TL;DR: Domain health checks surface misconfigured DNS, weak email authentication, and blacklist exposure that can disrupt availability and enable spoofing, phishing, and deliverability failures, according to DigiCert. For identity teams, the message is that trust is operationally enforced through records, keys, and monitoring, not assumed by domain ownership alone.
At a glance
What this is: This is a practical overview of domain health checks and DNS scanning, showing how they detect configuration and authentication gaps that affect availability, deliverability, and abuse resistance.
Why it matters: It matters to IAM practitioners because domain trust, email authentication, and DNS integrity sit on the same governance boundary as machine identities, secrets, and access controls.
By the numbers:
- An estimated 90% of businesses experience DNS attacks annually.
- 21% of legitimate emails never reach customer inboxes due to poor domain reputation.
- There are over 300 active email blacklists used by ISPs and email providers to block spam or unwanted email sources.
- Network and connectivity-related issues accounted for 31% of IT service outages in 2024.
👉 Read DigiCert's domain health check guidance for DNS and email trust
Context
A domain health check is a recurring inspection of DNS records, email authentication settings, and related service reachability. In identity terms, it is the control plane that determines whether a domain can be trusted to send mail, route traffic, and resist spoofing or misconfiguration.
For IAM and NHI teams, the interesting part is not the scanner itself but the governance boundary it exposes. DNS records, SPF, DKIM, DMARC, and related controls often carry the trust signal for systems that operate outside human login flows, so domain integrity becomes part of identity assurance rather than a pure infrastructure task.
Key questions
Q: How should security teams govern DNS and email authentication together?
A: They should treat DNS records, SPF, DKIM, and DMARC as one trust chain rather than separate tasks. Changes need explicit ownership, change review, and monitoring because a failure in any one layer can break deliverability or enable spoofing. The practical goal is consistent identity proof for domain-sent traffic, not just clean configuration.
Q: When do domain health issues become an identity risk?
A: They become an identity risk when the domain is used to prove legitimacy for mail, verification, or service routing. At that point, record drift, broken authentication, or blacklist placement can cause users and systems to distrust the domain, which affects access flows, communications, and operational continuity.
Q: What do security teams get wrong about SPF, DKIM, and DMARC?
A: They often deploy them as isolated email settings instead of treating them as enforcement controls for domain identity. SPF, DKIM, and DMARC only work well when they are tuned together, monitored continuously, and backed by an operational process that responds to failure reports and configuration drift.
Q: Who should own domain health in a hybrid environment?
A: Ownership should sit with the team that can see DNS changes, mail authentication, and service impact together, usually across infrastructure, messaging, and security. If no one owns the full trust chain, misconfigurations persist and incidents become harder to diagnose and contain.
Technical breakdown
DNS record evaluation and domain integrity
Domain health tools check core DNS records such as A, MX, CNAME, TXT, and PTR to confirm that traffic routes where it should and that the published configuration matches operational reality. In practice, these checks detect broken delegations, stale hostnames, and inconsistent mappings that create outages or open a path for hijack and misdelivery. The security value comes from comparing intended configuration to live resolution, not just from listing records. When DNS and email systems are tightly coupled, a small misconfiguration can become both an availability event and an identity trust problem.
Practical implication: inventory critical records, compare them against expected state, and alert on drift before it affects routing or trust.
SPF, DKIM, and DMARC as email identity controls
SPF states which servers may send on behalf of a domain, DKIM signs outbound mail so recipients can verify it was authorised and unmodified, and DMARC tells receivers how to handle failures and where to send reports. Together they create a layered email identity check. The important operational point is that none of these controls works well in isolation. SPF can break on forwarding, DKIM can fail if keys or selectors are mismanaged, and DMARC only becomes useful when administrators review reports and tune policy based on actual mail flow.
Practical implication: manage SPF, DKIM, and DMARC as one control set and review failure reports as part of routine governance.
Blacklist monitoring and deliverability failure modes
Blacklist checks are a detection layer for domains that have already lost reputation or are behaving like spam sources. Many organisations treat blacklist placement as a mail problem, but it is often the downstream effect of weak authentication, compromised sending systems, or persistent misconfiguration. Domain scanners use blacklist lookups, SMTP tests, and deliverability checks to show whether mail servers are reachable and whether messages are likely to be accepted. That makes deliverability a security signal as well as an operational one, because repeated rejection can indicate abuse, spoofing, or hidden infrastructure drift.
Practical implication: pair blacklist monitoring with mail authentication review so reputation loss is traced back to the actual control failure.
Threat narrative
Attacker objective: The attacker aims to make malicious mail or traffic appear legitimate enough to reach users, disrupt services, or degrade the domain’s reputation.
- Entry occurs when attackers exploit weak DNS or email authentication posture to spoof a domain or abuse misrouted mail paths.
- Credential or trust abuse follows when recipients accept unauthenticated messages or the domain’s reputation has already been damaged.
