Pricing

from $3.00 / 1,000 dns looked ups

DNS Record Lookup

Bulk DNS record lookup for domains. Query A, AAAA, MX, NS, TXT, CNAME, SOA records. Email security audit with SPF, DMARC, DKIM detection. No API keys needed. Structured JSON output.

Pricing

from $3.00 / 1,000 dns looked ups

Rating

0.0

(0)

Developer

ryan clinton

Actor stats

Bookmarked

Total users

Monthly active users

4 hours ago

Last modified

Why use DNS Record Lookup?

Running manual DNS lookups with command-line tools like dig or nslookup works fine for a single domain. But when you need to audit the DNS configuration of 50, 500, or 5,000 domains -- for security assessments, infrastructure migration, or competitive intelligence -- doing it manually is slow and error-prone.

DNS Record Lookup gives you a cloud-hosted, API-accessible, fully automatable solution. You provide a list of domains and the actor resolves all major record types in parallel batches of 10, returning clean, typed JSON that feeds directly into spreadsheets, databases, monitoring dashboards, or downstream Apify workflows. Schedule it to run daily and you have continuous DNS monitoring with zero maintenance.

The actor also performs email security analysis that goes beyond basic DNS. It checks for SPF records (v=spf1), queries _dmarc.{domain} for DMARC policies, and probes 10 common DKIM selectors to assess whether a domain has email authentication configured. This makes it a practical tool for IT security teams, email deliverability consultants, and domain portfolio managers.

Because the actor uses Node.js native dns.promises for resolution, there are no third-party API keys to manage, no rate limits to worry about, and no usage-based billing from external services. You only pay standard Apify compute costs, which are minimal for DNS queries.

Key features

7 DNS record types -- Resolves A (IPv4), AAAA (IPv6), MX (mail exchange), NS (nameservers), TXT (text records), CNAME (canonical names), and SOA (start of authority) for any domain.
Email security analysis -- Checks SPF, DMARC, and DKIM records to assess email authentication posture and phishing vulnerability.
DKIM selector scanning -- Probes 10 common selectors -- google, default, selector1, selector2, k1, k2, k3, mail, smtp, dkim -- covering Google Workspace, Microsoft 365, Mailchimp, SendGrid, and more.
Bulk parallel processing -- Processes domains in concurrent batches of 10 with all record type queries running in parallel within each domain lookup.
Smart input cleaning -- Automatically strips https://, http://, trailing paths, port numbers, and www. prefixes so you can paste raw URLs without manual formatting.
Configurable per-query timeout -- Set timeouts from 1,000ms to 30,000ms using Promise.race to handle slow or unresponsive nameservers gracefully.
No API keys required -- Uses the Node.js native dns.promises module for resolution. No third-party service accounts or credentials needed.
MX priority sorting -- Mail exchange records are automatically sorted by priority value (lowest first), matching standard MX preference order.
Structured JSON output -- Every result is clean, typed JSON with 13 fields per domain, ready for downstream processing, filtering, and integration.

How to use

Using the Apify Console

Navigate to the DNS Record Lookup page on Apify Store.
Click Try for free to open the actor in the Apify Console.
Enter one or more domains in the Domains field -- for example, google.com, github.com, apify.com.
Optionally adjust Record Types to query only specific types (e.g., just MX and TXT). The default queries all seven types.
Leave Check Email Security enabled (the default) to include SPF, DMARC, and DKIM analysis.
Optionally adjust the Timeout if you expect slow DNS responses (default is 5,000ms).
Click Start to run the actor.
When the run completes, view results in the Dataset tab. Export as JSON, CSV, Excel, or retrieve via API.

