Watch the DMARC record on the sending domain
A junior marketer flips DMARC from <code>p=quarantine</code> to <code>p=none</code> "to fix bounces" — Gmail starts marking everything as spam an hour later.
Recipe
#!/usr/bin/env bash
# Compare current DMARC TXT record against a known-good baseline.
# /etc/cron.d/dmarc-watch
# */10 * * * * root /opt/dmarc.sh enterno.io '/etc/dmarc.expected'
DOMAIN=${1:?domain required}
EXPECTED_FILE=${2:?baseline file required}
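# Abort if the baseline is unreadable instead of alerting against an empty string.
EXPECTED=$(cat "$EXPECTED_FILE") || exit 1
# dig prints each TXT record quoted; strip the quotes and keep the DMARC record.
ACTUAL=$(dig +short TXT "_dmarc.$DOMAIN" | tr -d '"' | grep -i -m1 '^v=DMARC1')
if [ "$ACTUAL" != "$EXPECTED" ]; then
  # An empty ACTUAL means the record is missing or the lookup failed.
  echo "DMARC drift on $DOMAIN: was '$EXPECTED', now '$ACTUAL'" \
    | mail -s "[ALERT] DMARC change" "ops@$DOMAIN"
fi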
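The string comparison above fires on any byte change, including harmless whitespace edits. As an added example (not part of the original recipe), the helper below parses the p= tag and separates a policy downgrade from other drift; the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify DMARC drift instead of comparing raw strings.
# Function names and sample records are constructed for illustration.

# Print the lower-cased value of one tag (p, sp, pct, ...) or nothing.
dmarc_tag() (
  printf '%s\n' "$1" | tr ';' '\n' | awk -F= -v want="$2" '
    NF >= 2 {
      key = $1; gsub(/[ \t]/, "", key)
      if (tolower(key) == want) {
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
        print tolower(val); exit
      }
    }'
)

# Rank enforcement strength: a missing or unknown policy counts as none.
policy_rank() {
  case "$1" in
    reject) echo 2 ;;
    quarantine) echo 1 ;;
    *) echo 0 ;;
  esac
}

# Strip whitespace and a trailing ';' so cosmetic edits do not alert.
normalize() { printf '%s\n' "$1" | tr -d ' \t' | sed 's/;$//'; }

# Print one of: missing, downgrade, same, changed.
classify_drift() (
  expected=$1 actual=$2
  case "$actual" in
    v=DMARC1*) ;;
    *) echo missing; exit 0 ;;
  esac
  want=$(policy_rank "$(dmarc_tag "$expected" p)")
  have=$(policy_rank "$(dmarc_tag "$actual" p)")
  if [ "$have" -lt "$want" ]; then echo downgrade
  elif [ "$(normalize "$actual")" = "$(normalize "$expected")" ]; then echo same
  else echo changed
  fi
)

# Constructed sample records, not taken from any real domain.
BASELINE='v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test'
for rec in 'v=DMARC1;p=quarantine;rua=mailto:dmarc@example.test;' \
           'v=DMARC1; p=none; rua=mailto:dmarc@example.test' ''; do
  printf '%-9s %s\n' "$(classify_drift "$BASELINE" "$rec")" "${rec:-<no record>}"
done
```

In the cron script, the result can set the alert subject so that downgrade and missing page someone while changed only opens a ticket.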
Same thing in Enterno.io
Run one DNS check to see your current DMARC TXT, then add the domain to a Navigator+ DNS monitor — Enterno alerts the moment the TXT record changes.
Related recipes
One public DNS resolver (1.1.1.1, 8.8.8.8) degrades for a region. Your site "is up" but half the users see "server not found" — the uptime monitor stays silent.
A name-server misconfig leaks AXFR to the internet — every subdomain, MX, TXT (including SPF/DKIM keys) is visible to attackers. Daily check with alert.
Postfix starts bouncing chunks of mail (the sending domain just lost reputation), but you only learn from a support ticket: 'no email arrived'.