Email Auth Hardening
SPF lookup-count limits, DMARC policy strictness, DKIM key length and rotation, MX hygiene. Catch the spoofing risk before someone uses it.
Email auth status
SPF — strict, 7 lookups
DMARC — p=none
DKIM — 1024-bit key
Continuous hardening audit and drift detection across every DNS record category. SPF, DMARC, DKIM, DNSSEC, CAA, MX, dangling CNAMEs — validated on every cycle, diffed against baseline.

Email authentication, infrastructure hardening, and dangling-record detection — covered in one continuous audit.
Every record baselined. Every check diffed. Catch the unauthorized A record, the silent MX swap, the weakened DMARC policy — within hours, not weeks.
DNS state diffed vs baseline (3 today)
A record added — 3.92.x.x
MX record changed
DMARC policy weakened
DNSSEC chain valid
The CNAME pointing to a deprovisioned S3 bucket. The retired Heroku app. The expired Azure resource. Subdomain takeover risk surfaced with provider-specific verification steps.
old.example.com: Heroku app retired
cdn.example.com: S3 bucket deleted
docs.example.com: GitHub Pages unclaimed
Add your domains once. FortWatch handles record validation, baselining, and drift alerting.
Step 1
Register your domains and subdomains. FortWatch resolves zone delegation and discovers subdomains automatically — no zone-file imports required.
Step 2
Every record category validated — SPF/DMARC/DKIM/DNSSEC/CAA/MX. Each subdomain CNAME resolved to confirm the target is still claimed. State baselined.
Step 3
Drift, hardening gaps, and takeover risks surface with the exact diff and remediation guidance. Slack, email, or webhook delivery.
We audit the records that matter for security: SPF (and lookup count limits), DMARC (policy strictness, reporting), DKIM (key strength, rotation), DNSSEC (chain validation), CAA (certificate issuance restrictions), and MX hygiene. Plus structural checks: missing records on subdomains, dangling CNAME pointers, and orphaned records that point to retired infrastructure.
FortWatch baselines your current DNS state on first scan and compares every subsequent check against it. New A records, changed MX targets, removed TXT records, modified DMARC policies — all flagged with the exact diff and a timeline of when the change happened. Useful for catching unauthorized DNS changes (compromised registrar account, rogue admin) and accidental drift after deploys.
Yes. We resolve every CNAME on every monitored subdomain and check whether the target is still claimed. Dangling CNAMEs pointing to deprovisioned S3 buckets, retired Heroku apps, expired Azure resources, or unclaimed GitHub Pages are flagged with provider-specific verification steps.
Both. Email auth (SPF/DKIM/DMARC) is one part — but we also audit infrastructure DNS: A and AAAA records, NS records (registrar lock status, DS hash for DNSSEC), CAA records (which CAs are allowed to issue certs for your domain), and zone-level health. The whole DNS surface, not just the email part.
DNS scans run continuously — every 6 hours by default for standard assets, hourly for assets you mark as critical. You can also trigger an on-demand scan after a registrar change. Each check runs against multiple resolvers to catch propagation issues and resolver-specific mismatches.
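The SPF lookup count and the baseline diff described above can be sketched as follows. This is an added example, not FortWatch code: every function name and record here is constructed, the `SPF_TXT` dict stands in for live DNS queries, and the counted terms are the ones RFC 7208 section 4.6.4 holds to a limit of 10.

```python
# Constructed sample data; a dict stands in for live DNS (assumption of this sketch).
DMARC_RANK = {"none": 0, "quarantine": 1, "reject": 2}
COUNTED = ("include", "a", "mx", "ptr", "exists", "redirect")  # RFC 7208 s. 4.6.4
SPF_TXT = {
    "example.com": "v=spf1 mx include:_spf.mail.example include:_spf.crm.example -all",
    "_spf.mail.example": "v=spf1 include:_a.mail.example include:_b.mail.example ~all",
    "_a.mail.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "_b.mail.example": "v=spf1 a exists:%{i}.bl.mail.example -all",
    "_spf.crm.example": "v=spf1 ip4:198.51.100.0/24 -all",
}
BASELINE = {("example.com", "MX"): "10 mx1.example.com.",
            ("_dmarc.example.com", "TXT"): "v=DMARC1; p=reject"}
CURRENT = {("example.com", "MX"): "10 mx.mail.example.", ("example.com", "A"): "192.0.2.10",
           ("_dmarc.example.com", "TXT"): "v=DMARC1; p=none"}

def spf_lookups(domain, txt, seen=None):
    """Count DNS-querying SPF terms for domain, following include and redirect."""
    seen = set() if seen is None else seen
    if domain in seen or domain not in txt:
        return 0  # loop guard, or no SPF record published for this name
    seen.add(domain)
    count = 0
    for term in txt[domain].split()[1:]:      # skip the v=spf1 version tag
        term = term.lstrip("+-~?")            # drop the qualifier
        name, _, arg = term.partition("=" if term.startswith("redirect=") else ":")
        name = name.split("/")[0]             # "a/24" and "mx/24" carry a CIDR suffix
        if name in COUNTED:
            count += 1
        if name in ("include", "redirect"):
            count += spf_lookups(arg, txt, seen)
    return count

def dmarc_rank(record):
    """Strictness of the p= tag: none=0, quarantine=1, reject=2, missing/unknown=-1."""
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return DMARC_RANK.get(tags.get("p", "").strip().lower(), -1)

def diff_state(baseline, current):
    """Compare two {(name, rtype): value} snapshots and label each change."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        kind = "added" if old is None else "removed" if new is None else "changed"
        if kind == "changed" and key[0].startswith("_dmarc.") and dmarc_rank(new) < dmarc_rank(old):
            kind = "dmarc_weakened"
        findings.append((key[0], key[1], kind))
    return findings
```

A count above 10 from `spf_lookups` means receivers return a permerror for the record; `diff_state` reports a move from `p=reject` to `p=none` as a weakening, separately from an ordinary change.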

SPF, DMARC, DKIM, DNSSEC, CAA, MX — every category validated.
Every record diffed against baseline — unauthorized changes surface in hours.
Dangling CNAMEs flagged with provider-specific verification steps.
Start scanning in under 5 minutes. No credit card required. 14-day free trial included.