Back to The Rejected Folder
| 9 min read

Email authentication monitoring: why set-and-forget fails

Publishing SPF, DKIM, and DMARC records is just the start. Without monitoring, you won't know when authentication breaks, new senders appear, or someone starts spoofing you.

DT
Marc, Owner
Email authentication monitoring: why set-and-forget fails

You’ve configured SPF. You’ve set up DKIM. You’ve published a DMARC record. Done, right?

Not even close.

Email authentication breaks. Silently. Without monitoring, you won’t know when:

  • A new marketing tool starts sending unauthenticated email
  • Someone accidentally deletes your SPF record
  • Attackers start spoofing your domain for phishing campaigns
  • A vendor changes their sending infrastructure

By the time you notice, it’s too late. Emails bounced. Campaigns failed. Customers got phishing messages “from” your domain.

Here’s what monitoring actually means, what to track, and how to set it up so you find problems before they find you.

What is email authentication monitoring?

Email authentication monitoring means watching whether your email passes SPF, DKIM, and DMARC checks, and getting alerts when something changes.

Three things matter.

Report analysis: DMARC aggregate reports (RUA) arrive daily from Gmail, Microsoft, Yahoo, and others. They show every email sent using your domain and whether authentication passed. You need to collect and actually read these.

DNS tracking: Your SPF, DKIM, and DMARC configs live in DNS. Any change affects authentication. You need to know when records change.

Sender discovery: New senders appear constantly. Marketing signs up for a new tool. HR uses a recruiting platform. Shadow IT proliferates. You need to spot these before they cause failures.

Skip any of these and you’ve got blind spots.

Why email authentication monitoring matters

Deliverability depends on it

Gmail, Yahoo, and Microsoft require DMARC for bulk senders. Fail authentication and your emails go to spam or get blocked.

The problem is that authentication breaks silently. A new sender fails SPF. A DNS change breaks DKIM. Your DMARC policy has a syntax error nobody noticed.

Without monitoring, you find out when open rates tank or customers ask why they didn’t get your email. By then you’ve lost days or weeks.

Security requires visibility

DMARC’s security value is stopping domain spoofing. With p=reject, receivers block emails that fail authentication. Attackers can’t impersonate you.

But you can only move to enforcement if you know who’s sending as your domain. You can only know that through monitoring.

Without visibility into your reports, you’re stuck at p=none (no protection) or you risk enforcement that blocks legitimate email.

Compliance demands evidence

SOC 2, PCI-DSS, and HIPAA increasingly reference email authentication. Auditors want more than a screenshot of your DNS records. They want evidence of ongoing monitoring, historical data, and response procedures.

Can’t show that you actively monitor and respond to failures? You might fail the audit.

What to actually watch

Pass rates

The basic question: what percentage of email from your domain passes authentication?

Break it down:

  • SPF pass rate: Are sending IPs authorized in your SPF record?
  • DKIM pass rate: Are messages properly signed with valid DKIM keys?
  • DMARC alignment rate: Do passing SPF or DKIM results align with the From domain?

Healthy domains see 95%+ pass rates on legitimate email. Below that? You’ve got config problems, unauthorized senders, or someone spoofing you.

Volume anomalies

Sudden changes in email volume are red flags.

A spike might indicate:

  • A new sender you weren’t aware of
  • A compromised system sending spam
  • An attacker spoofing your domain at scale

A drop might indicate:

  • DNS misconfiguration blocking legitimate email
  • A sender that stopped authenticating
  • Infrastructure problems with a key email provider

Source changes

Your senders change constantly. Marketing tries new tools. Vendors update infrastructure. Employees sign up for services without telling IT.

Watch for:

  • New IP addresses in reports
  • New domains in DKIM signatures
  • Shifts in how much email comes from each source

DNS record changes

DNS changes cause most authentication failures.

Watch for:

  • SPF record changes (added/removed includes, IP changes)
  • DKIM selector changes or deletions
  • DMARC policy changes
  • Complete record deletions

Well-meaning changes break things all the time. A developer “cleaning up” DNS deletes a DKIM record they don’t recognize. An IT admin tweaks SPF without understanding the 10-lookup limit.

Where companies screw this up

The inbox nobody checks

Most common failure by far: reports go to an email address nobody looks at.

Company publishes rua=mailto:[email protected]. Nobody ever opens that inbox. Reports pile up. XML files sit unread. Problems accumulate.

Fix: use a platform that parses reports automatically and alerts you when something’s wrong.

Manual spot-checks

Some companies try manual monitoring. Check DNS once a week. Skim reports occasionally. This doesn’t work because:

  • Authentication breaks between checks
  • Report volume exceeds human capacity
  • Attention wanders

You need automation. Continuous collection. Automatic parsing. Alerts that actually fire.

Monitoring only your primary domain

Big companies have lots of domains. Main corporate domain, product domains, regional domains, marketing domains, legacy domains from acquisitions.

Attackers know this. They target the forgotten ones. One unprotected domain becomes the entry point for phishing.

Monitor every domain you own, not just the main one.

How DMARCTrust handles email authentication monitoring

DMARCTrust is what we built to solve this. Here’s how it works.

Automated report collection

When you sign up, you get a unique reporting address. Point your DMARC record’s rua= tag there, and reports flow in automatically. No email server to manage. No inbox to check. No XML to parse manually.

Reports from Gmail, Microsoft, Yahoo, and everyone else get collected, parsed, and stored. You just look at the dashboard.

