Why monitor email security and deliverability?
Running an email domain audit once tells you where you stand today. But your DNS configuration is not static. Vendors update their sending infrastructure, teams rotate DKIM keys, registrars migrate zones, and a single edit to a TXT record can silently break authentication or weaken your security posture.
Email security and deliverability monitoring closes that gap. CaptainDNS re-runs the complete audit on a schedule, compares the result to the previous scan, and emails you a digest the moment something meaningful changes. You see the previous value, the new value, and the reason, so a regression never goes unnoticed.
This is not limited to deliverability. The monitor covers the full picture: how your domain sends mail, how it receives mail, and how its DNS is secured.
What the monitor watches
The audit, and therefore the monitor, spans nine protocols grouped into three pillars:
| Pillar | Protocols | What a change can mean |
|---|---|---|
| Sending | SPF, DKIM, DMARC, BIMI | Authentication weakened, mail sent to spam, brand logo lost |
| Receiving | MX, MTA-STS, TLS-RPT, DANE | Inbound TLS downgraded, mail routing altered, reporting lost |
| DNS Security | DNSSEC | Resolution at risk, domain may stop resolving entirely |
For each pillar, the monitor tracks both the score and the individual records. A change to either can trigger an alert.
Changes that trigger an alert
Every alert is a digest that names the affected record or pillar, shows the value before and after, and explains why it matters. Common triggers include:
- SPF weakened or oversized: the qualifier changes to ~all (softfail) or ?all (neutral), or the record exceeds the 10 DNS lookup limit and starts failing. Validate with the SPF Record Check.
- DKIM key removed or expired: a published selector disappears or stops returning a public key, breaking signatures for that stream. Verify with the DKIM Record Check.
- DMARC downgraded: the policy drops from p=reject or p=quarantine back to p=none, removing spoofing protection. Review with the DMARC Record Check.
- DNSSEC broken or unsigned: the signing chain breaks or DNSSEC is removed, putting resolution at risk for validating resolvers.
- Reception records altered: MX records change, the MTA-STS policy mode is lowered, TLS-RPT reporting is removed, or DANE TLSA records are modified.
- BIMI modified: the BIMI record or logo reference changes, which can remove your brand indicator from supporting inboxes.
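The SPF and DMARC triggers above can be checked by comparing two scans offline. The sketch below is an added example, not CaptainDNS code: the function names, the strictness rankings and the sample records (reserved .example names) are assumptions made for illustration, and includes are followed through an in-memory dictionary instead of live DNS.

```python
import re

QUALIFIER_RANK = {"-all": 3, "~all": 2, "?all": 1, "+all": 0}   # stricter = higher
DMARC_RANK = {"reject": 2, "quarantine": 1, "none": 0}
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|exists:|redirect=|a(?=$|[:/])|mx(?=$|[:/])|ptr(?=$|:))")

def spf_all(record):
    """Return the 'all' term with its qualifier ('all' alone means '+all'); None if absent."""
    for term in record.lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term if term[0] in "+-~?" else "+all"

def spf_lookups(record, zone, path=()):
    """Count terms that cost a DNS lookup (RFC 7208 limit: 10), following include:/redirect=."""
    count = 0
    for term in record.lower().split()[1:]:
        m = LOOKUP_TERM.match(term)
        if m:
            count += 1
            target = term[m.end():]
            if m.group(1) in ("include:", "redirect=") and target in zone and target not in path:
                count += spf_lookups(zone[target], zone, path + (target,))
    return count

def dmarc_policy(record):
    tags = (t.split("=", 1) for t in record.split(";") if "=" in t)
    return {k.strip().lower(): v.strip().lower() for k, v in tags}.get("p", "")

def diff_snapshots(prev, curr):
    """Return (finding, before, after) tuples for regressions between two scans."""
    out = []
    a, b = spf_all(prev["spf"]), spf_all(curr["spf"])
    if QUALIFIER_RANK.get(b, 0) < QUALIFIER_RANK.get(a, 0):   # missing 'all' ranks weakest
        out.append(("spf_weakened", a, b))
    n_prev, n_curr = (spf_lookups(s["spf"], s["zone"]) for s in (prev, curr))
    if n_curr > 10 >= n_prev:
        out.append(("spf_over_lookup_limit", n_prev, n_curr))
    a, b = dmarc_policy(prev["dmarc"]), dmarc_policy(curr["dmarc"])
    if DMARC_RANK.get(b, 0) < DMARC_RANK.get(a, 0):
        out.append(("dmarc_downgraded", a, b))
    return out

# Constructed sample scans (reserved .example names, documentation IP range).
ZONE = {"_spf.mail.example": "v=spf1 a mx include:_spf.relay.example -all",
        "_spf.relay.example": "v=spf1 a mx -all",
        "_spf.vendor.example": "v=spf1 a mx ptr exists:%{i}.rbl.vendor.example ~all"}
PREV = {"zone": ZONE, "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@corp.example",
        "spf": "v=spf1 mx a include:_spf.mail.example ip4:192.0.2.0/24 -all"}
CURR = {"zone": ZONE, "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@corp.example",
        "spf": "v=spf1 mx a include:_spf.mail.example include:_spf.vendor.example ~all"}
```

Calling diff_snapshots(PREV, CURR) reports the softened qualifier, the lookup count crossing 10 once the vendor include is added, and the DMARC policy drop, each with its before and after value.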
How to set up monitoring in 3 steps
Step 1: Run a domain audit
Open the email domain audit and scan the domain you want to watch. CaptainDNS evaluates SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT, DANE, and DNSSEC, then produces a score for each of the three pillars.
Step 2: Start a monitor
Click the Monitor button on the audit result, or create a new monitor from this page. Sign in to save the monitor to your account. On paid plans, choose which pillars and records to watch and how often the domain is checked.
Step 3: Receive change alerts by email
CaptainDNS re-runs the audit on your schedule and compares each scan to the previous one. When a pillar score changes or a watched record is altered, you receive an email digest with the before and after values and the reason. No dashboard babysitting required.
Plans and check frequency
| Plan | Domains | Customization | Check frequency |
|---|---|---|---|
| Free | 1 | None | Every 24 h |
| Starter | 30 | Choose pillars and records | From 6 h |
| Pro | 75 | Choose pillars and records | From 3 h |
| Business | 250 | Choose pillars and records | From 1 h |
| Enterprise | 2500 | Choose pillars and records | From 1 h |
Free monitoring is enough to catch most slow-moving regressions. Faster frequencies matter when you operate high-volume domains, run frequent infrastructure changes, or need to react quickly to a security event.
Real-world use cases
Case 1: A vendor silently weakens SPF
Symptom: the Sending score drops a few days after onboarding a new email provider.
Diagnosis: the monitor alert shows the SPF record changed from -all to ~all, and now includes an extra include: that pushed the record over 10 DNS lookups. Some receivers start treating the record as a permerror.
Action: flatten the SPF record and restore a strict qualifier. The next scan confirms the score recovers.
Case 2: DMARC quietly downgraded
Symptom: the monitor reports the DMARC pillar changed.
Diagnosis: during a DNS cleanup, the policy was reverted from p=reject to p=none, removing spoofing protection without anyone noticing.
Action: republish p=reject (or p=quarantine during a transition). The before and after values in the alert make the regression obvious.
Case 3: DNSSEC breaks during a migration
Symptom: a high-priority alert flags the DNS Security pillar.
Diagnosis: a zone transfer to a new provider left the DNSSEC chain broken. Validating resolvers risk failing to resolve the domain, threatening both web and mail.
Action: re-sign the zone or disable DNSSEC cleanly at the registrar. The monitor confirms resolution is safe again.
FAQ - Frequently asked questions
Q: What does email security and deliverability monitoring do?
A: It re-runs the full email audit of your domain on a schedule and compares each scan to the previous one. When a pillar score changes or a watched record (SPF, DKIM, DMARC, BIMI, MTA-STS, DANE, TLS-RPT, DNSSEC) is altered, you receive an email digest with the value before and after and the reason it matters.
Q: Which records are monitored?
A: The nine protocols covered by the audit: SPF, DKIM, DMARC, BIMI, MTA-STS, TLS-RPT, DANE, DNSSEC, and the MX records behind reception. The monitor watches both the records themselves and the scores of the three pillars: Sending, Receiving, and DNS Security.
Q: When do I get an alert?
A: You get an email digest when a pillar score changes or when a monitored record changes. Typical triggers include SPF switching to ~all or ?all or exceeding 10 lookups, a DKIM key removed or expired, DMARC downgraded to p=none, DNSSEC broken or unsigned, and changes to MX, MTA-STS, TLS-RPT, DANE or BIMI.
Q: How often is my domain checked?
A: The free plan checks one domain every 24 hours with no customization. Paid plans monitor more domains, let you choose which pillars and records to watch, and increase the frequency: every 6 hours on Starter, every 3 hours on Pro, and every hour on Business and Enterprise.
Q: How do I start monitoring a domain?
A: Run the email domain audit, then click the Monitor button on the result. You can also create a new monitor directly from this page. You need a CaptainDNS account; sign in and the monitor is saved to it.
Q: Is monitoring free?
A: Yes. Free monitoring covers one domain checked every 24 hours without customization. Paid plans add more domains, selectable pillars and records, and faster check frequencies down to one hour.
Q: How is this different from DMARC monitoring?
A: DMARC monitoring ingests the aggregate reports sent by mailbox providers to show who sends mail for your domain. Email security and deliverability monitoring watches your DNS configuration itself across all nine protocols and alerts you when a record or score changes. The two are complementary.
Complementary tools
| Tool | Purpose |
|---|---|
| Email Domain Audit | Run the full nine-protocol audit and start a monitor |
| DMARC Monitoring | Collect and analyze DMARC aggregate reports |
| SPF Record Check | Check your SPF DNS record |
| DKIM Record Check | Check your DKIM DNS record |
| DMARC Record Check | Check your DMARC DNS record |
| MTA-STS Hosting | Host your MTA-STS policy for free |
| TLS-RPT Monitoring | Monitor SMTP TLS reports |
| BIMI Hosting | Host your BIMI logo and certificate for free |
Useful resources
- RFC 7208: SPF, Sender Policy Framework
- RFC 6376: DKIM, DomainKeys Identified Mail
- RFC 7489: DMARC, Domain-based Message Authentication
- RFC 8461: MTA-STS, SMTP MTA Strict Transport Security
- RFC 8460: TLS-RPT, SMTP TLS Reporting
- RFC 6698: DANE, DNS-Based Authentication of Named Entities
- RFC 4033: DNSSEC, DNS Security Introduction and Requirements