For some time (going back to before Sympl forked) there’s been a problem checking what DNS is actually public, versus what Sympl thinks it should have.
I’ve spent some time and built a script which you can run against a domain, and it will check the domain health in general (nameservers are consistent), then iterate through the current DNS templates in /srv/example.com/config/dns/*.txt and compare their contents against public results.
It’s very early, and may well have some interesting bugs, but do have a go and see what you think.
The script itself is available here, and is part of the sympl-scripts repository.
As an example…
root@sympl:~# ./sympl-dns-audit sympl.host
Detecting authoritative DNS servers... ok
Nameserver 1: ns1.mythic-beasts.com
Nameserver 2: ns2.mythic-beasts.com
Checking authoritative servers are in-sync... ok, will use 'ns1.mythic-beasts.com' for queries
ok sympl.host A 46.235.231.141
ok ftp.sympl.host A 46.235.231.141
ok www.sympl.host A 46.235.231.141
ok mail.sympl.host A 46.235.231.141
ok mx.sympl.host A 46.235.231.141
ok sympl.host AAAA 2a00:1098:88::3:1
ok ftp.sympl.host AAAA 2a00:1098:88::3:1
ok www.sympl.host AAAA 2a00:1098:88::3:1
ok mail.sympl.host AAAA 2a00:1098:88::3:1
ok mx.sympl.host AAAA 2a00:1098:88::3:1
ok sympl.host MX mx.sympl.host.
warn sympl.host TXT
expected "v=spf1 +a +mx -all"
got "v=spf1 a mx ip6:2a00:1098:88::3:2 a:sympl.host -all"
"google-site-verification=PLy31m_2atEDmGh4p-rkmd8lNfmiZdV5cyhYi9hc8uk"
ok default._domainkey.sympl.host TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx5d846+Kwm/+Wo5k8Y1SyV2uFHZaGETpPLeFcTV5vu9cVoP2OFnOFVVtAPQ1J8MLSVpH0mJX27sw2RGGImFWvlIVFmhX4bhk3rIwEUBuL4+jwEmk5LjIpwdZtzUVxJzJfCsE/rEdXTPohmOJI6DxDaVciVPF1UBTGFbFsUJV9tJ3FCsbbi+lGmZBtMJn9NNlfcM2uPHY2urwUKiKNi/UrrBP0fHwOlVjLGOyG1ugxbC1jsS37cpRQ8kxLoIVxJ/un4cZo3tWDqkytLDXM11DSrF/TWbS3ENCsuxHvOMuuin+AJFN3P1KIiGrGynH3f6tOEgTcS3MQ0CNPP/HuJuP+QIDAQAB"
ok _dmarc.sympl.host TXT "v=DMARC1; p=quarantine; sp=none"
Give it a go and let me know how it works.
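
The comparison step described above (records from the templates versus what the authoritative server publishes), as an added Python example; it is not the sympl-dns-audit script's own code. The function names and the record tuples are assumptions, and the sample data is constructed from the run shown above.

```python
import ipaddress
from collections import defaultdict

def normalise(rtype, value):
    """Canonical form, so cosmetic differences are not reported as drift."""
    value = value.strip()
    if rtype in ("A", "AAAA"):
        return str(ipaddress.ip_address(value))   # collapses IPv6 spellings
    if rtype in ("MX", "CNAME", "NS"):
        return value.lower().rstrip(".")          # names are case-insensitive
    if rtype == "TXT" and '"' in value:
        # One TXT record may arrive as several quoted strings; join them.
        # Assumption: no escaped quotes inside the strings.
        return "".join(value.split('"')[1::2])
    return value

def group(records):
    """(name, type, value) tuples -> {(name, type): set of normalised values}"""
    out = defaultdict(set)
    for name, rtype, value in records:
        rtype = rtype.upper()
        out[(name.lower().rstrip("."), rtype)].add(normalise(rtype, value))
    return out

def audit(expected, published):
    """One (status, name, type, missing, unexpected) row per expected record set."""
    exp, pub = group(expected), group(published)
    report = []
    for key in sorted(exp):
        got = pub.get(key, set())
        missing, unexpected = exp[key] - got, got - exp[key]
        status = "warn" if missing or unexpected else "ok"
        report.append((status, *key, sorted(missing), sorted(unexpected)))
    return report

# Constructed sample data: what a template would ask for ...
EXPECTED = [("sympl.host", "A", "46.235.231.141"),
            ("sympl.host", "AAAA", "2a00:1098:88::3:1"),
            ("sympl.host", "MX", "mx.sympl.host."),
            ("sympl.host", "TXT", '"v=spf1 +a +mx -all"')]
# ... and what an authoritative server might answer (spelling varies on purpose).
PUBLISHED = [("sympl.host.", "A", "46.235.231.141"),
             ("sympl.host.", "AAAA", "2a00:1098:0088:0:0:0:3:1"),
             ("SYMPL.host.", "MX", "MX.sympl.host"),
             ("sympl.host.", "TXT", '"v=spf1 a mx ip6:2a00:1098:88::3:2 a:sympl.host -all"'),
             ("sympl.host.", "TXT", '"google-site-verification=EXAMPLE"')]

if __name__ == "__main__":
    for row in audit(EXPECTED, PUBLISHED):
        print(*row)
```

The TXT row comes back as `warn` with the template's SPF string listed as missing and both published strings listed as unexpected, which is the same kind of drift the run above reports for sympl.host.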