DNS, Domain, and Email Security Check
Use this to review DNS records, SPF, DKIM, DMARC, domain spoofing exposure, and external email posture.
IT Operations & Cybersecurity Encyclopedia
Public DNS and domain records control how customers, employees, email systems, cloud services, websites, VPNs, and third-party platforms find and trust the business online. A DNS audit preparation process reviews registrars, authoritative name servers, zone records, MX, SPF, DKIM, DMARC, CAA, TTLs, stale records, ownership, access control, and change history before problems become outages or security incidents.
Why it matters
DNS is easy to overlook because it usually works quietly until a domain expires, an MX record changes, email authentication fails, an old vendor hostname remains active, or a critical service points to the wrong destination. Public DNS also affects phishing resistance, brand trust, email delivery, certificate issuance, cloud services, and incident response.
A strong audit preparation process creates a clean inventory of domains, registrars, DNS hosts, records, owners, business purpose, security settings, and change controls. It also identifies stale, risky, duplicate, or undocumented records before an auditor, attacker, or outage exposes them.
Practical rule: Every public DNS record should have a business purpose, owner, approved destination, review date, and removal plan when the service is retired.
Review scope
Review registrars, contacts, expiration, MFA, lock status, billing ownership, renewal process, and administrative access.
Confirm delegated name servers, DNS hosting provider, zone exports, redundancy, and change-control ownership.
Validate MX, SPF, DKIM, DMARC, third-party senders, alignment, reporting, and Microsoft 365 email authentication.
Review A, AAAA, CNAME, CDN, website, SaaS, VPN, remote access, cloud validation, and certificate-related records.
Find dangling CNAMEs, old vendors, unused TXT validation, wildcard records, duplicate records, and undocumented subdomains.
Document who can change DNS, how emergency changes work, TTL strategy, rollback, and audit evidence retention.
Review matrix
| Area | What to verify | Questions to answer | Evidence |
|---|---|---|---|
| Domain expiration risk | A domain expires or renewal is tied to one person, old email, or expired payment method. | Confirm auto-renewal, registrar lock, billing owner, contacts, MFA, and renewal calendar. | Who is accountable for renewal? |
| Weak email authentication | SPF, DKIM, or DMARC is missing, misaligned, too permissive, or undocumented. | Review Microsoft 365 and third-party senders, align domains, monitor reports, and tighten policy in phases. | Can attackers spoof this domain easily? |
| Stale vendor record | DNS still points to an old SaaS, hosting, marketing, validation, or remote access service. | Confirm owner and current use, remove unused records, and document the retirement decision. | What happens if this hostname is reused or hijacked? |
| Dangling CNAME | A CNAME points to a service that is no longer claimed or provisioned. | Validate target ownership, remove or reclaim the service, and monitor for recurrence. | Could this become a subdomain takeover path? |
| Uncontrolled changes | Multiple users or vendors can change DNS without approval or documentation. | Restrict access, require MFA, document changes, and keep rollback-ready exports. | Would the team know who changed a critical record? |
Step-by-step review
List every owned domain, registrar, expiration date, lock status, MFA status, billing owner, and administrative contact.
Capture current records from authoritative DNS providers and document purpose, owner, destination, and review date.
Validate MX, SPF, DKIM, DMARC, third-party senders, reporting, alignment, and phased enforcement plans.
Find old vendor records, dangling CNAMEs, unused subdomains, wildcard entries, old TXT records, and duplicate records.
Review who can change registrar or DNS settings, require MFA, capture change history, and document emergency process.
Remove stale records carefully, update owners, adjust TTLs where needed, and re-export records after changes.
Common risks
Domains tied to one person’s email, card, or registrar account can create renewal and access risk.
Old TXT records for SaaS, hosting, mail, or security tools can clutter zones and confuse audits.
Broad SPF includes, too many senders, or missing alignment can weaken email authentication.
A monitor-only policy may be a good start, but it should have a roadmap, reporting, and owner review.
Records pointing to unclaimed services can create takeover opportunities if not removed.
DNS changes should start with a zone export and rollback plan because mistakes can affect email and public services.
Related support
IT Perfection can help inventory, document, monitor, and remediate public DNS and domain records through managed IT services, including Microsoft 365, domain registrar coordination, email authentication, and website support.
When DNS findings affect phishing risk, domain spoofing, audit readiness, cloud exposure, or incident response, OC Security Audit can provide cybersecurity assessment support.
Created by Ali Hassani, CISO
Ali Hassani brings 25+ years of hands-on experience across IT operations, cybersecurity, Microsoft infrastructure, network security, compliance readiness, cloud services, healthcare IT, MSP services, and business technology leadership.
This guide is for initial education and planning. It does not replace a professional cybersecurity audit, compliance assessment, penetration test, legal review, vendor engineering review, or Microsoft professional services engagement.
Ali Hassani, CISO and IT infrastructure consultant, has 25+ years of experience across Microsoft 365, DNS, cybersecurity, compliance, managed IT, email security, and infrastructure operations. DNS audits help organizations reduce outage risk, phishing exposure, and undocumented external dependencies.
Related validation tools
After reviewing this IT Perfection guide, administrators can use these OC Security Audit resources to validate the same control areas from a security, audit-readiness, or risk-review perspective.
Use this to review DNS records, SPF, DKIM, DMARC, domain spoofing exposure, and external email posture.
Use this to review control maturity, audit evidence, policy/process gaps, and compliance readiness across major frameworks.
Use this to validate exposed systems, internet-facing services, external vulnerabilities, and attack surface evidence.
These tools are for initial guidance only and do not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.
FAQ
Include domains, registrars, name servers, DNS zones, MX, SPF, DKIM, DMARC, CAA, A, AAAA, CNAME, TXT, SRV, owners, and stale records.
Stale records can point to old vendors, unclaimed services, retired systems, or confusing destinations that create security and operational risk.
DMARC helps domain owners define how receiving mail systems should handle messages that fail SPF or DKIM alignment and provides reporting.
Review critical domains at least quarterly and after website, email, SaaS, hosting, Microsoft 365, merger, vendor, or branding changes.
Yes. IT Perfection can inventory records, verify Microsoft 365 email authentication, document owners, remove stale records, and support remediation.
After reviewing public DNS and domain records audit preparation, administrators can use these OC Security Audit resources to validate DNS posture, domain ownership, email authentication, public exposure, SaaS exposure, and audit-readiness evidence tied to external records. These tools are for initial guidance only and do not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review. These tools are for initial guidance only and do not replace a professional cybersecurity audit, compliance assessment, penetration test, or legal/compliance review.
Use this when validating public DNS records, SPF, DKIM, DMARC, domain ownership, and external email security posture.
Use this when DNS records point to public services, exposed IP addresses, portals, or application endpoints.
Use this when public DNS and domain evidence must support external audit, cyber insurance, or compliance readiness.
Use this when DNS records expose SaaS, cloud-hosted services, or vendor-managed applications.
For broader security-specific checks, review the OC Security Audit free cybersecurity assessment tools library and choose only the tools that match the DNS and domain audit scope.
We use necessary cookies and limited analytics and advertising-measurement cookies. Select Accept to allow optional cookies or Deny to continue with necessary cookies only. No name or email is required. You may close this website at any time.