Compare
lens is a unified domain health checker — one URL, five axes, one grade. This page helps you decide which tool fits your needs: lens for breadth, or a specialist for depth. The depth gaps are admitted, not papered over.
Table 1 — Unified domain checkers
Tools in this group each aim to give you a broad domain health picture from a single query.
✓ full coverage
~ partial or lower depth
✗ not done
— out of scope for that tool
| Feature | lens | hardenize | internet.nl | observatory.mozilla.org |
|---|---|---|---|---|
DNS checks
lens: MX, SPF, DKIM, DMARC, DNSSEC, NS, SOA via mhost-prism.
hardenize: MX, NS, DNSSEC, CAA; strong on DNS security hygiene. internet.nl: DNSSEC validation, IPv6 on name servers; email-DNS records. observatory.mozilla.org: Does not perform DNS record analysis. |
✓ | ✓ | ~ | ✗ |
TLS checks
lens: Certificate validity, chain, protocol versions, cipher suite basics, HSTS via tlsight.
hardenize: Deep TLS analysis; cipher enumeration, protocol downgrades, certificate monitoring. internet.nl: HTTPS availability, TLS version support, HSTS; moderate depth. observatory.mozilla.org: Checks HTTPS redirect and HSTS header; no TLS handshake analysis. |
~ | ✓ | ~ | ~ |
HTTP header checks
lens: All major security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) via spectra.
hardenize: Security headers included; graded alongside TLS and certificate results. internet.nl: HTTPS and HSTS checked; does not grade the full security-header set. observatory.mozilla.org: Primary focus — detailed security-header grading A+ through F. |
✓ | ✓ | ~ | ✓ |
Email checks
lens: SPF, DKIM, DMARC, MTA-STS, BIMI via beacon.
hardenize: SPF, DKIM, DMARC, MTA-STS, BIMI VMC chain validation, STARTTLS on mail ports. internet.nl: SPF, DKIM, DMARC, STARTTLS, DANE — focused on modern standard compliance. observatory.mozilla.org: Does not check email configuration. |
✓ | ✓ | ~ | ✗ |
IP enrichment
lens: ASN lookup, geolocation, reverse DNS, abuse contact via ifconfig-rs.
hardenize: Shows hosting provider and geolocation alongside security results. internet.nl: No IP-level enrichment beyond IPv6 connectivity checks. observatory.mozilla.org: Does not provide IP enrichment. |
✓ | ~ | ✗ | ✗ |
API access
lens: REST API, SSE streaming, open source — self-hostable. No key required for public instance.
hardenize: API available on paid plans; free tier is UI-only. internet.nl: Batch API available; requires registration for bulk queries. observatory.mozilla.org: Public HTTP API; no auth required. |
✓ | ~ | ~ | ✓ |
No login required
lens: Fully open — no account, no rate-limit wall for normal use.
hardenize: Free tier is no-login; advanced reports and API require an account. internet.nl: Single checks need no login; batch API requires registration. observatory.mozilla.org: No login required for any feature. |
✓ | ✓ | ✓ | ✓ |
Table 2 — Per-axis specialists
When you need deep analysis on a single axis, these tools go further than any unified checker.
✓ full coverage
~ partial or lower depth
✗ not done
— out of scope for that tool
DNS
| Check | mhost-prism (lens) | dig | dnsviz.net | intodns.com | mxtoolbox (DNS) |
|---|---|---|---|---|---|
MX records
mhost-prism: Retrieves and displays MX records with priority.
dig: Raw MX query — full control, no interpretation. dnsviz.net: MX visible in zone graph; no semantic analysis. intodns.com: Lists MX records and checks basic configuration. mxtoolbox: Dedicated MX lookup with latency and reverse-DNS check. |
✓ | ✓ | ~ | ✓ | ✓ |
SPF record
mhost-prism: Retrieves and parses SPF TXT record, flags common policy errors.
dig: Raw TXT lookup only; no SPF semantic analysis. dnsviz.net: No SPF-specific analysis; zone data visible as raw TXT. intodns.com: No SPF semantic checking. mxtoolbox: Dedicated SPF record lookup and policy parse. |
✓ | ~ | ✗ | ✗ | ✓ |
DMARC record
mhost-prism: Retrieves and parses DMARC record including policy and rua/ruf tags.
dig: Can query _dmarc TXT record; no parsing. dnsviz.net: No DMARC semantic analysis. intodns.com: No DMARC checking. mxtoolbox: Dedicated DMARC lookup with policy interpretation. |
✓ | ~ | ✗ | ✗ | ✓ |
DKIM lookup
mhost-prism: Queries common DKIM selectors and displays public key records.
dig: Can query any selector directly if known; requires manual selector input. dnsviz.net: No DKIM-specific analysis. intodns.com: No DKIM checking. mxtoolbox: DKIM record lookup given a selector name. |
✓ | ~ | ✗ | ✗ | ✓ |
DNSSEC validation
mhost-prism: Checks DNSSEC signing status and DS records.
