PTR records on mail server IPs are a leading cause of email deliverability issues. Ask your IP provider to configure one.
WARN	MX Reverse DNS (PTR)	No PTR record for 172.65.64.78. Missing PTR records on mail server IPs are a leading cause of email deliverability issues. Ask your IP provider to configure one.
OK	MX Redundancy	4 MX records — mail delivery has redundancy. Multiple MX records ensure email is queued and delivered even if the primary server is down.

Email Authentication

Status	Check	Details & Recommendation
OK	SPF Record	v=spf1 ip4:199.15.212.0/22 ip4:173.245.48.0/20 include:_spf.google.com include:spf1.mcsv.net include:spf.mandrillapp.com include:mail.zendesk.com include:stspg-customer.com include:_spf.salesforce.com -all SPF record is present. Receiving servers will validate your outgoing email against this policy.
OK	SPF Policy	Policy: -all (hardfail) — unauthorized senders are rejected. -all provides the strongest SPF enforcement.
OK	DMARC Record	v=DMARC1; p=reject; pct=100; rua=mailto:[email protected],mailto:[email protected] DMARC policy is published.
OK	DMARC Policy	Policy: reject — failing emails are blocked. Maximum protection. Recommended for mature mail setups.
OK	DKIM Record	Selector 'k1': k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDbNrX2cY/GUKIFx2G/1I00ftdAj713WP9AQ1xir85i89sA2guU0ta4UX1Xzm06X… DKIM (RFC 6376) adds a cryptographic signature to outgoing mail, proving it was sent by an authorised server and was not altered in transit.

Other Records

Status	Check	Details & Recommendation
OK	CAA Records	0 issue "letsencrypt.org" \| 0 issue "pki.goog; cansignhttpexchanges=yes" \| 0 issue "ssl.com" \| 0 issuewild "comodoca.com" \| 0 issuewild "digicert.com; cansignhttpexchanges=yes" \| 0 issuewild "letsencrypt.org" \| 0 issuewild "pki.goog; cansignhttpexchanges=yes" \| 0 issuewild "ssl.com" \| 0 iodef "mailto:[email protected]" \| 0 issue "comodoca.com" \| 0 issue "digicert.com; cansignhttpexchanges=yes" CAA records restrict SSL certificate issuance to the listed certificate authorities.
INFO	Other TXT Records	_wkjc0fot0d7qrvrdt78bxkj2e2o67d2 apple-domain-verification=DNnWJoArJobFJKhJ asv=894f6d1f9f83bcf44e4b1bc40bc1c4aa atlassian-domain-verification=WxxKyN9aLnjEsoOjUYI6T0bb5vcqmKzaIkC9Rx2QkNb751G3LL/cus8/ZDOgh8xB canva-site-verification=oOyaVnHC-OiFoR1BPvetNA cisco-ci-domain-verification=27e926884619804ef987ae4aa1c4168f6b152ada84f4c8bfc74eb2bd2912ad72 Additional TXT records for domain ownership verification (Google Search Console, Microsoft 365, etc.) and other services.