Using the API

curl -X POST "https://api.apify.com/v2/acts/ryanclinton~dns-record-lookup/runs?token=YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "domains": ["google.com", "github.com", "apify.com"],
    "recordTypes": ["A", "AAAA", "MX", "NS", "TXT", "CNAME", "SOA"],
    "checkEmailSecurity": true,
    "timeout": 5000
  }'

After the run completes, fetch results from the default dataset:

$curl "https://api.apify.com/v2/acts/ryanclinton~dns-record-lookup/runs/last/dataset/items?token=YOUR_API_TOKEN"

Input parameters

Name	Type	Required	Default	Description
`domains`	string[]	Yes	--	List of domains to look up. Protocols, paths, ports, and `www.` prefixes are stripped automatically.
`recordTypes`	string[]	No	`["A","AAAA","MX","NS","TXT","CNAME","SOA"]`	Which DNS record types to query. Leave empty for all seven types.
`checkEmailSecurity`	boolean	No	`true`	When enabled, checks SPF (from TXT), DMARC (from `_dmarc.{domain}` TXT), and DKIM (10 selector probes).
`timeout`	integer	No	`5000`	Timeout per individual DNS query in milliseconds. Range: 1,000 -- 30,000.

Example input:

{
    "domains": ["google.com", "github.com", "stripe.com", "apify.com"],
    "recordTypes": ["A", "MX", "TXT"],
    "checkEmailSecurity": true,
    "timeout": 5000
}

Tips:

You can paste full URLs like https://www.example.com/page?q=test -- the actor strips everything down to example.com automatically.
If you only need mail server information, set recordTypes to ["MX"] and enable checkEmailSecurity to get a focused email infrastructure report.
For domains behind slow or geographically distant nameservers, increase the timeout to 10,000ms or higher to avoid null results from premature timeouts.

Output

Each domain produces one result object in the output dataset. Here is a realistic example for google.com:

{
    "domain": "google.com",
    "aRecords": ["142.250.80.46"],
    "aaaaRecords": ["2607:f8b0:4004:800::200e"],
    "mxRecords": [
        { "priority": 10, "exchange": "smtp.google.com" },
        { "priority": 20, "exchange": "smtp2.google.com" },
        { "priority": 30, "exchange": "smtp3.google.com" },
        { "priority": 40, "exchange": "smtp4.google.com" }
    ],
    "nsRecords": [
        "ns1.google.com",
        "ns2.google.com",
        "ns3.google.com",
        "ns4.google.com"
    ],
    "txtRecords": [
        "v=spf1 include:_spf.google.com ~all",
        "google-site-verification=wD8N7i1JTNTkezJ49swvWW48f8_9xveREV4oB-0Hf5o",
        "globalsign-smime-dv=CDYX+XFHUw2wml6/Gb8+59BsH31KzUr6c1l2BPvqKX8=",
        "docusign=05958488-4752-4ef2-95eb-aa7ba8a3bd0e",
        "facebook-domain-verification=22rm551cu4k0ab0bxsw536tlds4h95"
    ],
    "cnameRecords": null,
    "soaRecord": {
        "nsname": "ns1.google.com",
        "hostmaster": "dns-admin.google.com",
        "serial": 612637029,
        "refresh": 900,
        "retry": 900,
        "expire": 1800,
        "minttl": 60
    },
    "spfRecord": "v=spf1 include:_spf.google.com ~all",
    "dmarcRecord": "v=DMARC1; p=reject; rua=mailto:mailauth-reports@google.com",
    "dkimFound": true,
    "dkimSelectors": ["google"],
    "hasEmailSecurity": true,
    "lookupTimestamp": "2026-02-19T14:30:00.000Z"
}

Output field reference:

Field	Type	Description
`domain`	string	The cleaned domain that was queried (lowercase, no protocol/path/port/www).
`aRecords`	string[] or null	IPv4 addresses from A record resolution.
`aaaaRecords`	string[] or null	IPv6 addresses from AAAA record resolution.
`mxRecords`	object[] or null	Mail exchange servers with `priority` (integer) and `exchange` (hostname), sorted by priority ascending.
`nsRecords`	string[] or null	Authoritative nameserver hostnames.
`txtRecords`	string[] or null	All TXT records including SPF, domain verification tokens, and other entries. Multi-chunk TXT records are joined into single strings.
`cnameRecords`	string[] or null	Canonical name aliases. Null for apex domains that typically lack CNAME records.
`soaRecord`	object or null	Start of Authority record with `nsname`, `hostmaster`, `serial`, `refresh`, `retry`, `expire`, and `minttl` fields.
`spfRecord`	string or null	The SPF record if found (starts with `v=spf1`). Only populated when `checkEmailSecurity` is enabled.
`dmarcRecord`	string or null	The DMARC policy if found (starts with `v=DMARC1`, queried from `_dmarc.{domain}`). Only populated when `checkEmailSecurity` is enabled.
`dkimFound`	boolean	Whether any DKIM selector returned a valid record.
`dkimSelectors`	string[]	Alphabetically sorted list of DKIM selectors that returned records (e.g., `["google"]`, `["selector1", "selector2"]`).
`hasEmailSecurity`	boolean	`true` if any of SPF, DMARC, or DKIM is configured for the domain.
`lookupTimestamp`	string	ISO 8601 timestamp of when the lookup was performed.

