Here are the three records most teams forget to monitor — and what happens when they break.
1. CAA Records
CAA stands for Certificate Authority Authorization. It tells the world which certificate authorities are allowed to issue SSL certificates for your domain.
If you use Let's Encrypt, your CAA record says only Let's Encrypt can issue certs for your domain. If someone changes that record, a different CA could issue a valid cert — and a bad actor could run a perfect-looking phishing site that even passes browser checks.
CAA records are also easy to break by accident. Migrating CDN providers, changing email vendors, or rotating SSL providers can leave you with a mismatched CAA — meaning your own renewals start failing.
What to monitor:
Whether the record exists (some domains don't have one at all)
The list of authorized CAs
Any change without your team's approval
2. SPF, DKIM, and DMARC Records
This trio controls email authentication. They tell the world's mail servers which servers are allowed to send email on your behalf.
If any of these break or get misconfigured:
Your real emails land in spam. Customers stop seeing your invoices, your password resets, your support replies.
Bad actors can spoof you. Without DMARC enforcement, anyone can send email pretending to be from your domain.
Your sender reputation tanks. Once you're flagged as a spam source, it takes weeks to recover.
In 2024, both Google and Yahoo started enforcing strict email authentication for senders. If your SPF, DKIM, or DMARC isn't set up right, your emails are getting blocked at the gateway.
What to monitor:
All three records exist and parse correctly
SPF includes the right "include" entries for your sending services
DKIM keys haven't expired or been rotated unexpectedly
DMARC policy hasn't been weakened (e.g. dropped from reject to none)
3. NS Records
NS records are the foundation of your DNS. They tell the internet which nameservers hold the rest of your DNS configuration.
If your NS records change, everything changes. Email. Website. Subdomains. All of it.
This is the record you should be the most paranoid about. NS hijacking is one of the cleanest ways to take over a domain — change the nameservers, point them at attacker-controlled servers, and now they control where every visitor and email goes.
It's rare. But it's catastrophic.
What to monitor:
The list of authoritative nameservers
Any change at the registrar level
Mismatches between what your registrar reports and what the internet sees
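The checks the three "what to monitor" lists describe, written out as an added example (this is not DNS Spy's code): records are compared against an approved baseline and any drift in authorized CAs, DMARC policy strength or nameservers becomes an alert. The baseline, the sample answers and the domain names are constructed for illustration; fetching the live records with a resolver of your choice is assumed to happen before calling check_drift.

```python
# Constructed baseline: the records the team has approved for the domain (assumption).
BASELINE = {
    "caa_issuers": {"letsencrypt.org"},
    "dmarc_policy": "reject",
    "ns": {"ns1.example-dns.net.", "ns2.example-dns.net."},
}

def caa_issuers(records):
    """CAs allowed by 'issue'/'issuewild' CAA records ("<flags> <tag> <value>" text form)."""
    issuers = set()
    for rec in records:
        parts = rec.split(None, 2)
        if len(parts) == 3 and parts[1] in ("issue", "issuewild"):
            # Drop quotes and any "; parameter=..." suffix, keep the CA domain only.
            issuers.add(parts[2].strip('"').split(";")[0].strip())
    return issuers

def dmarc_policy(txt):
    """The p= tag of a DMARC TXT record, or None if it is not a valid DMARC1 record."""
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    return tags.get("p") if tags.get("v") == "DMARC1" else None

def check_drift(observed):
    """Compare already-fetched records to BASELINE and return one alert string per finding."""
    alerts = []
    caa = caa_issuers(observed.get("caa", []))
    if not observed.get("caa"):
        alerts.append("CAA: no record present, so any CA may issue for this domain")
    elif caa != BASELINE["caa_issuers"]:
        alerts.append(f"CAA: authorized CAs changed to {sorted(caa)}")
    pol = dmarc_policy(observed.get("dmarc", ""))
    if pol != BASELINE["dmarc_policy"]:
        alerts.append(f"DMARC: policy is {pol!r}, expected {BASELINE['dmarc_policy']!r}")
    ns = set(observed.get("ns", []))
    if ns != BASELINE["ns"]:
        alerts.append(f"NS: nameservers changed to {sorted(ns)}")
    return alerts

# Constructed answers in the text form a resolver (e.g. dnspython's to_text()) returns; not live data.
OBSERVED = {
    "caa": ['0 issue "letsencrypt.org"', '0 issue "other-ca.example"'],
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "ns": ["ns1.example-dns.net.", "ns-unknown.example."],
}

if __name__ == "__main__":
    for alert in check_drift(OBSERVED):
        print("ALERT", alert)
```

A missing CAA record is reported as a finding in its own right, since with no record present every CA is permitted to issue.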
Why This Keeps Happening
DNS records feel "set and forget" because they usually are. Most months, nothing changes.
But when they do change — whether by accident, configuration drift, vendor migration, or attack — you typically find out after the damage is done.
The fix isn't to memorize your DNS or run manual checks every week. The fix is automated monitoring that alerts you the moment any of these records change.
That's exactly what DNS Spy does.
Stop Finding Out from Your Customers
DNS Spy monitors every record on your domain — CAA, SPF, DKIM, DMARC, NS, MX, A, AAAA, TXT, and more. The moment something changes, you get an alert. Email. Slack. Discord. PagerDuty. However you want.
You stop being the last to know.
Start a free 7-day trial of DNS Spy — no credit card required.
Or run a free scan of any domain to see what your DNS looks like right now.