guides

Email Authentication Monitoring: Complete Guide

Learn how continuous SPF, DKIM, and DMARC monitoring detects configuration drift before it becomes a deliverability or spoofing incident.

Email authentication monitoring repeatedly checks the DNS records and policies that prove who may send mail for a domain. A useful monitor establishes a known baseline, detects meaningful changes, confirms them independently, and alerts with a readable explanation. A one-time test cannot catch the DNS edit, provider migration, or expired policy that happens next week.

What should be monitored?

The core controls are SPF, which authorizes sending infrastructure; DKIM, which cryptographically signs messages; and DMARC, which connects SPF and DKIM alignment to a receiver policy. MTA-STS, BIMI, and DNSSEC add transport, brand, and DNS-integrity signals.

For web posture, monitor TLS certificate validity and protocol version, HSTS, Content-Security-Policy, frame protection, MIME-sniffing protection, referrer policy, and permissions policy. These settings drift after CDN, WAF, hosting, or deployment changes even when the site still appears healthy.

A practical monitoring workflow

  1. Inventory every sending service and the domain it uses in the visible From address.
  2. Record the expected SPF includes, DKIM selectors, DMARC policy, reporting address, and alignment modes.
  3. Run an initial audit and resolve known failures before treating it as the baseline.
  4. Recheck on a schedule and after planned DNS or infrastructure changes.
  5. Confirm a change using another resolver or delayed observation before alerting.
  6. Review DMARC aggregate reports to find new or unauthorized senders that DNS checks alone cannot reveal.

Example: a marketing team adds a platform by appending include:sender.example to SPF. The include chain pushes the domain from 9 to 11 DNS-causing terms. The record still exists and looks plausible, but receivers must return a permanent SPF error after the limit is exceeded. A recursive monitor should report both the count and include path.

What a useful alert contains

An alert should name the affected domain and control, show the old and new values, state the likely impact, and offer a concrete next check. “DNS changed” is noise; “DMARC changed from p=reject to p=none, so failing mail is no longer rejected” is actionable.

Monitor configuration, not message content. Hash or avoid visitor identifiers, restrict access to customer-specific results, and never publish indexable per-domain scan pages.

Authoritative references

Run the free AuthDrift checker below to capture the current email-authentication and web-posture baseline for a domain.

Check a domain for free

Audit email authentication, TLS, HSTS, and security headers. No signup required.

Know your DKIM selector?
Checking the domain's records…