DNS Security Audit Checklist: SPF, DKIM, DMARC, DNSSEC, and CAA
Most deliverability and spoofing problems trace back to DNS drift. Review these records often.
SPF
- Publish one SPF record and remove unused vendors
- Keep lookups under 10 to avoid softfail
- List only trusted senders
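As an added example (not part of the original checklist), this Python script applies the first two SPF items to a constructed set of TXT records: every domain name and record below is made up, and the TXT table stands in for live DNS queries. It follows include: and redirect= and counts each term that costs a DNS query, flagging a domain that publishes more than one SPF record or exceeds the lookup limit.

```python
import re

# Constructed TXT data standing in for live DNS queries (example zones, not real domains).
TXT = {
    "good.test": ["v=spf1 include:_b.mailer.test ip4:203.0.113.0/24 -all"],
    "example.test": ["v=spf1 include:_spf.mailer.test include:_spf.crm.test a mx -all"],
    "_spf.mailer.test": ["v=spf1 include:_a.mailer.test include:_b.mailer.test ~all"],
    "_a.mailer.test": ["v=spf1 ip4:192.0.2.0/24 a mx exists:%{i}.chk.mailer.test -all"],
    "_b.mailer.test": ["v=spf1 ip4:198.51.100.0/24 mx -all"],
    "_spf.crm.test": ["v=spf1 include:_spf.mailer.test redirect=_spf.crmalt.test"],
    "_spf.crmalt.test": ["v=spf1 ptr mx -all"],
    "double.test": ["v=spf1 -all", "v=spf1 mx -all"],
}

# Terms that cost a DNS query under RFC 7208; ip4, ip6 and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=]([^/ ]+))?", re.I)

def spf_records(domain):
    """Return the SPF TXT records published at domain (a valid zone has exactly one)."""
    return [t for t in TXT.get(domain, []) if t.lower().split(" ", 1)[0] == "v=spf1"]

def count_lookups(domain, chain=()):
    """Count DNS-querying terms reachable from domain, following include: and redirect=.
    Each include/redirect costs its own query plus whatever the target record costs;
    a domain reached twice by different paths is counted twice, as a receiver would."""
    if domain in chain:              # guard against include loops
        return 0
    recs = spf_records(domain)
    if len(recs) != 1:               # invalid record set; reported separately by audit()
        return 0
    total = 0
    for term in recs[0].split()[1:]:
        m = TERM_RE.match(term)
        if not m or m.group(1).lower() not in LOOKUP_TERMS:
            continue
        total += 1
        if m.group(1).lower() in ("include", "redirect") and m.group(2):
            total += count_lookups(m.group(2).lower(), chain + (domain,))
    return total

def audit(domain):
    """Checklist items: exactly one SPF record, and at most 10 DNS lookups."""
    findings, recs = [], spf_records(domain)
    if len(recs) == 0:
        findings.append("no SPF record")
    elif len(recs) > 1:
        findings.append(f"{len(recs)} SPF records published; RFC 7208 treats this as a permanent error")
    lookups = count_lookups(domain)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10")
    return {"records": len(recs), "lookups": lookups, "findings": findings}
```

Calling audit("example.test") reports 20 lookups, because the shared _spf.mailer.test include is paid for on both paths; that double counting is usually the reason a record drifts over the limit after a new vendor is added.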
DKIM
- Ensure selectors exist for each sender
- Use 1024-bit keys or stronger and rotate on schedule
- Test alignment after template changes
DMARC
- Set p=quarantine or stronger in production
- Add rua and ruf for aggregate and forensic reports
- Align the From header domain with the SPF and DKIM domains
DNSSEC and CAA
- Enable DNSSEC at the registrar and confirm the DS record
- Restrict issuance with CAA and include issuewild if you use wildcards
MX and TLS
- Point MX to live hosts in the right priority order
- Confirm STARTTLS and valid certificates on MX hosts