Email & DNS Security
DomainOps continuously validates the DNS records that protect your email deliverability, domain identity and certificate issuance authority. Every check below runs against your domains on a schedule and surfaces failures as findings on the Exposure dashboard with severity grades and remediation guidance.
SPF (Sender Policy Framework)
We resolve the v=spf1 TXT record at your apex domain and validate it against RFC 7208.
- Detects multiple SPF records on the same domain (spec violation — both will be ignored by receivers).
- Counts DNS lookups recursively across include:, a, mx, redirect and exists mechanisms — flags records that exceed the 10-lookup limit.
- Warns on permissive qualifiers (+all or ?all) that effectively disable SPF protection.
- Recommends -all (hard fail) over ~all (soft fail) once you're confident the include chain is correct.
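The SPF checks listed above can be reproduced offline. The following is an added example, not DomainOps code: it audits a constructed TXT map in place of live DNS, and the domain names, record contents and finding codes are assumptions made up for illustration.

```python
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4
COUNTED = {"include", "a", "mx", "redirect", "exists"}  # the terms this page lists

# Constructed sample data: domain -> TXT strings, standing in for live DNS answers.
ZONE = {
    "example.test": ["v=spf1 a mx include:_spf.mail.test include:_spf.crm.test ~all"],
    "_spf.mail.test": ["v=spf1 include:_a.mail.test include:_b.mail.test -all"],
    "_a.mail.test": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_b.mail.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf.crm.test": ["v=spf1 exists:%{i}.bl.crm.test redirect=_spf2.crm.test"],
    "_spf2.crm.test": ["v=spf1 a:a1.crm.test a:a2.crm.test a:a3.crm.test mx ?all"],
    "dup.test": ["v=spf1 -all", "v=spf1 +all"],
}

def spf_records(domain, zone):
    """TXT strings at domain that are SPF records (version tag, then space or end)."""
    return [t for t in zone.get(domain, []) if (t.lower() + " ").startswith("v=spf1 ")]

def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms reachable from domain, following include/redirect."""
    recs = spf_records(domain, zone)
    if domain in path or len(recs) != 1:  # loop, missing or ambiguous record
        return 0
    total = 0
    for term in recs[0].lower().split()[1:]:
        name, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0]  # drop a CIDR suffix such as a/24
        if name in COUNTED:
            total += 1
        if name in ("include", "redirect"):
            total += count_lookups(target, zone, path + (domain,))
    return total

def audit(domain, zone):
    """Return finding codes (hypothetical names) for the SPF record at domain."""
    recs = spf_records(domain, zone)
    if len(recs) != 1:
        return ["multiple-spf-records" if recs else "no-spf-record"]
    findings = []
    if count_lookups(domain, zone) > LOOKUP_LIMIT:
        findings.append("lookup-limit-exceeded")
    terms = recs[0].lower().split()
    if {"+all", "all", "?all"} & set(terms):  # bare "all" defaults to "+"
        findings.append("permissive-all")
    elif "~all" in terms:
        findings.append("softfail-all")
    return findings

if __name__ == "__main__":
    for d in ("example.test", "dup.test", "_spf2.crm.test"):
        print(d, count_lookups(d, ZONE), audit(d, ZONE))
```

The apex record here looks short but costs 12 lookups once the include and redirect chain is expanded, which is why the count has to be recursive.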
DKIM (DomainKeys Identified Mail)
DKIM records sit at <selector>._domainkey.<domain> rather than the apex, so detecting them requires guessing the selector. DomainOps probes 21 selectors commonly used by mail platforms:
google, mail, k1, s1, s2, selector1, selector2, default, dkim, mxvault, aws, sendgrid, mandrill, mailchimp, mailgun, pm, fd, sm, sm1, hubspot, klaviyo
- Confirms at least one selector resolves to a valid DKIM record (v=DKIM1).
- Reports each selector's status independently so you can see which providers you're configured for.
- If you use a selector outside this list, drop us a note — we can add it.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
We resolve _dmarc.<domain> and parse the policy.
- Validates the p= policy — flags p=none as monitor-only (no actual protection).
- Recommends p=quarantine or p=reject once you've confirmed your legitimate senders pass DKIM and SPF alignment.
- Checks alignment mode (aspf / adkim) — strict vs relaxed.
- Surfaces rua / ruf aggregate-report URIs so you can audit who's sending under your name.
DNSSEC
We query DNSKEY and DS records to verify the chain of trust from your TLD's zone down to yours.
- Confirms DNSSEC is enabled for your zone.
- Validates the parent zone has a matching DS record (a common misconfiguration that breaks the chain silently).
- DNSSEC dramatically reduces the risk of DNS spoofing and cache-poisoning attacks against your users.
CAA (Certification Authority Authorization)
CAA records tell certificate authorities which CAs are authorised to issue certificates for your domain. Without CAA, any CA can issue a certificate for any domain.
- Detects whether CAA records are present at the apex.
- Lists the authorised CAs found.
- Recommends adding CAA records pinning to your actual issuer (e.g. letsencrypt.org, digicert.com) to block mis-issuance attacks.
Where the results show up
Each check produces a row in the Exposure dashboard with a severity grade (Critical / High / Medium / Low / Info) and remediation guidance. Failures and warnings are also surfaced via the To-Do list and trigger notifications through your configured channels (email, Slack, Teams, webhooks).
Programmatic access to the same data is available via the Exposure API — query findings by domain, severity or category, acknowledge them, or export the full set for compliance evidence.