Use cases

Email deliverability auditing -- Check whether your domains and your clients' domains have SPF, DMARC, and DKIM properly configured to avoid spam filters and spoofing.
Domain migration planning -- Export the complete DNS configuration of all your domains before a registrar or hosting migration to verify nothing gets lost in the transfer.
Security posture assessment -- Audit a portfolio of domains for missing email authentication records that could leave them vulnerable to phishing and domain spoofing.
Competitive infrastructure analysis -- Discover which hosting providers, CDNs, and email services your competitors use by examining their A, MX, NS, and TXT records.
Subdomain reconnaissance -- Feed known subdomains (e.g., mail.example.com, api.example.com, staging.example.com) to map out an organization's infrastructure.
Vendor due diligence -- Before onboarding a new SaaS vendor or partner, check their domain's email security configuration as a proxy for their overall security maturity.
Monitoring DNS changes -- Schedule regular runs to detect unauthorized DNS modifications, expired records, or configuration drift across your domain portfolio.
Email provider identification -- Use MX records and DKIM selectors to determine which email provider a company uses (Google Workspace, Microsoft 365, Proton Mail, etc.).
Domain portfolio management -- Bulk-check hundreds of registered domains to identify which ones have active DNS records and which are parked or abandoned.
Compliance reporting -- Generate evidence that your organization's domains meet email security requirements for frameworks like NIST, SOC 2, or industry-specific regulations.

API & integration

Python

from apify_client import ApifyClient

client = ApifyClient("YOUR_API_TOKEN")

run_input = {
    "domains": ["google.com", "github.com", "stripe.com"],
    "recordTypes": ["A", "AAAA", "MX", "NS", "TXT", "CNAME", "SOA"],
    "checkEmailSecurity": True,
    "timeout": 5000,
}

run = client.actor("ryanclinton/dns-record-lookup").call(run_input=run_input)

for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    domain = item["domain"]
    mx = item.get("mxRecords") or []
    spf = item.get("spfRecord") or "MISSING"
    dmarc = item.get("dmarcRecord") or "MISSING"
    print(f"{domain}: {len(mx)} MX records, SPF={spf[:40]}, DMARC={dmarc[:40]}")

JavaScript

import { ApifyClient } from "apify-client";

const client = new ApifyClient({ token: "YOUR_API_TOKEN" });

const run = await client.actor("ryanclinton/dns-record-lookup").call({
    domains: ["google.com", "github.com", "stripe.com"],
    recordTypes: ["A", "AAAA", "MX", "NS", "TXT", "CNAME", "SOA"],
    checkEmailSecurity: true,
    timeout: 5000,
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();

for (const item of items) {
    console.log(`${item.domain}: A=${item.aRecords?.join(", ") ?? "none"}`);
    console.log(`  MX: ${item.mxRecords?.map(r => r.exchange).join(", ") ?? "none"}`);
    console.log(`  Email security: ${item.hasEmailSecurity ? "YES" : "NO"}`);
}

cURL

Start a run and wait for it to finish (synchronous execution):

curl -X POST \
  "https://api.apify.com/v2/acts/ryanclinton~dns-record-lookup/run-sync-get-dataset-items?token=YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "domains": ["google.com", "github.com"],
    "checkEmailSecurity": true
  }'

Start an asynchronous run:

curl -X POST \
  "https://api.apify.com/v2/acts/ryanclinton~dns-record-lookup/runs?token=YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"domains": ["example.com", "example.org"]}'

DNS Record Lookup also integrates with the broader Apify ecosystem and third-party platforms including Zapier, Make (formerly Integromat), Google Sheets, Slack, and GitHub Actions. Use Apify webhooks to trigger downstream workflows automatically when a run completes.