Source insights dashboard

Raw DMARC reports show IP addresses. DMARCTrust resolves those IPs to actual senders, so you see “Mailchimp” or “SendGrid” instead of 198.51.100.42.

The dashboard shows:

  • Pass/fail rates by source
  • Email volume by sender
  • Alignment status (SPF, DKIM, or both)
  • Trend data over time

When a new sender appears or an existing sender starts failing, you see it immediately.

DNS change monitoring

DMARCTrust monitors your SPF, DKIM, and DMARC DNS records continuously. When something changes, you get an alert.

The system detects:

  • Record modifications
  • Complete deletions
  • New record additions
  • Syntax errors

Alerts explain what changed and why it matters. You don’t need to be a DNS expert to respond.

API for integration

Security teams need data in their existing tools. The API gives you:

  • Domain authentication status
  • Report data and statistics
  • DNS record configs
  • Alert history

Build dashboards wherever you want. Trigger incidents in your SIEM. Automate compliance checks. Data’s available however you need it.

Setting this up

Step 1: Stop using random inboxes

Send DMARC reports somewhere that actually processes them. Use DMARCTrust or similar. Update your rua= tag.

Our DMARC generator can help with the syntax.

Step 2: Inventory your domains

List every domain your organization owns. Include:

  • Primary corporate domains
  • Product and service domains
  • Regional/localized domains
  • Legacy domains from acquisitions
  • Parked domains (these get spoofed too)

Each domain needs a DMARC record with reporting enabled.

Step 3: Baseline your senders

Before you can spot anomalies, you need to know what normal looks like. Let reports collect for 2-4 weeks to identify all legitimate senders.

Document each sender:

  • What tool or service is it?
  • Who in the organization uses it?
  • Is it properly authenticated?

Step 4: Enable alerting

Configure alerts for:

  • DNS record changes
  • New senders appearing
  • Authentication pass rates dropping below threshold
  • Volume anomalies

Don’t alert on everything. Alert fatigue is real. Focus on things you’ll actually act on.

Step 5: Establish response procedures

Monitoring without response is theater. Define what happens when:

  • An unauthorized sender appears
  • DNS changes unexpectedly
  • Pass rates drop
  • Someone’s spoofing you

Assign owners. Set timeframes. Know who to escalate to.

Monitoring and DMARC enforcement

You can’t safely reach DMARC enforcement without monitoring.

Here’s how it goes:

  1. p=none with monitoring: Collect data, identify senders, spot problems
  2. Fix authentication issues: Configure SPF and DKIM for all legitimate senders
  3. p=quarantine with monitoring: Start affecting delivery, watch for problems
  4. p=reject with monitoring: Full enforcement, continued vigilance

Monitoring doesn’t stop once you hit enforcement. New senders will appear. DNS will change. Attackers will probe. You need to keep watching.

For the full roadmap, see our DMARC enforcement rollout playbook.

Watch out for these

Forwarding and mailing lists

Forwarding breaks SPF. The forwarding server’s IP isn’t in your SPF record, so SPF fails.

These are legitimate DMARC failures that look like problems but aren’t. Monitoring helps you spot the pattern so you don’t waste time chasing false positives.

Third-party senders with shared IPs

Mailchimp, SendGrid, and similar services use shared IP pools. IPs change frequently. Relying on SPF for these senders is fragile.

Monitoring shows when shared-IP senders start failing SPF. Fix: use DKIM, which survives IP changes.

Subdomain spoofing

Your DMARC policy might only cover your main domain. Attackers target subdomains without explicit policies.

Use sp=reject in your DMARC record to cover all subdomains. Monitoring confirms subdomain mail is handled correctly.

What happens without monitoring

Same story, every time.

Deliverability breaks silently: Something gets misconfigured. Emails start failing. Days pass. Weeks. By the time anyone notices, sender reputation is shot and recovery takes forever.

Security incidents blindside you: Attackers spoof your domain. Customers get phishing emails. You find out when they complain, or worse, when you’re named in a breach report.

Audits fail: Auditors ask for evidence. You don’t have it because you weren’t collecting it.

Troubleshooting becomes guesswork: Something breaks. You have no data. Can’t tell when it started, what changed, or who was affected. Every incident becomes a mystery.

The short version

Publishing SPF, DKIM, and DMARC records is the start, not the finish.

You need:

  • Automated report collection
  • DNS change alerts
  • Sender tracking
  • Integration with your existing tools

DMARCTrust does all four. Mailbox for reports. Dashboard showing what’s happening. Alerts when DNS changes. API for automation.

Check your domain to see where you stand. If you’re not monitoring, you’re missing problems you don’t know about yet.

Read Next

View all posts
DMARC, SPF, DKIM... and the thing everyone misses: alignment
dmarc ·

DMARC, SPF, DKIM... and the thing everyone misses: alignment

Forum threads keep repeating the same confusion: "SPF and DKIM pass, so why does DMARC fail?" The missing mental model is DMARC alignment. We explain aspf/adkim, organizational vs strict alignment, and why you likely rely on DKIM alignment more than you think.

DT
DMARCTrust
5 min read
From p=none to p=reject: how to enable DMARC enforcement in 2026
security ·

From p=none to p=reject: how to enable DMARC enforcement in 2026

Forums show the same anxiety pattern: 'I want p=reject, but I'm afraid I'll block legit mail.' The rollout is mostly about gates: inventory done, alignment fixed, SPF lookup limit avoided, and then staged enforcement.

DT
DMARCTrust
3 min read