Six DNS records protect every email your client sends — most agencies have never verified all six are correct.
SPF, DKIM, DMARC, MTA-STS, TLSRPT and BIMI — all DNS-based, all breakable by a single hosting migration or provider change. Aideworks monitors all six for every domain in your portfolio and alerts you the moment any record changes or stops being enforced.
How email security breaks — quietly, and always at the wrong moment
Email security failures don't announce themselves. They happen silently over days or weeks — until a client notices their emails are landing in spam, or worse, until their domain is spoofed.
SPF without DMARC = open spoofing
Your client has SPF and DKIM configured correctly. But DMARC is missing — or set to p=none. Spoofed emails from their domain pass right through. SPF and DKIM are checks. DMARC is the enforcement.
Migration breaks DKIM selectors
Client moves email providers. The old DKIM selector is gone. The new selector was added, but the DNS record points to the wrong key. Emails now fail DKIM — and with DMARC p=reject, they bounce silently.
MTA-STS: the missing last mile
Without MTA-STS, an attacker between mail servers can downgrade to plain text. MTA-STS mandates TLS — but only if the DNS record and policy file are correct. Most agencies never check this.
v=spf1 include:_spf.google.com -all
single include, hard fail
selector: google · key valid
RSA-2048 · not expired
p=reject rua=mailto:dmarc@client.nl
enforced · reports configured
mode: enforce · policy reachable
HTTPS policy file found
rua=mailto:tlsrpt@client.nl
reporting configured
VMC verified · logo reachable
SVG at /bimi.svg · 200 OK
All 6 email security records valid — last checked 08:41
All six records, every domain, continuously monitored
E-mailbeveiliging is geen eenmalige configuratie — het is een doorlopende toestand die verandert met DNS-updates, providerwisselingen en nieuwe e-mailtools. Aideworks volgt alle zes records en waarschuwt bij elke wijziging.
SPF — sender authorization
Validates which mail servers are authorized to send on behalf of the domain. Monitors the record value, lookup chain depth (max 10), and enforcement mechanism (-all vs ~all).
DKIM — message signing
Verifies that DKIM selector records exist and public keys are syntactically valid. Alerts when keys are rotated without updating DNS.
DMARC — policy enforcement
Checks policy level (none/quarantine/reject), alignment mode, and reporting configuration. Alerts when policy is weakened.
MTA-STS — enforced TLS
Verifies the MTA-STS DNS record exists and the policy file is reachable via HTTPS. Confirms mode is 'enforce' not 'testing'.
TLSRPT — TLS failure reporting
Checks that a TLSRPT record is published with a valid reporting address so you receive TLS failure reports from receiving servers.
BIMI — brand indicator for message identification
Validates the BIMI record, checks the VMC certificate validity, and verifies the logo file is reachable and returns 200.
Every email security record is a DNS record — DNS changes happen without warning.
SPF, DKIM, DMARC, MTA-STS, TLSRPT and BIMI are all TXT records living in DNS. They all change when hosting moves, providers change, or someone 'fixes' DNS without understanding the consequences.
Aideworks DNS monitoring watches every TXT record in real time. When a change is detected, email security monitoring re-validates all six records immediately.
Learn about DNS monitoring →⚡ DNS change — medicaloffice.eu
- TXT "v=spf1 include:_spf.google.com ~all"
+ TXT "v=spf1 include:_spf.google.com include:sendgrid.net ~all"
Email security re-check
DMARC policy is p=none — domain can still be spoofed.
Protects sender reputation
A spoofed email campaign using your client's domain destroys deliverability built over years. Continuous DMARC monitoring catches the vulnerability before it's exploited.
Catches migration side-effects
Hosting migrations almost always touch DNS. Aideworks catches the email security records that got left behind or were never updated for the new provider.
Ready for Google & Yahoo requirements
Google and Yahoo now require DMARC for bulk senders. Aideworks ensures your client portfolio stays compliant.
Works best alongside
Begin vandaag nog met monitoren
Onbeperkte domeinen, handmatige checks altijd inbegrepen. Elk domein dat je toevoegt krijgt 7 dagen volledige automatisering — geen creditcard vereist.