How it works

Input validation -- The actor reads the input and verifies that the domains array is non-empty. It sets defaults for recordTypes (all 7 types), checkEmailSecurity (true), and timeout (5,000ms).
Domain cleaning -- Each domain is normalized: the input is lowercased, protocols (http://, https://) are stripped, trailing paths and port numbers are removed, and www. prefixes are deleted. This means https://www.Example.COM/page?q=1 becomes example.com.
Batch processing -- Domains are split into batches of 10. Each batch is processed concurrently using Promise.all, while batches run sequentially to avoid overwhelming DNS infrastructure.
Parallel record resolution -- Within each domain lookup, all selected record types (A, AAAA, MX, NS, TXT, CNAME, SOA) are resolved simultaneously via dns.promises. Each individual query is wrapped in Promise.race with the configured timeout to fail gracefully on slow responses.
Email security checks -- When enabled, SPF is extracted by searching TXT records for entries starting with v=spf1. DMARC is queried from _dmarc.{domain} TXT records for entries starting with v=DMARC1. DKIM is probed by checking {selector}._domainkey.{domain} for 10 common selectors in parallel.
Result assembly -- Records are assembled into a structured DnsResult object. MX records are sorted by priority. TXT record chunks (which DNS returns as arrays of strings) are joined into single strings. A hasEmailSecurity boolean summarizes whether any of SPF, DMARC, or DKIM is present.
Dataset output -- All results are pushed to the Apify default dataset, with one object per domain. The dataset is accessible via API, downloadable as JSON/CSV/Excel, and available for integration with other actors and external systems.

┌─────────────────────┐
                    │   Input: domains[]  │
                    └──────────┬──────────┘
                               │
                    ┌──────────▼──────────┐
                    │  Clean each domain  │
                    │  (strip URL parts)  │
                    └──────────┬──────────┘
                               │
                    ┌──────────▼──────────┐
                    │  Split into batches │
                    │   (10 per batch)    │
                    └──────────┬──────────┘
                               │
              ┌────────────────▼────────────────┐
              │  For each batch (Promise.all):  │
              │                                 │
              │  ┌───────────────────────────┐  │
              │  │  Per domain (parallel):   │  │
              │  │  - Resolve A, AAAA, MX,   │  │
              │  │    NS, TXT, CNAME, SOA    │  │
              │  │  - Each with timeout      │  │
              │  └─────────────┬─────────────┘  │
              │                │                │
              │  ┌─────────────▼─────────────┐  │
              │  │  Email security checks:   │  │
              │  │  - SPF from TXT records   │  │
              │  │  - DMARC from _dmarc.dom  │  │
              │  │  - DKIM: 10 selectors     │  │
              │  └─────────────┬─────────────┘  │
              └────────────────┬────────────────┘
                               │
                    ┌──────────▼──────────┐
                    │  Assemble results   │
                    │  Push to dataset    │
                    └─────────────────────┘

Performance & cost

Metric	Details
Memory usage	256 MB -- DNS queries are extremely lightweight with minimal memory overhead.
Speed per domain	Typically 100--500ms per domain including all record types and email security checks.
Batch concurrency	10 domains processed simultaneously per batch. All record types resolved in parallel within each domain.
100 domains	Completes in approximately 10--30 seconds depending on DNS server response times.
1,000 domains	Completes in approximately 2--5 minutes.
Cost estimate	At 256 MB memory, approximately $0.001 per minute of compute. A 1,000-domain run costs roughly $0.005. Well within Apify's free tier ($5/month).