- Impact appears as phishing success, deliverability failure, or service disruption that erodes trust in the domain itself.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- MongoBleed breach — MongoBleed exposed secrets across 87K MongoDB servers.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Domain health is an identity assurance problem, not just a DNS hygiene task. SPF, DKIM, DMARC, and record integrity collectively decide whether a domain can be trusted by humans and machines alike. When those controls drift, the failure shows up as spoofing, misdelivery, or reputation damage, but the root issue is that the domain can no longer assert identity consistently. Practitioners should treat domain health as part of the identity control stack.
Email authentication is the machine identity analogue many teams still overlook. SPF authorises senders, DKIM proves message integrity, and DMARC enforces policy, which is the same pattern identity teams use elsewhere to separate possession from legitimacy. The governance mistake is to leave these controls in separate operational silos and assume mail gateways will compensate. Practitioners should align domain governance with broader identity and access review discipline.
Domain scanners expose the same trust debt that appears across NHI programmes. Over time, unmanaged DNS records, stale MX settings, and unreviewed authentication policies accumulate into a trust gap that attackers can exploit quickly. Identity trust debt: a backlog of configuration, validation, and reputation issues that gradually weakens the organisation’s ability to prove legitimacy. Practitioners should measure and reduce this debt before it becomes an incident.
Hybrid environments make domain governance harder because ownership, not technology, becomes the blind spot. The article notes that DNS, domain controllers, and email servers are often spread across teams and platforms. That fragmentation matters because no single owner sees the full chain from record change to user impact. Practitioners should re-establish clear accountability for every domain trust control.
Domain reputation is now part of access success. If 21% of legitimate emails never reach inboxes because of reputation problems, then identity workflows that depend on mail delivery, verification, or notification are already at risk. Practitioners should understand domain health as a prerequisite for reliable identity operations, not a post-incident cleanup item.
From our research:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to The 2026 Infrastructure Identity Survey.
- Only 44% of organisations have implemented any policies to manage their AI agents, despite 92% agreeing that governing AI agents is critical to enterprise security.
- That same survey shows 69% of security leaders agree identity management must fundamentally shift to address agentic AI systems, a signal that the domain trust problem is widening beyond email and DNS.
What this signals
Identity trust debt is now visible in the places teams once treated as plumbing. DNS, mail authentication, and reputation monitoring are becoming governance signals because they determine whether identity-bearing traffic is accepted at all. The practical shift is to fold domain health into identity assurance reviews, especially where verification, notification, and service routing depend on email.
A strong programme will also separate change authority from operational ownership. When DNS edits, mail policy, and monitoring are split across teams without a common control owner, configuration drift becomes inevitable and accountability becomes slow. That is where a domain scanner stops being a utility and starts becoming evidence for governance.
Teams building out autonomous and machine identity programmes should watch for the same pattern in service communications. If domain trust fails, the downstream identity workflow fails with it, so the next control question is not just whether the system is online but whether it can still prove who it is.
For practitioners
- Baseline authoritative DNS records Map every production A, MX, CNAME, TXT, and PTR record and compare live resolution against the intended configuration on a fixed review cycle.
- Treat SPF, DKIM, and DMARC as one governance set Review sender authorisation, message signing, and policy enforcement together so one weak control does not undercut the others.
- Monitor blacklist and SMTP signals together Correlate blacklist hits, SMTP reachability, and deliverability failures to distinguish reputation loss from routing or signing defects.
- Assign explicit ownership for domain trust controls Document who can change DNS, who approves authentication policy, and who receives exception alerts across mail and infrastructure teams.
Key takeaways
- Domain health checks are really trust checks for DNS and email identity controls.
- Misconfigured SPF, DKIM, DMARC, and DNS records can turn routine communication into a spoofing, deliverability, or outage problem.
- Teams should manage domain trust as a governed control chain with clear ownership, monitoring, and drift detection.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | Domain trust controls determine whether mail and services are accepted as legitimate. |
| NIST CSF 2.0 | DE.CM-1 | Scanning and blacklist monitoring are continuous monitoring functions for domain health. |
| NIST SP 800-63 | Identity proofing concepts inform how domains assert legitimacy in email workflows. |
Use phishing-resistant identity and assurance thinking when domain trust supports verification or access flows.
Key terms
- Domain Health Check: A domain health check is a structured inspection of DNS, email authentication, and related configuration used to prove that a domain is functioning and trustworthy. It looks for misconfigurations, reputation issues, and validation failures that can affect deliverability, routing, and abuse resistance.
- SPF: Sender Policy Framework is a DNS-based control that lists which systems are authorised to send email for a domain. It helps recipients reject forged messages, but it must be maintained carefully because forwarding, delegation, and stale records can create false failures or gaps.
- DMARC: Domain-based Message Authentication, Reporting and Conformance is a policy layer that tells receivers how to handle messages that fail SPF or DKIM checks. It also gives administrators reports that reveal spoofing attempts, misalignment, and policy drift across the domain.
- Identity Trust Debt: Identity trust debt is the accumulation of unresolved configuration, validation, and governance issues that gradually weakens an organisation’s ability to prove legitimacy. In domain operations, it shows up as stale records, weak email policy, and reputation problems that make abuse easier and recovery slower.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by DigiCert: Why You Need a Domain Health Check. Read the original.
Published by the NHIMG editorial team on 2026-06-17.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
