
New: SSL Certificate Monitoring, Security Center, Domain & SSL Expiration Tracking — Plus Our Affiliate Program

Posted on April 22nd, 2026


TL;DR

DNS Spy now goes well beyond DNS record monitoring. We've shipped SSL certificate discovery and security auditing, expanded the Security Center to 40+ automated checks across six categories, and built expiration tracking for both domains and SSL certificates — with tiered alerts so nothing expires without warning.

What's New:

  • SSL Certificate Monitoring: Automatic certificate discovery across all DNS records, with 6 security checks for weak keys, deprecated TLS, hostname mismatches, invalid chains, self-signed certs, and weak signature algorithms

  • Security Center: 40+ automated security checks across Connectivity, Performance, Resilience, DNS Records, SSL/TLS, and Expiration — with weighted scoring and letter grades (A–F)

  • Domain & SSL Expiration Tracking: Tiered expiration alerts at 90, 30, and 7 days for both domain registrations and SSL certificates

  • Affiliate Program: Earn 30% lifetime recurring commissions (up to 40% at higher tiers) on every referral

Start your 7-day free trial to try everything — no credit card required.


SSL Certificate Monitoring: Every Certificate, Every Endpoint, Continuously

SSL certificates are the backbone of trust on the internet — and they're one of the most common things to silently break. An expired certificate on a single server behind a load balancer causes intermittent TLS failures that are maddeningly hard to diagnose. A weak key or deprecated TLS version is a vulnerability sitting in plain sight. A hostname mismatch triggers browser warnings that send visitors running.

DNS Spy now discovers and monitors SSL certificates automatically — no manual imports, no certificate inventories to maintain.

How It Works

When DNS Spy scans your domains, it resolves A and AAAA records to their IP addresses and connects to each IP on port 443 with the correct SNI (Server Name Indication) hostname. Every certificate is fetched independently — including those behind CDNs, load balancers, and multi-server deployments.

For every certificate discovered, DNS Spy tracks:

  • Common name, subject alternative names (SANs), and issuer details

  • Serial number, signature algorithm, key type, and key length

  • Validity dates and self-signed status

  • Chain depth, chain validity, and TLS version negotiated

  • The IP address and port where each certificate was found

  • Full PEM certificate and chain storage

6 SSL/TLS Security Checks

Beyond tracking certificate details, DNS Spy runs six continuous security checks against every discovered certificate:

  1. Hostname Mismatch — Flags certificates where the common name or SANs don't match the serving hostname. This catches misconfigured deployments and CDN issues before your users see "Your connection is not private."

  2. Weak Key Length — Detects RSA keys under 2048 bits or EC keys under 256 bits. Keys below these sizes leave too little margin against key-recovery attacks and no longer meet industry standards.

  3. Weak Signature Algorithm — Identifies certificates signed with SHA-1 or MD5, both of which are cryptographically broken.

  4. Deprecated TLS Protocol — Catches servers negotiating TLS 1.0 or TLS 1.1, protocols with known vulnerabilities that major browsers have deprecated.

  5. Invalid Certificate Chain — Validates the full chain of trust from leaf to root. Incomplete chains cause verification failures in clients that don't fetch intermediates automatically.

  6. Self-Signed Certificate — Detects certificates not issued by a trusted CA. Legitimate in internal environments, but a red flag on public-facing endpoints.

All SSL/TLS security checks are available on the Enterprise plan.
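
The six checks above can be expressed as a per-endpoint audit. The following is an added example, not DNS Spy's code: the record fields, finding names and sample endpoints are assumptions constructed for illustration, and each record stands for what was collected from one IP address.

```python
# Added illustration, not DNS Spy's code. Field and finding names are assumptions.
# ENDPOINTS is constructed sample data: one record per IP serving www.example.com.
ENDPOINTS = [
    {"ip": "192.0.2.10", "cn": "example.com", "sans": ["example.com", "*.example.com"],
     "key_type": "RSA", "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption",
     "tls_version": "TLSv1.3", "chain_valid": True, "self_signed": False},
    # A stale node behind the same load balancer.
    {"ip": "192.0.2.11", "cn": "old.example.net", "sans": [],
     "key_type": "RSA", "key_bits": 1024, "sig_alg": "sha1WithRSAEncryption",
     "tls_version": "TLSv1.1", "chain_valid": False, "self_signed": True},
]
MIN_KEY_BITS = {"RSA": 2048, "EC": 256}   # thresholds stated in the post
WEAK_HASHES = ("sha1", "md5")
DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}     # strings as Python's ssl module reports them


def host_matches(hostname, names):
    """True if any name covers hostname; '*' matches exactly one left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    for name in names:
        pat = name.lower().rstrip(".").split(".")
        if len(pat) == len(host) and pat[1:] == host[1:] and pat[0] in ("*", host[0]):
            return True
    return False


def audit(rec, hostname):
    """Return the names of the six checks that this endpoint's certificate fails."""
    checks = {
        "hostname_mismatch": not host_matches(hostname, [rec["cn"], *rec["sans"]]),
        "weak_key": rec["key_bits"] < MIN_KEY_BITS.get(rec["key_type"], 0),
        "weak_signature": any(h in rec["sig_alg"].lower() for h in WEAK_HASHES),
        "deprecated_tls": rec["tls_version"] in DEPRECATED_TLS,
        "invalid_chain": not rec["chain_valid"],
        "self_signed": rec["self_signed"],
    }
    return [name for name, failed in checks.items() if failed]


def audit_host(hostname, endpoints):
    """Audit every IP separately so one bad node is not hidden by healthy ones."""
    return {rec["ip"]: audit(rec, hostname) for rec in endpoints}


if __name__ == "__main__":
    for ip, findings in audit_host("www.example.com", ENDPOINTS).items():
        print(ip, findings or "ok")
```

Keying the result by IP is what surfaces the single misconfigured server: a check run once per hostname would report whichever node happened to answer.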

Security Center: 40+ Automated Checks, Six Categories, One Score

DNS configurations drift. What was correctly set up six months ago may be misconfigured today — and nobody knows because nobody is checking continuously. The Security Center changes that.

DNS Spy now runs 40+ automated security checks across six categories for every domain in your portfolio:

  1. Connectivity — IPv4/IPv6 availability, nameserver online status, response times, and geographic distribution of your nameservers

  2. Performance — Response times, TTL adequacy for NS and MX records, and SOA configuration

  3. Resilience — Nameserver count, subnet distribution, provider diversity, MX redundancy, SOA serial consistency

  4. DNS Records — SPF, DMARC, DKIM, DNSSEC, CAA records, NS record consistency, RFC compliance, and Enterprise-only checks like dangling CNAMEs and comprehensive email security

  5. SSL/TLS — The six certificate security checks described above

  6. Expiration — Tiered expiration tracking for both domain registrations and SSL certificates

Weighted Scoring & Letter Grades

Every check carries a severity weight. Results are aggregated into a single security score with a letter grade (A through F) — per domain and across your entire account. This gives you a quick, at-a-glance view of your security posture without needing to dig into individual check results.

For MSPs managing client portfolios, this means you can immediately identify which clients need attention and which are in good shape — without clicking into each domain individually.

State-Change Notifications

The Security Center doesn't just report status — it watches for changes. When a check transitions from passing to failing (or vice versa), you're notified through your configured channels: Email, Slack, Discord, PagerDuty, Microsoft Teams, or webhooks. You're alerted when things break and when they're fixed.

Domain & SSL Expiration Tracking: Never Miss a Renewal Again

Expired domains and SSL certificates are among the most preventable outages in IT — and among the most common. A domain that lapses can be snapped up by squatters within hours. An expired SSL certificate breaks trust for every visitor and API client.

DNS Spy now tracks expiration dates for both domain registrations (via WHOIS/RDAP data) and SSL certificates (via automatic certificate discovery), with tiered alerts to give you time to act:

  • 90 days — Low severity. Plan ahead. Budget the renewal, start the procurement process for certificates, flag it in your client reports.

  • 30 days — Medium severity. Time to act. Submit the renewal, verify auto-renewal is working, confirm the certificate rotation is scheduled.

  • 7 days — High severity. Urgent. If it's not renewed by now, something has gone wrong. Escalate immediately.

  • Expired — Critical. The domain or certificate has lapsed. Act now.

All expiration checks are integrated into the Security Center scoring, so an approaching expiration directly impacts your security grade — making it impossible to miss in your dashboard.

Why This Matters for MSPs

If you're managing DNS for dozens or hundreds of client domains, expiration tracking is a liability minefield. Clients assume you're watching this. Their domains and certificates are spread across different registrars, different CAs, different renewal cycles. One missed renewal can mean a client outage — and that's a conversation nobody wants to have.

DNS Spy centralizes all of this. Every domain. Every certificate. One dashboard. Alerts before anything lapses.

Introducing the DNS Spy Affiliate Program

We're also launching something for the community: the DNS Spy Affiliate Program. If you recommend DNS monitoring to clients, colleagues, or your audience, you can now earn recurring commissions on every referral.

How It Works

  • Sign up for free — No approval wait, no application process

  • Share your referral link — 60-day cookie, so referrals that convert within two months count

  • Earn commissions — Not just on the first payment, but on every payment for the lifetime of the subscription

Tiered Commission Structure

  • 30% base rate — Starting commission on all referrals

  • 35% Performance Tier — Unlocks at 5+ paying referrals

  • 40% Top Performer — Unlocks at 20+ paying referrals

Tiers unlock automatically as you grow. The affiliate program is a natural fit for MSP consultants, IT bloggers, security educators, and anyone who recommends tools to teams managing DNS infrastructure.

Join the Affiliate Program →

Everything Works Together

These features aren't siloed. SSL certificate monitoring feeds into the Security Center. Expiration tracking affects your security score. Security Center state changes trigger notifications through any of your six configured channels. Domain Groups aggregate all of this per client or business unit.

For MSPs, this means one dashboard gives you:

  • Real-time DNS record change monitoring across all client domains

  • Continuous security auditing with weighted scores and letter grades

  • SSL certificate discovery, tracking, and security checks — automatically

  • Domain and SSL expiration alerts with enough lead time to act

  • WHOIS change tracking and phishing detection for brand protection

  • Alerts via Email, Slack, Discord, PagerDuty, Teams, or webhooks

Get Started

All features are available during the 7-day free trial with full Enterprise access — no credit card required. SSL/TLS security checks and expiration tracking are included on the Enterprise plan.

DNS monitoring is just the beginning. DNS Spy is becoming the complete DNS security platform — and we're just getting started.

DNS Spy is a DNS monitoring & alerting service. We alert on changed DNS records, invalid configurations, RFC violations, out-of-sync nameservers and plenty more DNS-related errors. Interested? Have a look at our feature set & sign up to try us!