dig: +dnssec flag shows RRSIG records; requires expert interpretation. dnsviz.net: Gold standard — visual chain-of-trust graph, delegation analysis, failure diagnosis. intodns.com: No DNSSEC validation. mxtoolbox: Basic DNSSEC check; no chain-of-trust visualisation. |
~ | ~ | ✓ | ✗ | ~ |
NS records
mhost-prism: Lists authoritative name servers.
dig: Full NS query with any server override. dnsviz.net: NS delegation path is central to its graph. intodns.com: Checks NS records, lame delegation, and consistency. mxtoolbox: NS lookup available. |
✓ | ✓ | ✓ | ✓ | ✓ |
SOA record
mhost-prism: Retrieves SOA record fields (serial, refresh, retry, expire).
dig: Full SOA query. dnsviz.net: SOA visible as part of zone graph. intodns.com: Checks SOA and flags configuration issues. mxtoolbox: SOA lookup available. |
✓ | ✓ | ✓ | ✓ | ✓ |
DNS propagation
mhost-prism: Queries from a single vantage point; no multi-PoP propagation view.
dig: Single resolver per invocation; scripts can parallelize. dnsviz.net: Queries multiple authoritative servers; not a propagation checker per se. intodns.com: No global propagation check. mxtoolbox: DNS propagation checker queries resolvers in multiple regions. |
✗ | ~ | ✗ | ✗ | ✓ |
TLS
| Check | tlsight (lens) | ssllabs.com | badssl.com |
|---|---|---|---|
Certificate validity
tlsight: Expiry date, subject, SAN entries, issuer chain.
ssllabs: Full certificate details with trust-chain validation across major stores. badssl.com: Reference pages for expired/self-signed certs — not a scanner. |
✓ | ✓ | — |
Certificate chain
tlsight: Verifies chain completeness and flags missing intermediates.
ssllabs: Full chain analysis; checks cross-signs and extra certs. badssl.com: Has reference pages for incomplete-chain scenarios; not a scanner. |
✓ | ✓ | — |
Protocol versions (deprecated detection)
tlsight: Flags TLS 1.0 and 1.1 if offered alongside 1.2/1.3.
ssllabs: Tests all versions including SSLv2/v3; grades down for deprecated protocols. badssl.com: Reference endpoints for TLS 1.0 and 1.1 — useful for browser testing. |
✓ | ✓ | — |
Cipher suites
tlsight: Lists offered cipher suites; flags known-weak ciphers.
ssllabs: Full enumeration with per-cipher grade, forward secrecy flags, and downgrade attack tests (POODLE, BEAST, RC4). badssl.com: Reference pages for RC4 and other weak cipher configurations; not a scanner. |
~ | ✓ | — |
HSTS
tlsight: Checks HSTS header presence, max-age, and includeSubDomains flag.
ssllabs: HSTS included in full TLS grade; preload list status shown. badssl.com: Has a no-hsts reference page; not an active scanner. |
✓ | ✓ | — |
OCSP stapling
tlsight: Does not currently check OCSP stapling status.
ssllabs: Full OCSP stapling and must-staple extension check. badssl.com: Out of scope — badssl is a reference tool, not a scanner. |
✗ | ✓ | — |
StartTLS (mail ports)
tlsight: HTTPS (port 443) only; does not test SMTP ports 25, 465, or 587.
ssllabs: Tests StartTLS on ports 25, 465, and 587 as part of its mail-server profile. badssl.com: Web-only reference; no mail-port testing. |
✗ | ✓ | — |
HTTP
| Check | spectra (lens) | securityheaders.com |
|---|---|---|
Content-Security-Policy
spectra: Detects presence, shows raw and parsed directives, flags unsafe-inline.
securityheaders.com: Parses and grades CSP; flags unsafe-* keywords and missing directives with detailed explanation. |
✓ | ✓ |
Strict-Transport-Security
spectra: Checks HSTS presence, max-age, and subdomain coverage.
securityheaders.com: Same checks plus preload status and explanatory grading. |
✓ | ✓ |
X-Frame-Options
spectra: Checks for DENY or SAMEORIGIN; flags deprecated ALLOWFROM.
securityheaders.com: Same checks with notes on CSP frame-ancestors superseding X-Frame-Options. |
✓ | ✓ |
X-Content-Type-Options
spectra: Checks for nosniff value.
securityheaders.com: Checks for nosniff; notes browser MIME sniffing mitigations. |
✓ | ✓ |
Referrer-Policy
spectra: Detects presence and value; flags overly-permissive policies.
securityheaders.com: Grades referrer policy strictness and explains cross-origin implications. |
✓ | ✓ |
Permissions-Policy
spectra: Checks for presence and lists declared feature policies.
