Granting Audit Access — Email & DNS
Time required: 30 seconds Who should do this: Anyone who knows your company's domain name What we get: We check your publicly visible DNS records — no credentials required for most checks What we can't do: Modify DNS records, access email, or change any settings
What we need from you
Just your domain name. That's it.
For example: yourcompany.com
If you have multiple domains (e.g., yourcompany.com and yourcompany.co.uk), send us all of them.
Why no credentials?
DMARC, DKIM, SPF, and MX records are public DNS records — that's how email works. Any mail server in the world can look them up to verify your email authenticity. We check the same records.
SSL certificate status is also public — browsers check it on every page load.
Optional: DNS provider access (for deeper checks)
If you want us to also check for:
- DNS record drift (unexpected changes to your records)
- Domain renewal dates (are any domains about to expire?)
- Full DNS inventory (what subdomains and records exist?)
Then we'll need read-only access to your DNS provider dashboard. Common providers:
| Provider | How to grant read-only access |
|---|---|
| GoDaddy | Delegate Access → add our email as "View-Only" delegate |
| Cloudflare | Add member → select domain → set permission to "DNS Read" |
| Route 53 (AWS) | IAM user with route53:GetHostedZone and route53:ListResourceRecordSets only |
| Google Domains | Share access → add our email as "Reader" |
| Namecheap | No built-in read-only — share Advanced DNS page screenshot instead |
This is optional. The public DNS checks alone catch 80%+ of email security issues.
What we check
| Check | What it tells you | Needs credentials? |
|---|---|---|
| SPF record | Is your email sender authorization properly configured? | No |
| DKIM records | Are your emails cryptographically signed? | No |
| DMARC policy | What happens when someone spoofs your domain? | No |
| MX records | Are your mail servers correctly configured? | No |
| SSL certificates | Are any certificates expired or expiring soon? | No |
| DNS record inventory | What's your full DNS footprint? | Yes (optional) |
| Domain expiry dates | Are any domains about to lapse? | Yes (optional) |
After the audit
If you granted DNS provider access, simply remove our delegate/member/IAM user. For the public DNS checks — there's nothing to revoke since we're reading public records.