DNS Automation & Safe Change Management

SpoofSentry manages DNS changes for SPF, DKIM, DMARC, MTA-STS, and DANE/DNSSEC records with a safety-first approach. Every change goes through preview, approval, apply, verify, and rollback stages. The Change Center provides a unified view of all pending, recent, and failed changes.

Preview before apply

Before any DNS change is committed, SpoofSentry shows the exact before-and-after state of the record. The preview includes the current published value, the proposed new value, a diff highlighting what changed, and validation results (syntax check, lookup count, record length). Nothing is written to DNS until the preview is explicitly approved.

Preview is available for all record types managed by SpoofSentry: SPF TXT records, DKIM CNAME and TXT records, DMARC TXT records, MTA-STS TXT and HTTPS records, and DANE TLSA records. The preview resolves the proposed record to confirm it will parse correctly after publication.
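
The preview checks described above for an SPF change, as an added example that is not SpoofSentry's own code: it diffs the current and proposed values term by term and runs the syntax, lookup-count and record-length checks. The 10-lookup limit comes from RFC 7208 and the 255-octet limit from the TXT character-string format; the function names and sample records are assumptions constructed for illustration, and lookups inside included records are not counted.

```python
import difflib

# Terms that each cost one DNS lookup during SPF evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
KNOWN_TERMS = LOOKUP_TERMS | {"ip4", "ip6", "all", "exp"}
MAX_LOOKUPS = 10      # RFC 7208 limit on lookup-causing terms
MAX_TXT_STRING = 255  # octets allowed in one TXT character-string


def term_name(term):
    """Strip the qualifier and argument: '-include:x' -> 'include'."""
    body = term.lstrip("+-~?").lower()
    for sep in (":", "=", "/"):
        body = body.split(sep, 1)[0]
    return body


def validate_spf(record):
    """Return (lookup_count, findings) for one proposed SPF TXT value."""
    terms = record.split()
    findings = []
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("syntax: record must start with v=spf1")
    names = [term_name(t) for t in terms[1:]]
    for term, name in zip(terms[1:], names):
        if name not in KNOWN_TERMS:
            # Receivers ignore unknown modifiers, but surface them for review.
            findings.append(f"unrecognized term {term!r}")
    # Top-level count only; lookups inside included records are not resolved here.
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > MAX_LOOKUPS:
        findings.append(f"lookup count {lookups} exceeds {MAX_LOOKUPS}")
    size = len(record.encode())
    if size > MAX_TXT_STRING:
        findings.append(f"length {size} octets must be split into multiple strings")
    return lookups, findings


def preview(current, proposed):
    """Build the preview: term-level diff plus validation of the proposed value."""
    diff = [d for d in difflib.ndiff(current.split(), proposed.split()) if d[0] in "+-"]
    lookups, findings = validate_spf(proposed)
    return {"diff": diff, "lookups": lookups, "findings": findings, "ok": not findings}


# Constructed sample records (reserved example names and addresses, not from the page).
CURRENT = "v=spf1 include:_spf.example.net ip4:192.0.2.10 ~all"
PROPOSED = "v=spf1 include:_spf.example.net include:mail.example.org ip4:192.0.2.10 -all"
print(preview(CURRENT, PROPOSED))
```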

Approval workflows

SpoofSentry supports four approval modes. Self-serve allows the requesting user to approve their own change (suitable for single-operator environments). Maker-checker requires a different user to approve the change. MSSP dual approval requires approval from both the MSSP operator and the customer tenant admin. Emergency override allows bypassing the normal approval flow with an audit-logged justification for time-critical incidents.

Approval requests are delivered through configured notification channels (email, Slack, Teams) with direct links to the preview. Pending approvals that exceed a configurable timeout are automatically escalated or expired based on policy.

Post-apply verification

After a DNS change is applied, SpoofSentry automatically re-resolves the record from multiple vantage points to confirm the change propagated correctly. Verification uses retries with exponential backoff to account for DNS propagation delays. A change is marked as verified only when the published record matches the intended value.

If verification fails after all retries, the change is flagged as unverified and the operator is alerted with the option to retry verification or initiate a rollback. Verification status is visible in the Change Center and included in audit logs.

Rollback capability

Every DNS change preserves the previous record state. Automatic rollback restores the prior value and runs the same post-apply verification to confirm the revert took effect. Rollback is available from the Change Center, the domain detail page, or the API.

Rollback history is maintained so you can see the full chain of changes and reverts for any record. On Enterprise plans, automatic rollback can be configured to trigger if post-change monitoring detects delivery degradation beyond a configurable threshold.

Change Center

The Change Center is a unified dashboard showing all DNS changes across your domains. Changes are categorized as pending approval, recently applied, failed, or rollback-eligible. Each entry shows the domain, record type, change summary, who requested it, who approved it, and the current verification status.

Filters allow viewing changes by domain, record type, status, date range, or operator. The Change Center serves as the audit trail for all DNS modifications made through SpoofSentry, which is useful for compliance evidence and post-incident review.

Supported protocols

SpoofSentry manages DNS records for six email security protocols: SPF TXT records (including optimization and flattening); DKIM CNAME and TXT records (key rotation and selector management); DMARC TXT records (policy progression from none to reject); MTA-STS TXT records and HTTPS-hosted policy files; and DANE/DNSSEC TLSA records for certificate binding. All record types go through the same preview, approve, apply, verify, rollback pipeline.

Supported DNS providers

DNS automation works with five integrated providers: Cloudflare, AWS Route 53, Azure DNS, Google Cloud DNS, and GoDaddy. Each provider integration is authenticated with least-privilege credentials and supports the full change lifecycle.

For domains hosted on non-integrated providers, SpoofSentry generates the exact record values with copy-to-clipboard and provides post-change verification once the record is updated manually. DNS provider integrations are available on all paid plans (Protect and above).

Make DNS changes without the risk

Preview every change, approve before apply, verify after, and roll back in one click.
