Free · No signup · Instant

Free Domain Lookup — WHOIS, DNS, SSL, Subdomains & Email Security

Type any domain. Get registration data, DNS records, live SSL certificate, subdomain enumeration, and SPF/DMARC/DKIM email security in one polished report. No ads, no signup, no rate limits on the report view.

Please enter a valid domain (e.g. example.com).
Or try: cloudflare.com github.com stripe.com openai.com vercel.com apple.com
5 data categories in one search No ads, no signup Open source & self-hostable
What you get

Five data categories in one search.

Every domain lookup returns the full picture: registration, infrastructure, certificates, attack surface, and email-security posture. Same data the underlying REST API returns, rendered as a polished HTML report.

WHOIS / RDAP

Registrar, creation and expiry dates, nameservers, status codes, and registrant data where public. RDAP-first with a 4-tier fallback ending in port-43 socket WHOIS for 50+ TLDs including most ccTLDs.

DNS records

All major record types resolved live: A, AAAA, MX, TXT, NS, CAA, and SOA. Returned with TTLs intact. Useful for verifying configuration changes and infrastructure mapping.

SSL/TLS certificate

Live TLS handshake against port 443. Returns issuer, subject, validity dates, SANs, signature algorithm, key strength, and days-until-expiry. No third-party scanner — the data is the live certificate the server presented.

Subdomain enumeration

Five parallel sources — crt.sh, certspotter, hackertarget, AlienVault OTX, and VirusTotal — plus an always-on DNS bruteforce against a 686-word wordlist. The bruteforce runs every time, so the response is never empty even when individual upstream sources are down.

Email security

SPF and DMARC records parsed. DKIM keys auto-discovered by probing ~29 common selectors used by major mail providers: Google Workspace, Microsoft 365, Mailchimp, SendGrid, Postmark, Mandrill, Klaviyo, Mailgun, and more.

Who uses this

Eight common workflows.

Domain lookup data is rarely the end goal. People use this tool to enrich something else — an alert, a CRM record, a phishing investigation, a compliance audit. Here are the most common ways visitors actually use it.

Security & threat intelligence
Enrich indicators of compromise from a SIEM alert. Pull DNS, WHOIS, SSL, and subdomain context on suspicious domains in one request. Pivot on shared registrars, certificate SANs, or nameservers to identify campaigns.
Phishing & scam investigation
Investigate brand-impersonation domains like netflixupdates.com or chase-verification.com. Check registration age (newly-registered = higher risk), SSL issuer, and whether SPF/DMARC is configured to look legitimate. Compare against the real brand's data side-by-side.
IP-to-domain verification
Verify that a specific IP address (e.g. 140.82.112.3) genuinely belongs to a given domain. The DNS section shows live A and AAAA records, so you can confirm or refute IP attribution in seconds — useful during incident response or when validating allowlists.
Subdomain finder & attack surface mapping
Discover all subdomains of a target domain. Six sources run in parallel (crt.sh, certspotter, hackertarget, AlienVault OTX, VirusTotal, plus always-on DNS bruteforce against a 686-word wordlist) so coverage is reliable even when individual sources are down. Used by pentesters, red teamers, and security engineers for asset discovery.
SSL/TLS certificate monitoring
Check certificate issuer, validity window, SANs, and days-until-expiry for any domain. Pull this into a monitoring script to alert before certs expire, or use it ad-hoc to verify a cert chain after deployment.
Email security audit (DKIM, DMARC, SPF)
Check email security posture in a single lookup. SPF and DMARC records are parsed; DKIM keys are auto-discovered by probing ~29 common selectors (Google Workspace, Microsoft 365, Mailchimp, SendGrid, Postmark, Mandrill, Klaviyo, Mailgun, and more). Useful for deliverability audits and compliance work.
Brand protection
Monitor for lookalike domains and unauthorized certificates issued for your brand. Combine subdomain enumeration via Certificate Transparency logs with WHOIS to catch typosquats, homoglyphs, and brand-impersonation domains as they appear.
Sales & lead enrichment
Verify domain age, MX provider (detect Google Workspace vs Microsoft 365), DMARC posture (mature security org?), and subdomain count (engineering footprint estimate) before adding a company domain to your CRM. Score leads automatically.
vs other lookup tools

Why this lookup tool?

Most free WHOIS / domain lookup tools were built years ago and show their age — aggressive ads, ugly markup, partial data, registration walls. This tool was built recently with the technical capabilities you'd expect from a modern API turned into a public UI.

OTI Labs Lookup whois.com / who.is ICANN Lookup WhoisXMLAPI (free)
WHOIS / RDAPRDAP + port-43 (4-tier)WHOISRDAP onlyWHOIS + RDAP
DNS recordsA, AAAA, MX, TXT, NS, CAA, SOASeparate paid product
SSL/TLS certLive handshakeSeparate paid product
Subdomain enumeration5 sources + DNS bruteforceSeparate paid product
Email security (SPF/DMARC/DKIM)29 selectors auto-probedSeparate paid product
Ads / signup wallNoneHeavy adsNoneRegistration required
Open sourceMIT on GitHub
FAQ

Frequently asked questions.

Quick answers to the most common questions about the lookup tool, the data, and how it compares.

