arrow_back Back to Blog
DNS Security March 5, 2026 · 9 min read

When a DNS Change You Didn't Make Breaks Every Client's Email

The MSP didn't touch the DNS zone. Nobody on the team changed anything. But overnight, DMARC aggregate reports for four M365 tenants started showing alignment failures from legitimate senders. The common thread: Cloudflare had quietly updated how it handled proxied DNS records — and the SPF and DKIM configuration that had worked for months broke silently without any change notification going anywhere. This isn't an edge case. It's the scenario that makes reactive DMARC management fundamentally inadequate.

How DNS records break email auth without any obvious trigger

Email authentication depends on DNS records that sit in zones the MSP often doesn't fully control. SPF records, DKIM public keys, DMARC policies, MX records, and CNAME chains to third-party sending services all live in DNS — managed across registrars, DNS hosting providers, and CDN platforms. Any of the parties with write access to those zones can break email authentication without intending to.

The common trigger patterns:

  • web Web developers editing DNS zones. A developer updating DNS to point a subdomain to a new hosting environment deletes or overwrites a CNAME that was part of a DKIM delegation chain. They didn't know that record was load-bearing for email authentication. The zone looks correct for web traffic. DKIM starts failing immediately.
  • cloud CDN and DNS provider configuration changes. Cloudflare, AWS Route 53, Google Cloud DNS — all periodically update how they handle certain record types or zone behaviour. A change in how a provider handles TXT record lookups, or how it resolves CNAMEs for mail-related services, can invalidate SPF lookups or break DKIM with no change at the client level.
  • transfer_within_a_station Registrar migrations. A client moves their domain from one registrar to another — often triggered by cost or consolidation — and the migration doesn't carry across all the DNS records correctly. SPF records, DKIM selectors, and DMARC policies silently disappear on transfer or become misconfigured in the new zone.
  • construction New tools and integrations. A client adds a new marketing automation platform, CRM, or ticketing system. The vendor provides onboarding instructions that include editing SPF records. The client or an internal IT contact follows the instructions incorrectly — exceeds the 10-lookup SPF limit, introduces a syntax error, or removes existing entries while adding new ones. SPF breaks for every sender, not just the new one.

The silent failure problem:

None of these events generate a notification to the MSP. DNS records don't come with change triggers that alert external parties. DMARC aggregate reports show the consequences — but only after the next reporting cycle, which could be 24 hours. If the MSP reviews reports weekly, the window between the break and the discovery can be days. During that window, legitimate email may be failing delivery, going to spam, or functioning only because the receiving server's local policy happens to be lenient.

Why DMARC aggregate reports alone aren't enough

DMARC aggregate reports are an excellent signal — when something is actively failing. They show message volume, pass/fail breakdowns per sender, and alignment status per source IP. If SPF breaks for Microsoft 365 on a busy client domain, the next day's aggregate reports will show a dramatic shift in the pass rate for that sender. The signal is clear.

The problem is the lag. A break that happens at 2pm on Monday might not appear in reports until Tuesday morning, or later if the reporting interval from that particular receiver is longer. By then, an unknown number of messages have been affected — and if the DMARC policy is p=reject, some portion of them were silently dropped at the receiving server with no bounce notification to the sender.

There's also the problem of quiet DNS zones. A client domain that sends low volumes — a secondary domain used only for certain notifications, or a recently acquired company's legacy domain — might generate so few DMARC reports that a break goes undetected for weeks simply because the failure count isn't large enough to be visible in a manual review.

The complementary signal that closes this gap is direct DNS record monitoring — watching the actual records, not the downstream effects. If the TXT record containing the SPF policy changes, alert immediately. If a DKIM selector CNAME disappears, alert immediately. If the DMARC record's p= value changes without an MSP-initiated change, alert immediately. The DNS change itself is the earliest possible signal — earlier than any aggregate report, and earlier than any client complaint.

