DEV Community

Regő Botond Ronyecz

Posted on • Originally published at zerohook.hashnode.dev

Beginner-Friendly: The Small Business Owner's DNS Security Checklist

You do not need to know what DNS stands for to use this checklist.

You need to know three things:

  1. Your domain name (the part after the @ in your email address — like yourbusiness.com)

  2. Who hosts your website or where you registered your domain (GoDaddy, Namecheap, Cloudflare, or whoever sends you the renewal invoice)

  3. About 30 minutes

That is enough to work through this checklist, identify what is missing on your domain, and know who to call to fix it.


Why This Matters Before Anything Else

Every small business that owns a domain has the same three problems, usually without knowing it.

Problem 1: Anyone can send email pretending to be you. By default, email has no authentication. If you own yourbusiness.com, a scammer can send an email saying it came from invoices@yourbusiness.com and most email apps will show your business name as the sender. Your customers have no way to tell the difference. Three DNS records (SPF, DKIM, DMARC) fix this — and most small businesses have none of them correctly configured.

Problem 2: Your legitimate emails are landing in spam. Not because you did anything wrong. Because without those same three records, Gmail and Outlook treat your emails with suspicion. Password resets, invoices, and follow-ups are going to spam folders instead of inboxes — and you have no idea.

Problem 3: Your domain could be stolen or redirected. The account where you registered your domain (GoDaddy, Namecheap, etc.) is the single most valuable target for someone who wants to impersonate your business. If someone gets into that account, they control your domain, your website, and your email. A few account settings make that far harder to pull off.

None of this requires technical expertise to fix. It requires knowing what to look for and asking the right person to action it.


How to Use This Checklist

Each item below has:

  • What it is — a plain-English explanation

  • How to check — the easiest way to see your current status

  • Who fixes it — you, your web developer, your IT person, or your hosting provider

  • Priority — how urgently this needs attention

Work through the items in order. The high-priority items first. If something is above your comfort level, screenshot it and send it to whoever manages your website or IT.


Section 1: Your Domain Registrar Account (Do This First)

Your domain registrar is where you registered your domain name — companies like GoDaddy, Namecheap, Cloudflare, Google Domains (now part of Squarespace), or Hover. This account controls everything. Protecting it is the first step.


✅ Item 1.1 — Two-Factor Authentication on Your Registrar Account

What it is: Two-factor authentication (2FA) means that even if someone steals your password, they cannot log in without also having your phone. It is a second lock on the front door.

Why it matters: If someone gains access to your domain registrar account, they can point your domain at any website they choose — including a fake version of yours that steals your customers' passwords. This has happened to well-known businesses, not just careless ones.

How to check: Log in to your domain registrar. Go to account settings or security settings. Look for "Two-Factor Authentication," "2-Step Verification," or "Multi-Factor Authentication." If it is not enabled, there will be an option to turn it on.

Who fixes it: You. It takes five minutes. Use an authenticator app (Google Authenticator, Authy, or the one built into your password manager) rather than SMS if the option is available; SMS codes can be intercepted or taken over through a SIM swap. If your registrar supports hardware security keys or passkeys, those are stronger still. Store the backup codes somewhere safe: without them, a lost phone locks you out of your own domain.

Priority: Critical. Do this today.


✅ Item 1.2 — Domain Lock / Transfer Lock Enabled

What it is: Most registrars offer a "domain lock" (also called transfer lock or registrar lock) that prevents your domain from being moved to another registrar without additional verification. On an unlocked domain, anyone who gets hold of the transfer authorization code (the EPP or "auth" code) can move it to a registrar they control, a so-called unauthorized transfer.

Why it matters: Domain theft — transferring your domain to a registrar the attacker controls — is one of the most damaging things that can happen to a business. It takes days to recover, and your website and email are offline the entire time.

How to check: Log in to your domain registrar. Find your domain and look for a setting called "Transfer Lock," "Registrar Lock," or "Domain Lock." It should be set to ON or LOCKED. You can also confirm it from the outside: a WHOIS or RDAP lookup of your domain should list the status clientTransferProhibited.

Who fixes it: You. Toggle the lock on in your registrar account. If the domain is one the business cannot afford to lose, ask whether your registrar also offers a registry lock: a stronger, usually paid, lock applied at the registry itself that needs manual verification to remove.

Priority: High.


✅ Item 1.3 — Your Registrar Contact Email Is Current

What it is: Your registrar sends renewal notices, security alerts, and transfer confirmations to the email address on file. If that address is an old personal email, a former employee's account, or an inbox nobody checks, these notifications disappear.

Why it matters: Domain renewal notices going to an inbox nobody monitors is one of the most common reasons small businesses lose their domain — they miss the renewal, the domain expires, and someone else registers it.

How to check: Log in to your registrar. Check the contact email address under account settings. Send a test email to it and confirm you receive it.

Who fixes it: You. Update the email to one that you — or someone responsible — actively monitors.

Priority: High.


✅ Item 1.4 — Auto-Renew Is Enabled for Your Domain

What it is: Auto-renew automatically renews your domain registration before it expires, charging the card on file.

Why it matters: An expired domain goes offline almost immediately, because the registrar replaces your DNS with a parking page. Website down, email stopped, everything offline. After a grace period (often around 30 to 45 days, but it depends on your registrar and domain ending) the domain enters a redemption period in which getting it back costs a hefty fee, and after that it is released for anyone to register. Competitors, domain squatters, or attackers can pick it up. Buying it back, if the new owner will sell at all, is expensive and slow.

How to check: Log in to your registrar. Find your domain. Check whether auto-renew is enabled and whether the payment card on file is current.

Who fixes it: You. Enable auto-renew and confirm the payment method is valid.

Priority: High.
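Items 1.2 and 1.4 can both be checked from outside the registrar's control panel, because the registry publishes your domain's lock status and expiry date over RDAP (the JSON successor to WHOIS, RFC 9083). The script below is an added example, not part of the original checklist and not ZeroHook's code. The RDAP document in it is constructed for a hypothetical domain (yourbusiness.example); a real one comes from your registry's RDAP service, for instance https://rdap.org/domain/<your-domain>.

```python
# Added example (not part of the original checklist, and not ZeroHook's code):
# read a domain's RDAP record and report the registrar-side protections that
# items 1.2 and 1.4 ask about. The RDAP document below is CONSTRUCTED; a real
# one comes from your registry's RDAP service (RFC 9083 JSON).
import json
from datetime import datetime, timezone

# Constructed RDAP response for a hypothetical domain; every value is made up.
SAMPLE_RDAP = json.dumps({
    "ldhName": "yourbusiness.example",
    "status": ["client delete prohibited", "client transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2019-05-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-05-01T00:00:00Z"},
    ],
})

# Statuses a registrar's "domain lock" / "transfer lock" toggle normally sets
# (RDAP spells the EPP codes clientTransferProhibited etc. with spaces).
CLIENT_LOCKS = {
    "client transfer prohibited",
    "client delete prohibited",
    "client update prohibited",
}
# Registry-level locks: a stronger, usually paid, product that needs manual
# verification at the registry before it can be lifted.
REGISTRY_LOCKS = {
    "server transfer prohibited",
    "server delete prohibited",
    "server update prohibited",
}


def _parse_rdap_time(value: str) -> datetime:
    # RDAP timestamps are RFC 3339; fromisoformat wants +00:00 rather than Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expiry_date(rdap: dict):
    """Return the expiration event's timestamp, or None if the registry omits it."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            return _parse_rdap_time(event["eventDate"])
    return None


def audit_registrar(rdap_json: str, now_iso: str) -> dict:
    """Summarise lock status and time to expiry from an RDAP JSON document.

    now_iso is the current time as an RFC 3339 string, passed in so the result
    is reproducible; in real use pass datetime.now(timezone.utc).isoformat().
    """
    rdap = json.loads(rdap_json)
    status = set(rdap.get("status", []))
    now = _parse_rdap_time(now_iso)
    expiry = expiry_date(rdap)
    days_left = (expiry - now).days if expiry else None
    return {
        # Item 1.2: either a client or a registry transfer lock blocks a transfer.
        "transfer_locked": bool({"client transfer prohibited",
                                 "server transfer prohibited"} & status),
        "missing_client_locks": sorted(CLIENT_LOCKS - status),
        "registry_lock": bool(REGISTRY_LOCKS & status),
        # Item 1.4: an expiry inside 30 days with no auto-renew is an emergency.
        "days_to_expiry": days_left,
        "renewal_warning": days_left is not None and days_left < 30,
    }


if __name__ == "__main__":
    print(audit_registrar(SAMPLE_RDAP, datetime.now(timezone.utc).isoformat()))
```

For the constructed record the output shows a transfer lock in place, the update lock missing, no registry lock, and an expiry 16 days out as of mid-April 2026, which is exactly the "renew now" case item 1.4 describes. Run it against your own domain's RDAP document once a quarter and the two registrar items check themselves.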


Section 2: Email Authentication Records

These three records (SPF, DKIM, DMARC) tell the internet that your emails are legitimate. Without them, your emails look suspicious to every inbox provider in the world. With them, you are protected against email impersonation and your delivery rates improve. This is no longer optional: since early 2024 Gmail and Yahoo require SPF or DKIM from every sender and a DMARC record from anyone sending in volume, and they bounce or junk mail that does not comply.

You do not need to understand how they work. You need to know whether they are set up — and if not, have someone set them up.


✅ Item 2.1 — SPF Record Exists and Is Correct

What it is: SPF (Sender Policy Framework) is a list, published in your domain's DNS, of the email services that are allowed to send email on your behalf. Think of it as an authorized sender list that inbox providers check before accepting your email.

Why it matters: Without SPF, anyone can send email claiming to be from your domain and inbox providers have no way to verify it is fake. With a broken SPF record (two records, or over the 10-lookup limit), your emails may land in spam or be rejected.

How to check: Go to mxtoolbox.com/spf.aspx and enter your domain. It will tell you whether an SPF record exists, whether it is valid, and whether there are any errors.

What to look for:

  • ✅ "SPF record found" with no errors — you are set

  • ⚠️ "Multiple SPF records found" — there are two SPF records. Receiving servers treat that as a permanent error and your SPF fails for everything. One needs to be deleted and its authorised senders merged into the other.

  • ❌ "No SPF record found" — no SPF is configured

Who fixes it: Your web developer, IT person, or email provider. Give them the MXToolbox result and ask them to fix it.

Priority: High.
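To make the two failure modes above concrete, here is the evaluation a receiving mail server performs on an SPF record: it must find exactly one v=spf1 record, it stops after 10 DNS lookups (RFC 7208 section 4.6.4, counted across every include: and redirect= it follows), and it acts on the final all term. This is an added example, not the article's or ZeroHook's tooling. The DNS answers live in a constructed table so the script runs offline, and every domain in it (yourbusiness.example, sloppy.example, mailhost.example, crm.example) is hypothetical.

```python
# Added example, not the article's own tooling: the checks a receiving mail
# server applies to an SPF record, so you can see why "multiple records" and
# "too many lookups" break it. DNS answers are CONSTRUCTED in the TXT table so
# this runs offline; every domain name below is hypothetical.
import re

# Constructed TXT records, keyed by the name a receiver would query.
TXT = {
    # A sound setup: mail provider plus a CRM that sends invoices, hard fail.
    "yourbusiness.example": [
        "v=spf1 include:_spf.mailhost.example include:spf.crm.example -all",
    ],
    "_spf.mailhost.example": [
        "v=spf1 include:_blocks1.mailhost.example include:_blocks2.mailhost.example ~all",
    ],
    "_blocks1.mailhost.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_blocks2.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "spf.crm.example": ["v=spf1 ip4:203.0.113.0/24 mx -all"],
    # A broken setup: two records, lookup-heavy mechanisms and "+all".
    "sloppy.example": [
        "v=spf1 a mx ptr include:_spf.mailhost.example include:spf.crm.example "
        "include:a.example include:b.example include:c.example +all",
        "v=spf1 -all",
    ],
}

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit: 10 per
# evaluation, counted across every include and redirect that gets followed).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def spf_records(domain: str) -> list:
    """Return only the TXT strings that are SPF records (v=spf1 ...)."""
    return [r for r in TXT.get(domain, []) if re.match(r"v=spf1(\s|$)", r, re.I)]


def parse_term(term: str):
    """Split 'include:foo', 'ip4:1.2.3.0/24', 'redirect=foo', 'a/24' into (name, arg)."""
    term = term.lstrip("+-~?")            # the qualifier does not change lookup cost
    if ":" in term:
        name, arg = term.split(":", 1)    # mechanism with an argument
    elif "=" in term:
        name, arg = term.split("=", 1)    # modifier such as redirect= or exp=
    else:
        name, arg = term, ""
    return name.split("/")[0].lower(), arg


def count_lookups(record: str, seen: set) -> int:
    """Count the lookups a receiver performs, following include: and redirect=.

    'seen' guards against include loops; a name referenced twice is followed
    once here, which slightly undercounts what a strict evaluator would do.
    """
    total = 0
    for term in record.split()[1:]:
        name, arg = parse_term(term)
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect") and arg and arg not in seen:
            seen.add(arg)
            for sub in spf_records(arg):
                total += count_lookups(sub, seen)
    return total


def check_spf(domain: str) -> dict:
    """Apply the checklist's three SPF questions to a domain."""
    records = spf_records(domain)
    result = {"records": len(records), "lookups": 0, "problems": []}
    if not records:
        result["problems"].append("no SPF record")
        return result
    if len(records) > 1:
        result["problems"].append(
            "multiple SPF records: receivers return permerror and treat SPF as failed")
    record = records[0]
    result["lookups"] = count_lookups(record, {domain})
    if result["lookups"] > 10:
        result["problems"].append(f"{result['lookups']} DNS lookups, limit is 10")
    last = record.split()[-1].lower()
    if last in ("all", "+all"):
        result["problems"].append("+all authorises every server on the internet")
    elif last not in ("-all", "~all"):
        result["problems"].append("record should end in -all (or ~all while testing)")
    return result


if __name__ == "__main__":
    for name in ("yourbusiness.example", "sloppy.example", "nothing.example"):
        print(name, check_spf(name))
```

The sound record costs 5 lookups even though it only names two includes, because each include's own includes and mx terms count too; that is how an innocuous "add our include" from every new SaaS tool quietly walks a domain past the limit of 10. The sloppy record trips all three checks at once.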


✅ Item 2.2 — DKIM Is Configured for Your Email Service

What it is: DKIM (DomainKeys Identified Mail) adds an invisible digital signature to every email you send. Receiving servers verify this signature to confirm the email genuinely came from you and was not altered in transit. Think of it as a tamper-evident seal on every email.

Why it matters: Without DKIM, your emails lack a key trust signal that Gmail, Outlook, and Yahoo use to evaluate sender reputation. It also matters for DMARC (the next item): DMARC can technically pass on SPF alone, but SPF breaks whenever your mail is forwarded (a customer's auto-forward, a mailing list), while a DKIM signature survives forwarding. In practice DKIM is what keeps your legitimate mail passing once DMARC is enforced.

How to check: Go to mxtoolbox.com/dkim.aspx. Enter your domain. For the selector field, try google if you use Google Workspace (this selector only exists once DKIM has been generated in the admin console), or selector1 and selector2 if you use Microsoft 365. Each additional service that sends as your domain (newsletter tool, invoicing software, CRM) has its own selector. If you are unsure, ask whoever set up your email.

What to look for:

  • ✅ "DKIM record found, valid" — you are set

  • ❌ "DKIM record not found" — DKIM is not configured for that selector

Who fixes it: Your email provider or IT person. Google Workspace, Microsoft 365, and most email providers have documentation on how to configure DKIM. It involves adding a DNS record that the provider gives you (a TXT record for Google Workspace, a pair of CNAME records for Microsoft 365), then switching signing on in the provider's console. It has to be done once per service that sends as your domain. Your provider can walk you through it or do it for you.

Priority: High.


✅ Item 2.3 — DMARC Is Configured (and Not Just at p=none)

What it is: DMARC ties SPF and DKIM together and tells inbox providers what to do when an email fails authentication — for example, when a scammer tries to send a fake invoice from your domain. If the record includes a reporting address (the rua= tag), inbox providers also send you daily summary reports showing who is sending email as your domain, including the senders you forgot about.

There are three DMARC policy levels:

  • p=none — monitor only, do nothing (a starting point, not a finished configuration)

  • p=quarantine — send suspicious emails to spam

  • p=reject — block suspicious emails entirely

Why it matters: p=none does not protect anyone. It just collects data. The protection starts at p=quarantine. Most small businesses that have DMARC configured are stuck at p=none and don't know it.

How to check: Go to mxtoolbox.com/dmarc.aspx and enter your domain.

What to look for:

  • ✅ "DMARC record found" with p=quarantine or p=reject — good

  • ⚠️ "DMARC record found" with p=none — configured but not enforced. Ask your IT person to move it to p=quarantine after confirming SPF and DKIM are passing.

  • ❌ "No DMARC record found" — DMARC is not configured at all

Who fixes it: Your IT person or web developer. Moving from p=none to p=quarantine is a one-word change to a DNS record, but it should be done carefully, after the reports confirm that every legitimate sender passes SPF or DKIM. Two other tags on the same record can quietly weaken it: pct= (a percentage below 100 applies the policy to only part of the failing mail) and sp= (a separate, weaker policy for subdomains). Ask for pct=100 and no sp=none.

Priority: High.
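A DMARC record that says p=quarantine is not automatically enforced: pct=10 applies the policy to a tenth of failing mail, and sp=none leaves every subdomain open for a scammer to use as hr.yourbusiness.example. The checker below reads the record the way a receiver does and reports the effective level. It is an added example, not the article's or ZeroHook's code, and the records in it are constructed for the hypothetical domain yourbusiness.example.

```python
# Added example, not the article's or ZeroHook's code: read the TXT record(s)
# found at _dmarc.<domain> and say what the policy really enforces. p= is only
# part of the answer; pct= and sp= can quietly weaken it. Records below are
# constructed for a hypothetical domain.


def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")   # first '=' only: rua values contain ':'
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(records: list) -> dict:
    """records: the TXT strings found at _dmarc.<domain> (possibly none)."""
    dmarc = [r for r in records if r.strip().lower().startswith("v=dmarc1")]
    if not dmarc:
        return {"effective": "missing", "notes": ["no DMARC record at _dmarc"]}
    if len(dmarc) > 1:
        return {"effective": "invalid",
                "notes": ["more than one DMARC record; receivers discard all of them"]}

    tags = parse_dmarc(dmarc[0])
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        return {"effective": "invalid",
                "notes": ["p= tag missing or not none/quarantine/reject"]}

    sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
    try:
        pct = int(tags.get("pct", "100"))   # share of failing mail the policy applies to
    except ValueError:
        pct = 100                           # receivers ignore an unparsable pct

    notes = []
    if p == "none":
        notes.append("p=none: reports only, nothing is blocked")
    if p != "none" and pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail is quarantined/rejected")
    if p != "none" and sp == "none":
        notes.append("sp=none: mail from any subdomain (e.g. hr.yourbusiness.example) is not protected")
    if "rua" not in tags:
        notes.append("no rua= address: you will never see the aggregate reports")

    if p == "none":
        effective = "monitor"
    elif pct < 100 or sp == "none":
        effective = "partial"
    else:
        effective = "enforced"
    return {"policy": p, "subdomain_policy": sp, "pct": pct,
            "effective": effective, "notes": notes}


if __name__ == "__main__":
    # Constructed records for yourbusiness.example, worst to best.
    for rec in (
        [],
        ["v=DMARC1; p=none; rua=mailto:dmarc@yourbusiness.example"],
        ["v=DMARC1; p=quarantine; pct=10; sp=none; rua=mailto:dmarc@yourbusiness.example"],
        ["v=DMARC1; p=reject; rua=mailto:dmarc@yourbusiness.example"],
    ):
        print(rec, "->", assess_dmarc(rec))
```

Only the last record comes out as "enforced". The third one would show up on a lookup tool as "DMARC record found, p=quarantine" and still leave 90 percent of forged mail and all subdomains untouched, which is why the one-page summary for your IT person should ask for the effective policy, not just the p= value.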


✅ Item 2.4 — You Are Not on an Email Blacklist

What it is: Email blacklists are databases of IP addresses and domains known to send spam. Inbox providers check these lists when deciding whether to deliver your email. If your domain or sending IP is listed, your emails may be silently rejected or sent to spam.

Why it matters: Blacklistings happen to legitimate businesses — often from a compromised email account, a spam complaint, or a sudden spike in sending volume. Most businesses find out when customers stop receiving their emails.

How to check: Go to mxtoolbox.com/blacklists.aspx and enter your domain or sending IP address. It checks against over 100 blacklists simultaneously.

What to look for:

  • ✅ All green — you are not listed anywhere

  • ❌ One or more red items — you are listed on a blacklist. Follow the removal instructions for each list; Spamhaus and Barracuda, for example, each have their own removal process. Small, obscure lists that nobody consults can usually be ignored.

Who fixes it: You can often submit removal requests yourself — each blacklist has a form on their website. Find and fix the cause first (a compromised mailbox, a bulk mailing from your domain, an infected PC sending through your account): a listing that is removed without fixing the cause comes straight back. If you are listed on Spamhaus specifically, contact your IT person first, as the delisting request requires explaining what caused the listing and what you did about it.

Priority: High if listed, otherwise ongoing monitoring.


Section 3: Website and SSL Security


✅ Item 3.1 — Your SSL Certificate Is Valid and Not Expiring Soon

What it is: The padlock icon in your browser that indicates a secure connection. Your website needs a valid SSL certificate to show this padlock. An expired certificate causes browsers to display a warning page that blocks visitors.

Why it matters: A browser warning page stops customers from reaching your website. It looks like your site has been hacked even if it has not. It also harms your search engine rankings.

How to check: Visit your website. In your browser address bar, click the padlock icon (recent versions of Chrome show a site-settings icon instead of a padlock; click that). It should show "Connection is secure" and, under certificate details, an expiry date more than 30 days away. You can also check at sslshopper.com/ssl-checker.html.

What to look for:

  • ✅ Padlock present, certificate valid for 30+ days — you are set

  • ⚠️ Expiring within 30 days — contact your hosting provider to renew

  • ❌ No padlock or certificate error — contact your hosting provider immediately

Who fixes it: Your hosting provider or web developer. Most hosting providers offer free SSL certificates through Let's Encrypt that auto-renew. Prefer that over a manually renewed certificate: the industry is steadily shortening the maximum certificate lifetime, so a renewal that depends on someone remembering will eventually be forgotten.

Priority: Critical if expired. Monitoring if valid.


✅ Item 3.2 — Your Website Redirects HTTP to HTTPS

What it is: Your website should automatically redirect visitors from http://yourbusiness.com to https://yourbusiness.com. Without this redirect, some visitors — especially those following old links — reach your site over an unencrypted connection.

How to check: In your browser address bar, type http://yourbusiness.com (with http, not https) and press enter. You should be automatically redirected to the https:// version. If you stay on http://, the redirect is missing.

Who fixes it: Your web developer or hosting provider. It is a standard configuration option on all major hosting platforms. Once the redirect works, ask them to also send an HSTS header (Strict-Transport-Security) so returning browsers go straight to https:// without the unencrypted first request.

Priority: Medium.


Section 4: DNS Configuration

This section requires slightly more technical knowledge — but each check has a simple tool you can use to see your status, and a clear description of what to ask your IT person to fix.


✅ Item 4.1 — DNSSEC Is Enabled

What it is: DNSSEC is a security layer that adds digital signatures to your DNS records so that a resolver can tell whether an answer was tampered with. Without it, an attacker who can poison or intercept the "where does this website live?" lookup that happens when someone visits your domain can redirect them to a fake website instead, and the browser has no way to tell.

Why it matters: Most small businesses do not have DNSSEC enabled because it was not on by default when they set up their domain. On modern DNS providers it takes about five minutes to enable. It protects only visitors whose resolver validates signatures, but the big public resolvers (and most ISPs) do.

How to check: Go to dnssec-analyzer.verisignlabs.com and enter your domain. A green result means DNSSEC is active and working. Red or missing means it is not configured.

Who fixes it: Your IT person or DNS provider. On Cloudflare, it is a one-click toggle under DNS settings. On GoDaddy, it requires a manual DS record submission. Ask your IT person to enable it, and to write down that it is on: if you later move your DNS to another provider without updating or removing the DS record at the registrar, signature validation fails and your domain disappears for every validating resolver. That is the one way DNSSEC causes outages, and it is avoidable.

Priority: Medium — high if you are in an NIS2-regulated sector.


✅ Item 4.2 — MTA-STS Is Configured (Inbound Email Encryption)

What it is: MTA-STS tells other email servers that they must use encryption, with a valid certificate, when delivering email to your inbox. Without it, email sent to you can be pushed onto an unencrypted connection and read or altered in transit.

Why it matters: Most email transport is encrypted by default today, but without MTA-STS there is no enforcement: the encryption is opportunistic, so an attacker in the right position can strip it or present a fake certificate and the sending server carries on anyway. With MTA-STS, senders that honour the policy (Gmail, Outlook.com, and most large providers do) refuse to deliver over a downgraded connection instead.

How to check: Go to internet.nl/mail/yourbusiness.com/ (replace with your domain) and look for the MTA-STS result. Or ask your IT person to check.

Who fixes it: Your IT person. MTA-STS requires two changes: a DNS record and a small text file hosted over https on the mta-sts subdomain of your domain. It is a 15-minute task for someone with web hosting access. Ask them to start in testing mode and to add a TLS-RPT record (a reporting address for failed deliveries) at the same time, and only switch to enforce mode once the reports show nothing failing. In enforce mode, a policy that forgets one of your mail servers means lost inbound mail.

Priority: Medium. NIS2 does not name MTA-STS as such, but encrypted email transport is the kind of measure a regulated business is expected to show, and it is good practice for anyone who receives sensitive email.
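The failure mode that matters with MTA-STS is not the DNS record but the policy file: in enforce mode, a sender that honours the policy refuses to deliver to any of your MX hosts that the file does not list. The script below, an added example and not the article's or ZeroHook's code, parses a policy file and checks it against the domain's MX hosts before anyone flips mode to enforce. The policy text and the MX list are constructed for a hypothetical domain (mailhost.example, other.example); in real use you would fetch https://mta-sts.<your-domain>/.well-known/mta-sts.txt and resolve the MX records yourself.

```python
# Added example, not the article's code: validate an MTA-STS policy file
# against the domain's actual MX hosts before switching it to enforce mode.
# The policy text and MX list are CONSTRUCTED for a hypothetical domain.

# Constructed policy as it would be served at /.well-known/mta-sts.txt
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.mailhost.example
mx: *.mailhost.example
max_age: 604800
"""

# Constructed MX hosts for the hypothetical domain. The third one is a backup
# MX at a different provider that the policy above forgot to list.
MX_HOSTS = ["mx1.mailhost.example", "mx2.mailhost.example", "backup-mx.other.example"]

ONE_WEEK = 7 * 24 * 3600


def parse_policy(text: str) -> dict:
    """Parse the key: value lines of an MTA-STS policy; the mx key may repeat."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower().rstrip("."))
        else:
            policy[key] = value
    return policy


def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 matching: a leading '*.' stands for exactly one label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return host == pattern


def assess_policy(text: str, mx_hosts: list) -> dict:
    """Report whether the policy is well formed and covers every MX host."""
    policy = parse_policy(text)
    problems = []
    if policy.get("version") != "STSv1":
        problems.append("version must be STSv1")
    mode = policy.get("mode")
    if mode not in ("testing", "enforce", "none"):
        problems.append("mode must be testing, enforce or none")
    try:
        if int(policy.get("max_age", "")) < ONE_WEEK:
            problems.append("max_age under a week; RFC 8461 expects weeks or more")
    except ValueError:
        problems.append("max_age missing or not an integer")
    uncovered = [h for h in mx_hosts
                 if not any(mx_matches(p, h) for p in policy["mx"])]
    if uncovered:
        problems.append("MX hosts not in policy: " + ", ".join(uncovered))
    return {
        "mode": mode,
        "uncovered_mx": uncovered,
        "problems": problems,
        # In enforce mode a sender that honours MTA-STS will not deliver to an
        # MX the policy does not list, so this means lost inbound mail.
        "would_lose_mail": mode == "enforce" and bool(uncovered),
    }


if __name__ == "__main__":
    print(assess_policy(SAMPLE_POLICY, MX_HOSTS))
```

The wildcard line covers mx2.mailhost.example but not the backup MX at another provider, so this policy in enforce mode would silently drop mail whenever the primary servers are down, which is precisely when the backup is needed. The same policy in testing mode only generates a TLS-RPT report, which is why the checklist says to start there.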


✅ Item 4.3 — CAA Records Restrict Certificate Issuance

What it is: CAA records tell the internet which certificate authorities are allowed to issue SSL certificates for your domain. Without them, any certificate authority in the world may issue a certificate for your website if someone manages to pass its validation check, for example by hijacking your DNS or web hosting. With them, every other authority is obliged to refuse.

How to check: Go to mxtoolbox.com/caa.aspx and enter your domain.

What to look for:

  • ✅ "CAA record found" — you have records restricting certificate issuance

  • ❌ "No CAA records found" — any CA can issue for your domain

Who fixes it: Your IT person or DNS provider. They add a CAA record naming your current certificate provider (for most small businesses that is letsencrypt.org, or whatever authority your hosting or CDN provider uses). The record must list every authority you actually use; one that is missing will fail to renew your certificate. Adding an iodef contact address to the record gets you notified when an authority refuses an issuance request, which is a useful early warning.

Priority: Low-medium.


Section 5: Quick Reference — Who Does What

If you manage your website and email yourself, you can action most of these items using your registrar and hosting provider's control panel. If you have an IT person, web developer, or use a managed hosting service, forward them this checklist with the items you want actioned.

Item                            You can do it                 Needs your IT person
Enable 2FA on registrar         ✅
Enable domain lock              ✅
Update registrar contact email  ✅
Enable auto-renew               ✅
Check SPF record                ✅ (check)                    ✅ (fix)
Configure DKIM                  ✅ (check)                    ✅ (fix)
Configure DMARC                 ✅ (check)                    ✅ (fix)
Blacklist check                 ✅ (check, request removal)   ✅ (find the cause)
SSL certificate check           ✅ (check)                    ✅ (fix if expired)
Enable DNSSEC                                                 ✅
Configure MTA-STS                                             ✅
Add CAA records                                               ✅

The One-Page Summary for Your IT Person

If you are forwarding this to someone technical, here is the condensed version of what needs checking:

Domain security audit — please check and fix the following:

Registrar:
- 2FA enabled on registrar account?
- Transfer lock enabled?
- Auto-renew active, card current?

Email authentication:
- SPF record valid? Single record, under 10 lookups?
- DKIM configured for all sending services (Google Workspace / M365 / other)?
- DMARC at p=quarantine or p=reject? (p=none is not sufficient)
- Domain/sending IP clean on MXToolbox blacklist check?

DNS:
- DNSSEC enabled? (verify at dnssec-analyzer.verisignlabs.com)
- MTA-STS configured in enforce mode?
- CAA records restricting certificate issuance?

Website:
- SSL certificate valid, not expiring within 30 days?
- HTTP → HTTPS redirect working?

What to Do After the Checklist

Running through this list once is a good start. The problem is that DNS security is not a one-time task — it changes.

Email services you add change which servers need to be in your SPF record. SSL certificates expire. Domains come off blacklists and go back on. DNSSEC signatures have expiry dates. Your registrar account password may be compromised without you knowing.

The options for ongoing monitoring:

Manual — check quarterly. Block 30 minutes in your calendar every three months to run through the checks in this list. Use the tools above. It is not automated, but it is better than checking once and forgetting about it.

Automated — use a monitoring tool. ZeroHook runs these checks automatically and alerts you when something changes or breaks — a blacklist listing, an SSL certificate approaching expiry, an SPF failure. The free tier covers one domain with SPF, DKIM, DMARC validation, blacklist monitoring, and an Email Health Score: zerohook.org


TL;DR

  • Secure your registrar account first — 2FA enabled, transfer lock on, auto-renew active, contact email current. This single step prevents domain theft.

  • SPF, DKIM, and DMARC are the three email records every domain needs — without them, your emails look suspicious to inbox providers and anyone can send email impersonating you

  • DMARC at p=none is not a finished configuration — it monitors without protecting; ask your IT person to move it to p=quarantine

  • Check your blacklist status at mxtoolbox.com/blacklists.aspx — listings happen silently and your dashboard will not tell you

  • DNSSEC and MTA-STS are the next tier: not urgent for day-to-day operations, not named in NIS2 as such, but the kind of measure a regulated business is expected to show, and best practice for any business handling customer data

  • Forward the one-page summary above to your IT person — they can action the full list in an afternoon


Part of an ongoing series on DNS security and email deliverability.
