DNS monitoring for deliverability and security.

DMARC tells mailbox providers (Gmail, Outlook, etc.) what to do when an email claiming to be from your domain fails authentication. It also lets you collect reports (so you can see who is sending as you).

• The DMARC record lives at _dmarc.yourdomain.com (as a TXT record).
• “View report” shows your current DMARC record and a recommended record. The recommended record is designed to be safe to copy/paste (often starting with p=none for reporting, then upgrading later).
• The key comparison is usually the p= policy (none/quarantine/reject) and whether you have rua= set for reporting.

Run the DMARC check →

SPF is a TXT record that lists which mail systems are allowed to send email for your domain. SPF has a hard limit: mailbox providers will only follow 10 DNS lookups during evaluation.

• “Review” usually means your SPF record is getting close to the 10-lookup limit (often due to many include: entries).
• If you hit the limit, SPF can effectively fail — causing deliverability issues.
• Typical fixes: remove unused senders, consolidate providers, or “flatten” SPF (carefully).

(We’ll add a “See includes” view that lists the include chain and exactly which includes cost lookups.)

MX records tell the internet which servers receive email for your domain. If MX records change unexpectedly, inbound mail can break (or be redirected).

• We monitor MX changes and will surface “what changed” + whether it looks risky.
• Common legit change: migrating Google Workspace ↔ Microsoft 365 ↔ other providers.

MTA-STS is an email security standard that tells senders to require TLS when delivering mail to your domain. It helps prevent downgrade and man-in-the-middle attacks against inbound email.

• It’s “Missing” when you don’t publish an MTA-STS policy.
• Enabling it involves DNS + hosting a small policy file (we’ll provide step-by-step instructions).
• If you’ve never heard of it, you’re not alone — but it’s increasingly common on security-conscious domains.