The third-party access problem MSPs face

MSPs are rarely the only party with DNS access on a client account. The realistic access landscape for a typical SMB client looks like this: the client's original IT contact (or founder) still has registrar credentials. Their web developer has DNS access to manage hosting. Their marketing agency has access to add records for their email marketing platform. The MSP has access to manage their business email DNS. Cloudflare is proxying the domain's web traffic.

Every one of those parties can make a DNS change. Only one of them — the MSP — understands the email authentication implications. The others are operating in good faith for their specific purpose, without knowing that the record they're editing or overwriting is load-bearing for SPF validation across all of the client's sending services.

The MSP liability pattern:

When email authentication breaks, regardless of who actually made the DNS change, the client's first call is to the MSP. From the client's perspective, "email is broken" is an MSP problem. The argument that a web developer made an unauthorised DNS change is true — and entirely irrelevant to a client whose outbound email reputation is taking damage while the conversation happens. Detecting the break before the client does, and correcting it before it compounds, is the only version of this situation where the MSP's competence is demonstrated rather than questioned.

What catch-before-complaint monitoring requires

Catching DNS-related email auth breaks before they become client complaints requires two independent monitoring layers working together:

1. DNS record change detection

Polling the live SPF, DKIM, DMARC, and MX records for every monitored domain at short intervals, comparing against a known-good baseline, and alerting when any deviation is detected. This operates entirely outside the DMARC report pipeline — it doesn't wait for receiving servers to send data. A change in an SPF TXT record at 2pm generates an alert at 2pm, not the next morning. For high-value or high-volume domains, this detection window matters significantly.

The records worth monitoring for email authentication purposes include: the v=spf1 TXT record, every DKIM selector CNAME or TXT record, the _dmarc TXT record, MX records (whose changes often precede email auth problems), and any CNAME records that resolve back to email-related services.

2. DMARC aggregate report analysis with trend alerting

DNS change detection tells you what changed. DMARC aggregate reports tell you what the impact is. For the category of DNS breaks where the record didn't technically change but the downstream behaviour did — a provider updated their SPF include record to different IP ranges, for example — the aggregate report is the only available signal.

Trend-based alerting on aggregate reports — watching for sudden increases in failure rate rather than just absolute failure counts — catches these cases even when the failure count is absolutely low. A domain that normally runs at 99% pass rate suddenly dropping to 85% pass rate is actionable even if the total affected message count is small, because the trend signals a configuration break rather than normal variance.

Combined visibility across all client domains simultaneously

Both monitoring layers need to operate across the entire client portfolio simultaneously, not one domain at a time. An MSP managing forty clients across seventy domains cannot manually check DNS health for each domain daily. The value is in the exception-based workflow: most days, everything is green, and nothing requires attention. The monitoring layer's job is to surface the specific domains that need attention on the specific days something changes — without requiring the MSP to look at everything to find the one domain that matters today.

Controlling what you can't fully lock down

The ideal solution to third-party DNS access is to consolidate DNS management under the MSP's control for all client domains — hosting zones in a platform the MSP manages, with all changes going through a controlled workflow. That's the right long-term architecture, and it's worth working toward as part of a domain management practice.

It's also not always achievable immediately. Clients have existing DNS hosting relationships, technical vendors with access requirements, and internal IT contacts who aren't going to relinquish control immediately. In the transition period — which for many MSPs is measured in years, not months — monitoring provides the compensating control: you can't prevent the change, but you can detect it fast enough to respond before the impact compounds.

MSPs that centralise DNS hosting are in a stronger position because they can enforce change control processes, review DNS edits before they propagate, and maintain a full audit trail of every record modification. But even with full DNS control, monitoring matters — provider-side changes, upstream DNS infrastructure issues, and configuration drift over time all happen regardless of who controls the zone.

Related reading

Know when a DNS record changes — before the client does

Albaspot monitors SPF, DKIM, DMARC, and MX records across all your client domains and alerts you the moment something changes — giving you time to respond before a DNS break becomes an email outage complaint.

Get started with Albaspot arrow_forward