Watch the DMARC record on the sending domain
A junior marketer flips DMARC from <code>p=quarantine</code> to <code>p=none</code> "to fix bounces" — Gmail starts marking everything as spam an hour later.
Recipe
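#!/usr/bin/env bash
# Compare the current DMARC TXT record against a known-good baseline.
# Install as a cron job, e.g. in /etc/cron.d/dmarc-watch:
#   */10 * * * * root /opt/dmarc.sh enterno.io '/etc/dmarc.expected'
DOMAIN=${1:?domain required}
EXPECTED_FILE=${2:?baseline file required}
# The baseline file holds the expected record on one line, without surrounding quotes.
EXPECTED=$(cat "$EXPECTED_FILE")
# dig prints TXT strings quoted; strip the quotes and keep the first record.
ACTUAL=$(dig +short TXT "_dmarc.$DOMAIN" | tr -d '"' | head -n 1)
# An empty ACTUAL (record removed or lookup failed) also counts as drift.
if [ "$ACTUAL" != "$EXPECTED" ]; then
    echo "DMARC drift on $DOMAIN: was '$EXPECTED', now '$ACTUAL'" \
        | mail -s "[ALERT] DMARC change" "ops@$DOMAIN"
fi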
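The recipe above alerts on any difference from the baseline. As an added example (not part of the original recipe), the helpers below classify a change by enforcement level, so a relaxed policy such as the <code>p=quarantine</code> to <code>p=none</code> flip can be told apart from an edit that leaves enforcement untouched. The function names and sample records are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original recipe): classify a DMARC change by
# enforcement level. Function names and sample records are constructed.

# Print one tag's value, lowercased with whitespace stripped; empty if absent.
dmarc_tag() (
  set -f; IFS=';'                      # split on ';' without glob expansion
  for part in $1; do
    case $part in *=*) ;; *) continue ;; esac
    key=$(printf '%s' "${part%%=*}" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]')
    if [ "$key" = "$2" ]; then
      printf '%s' "${part#*=}" | tr -d '[:space:]' | tr '[:upper:]' '[:lower:]'
      exit 0
    fi
  done
)

# Map p= to a rank; -1 means the policy is missing or not a valid value.
policy_rank() {
  case $1 in
    none) echo 0 ;; quarantine) echo 1 ;; reject) echo 2 ;; *) echo -1 ;;
  esac
}

# pct= defaults to 100 when absent (RFC 7489); non-numeric values are treated the same.
pct_of() (
  v=$(dmarc_tag "$1" pct)
  case $v in ''|*[!0-9]*) echo 100 ;; *) echo "$v" ;; esac
)

# classify_dmarc_change BASELINE CURRENT
# -> same | weakened | strengthened | changed | missing | invalid
classify_dmarc_change() (
  if [ "$1" = "$2" ]; then echo same; exit 0; fi
  if [ -z "$2" ]; then echo missing; exit 0; fi
  case $2 in v=DMARC1*) ;; *) echo invalid; exit 0 ;; esac
  old=$(policy_rank "$(dmarc_tag "$1" p)")
  new=$(policy_rank "$(dmarc_tag "$2" p)")
  if [ "$new" -lt 0 ]; then echo invalid
  elif [ "$new" -lt "$old" ]; then echo weakened
  elif [ "$new" -gt "$old" ]; then echo strengthened
  elif [ "$(pct_of "$2")" -lt "$(pct_of "$1")" ]; then echo weakened
  elif [ "$(pct_of "$2")" -gt "$(pct_of "$1")" ]; then echo strengthened
  else echo changed
  fi
)

# Constructed records reproducing the scenario above: quarantine relaxed to none.
classify_dmarc_change 'v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com' \
                      'v=DMARC1; p=none; rua=mailto:dmarc@example.com'
```

Feeding <code>$EXPECTED</code> and <code>$ACTUAL</code> from the recipe into <code>classify_dmarc_change</code> lets the alert subject carry the result, for example paging only on <code>weakened</code>, <code>missing</code> or <code>invalid</code>.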
Same thing in Enterno.io
Run one DNS check to see your current DMARC TXT, then add the domain to a Navigator+ DNS monitor — Enterno alerts the moment the TXT record changes.