Section 20 · Error Tracking & Reliability

Domain & Email Infrastructure

Domain inventory, registrar management, DNS hygiene, SSL lifecycle, and email authentication (MX, SPF, DKIM, DMARC)

14 items 8 critical 6 recommended

This guide walks you through auditing domain management (inventory, registrar, DNS, SSL) and email infrastructure (MX, SPF, DKIM, DMARC, deliverability, logging). Domain inventory is the foundation — it feeds into email, security, and infrastructure audits.

The Goal: Known, Secured, Authenticated

Every domain your organization owns should be inventoried, secured at the registrar, and — if it sends email — fully authenticated.

  • Inventoried — all domains and subdomains documented with purpose, registrar, DNS provider, and expiry
  • Secured — registrar accounts locked down with 2FA and multi-person access
  • Monitored — expiry alerts set, SSL lifecycle managed, stale records cleaned up
  • Authenticated — SPF, DKIM, and DMARC configured with enforcement enabled
  • Visible — email flows through providers with full delivery and engagement metrics

Before You Start

  1. Build domain inventory (DNS-001 is the first item — start here):

    • Root domain(s) — the ones you own at the registrar
    • Subdomains per root domain — enumerate from DNS provider
    • Purpose for each (production, staging, email, marketing, redirect, etc.)

  2. Get DNS read access:

    • Cloudflare API token (read-only) OR
    • AWS Route53 access OR
    • Other DNS provider API access
    • This enables automated discovery of all DNS records

  3. Get registrar access (or ask someone who has it):

    • Which registrar(s) are used
    • Expiry dates and auto-renewal status
    • Who has login access

  4. Identify email providers:

    • Transactional email provider (SendGrid, Mailgun, Postmark, SES, etc.)
    • Marketing email provider (Mailchimp, Klaviyo, HubSpot, etc.)

Domain Management

DNS-001
Domain inventory maintained critical

A centralized, up-to-date list of all domains and subdomains owned by the organization. Includes purpose, registrar, DNS provider, expiry date, and owner for each domain. This inventory feeds into email, security, and infrastructure audits.

“List every domain your org owns. All of them. Sure you got them all?”
DNS-002
Domain expiry monitoring critical

All domains have auto-renewal enabled or expiry alerts set. At least one person is notified 30+ days before any domain expires. Domain expiry is a single point of failure that takes down everything.

“When does your main domain expire — and who gets the alert?”
DNS-003
Registrar account security critical

Registrar accounts have 2FA enabled, access is limited to more than one person, and credentials are stored in a shared secret manager (not one person's email). Registrar compromise = total domain takeover.

“Who has access to your registrar — and is it just one person?”
DNS-004
DNS provider consolidated and access audited recommended

All domains use a single DNS provider (or documented few) with audited access control. DNS changes are traceable to a person.

“How many DNS dashboards does your team need to check?”
DNS-005
SSL certificate lifecycle managed recommended

SSL/TLS certificates for all domains are auto-renewed (Cloudflare, Let's Encrypt, cert-manager) or have expiry monitoring with 30-day alerts. Manual certificates are inventoried.

“Any certs expiring in the next 30 days that nobody's watching?”
DNS-006
Unused domains and subdomains identified recommended

Stale DNS records and unused domains/subdomains are identified and cleaned up. Dangling CNAMEs and unused subdomains are subdomain takeover risks.

“Any domains you're paying for that point to a server that no longer exists?”

Email Authentication

EMAIL-001
MX records configured critical

MX records exist, resolve, and are reachable on port 25 for all domains in the domain inventory that receive email.

“Are you sure mail to your domain actually lands somewhere?”
EMAIL-002
SPF configured critical

SPF records exist with authorized senders and hard fail (-all) or documented soft fail (~all) for all sending domains/subdomains.

“Could someone send email as [email protected] right now?”
EMAIL-003
DKIM configured critical

DKIM records exist with valid public keys for all sending domains/subdomains. Selectors match configured email providers.

“Are your emails actually cryptographically signed?”
EMAIL-004
DMARC configured critical

DMARC records with enforcement policy (quarantine/reject), reporting configured, and reports actively reviewed.

“What's your DMARC policy — p=none is basically nothing.”

Email Monitoring

EMAIL-005
Email deliverability testing recommended

Spam scoring tool and periodic placement tests with fresh accounts (Gmail, Outlook minimum).

“When did you last check if your emails hit Gmail's spam folder?”
EMAIL-006
Transactional email control and logging critical

Dedicated provider with dashboard access, bounce tracking, open/click tracking (or documented exceptions).

“Can you prove a specific user received a specific email last month?”
EMAIL-007
Marketing email logging recommended

Marketing platform with send logs, engagement metrics, and individual recipient tracking.

“What's your unsubscribe rate, and is it trending up?”
EMAIL-008
Email log retention recommended

Intentionally defined retention period (typically 2-4 weeks) for transactional and marketing logs.

“How far back can you prove what emails you sent and to whom?”
← Previous section

Error Reporting

8 items

 Next section →

Caching

2 items