securityheaders.com: Checks presence; notes it as an emerging standard in grades. |
✓ | ✓ |
Server header disclosure
spectra: Shows raw Server header value; flags software version disclosure.
securityheaders.com: Flags server and X-Powered-By disclosure as informational findings. |
✓ | ✓ |
| Check | beacon (lens) | mxtoolbox (mail) | dmarcian | postmark mail-tester |
|---|---|---|---|---|
SPF record & policy
beacon: Retrieves and parses SPF record; flags policy permissiveness and syntax errors.
mxtoolbox: SPF record lookup with policy interpretation and include-chain expansion. dmarcian: SPF analyser as part of its DMARC-focused suite; checks include limits. postmark mail-tester: SPF verified against a test message you send; requires sending an email to a test address. |
✓ | ✓ | ✓ | ✓ |
DKIM record lookup
beacon: Queries common DKIM selectors and displays public key records.
mxtoolbox: DKIM lookup given a selector name. dmarcian: DKIM record lookup as part of domain analysis. postmark mail-tester: Validates DKIM signature in a test message you send. |
✓ | ✓ | ✓ | ✓ |
DMARC record & policy
beacon: Parses DMARC record including policy, subdomain policy, and reporting addresses.
mxtoolbox: DMARC record lookup with policy explanation. dmarcian: Primary focus — deep DMARC record analysis, policy evaluation, alignment guidance. postmark mail-tester: Checks DMARC alignment in the test message. |
✓ | ✓ | ✓ | ✓ |
MTA-STS
beacon: Checks MTA-STS DNS record and fetches the policy file.
mxtoolbox: Does not check MTA-STS. dmarcian: No MTA-STS checking. postmark mail-tester: Out of scope for mail-tester. |
✓ | ✗ | ✗ | — |
BIMI record
beacon: Checks BIMI DNS record and logo URI.
mxtoolbox: No BIMI checking. dmarcian: No BIMI checking in the standard tool. postmark mail-tester: Out of scope. |
✓ | ✗ | ✗ | — |
DANE / TLSA
beacon: Does not currently check DANE/TLSA records.
mxtoolbox: No DANE/TLSA checking. dmarcian: No DANE/TLSA checking. postmark mail-tester: Out of scope. |
✗ | ✗ | ✗ | — |
Blacklist check
beacon: Does not include blacklist / reputation checks.
mxtoolbox: Checks 100+ blacklists; a flagship feature with 20+ years of list curation. dmarcian: No blacklist checking. postmark mail-tester: Checks blacklist reputation as part of deliverability scoring. |
✗ | ✓ | ✗ | ✓ |
IP
| Check | ifconfig-rs (lens) | ifconfig.me | ipapi.co |
|---|---|---|---|
IP address detection
ifconfig-rs: Detects caller IP; also resolves IPs for a queried domain.
ifconfig.me: Returns the caller's public IP; simple, minimal interface. ipapi.co: Returns IP data for any given IP; API-first. |
✓ | ✓ | ✓ |
ASN lookup
ifconfig-rs: ASN number and organisation name via RDAP.
ifconfig.me: No ASN information. ipapi.co: ASN and organisation name included in geolocation response. |
✓ | ✗ | ✓ |
Geolocation
ifconfig-rs: Country, region, city via GeoIP database.
ifconfig.me: No geolocation. ipapi.co: Country, city, latitude/longitude, timezone — primary product. |
✓ | ✗ | ✓ |
Reverse DNS
ifconfig-rs: PTR record lookup for the queried IP.
ifconfig.me: Shows hostname (reverse DNS) for the caller's IP. ipapi.co: No reverse DNS lookup. |
✓ | ✓ | ✗ |
Abuse contact
ifconfig-rs: Abuse contact email and RDAP data from the RIR record.
ifconfig.me: No abuse contact information. ipapi.co: No abuse contact information. |
✓ | ✗ | ✗ |
Where lens trades depth for breadth
lens covers five axes in one query. Specialists go deeper on each axis. Here are the three gaps that matter most.
SSL Labs covers StartTLS on SMTP ports 25, 465, and 587, runs full cipher-suite enumeration with downgrade tests (POODLE, BEAST, RC4), and checks a broader set of handshake variants that tlsight does not yet test. For a mail server's TLS posture, SSL Labs gives a more authoritative grade.
hardenize includes additional email-edge checks such as BIMI VMC chain validation and variant MTA-STS report parsing that beacon does not yet replicate. Its certificate-monitoring subscription tracks expiry across all your domains, not just on-demand checks.
mxtoolbox carries 20+ years of mail-flow heuristics — blacklist reputation across 100+ lists, live SMTP banner testing, and delivery-path tracing — that beacon does not yet replicate.
Skeptical? Check your own domain at netray.info.