Limitations

No recursive CNAME following -- The actor resolves CNAME records directly but does not recursively follow CNAME chains. The underlying Node.js resolver may resolve the final address in A/AAAA queries.
DKIM coverage is not exhaustive -- The actor probes 10 common selectors (google, default, selector1, selector2, k1, k2, k3, mail, smtp, dkim). Domains using custom or non-standard selectors may report dkimFound: false even when DKIM is configured.
No TTL values -- The Node.js dns.promises API does not expose TTL (time-to-live) values for records. If you need TTL data, use a raw DNS query tool.
Resolver-dependent results -- DNS resolution depends on the nameservers configured on the Apify infrastructure. Results may differ slightly from queries made through other resolvers (e.g., Google Public DNS, Cloudflare DNS).
No DNSSEC validation -- The actor does not verify DNSSEC signatures. Records are returned as-is from the resolver without cryptographic validation.
Rate sensitivity at scale -- While domains are batched in groups of 10, very large runs (10,000+ domains) may encounter transient DNS resolution failures due to resolver load. Increase the timeout for large runs.
No historical data -- Each run captures a point-in-time snapshot. DNS records change frequently, so results are only valid at the lookupTimestamp recorded in the output.

Responsible use

Respect DNS infrastructure -- While DNS is a public protocol, avoid unnecessarily large or frequent queries against the same domains. The actor's batch size of 10 is designed to be respectful of DNS server resources.
Use for legitimate purposes -- DNS Record Lookup is intended for infrastructure auditing, security assessment, migration planning, and research. Do not use it to facilitate attacks, unauthorized reconnaissance, or harassment.
Protect sensitive results -- DNS records can reveal internal infrastructure details (mail servers, hosting providers, CDN configurations). Handle output data responsibly and avoid exposing it publicly if it pertains to organizations you do not control.
Comply with applicable policies -- Some organizations may have acceptable use policies that restrict automated DNS querying. Ensure your use case complies with relevant policies and terms of service.
Combine with authorization -- When performing security assessments or penetration testing, ensure you have written authorization from the domain owner before conducting bulk DNS lookups as part of a broader engagement.

FAQ

Q: Do I need any API keys to use this actor? A: No. DNS Record Lookup uses the Node.js native dns.promises module, which queries DNS servers directly. No third-party API keys, accounts, or subscriptions are required.

Q: Can I look up subdomains, not just root domains? A: Yes. Enter any subdomain (e.g., mail.google.com, api.github.com, staging.example.com) and the actor will resolve its DNS records.

Q: What happens if a domain does not exist or has no DNS records? A: The domain will still appear in the output dataset with null values for all record types. This makes it easy to identify which domains failed resolution.

Q: How many domains can I process in a single run? A: There is no hard limit. The actor processes domains in batches of 10. Runs of 1,000+ domains are practical and complete in a few minutes. For 10,000+ domains, consider increasing the timeout to account for occasional slow responses.

Q: What DKIM selectors does the actor check? A: Ten common selectors: google, default, selector1, selector2, k1, k2, k3, mail, smtp, and dkim. These cover Google Workspace, Microsoft 365, Mailchimp, SendGrid, Amazon SES, and most other popular email providers.

Q: Can I check only email security without resolving standard DNS records? A: Yes. Set recordTypes to an empty array [] and keep checkEmailSecurity set to true. The actor will skip A, AAAA, MX, NS, TXT, CNAME, and SOA resolution and only perform SPF, DMARC, and DKIM checks.

Q: Why are some record types returning null for domains I know exist? A: Most likely the DNS query timed out. Increase the timeout parameter to 10,000ms or 15,000ms. Also note that not all domains have all record types -- for example, apex domains typically do not have CNAME records, and many domains lack AAAA (IPv6) records.

Q: Does the actor strip www. from my input? A: Yes. The input cleaning step removes http://, https://, trailing paths, port numbers, and www. prefixes. So https://www.example.com:8080/page becomes example.com.

Q: How does the email security summary (hasEmailSecurity) work? A: The hasEmailSecurity field is true if any of the three email authentication mechanisms -- SPF, DMARC, or DKIM -- is detected for the domain. It is false only if none of them are configured.

Q: Can I schedule this actor to run automatically? A: Yes. Use Apify Schedules to trigger runs at any interval -- daily, weekly, or hourly. Combine with webhooks to send results to Slack, email, or a database whenever a scheduled run completes.

Q: What is the difference between txtRecords and spfRecord? A: The txtRecords field contains all TXT records for the domain, including SPF, domain verification tokens, and other entries. The spfRecord field specifically extracts the one TXT record that starts with v=spf1, making it easy to check SPF without parsing the full TXT array.