What is a domain lookup?+
A domain lookup retrieves public registration and infrastructure data about a domain name. Our tool returns WHOIS/RDAP registration info, DNS records (A, AAAA, MX, TXT, NS, CAA, SOA), live SSL/TLS certificate details, subdomain enumeration, and email security posture (SPF, DMARC, DKIM) for any domain in a single request.
Is this lookup tool really free?+
Yes. The public lookup tool is free with no signup, no registration, and no rate limit on the rendered HTML report view. Each report is generated live on demand and cached for 24 hours. For programmatic API access, a free tier of 1,000 requests per month is available on RapidAPI, with paid tiers starting at $9.99/mo.
What data does the lookup return?+
Five categories. WHOIS/RDAP — registrar, dates, nameservers, status codes via a 4-tier fallback chain. DNS — A, AAAA, MX, TXT, NS, CAA, SOA resolved live. SSL — live TLS handshake returning issuer, validity, SANs, signature algorithm, days-until-expiry. Subdomains — 5 parallel sources plus always-on DNS bruteforce against a 686-word wordlist. Email security — SPF, DMARC, DKIM auto-probed across 29 selectors.
What DNS records does the lookup return?+
All seven major record types in one request: A (IPv4 addresses), AAAA (IPv6 addresses), MX (mail exchangers), TXT (verification and policy records, including SPF), NS (authoritative nameservers), CAA (certificate authority authorization), and SOA (start of authority). Records are resolved live via async DNS with a 5-second per-record timeout and TTLs are preserved in the response.
How does the SSL certificate check work?+
The tool performs a live TLS handshake against the domain on port 443 — no third-party scanner in the loop. The leaf certificate is parsed and the response includes the issuer (CA), subject, validity window, all Subject Alternative Names (SANs), signature algorithm, key bits, serial number, and a days-until-expiry countdown. The certificate data reflects exactly what the server presents at the moment of the request.
How does subdomain enumeration work?+
The enumeration runs six sources concurrently: crt.sh (Certificate Transparency log aggregator), certspotter (SSLMate CT mirror), hackertarget (passive DNS), AlienVault OTX (passive DNS), VirusTotal v3 (passive DNS), and an always-on DNS bruteforce against a curated 686-word wordlist via public resolvers. The bruteforce runs every time, not just as fallback — so even when external CT log sources are rate-limited or down, the response is never empty. Up to 1,000 deduplicated results are returned per request.
Does it check email security (SPF, DMARC, DKIM)?+
Yes. The lookup inspects DNS TXT records for SPF (sender policy framework) and DMARC (domain-based message authentication) records. DKIM keys are auto-discovered by probing ~29 common selectors used by major mail providers including Google Workspace, Microsoft 365, Mailchimp, SendGrid, Postmark, Mandrill, Klaviyo, Mailgun, and generic catchalls. This finds DKIM for ~60-80% of real domains. Custom or hash-based selectors (e.g. some Amazon SES configs) won't be auto-discovered, but the rest of the email security posture is still returned.
Why is some WHOIS data redacted?+
GDPR. Since 2018, most gTLDs (.com, .net, .org) strip personally identifiable registrant data from public WHOIS records by default. Registrar, dates, and nameservers remain public. Some ccTLDs (notably .uk, .nl) hide even more via port-43 WHOIS as registry policy. The tool returns whatever the upstream registry publishes — we don't synthesize or guess at redacted fields.
How is this different from whois.com or WhoisXMLAPI?+
Three main differences. (1) No ads and no signup wall — most free WHOIS sites are aggressive with ads, popups, or push-to-register flows. (2) Five categories in one search — WHOIS, DNS, SSL, subdomains, and email security in a single polished report instead of jumping between separate tools. (3) Open source — the underlying engine is MIT-licensed on GitHub and self-hostable, so security teams can inspect or run the code in their own environment.
Can I look up any domain?+
Yes. The tool accepts any syntactically valid domain — registered or unregistered, gTLD or ccTLD, IDN/punycode supported. If a domain isn't registered, you'll see empty WHOIS data and likely empty DNS records. If a domain is registered but has registry policy redactions (.uk, .nl), some fields will be blank. The tool returns whatever the authoritative sources publish.
Can I use this to investigate phishing or suspicious domains?+
Yes — this is one of the most common use cases. Security researchers, fraud teams, and SOC analysts use the lookup to investigate brand-impersonation domains, typosquats, and reported phishing URLs. Useful signals: registration age (newly-registered domains are higher risk), SSL certificate issuer (legitimate brands typically use specific CAs), nameserver patterns, and whether SPF/DMARC is configured. Compare a suspicious domain against the legitimate brand's report side-by-side to spot infrastructure mismatches.
Can I check whether an IP address belongs to a specific domain?+
Yes. The DNS section returns the live A (IPv4) and AAAA (IPv6) records for any domain. To verify whether a specific IP belongs to a domain — e.g. is 140.82.112.3 really GitHub? — look up the domain and check the A records. This is useful during incident response, allowlist validation, and forensic IP attribution work. Note: a single domain often resolves to many IPs (CDN-fronted services like Cloudflare, Fastly, AWS CloudFront), so the absence of a specific IP in the A records doesn't prove the IP isn't associated with the domain at all.
Do you offer an API for programmatic access?+
Yes. The same engine powers a JSON REST API listed on RapidAPI. The free tier covers 1,000 requests per month with no credit card required; paid tiers start at $9.99/mo for 50,000 requests. The API and the lookup tool return the same data structures from the same underlying engine, so the data is identical.

Need this in code instead?

The same engine that powers this lookup is available as a JSON REST API on RapidAPI. Free tier: 1,000 requests/month, no credit card. Single /lookup/{domain} call returns all five data categories. Or use individual endpoints like /domain/{d}/whois if you only need one.

See API docs & pricing View on GitHub