
DNS Audit for SMEs 2026: Secure Your DNS Zone in 1 Hour


DNS self-audit method for SMEs: SPF, DKIM, DMARC, MTA-STS, DNSSEC, CAA. Action plan in 1 hour.

DNS is the invisible entry point to your IT infrastructure. With a misconfigured zone, your emails end up in spam and your domain becomes a phishing target. Here is a 1-hour audit for SMEs.

1. SPF

  • Declares which servers are authorized to send emails for your domain
  • Without SPF: anyone can spoof your email address
  • TXT record at the zone root: v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
  • Test: mxtoolbox.com/SPFRecordCheck

2. DKIM

  • Signs your emails with a private key; the recipient verifies the signature with the public key published in DNS
  • Configured on the provider side: Google Workspace, M365, SendGrid, Resend
  • Record type CNAME or TXT: selector1._domainkey.yourdomain.com

3. DMARC

  • Policy: tells receivers what to do if SPF or DKIM fails
  • TXT record: _dmarc.yourdomain.com
  • Starting policy: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com
  • After 30 days of observation: move to p=quarantine, then p=reject
  • Quick report parsing: dmarcian.com (free tier)

4. MTA-STS

  • Enforces TLS between mail servers (the HSTS equivalent for SMTP)
  • TXT record at _mta-sts.yourdomain.com plus a policy file served over HTTPS
  • Optional but recommended for sensitive sectors

5. DNSSEC

  • Signs DNS records to prevent poisoning attacks
  • Can be enabled through your registrar (OVH, Gandi, Cloudflare)
  • Caution: breaking DNSSEC breaks your entire domain

6. CAA

  • Restricts which CAs can issue SSL certificates for your domain
  • CAA record: 0 issue "letsencrypt.org"
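
A way to lint the SPF, DMARC and CAA values from steps 1, 3 and 6 once you have copied them out of your zone. This is an added example, not code from the original article: the names audit_zone and tags are hypothetical, and both example.com zones are constructed sample data.

```python
# Added example: records are passed in as strings, nothing touches the network.

def tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit_zone(domain, records):
    """records maps (owner, type) -> list of record strings; returns findings."""
    out = []
    txt = records.get((domain, "TXT"), [])
    spf = [r for r in txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # RFC 7208: zero records = no policy, several = permerror at receivers
        out.append(f"SPF: expected 1 record, found {len(spf)}")
    else:
        terms = spf[0].lower().split()[1:]
        alls = [t for t in terms if t.lstrip("+-~?") == "all"]
        if not alls and not any(t.startswith("redirect=") for t in terms):
            out.append("SPF: no 'all' mechanism, unlisted senders get neutral")
        elif alls and alls[0] in ("all", "+all"):
            out.append("SPF: +all authorizes every sender")
    dmarc = [r for r in records.get(("_dmarc." + domain, "TXT"), [])
             if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if len(dmarc) != 1:
        out.append(f"DMARC: expected 1 record, found {len(dmarc)}")
    else:
        t = tags(dmarc[0])
        if t.get("p", "").lower() not in ("quarantine", "reject"):
            out.append("DMARC: policy is not enforcing (p=none or missing)")
        if "rua" not in t:
            out.append("DMARC: no rua address, aggregate reports are not sent")
    caa = [r.split(None, 2) for r in records.get((domain, "CAA"), [])]
    if not any(len(f) == 3 and f[1].lower() == "issue" for f in caa):
        out.append("CAA: no 'issue' property at the apex, issuance unrestricted")
    return out

# Constructed sample zones for example.com (BAD splits SPF across two records)
BAD = {("example.com", "TXT"): ["v=spf1 include:_spf.google.com ~all",
                                "v=spf1 include:spf.protection.outlook.com ~all"],
       ("_dmarc.example.com", "TXT"): ["v=DMARC1; p=none"]}
GOOD = {("example.com", "TXT"): [
            "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all"],
        ("_dmarc.example.com", "TXT"): [
            "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
        ("example.com", "CAA"): ['0 issue "letsencrypt.org"']}
for name, zone in (("BAD", BAD), ("GOOD", GOOD)):
    print(name, audit_zone("example.com", zone))
```

The BAD zone shows the most common SME mistake: one SPF record per mail provider instead of a single merged record, which receivers treat as an error rather than as two valid policies.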

7. Free audit tools

  • internet.nl — ANSSI reference
  • mxtoolbox.com — SPF/DKIM/DMARC checks
  • dmarcian.com — DMARC reports
  • hardenize.com — DNS + web security

Conclusion

An SME DNS audit is 1 hour invested to close 80% of email attack vectors. SPF + DKIM + DMARC are mandatory (Google and Yahoo have rejected emails without them since 2024). KOLOSALTech audits and configures your DNS zone.
