Domain Security Monitoring Checklist for Agencies and MSPs
A repeatable domain monitoring checklist for agencies and MSPs covering ownership, email authentication, TLS, security headers, alerting, and evidence.
Agencies and MSPs should maintain one owned inventory, a verified baseline, scheduled checks, and an escalation path for every client domain. The checklist below is designed to produce actionable evidence rather than a collection of one-off screenshots.
Onboarding
- Record the registrable domain, business owner, technical owner, DNS host, registrar, CDN/WAF, hosting platform, and renewal contacts.
- Require MFA and least-privilege access at the registrar, DNS provider, email platforms, and CDN.
- Inventory every authorized mail sender and its DKIM selectors.
- Capture the current SPF include chain, DKIM keys, DMARC record, MTA-STS policy, DNSSEC state, TLS certificate, HSTS policy, and security headers.
- Resolve critical failures before accepting the baseline; document intentional exceptions.
Recurring monitoring
- Recheck email and web posture on a consistent schedule and after planned changes.
- Alert on record removal, SPF lookup growth, DKIM key disappearance or revocation, DMARC enforcement reduction, certificate expiry, deprecated TLS, HSTS weakening, and removed security headers.
- Confirm observations from another vantage point or after a delay to avoid alerting on transient DNS and CDN propagation.
- Review DMARC aggregate reports for unknown senders and changes in alignment pass rate.
- Test notification delivery and keep at least two escalation contacts current.
Change and incident workflow
For each alert, preserve the time, old value, new value, confirmation result, impact assessment, owner, remediation, and resolution time. Avoid emailing secret share tokens or raw customer data into broad ticket queues. Revoke client report links when they are no longer needed.
After remediation, run a fresh independent check. A DNS control panel showing the intended value is not proof that public resolvers and receivers see it.
Quarterly review
Remove retired senders and stale accounts, rotate access, verify domain and certificate renewals, review exceptions, test restore procedures, and give the client a concise posture report. Update the baseline only after the client approves intentional changes.
The underlying standards include RFC 7208 for SPF, RFC 6376 for DKIM, RFC 7489 for DMARC, and RFC 6797 for HSTS.
Use the free checker below during onboarding to create a consistent first observation for each domain.
Check a domain for free
Audit email authentication, TLS, HSTS, and security headers. No signup required.
Checking the domain's records…