Q: Does the actor work for internationalized domain names (IDN)? A: The actor passes domain names directly to the Node.js DNS resolver. If the resolver supports IDN/Punycode conversion, internationalized domains will work. For best results, provide domains in Punycode format (e.g., xn--nxasmq6b.xn--jxalpdlp).

Actor	Description	Link
WHOIS Domain Lookup	Get WHOIS registration data including registrar, creation date, expiration, and registrant details. Pair with DNS Record Lookup for complete domain intelligence.	WHOIS Domain Lookup
IP Geolocation Lookup	Resolve IP addresses to geographic locations, ISPs, and organizations. Feed A record IPs from DNS results to determine where servers are physically hosted.	IP Geolocation Lookup
SSL Certificate Search	Search Certificate Transparency logs for SSL/TLS certificates issued for a domain. Discover subdomains and monitor certificate issuance alongside DNS records.	SSL Certificate Search
Censys Internet Host Search	Search Censys for internet-connected hosts by IP, domain, or certificate. Combine with DNS data for comprehensive infrastructure mapping.	Censys Internet Host Search
Website Tech Stack Detector	Detect the technologies, frameworks, and services a website uses. Cross-reference with DNS records to build a full infrastructure profile.	Website Tech Stack Detector

DNS Records Lookup

nexgendata/dns-records-lookup

Look up DNS records for any domain. Returns A, AAAA, MX, NS, TXT, CNAME, and SOA records with TTL values. Perfect for domain research, email verification, network diagnostics, and security auditing.

Stephan Corbeil

DNS Lookup | Scrape Domain Records & Security Intelligence

datascoutapi/dns-lookup

DNS lookup scrapes 22 data points including 10 DNS records (A, AAAA, MX, TXT, NS, CNAME, SOA, SRV, PTR, CAA) + email security analysis ( SPF/DKIM/DMARC), SSL certificate checker, domain monitoring. Processes 100 domains per batch with security scoring.

halam

Supernet DNS Lookup

superlativetech/dns-lookup

Bulk DNS records lookup. Query MX, SPF, DMARC, DKIM, TXT, CNAME, A, AAAA, NS, SOA and reverse DNS for any domain or IP. Batch thousands or query one instantly using the Standby API. For email reputation scoring, see Supernet Domain Health. For whois, see Supernet Whois.

Superlative

103

Domain Lookup Tool

cerebral_aluminum/domain-lookup

Bulk DNS analysis. A records, MX, nameservers, hosting provider, email provider, SPF/DMARC status for any domain.

Benny

DNS Lookup

automation-lab/dns-lookup

DNS Lookup resolves all standard DNS record types for one or more domains. It returns structured data including IP addresses, mail servers, name servers, TXT records, and an email security analysis that checks for SPF and DMARC configuration.

Stas Persiianenko

Domain Lookup

greip/domain-lookup

Lookup and analyze domain names and retrieve detailed information including security status, email authentication records (SPF, DMARC, DKIM, MX, BIMI), creation date, and risk assessment. Perfect for domain verification, fraud prevention, and security analysis.

Greip

DNS / SPF / DKIM / DMARC Audit API

taroyamada/dns-dmarc-security-checker

Audit SPF, DKIM, DMARC, and MX in bulk with grades, fix-ready recommendations, and recurring email-security monitoring.

太郎山田

TXT Record Checker

automation-lab/txt-record-checker

This actor checks DNS TXT records for domains. It validates SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication), and DKIM (DomainKeys Identified Mail) configuration. Also identifies domain verification records for Google, Facebook, Microsoft, and Apple.

Stas Persiianenko

Domain Checker - WHOIS & DNS

vivid_astronaut/domain-checker

Check domain availability, WHOIS records, DNS records, and SSL certificates. Supports bulk domain checking.

Fabio Suizu

Domain WHOIS & DNS Lookup â€” Registration, DNS Records & Tech

sovereigntaylor/domain-whois-scraper

Look up WHOIS data, DNS records, SSL certificates, and tech stack for any domain. Bulk domain research for lead generation, SEO audits, domain investing, and competitive intelligence. Uses RDAP, DNS-over-HTTPS, Certificate Transparency, and web WHOIS providers.