Introducing Domain Setup History & Regression Alerts

November 21, 2025
Product Updates
VerifyDMARC

Introduction

For MSPs and IT teams managing multiple domains, maintaining consistent email security configuration is an ongoing challenge. A single DNS change by a well-meaning web developer or an accidental record deletion can silently downgrade your email security posture.

Today, we're introducing Domain Setup Regression Alerts to provide quick notification when your domain's email security configuration downgrades.

The Problem: Silent Security Downgrades

Email security relies on correctly configured DNS records, including DMARC, SPF, TLS and MX. When these records are modified or deleted, the consequences can range from subtle to severe:

  • DMARC policy downgrades - A domain's policy changing from p=reject to p=quarantine or p=none reopens the door to email spoofing.
  • MX record changes - Unexpected modifications can redirect email to unauthorised servers or cause complete delivery failures.
  • DNS configuration errors - Typos or syntax errors in updated records can invalidate your entire email authentication setup.
  • MTA-STS or DANE issues - Changes to TLS enforcement configurations can disrupt encrypted email delivery.

Without proactive monitoring or strong change control, these changes often go unnoticed until there's a security incident or email delivery problem.

How Domain Setup Regression Alerts Work

Domain Setup Regression Alerts perform hourly checks on all your domains, monitoring the DMARC record, SPF syntax, TLS-RPT record (if turned on), MX records, and (if applicable) MTA-STS and DANE status.

Every time a change is detected, the domain's setup is logged under Domains > Domain Setup, giving you an audit trail of your domain configurations over time. However, email alerts are only sent for:

  • Status regressions - When a status (DMARC, SPF or TLS) or key indicator moves from a better state to a worse state (e.g., DMARC policy weakening from reject to quarantine).
  • MX record changes - Any modification to MX records, as these can indicate unauthorised access or misconfigurations.

This intelligent filtering ensures you're notified about issues that matter without being overwhelmed by routine improvements or maintenance.

An example Domain Setup History entry

Smart Alert Management

To prevent alert fatigue during widespread issues, we've implemented two key safeguards:

  • Summary alerts - When multiple domains experience regressions simultaneously (such as during a DNS provider outage), alerts are consolidated into a single summary email rather than flooding your inbox with individual notifications.
  • 24-hour suppression - Repeat identical alerts for the same domain and issue type are suppressed for 24 hours to avoid duplicate notifications while you're working on remediation.

The full history of all detected changes remains available in the Dashboard for your records. Historic changes are stored for 90 days.
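The alert filter and the 24-hour suppression described above can be sketched as follows. This is an added example, not VerifyDMARC's implementation: the snapshot dictionaries, function names and issue labels are assumptions, and it covers only the DMARC policy and MX checks.

```python
from datetime import timedelta

# DMARC policies ordered from weakest to strongest (p= values).
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
SUPPRESS_FOR = timedelta(hours=24)


def dmarc_policy(record):
    """Return the p= value of a DMARC TXT record, or None if missing/invalid."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return None
    return tags.get("p") if tags.get("p") in POLICY_RANK else None


def classify(previous, current):
    """Compare two snapshots; return issue types that warrant an email alert."""
    issues = []
    # A missing or invalid record ranks below p=none.
    old = POLICY_RANK.get(dmarc_policy(previous["dmarc"]), -1)
    new = POLICY_RANK.get(dmarc_policy(current["dmarc"]), -1)
    if new < old:
        issues.append("dmarc_regression")
    # Any MX modification alerts, regardless of direction.
    if set(previous["mx"]) != set(current["mx"]):
        issues.append("mx_change")
    return issues


def should_send(domain, issue, now, last_sent):
    """Apply 24-hour suppression per (domain, issue type); record sends."""
    key = (domain, issue)
    if key in last_sent and now - last_sent[key] < SUPPRESS_FOR:
        return False
    last_sent[key] = now
    return True


if __name__ == "__main__":
    # Constructed snapshots for a hypothetical domain (not real data).
    before = {"dmarc": "v=DMARC1; p=reject", "mx": ["10 mx1.example.com."]}
    after = {"dmarc": "v=DMARC1; p=none", "mx": ["10 mx1.example.com."]}
    print(classify(before, after))
```

Improvements (for example none to reject) return no issues, so they would be logged without an email, matching the behaviour the post describes.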

Real-World Scenarios

Here's how Domain Setup Regression Alerts help in common situations:

Scenario 1: The Web Developer

Your client hands DNS credentials to a new web developer who accidentally deletes the domain's MX records while adding a new A record. You receive an email alert and can restore the MX records before the client experiences email downtime.

Scenario 2: The Mistaken Downgrade

During routine DNS maintenance, a DMARC record is accidentally updated from p=reject to p=none, removing all email spoofing protection. An alert notifies you of the regression, and you can restore the proper policy before attackers exploit the window.

Scenario 3: The DNS Migration

You're migrating DNS hosting providers and systematically moving records. The change log shows all updates being tracked, but you only receive alerts if something goes wrong - like a typo that breaks MTA-STS enforcement.

Getting Started

To turn on Domain Setup Regression Alerts:

  • Navigate to Settings > Organisation in your VerifyDMARC Dashboard
  • Ensure you have configured Alert Email Addresses
  • Turn on the Domain Setup Regression Alert feature

Once enabled, alerts will be sent if a regression is detected at the next hourly check. You can view the complete change history for any domain under Domains > [Domain Name] > Setup.

Best Practices

Use a monitored inbox - Ensure your alert email address goes to an inbox your team actively monitors. Consider using a ticketing system or shared mailbox for team visibility.

Out-of-band address - To ensure alerts are delivered even if your primary domain experiences TLS issues, also add an out-of-band alert email address (e.g., using a different domain).

Review the Domain Setup History log - After a regression or outage, confirm in the log that the checks have improved.

Implement DNS Change Control - Where possible, ensure DNS access is limited and changes are controlled.

Available Now

Domain Setup Regression Alerts are available to all VerifyDMARC customers on all plans. This feature provides an essential safety net for maintaining email security configuration across your entire domain portfolio.

We're keen to hear feedback from customers managing large numbers of domains - you may encounter edge cases we haven't seen yet. If you have suggestions for improvement, please reach out.

Sign up for our 30-day free trial to experience Domain Setup Regression Alerts alongside our comprehensive DMARC and TLS reporting platform. Protect your email security configuration with VerifyDMARC.
