DNS Monitoring
MailShield continuously monitors your domain's DNS records to ensure your email security configuration is correct and up to date.
What We Monitor
MX Records
Mail exchanger records define which servers receive email for your domain.
Checks performed:
- Valid MX records exist
- Priority values are correctly set
- Mail servers are reachable
- TLS/STARTTLS support on each server
- DANE/TLSA records for each MX host
Example MX record:
example.com. IN MX 10 mail.example.com.
SPF Records
Sender Policy Framework specifies authorized email senders.
Checks performed:
- Valid SPF syntax (v=spf1)
- Mechanism validation (ip4, ip6, include, a, mx)
- All-policy presence and strength
- DNS lookup count (max 10 per RFC)
- Include tree expansion
- Provider detection
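The lookup-count and include-tree checks listed above can be reproduced offline. The following is an added example, not MailShield's own code: it walks a constructed zone, counts the terms that cost a DNS query, and flags include loops. All domain names and the names ZONE, count_lookups and check_spf are hypothetical; macros are not expanded and the separate void-lookup limit is not modelled.

```python
import re

LOOKUP_LIMIT = 10  # the per-evaluation cap the page cites (RFC 7208, section 4.6.4)
# Terms that cost a DNS query when a receiver evaluates the record.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT data standing in for live DNS answers; all names are made up.
ZONE = {
    "ok.example": "v=spf1 mx include:_spf.esp.example -all",
    "_spf.esp.example": "v=spf1 ip4:192.0.2.0/24 include:_a.esp.example ~all",
    "_a.esp.example": "v=spf1 ip4:198.51.100.0/24 a:relay.esp.example ~all",
    "loop.example": "v=spf1 include:loop-b.example -all",
    "loop-b.example": "v=spf1 include:loop.example -all",
    # Six includes look harmless, but each child spends one more lookup.
    "big.example": "v=spf1 " + " ".join(f"include:s{i}.big.example" for i in range(6)) + " -all",
}
ZONE.update({f"s{i}.big.example": "v=spf1 a:mta.big.example ~all" for i in range(6)})


def count_lookups(domain, zone, path=()):
    """Expand the include tree under `domain`; return (lookups, issues)."""
    terms = zone.get(domain, "").lower().split()
    if not terms or terms[0] != "v=spf1":
        return 0, [f"{domain}: no SPF record found"]
    lookups, issues = 0, []
    for term in terms[1:]:
        m = re.match(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?", term)
        if not m or m.group(1) not in LOOKUP_TERMS:
            continue  # ip4, ip6, all, exp and unknown terms cost nothing here
        lookups += 1
        name, target = m.groups()
        if name in ("include", "redirect") and target:
            if target in path + (domain,):
                issues.append(f"{domain}: {name} loop via {target}")
                continue
            sub_lookups, sub_issues = count_lookups(target, zone, path + (domain,))
            lookups += sub_lookups
            issues += sub_issues
    return lookups, issues


def check_spf(domain, zone=ZONE):
    """Summarise the lookup budget for one domain's SPF record."""
    lookups, issues = count_lookups(domain, zone)
    if lookups > LOOKUP_LIMIT:
        issues.append(f"{domain}: {lookups} lookups exceeds the limit of {LOOKUP_LIMIT}")
    return {"lookups": lookups, "issues": issues}


if __name__ == "__main__":
    for name in ("ok.example", "big.example", "loop.example"):
        print(name, check_spf(name))
```

The big.example record has only six include terms, yet its expanded tree spends twelve lookups, which is why the count has to be taken over the whole tree rather than the top-level record.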
Example SPF record:
v=spf1 include:_spf.google.com include:sendgrid.net -all
DKIM Records
DomainKeys Identified Mail provides cryptographic email signing.
Checks performed:
- Selector existence and validity
- Key type (RSA, Ed25519)
- Key strength (recommends ≥2048 bits)
- Record syntax validation
- Multiple selector support
Example DKIM record:
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjAN..."
DMARC Records
Domain-based Message Authentication unifies SPF and DKIM.
Checks performed:
- Valid DMARC syntax (v=DMARC1)
- Policy strength (none, quarantine, reject)
- Alignment modes (relaxed, strict)
- Reporting configuration (rua, ruf)
- Subdomain policy (sp)
- Percentage (pct)
Example DMARC record:
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
MTA-STS
Mail Transfer Agent Strict Transport Security enforces TLS.
Checks performed:
- DNS TXT record at _mta-sts.domain
- Policy file at https://mta-sts.domain/.well-known/mta-sts.txt
- Policy ID matching
- Mode validation (testing, enforce)
- MX host list validation
- Max age setting
TLS-RPT
TLS Reporting enables TLS failure notifications.
Checks performed:
- Valid record at _smtp._tls.domain
- Reporting URI validation
- Version tag presence
Example TLS-RPT record:
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:tls@example.com"
BIMI
Brand Indicators for Message Identification displays logos.
Checks performed:
- Valid record at default._bimi.domain
- Logo URL accessibility
- Image format validation
- VMC certificate (optional)
DNSSEC
DNS Security Extensions authenticates DNS responses.
Checks performed:
- DNSSEC enabled for domain
- Chain validation (root → TLD → domain)
- Key and signature validity
Monitoring Frequency
MailShield checks your DNS records:
| Trigger | Timing |
|---|---|
| Automatic | Every 2 hours |
| Manual | When you click "Run Check" |
| On change | When DNS propagation is detected |
Check Results
Each check produces one of these results:
Valid ✅
The record exists and follows best practices:
- Correct syntax
- Strong configuration
- No issues detected
Warning ⚠️
The record works but could be improved:
- Weak policy (e.g., DMARC p=none)
- Small key size
- Missing optional features
Error ❌
The record is missing or misconfigured:
- Syntax errors
- Missing required fields
- Invalid values
Not Configured ○
The feature is not set up:
- No record exists
- Feature is optional
Detailed Check Information
For each check, MailShield provides:
- Raw Record: The actual DNS response
- Parsed Fields: Structured breakdown of the record
- Validation Results: Specific issues found
- Recommendations: How to fix problems
- Best Practices: Tips for improvement
Change Detection
MailShield detects when DNS records change:
- Compares current records to previous checks
- Identifies what changed
- Sends alerts (if configured)
- Logs the change history
Provider Detection
For SPF and DKIM, MailShield identifies common providers:
| Provider | Detection Method |
|---|---|
| Google Workspace | _spf.google.com, google selector |
| Microsoft 365 | spf.protection.outlook.com, selector1/2 |
| Amazon SES | amazonses.com |
| SendGrid | sendgrid.net |
| Mailchimp | mailchimp.com, k1 selector |
This helps you understand which services are authorized to send email for your domain.