Alert Central, which is available for all subscribers, allows you to monitor your domains without having to login to your dmarcian account. We’ll send alerts based on domain events that could include new or changed DNS records (e.g. we see a new DMARC record) and fluctuation in volume across categories of traffic for your domains.
You can choose from common communication channels for alert notifications to be sent—email (see example to the right), Slack, or webhook (see Appendix B below). The alert notification will provide you with the details of the event and a link to your dmarcian Timeline for you to get even more information.
How does Alert Central Work?
Alert Central is based around the dmarcian Timeline. Like the Timeline, you choose which changes to track, and your configured alerts ensure that you’re aware of the changes as soon as we detect them. When we notice a DNS change that matches an alert you have configured, we’ll let you know via the configured channel.
Why Set Up Alerts?
Notifications are beneficial in any deployment phase. During the initial stages of your DMARC project, you may want to track all the changes you are actively making; once you’ve secured your domains with a DMARC enforcement policy, Alert Central will help operationalize DMARC by focusing alerts on broken records and potential domain abuse. Regardless of the type of alert, it’s important to discover changes quickly and take corrective actions as needed.
We are monitoring your DNS domains for you; DMARC is monitored hourly, and SPF and DKIM are monitored daily.
How To Configure Alert Central
To set up your alerts, navigate to the Alert Central item located in your DMARC Manager dropdown menu and follow these steps:
Click the create button, which brings you to the modal illustrated below.
Choose an example template from the top or configure a new alert by completing the fields.
The alert name you provide should be unique since this is what will be used in the notification and will allow users to easily distinguish which alert was triggered.
The domains available for alerting are the ones you see on your Domain Overview page. These are your DMARC domains (aka FROM Domain or Visible FROM). Plus and Enterprise users can choose a domain group which associates the alert with the domain group no matter what domains you add or remove from that group.
Add recipients and configure channels. Recipients, Slack URL and webhook URLs can be added while creating the alert or you can click the Configure Channels button on the Alert Central page to manage them. Non-admin users aren’t able to add channels when choosing recipients, but they can choose any recipients or channels that admins have configured.
When you have completed the form fields, click Create Alert and you’re done!
To edit or delete an alert, navigate to the main Alert Central page and follow the edit or delete icons.
Invalid DMARC record – creates an alert that lets recipients know if an invalid DMARC record is detected for any of your domains.
We’ll also alert you when this clears and the DMARC record is valid again.
SPF Warning – creates an alert that lets recipients know if any SPF Warnings are detected for your domains. Warnings don’t invalidate the record but may cause functional issues; for example, if your SPF record contains mechanisms after the all mechanism, everything after all is ignored. We’ll also alert you when this clears.
Change in SPF Record – creates an alert that lets recipients know if we detect any change in your SPF record. (not available to Basic)
SPF Invalid – creates an alert that lets recipients know if we detect that their SPF record has become invalid. We will also send an alert when this has cleared.
Configuring Alert Channels – Admins only
Only Admins are able to see this Configure Channels page.
The Alert Channel Settings page is where Admins manage the list of all possible alert recipients including email recipients, slack channels and webhook urls.
Only recipients and channels configured by Admins in the Alert Channel Settings will be available for non-admin users to choose from when they create an alert.
Admins should add their email address here so that non-admin can choose to send the alert to them.
If Admins do not create recipients or channels, non-admin users will only be able to create an alert and send it to themselves.
In the example below, non-admin users will be able to create an alert and choose from 3 email addresses or a slack channel. They will not be able to add additional recipients or slack channels.
The image below illustrates the Alert Central details page. To edit or delete an alert, navigate to the main Alert Central page and follow the edit or delete icons.
Appendix A: Alert Central Events and Triggers
Note: Basic subscriptions only have Invalid and Warnings
Event Type: DKIM
All Changes → users are alerted of ANY changes in current DKIM records in DNS for the selectors we’re aware of through RUA reports.
Discovered or Created → users will be alerted the first time we discover a new DKIM selector from the DMARC RUA data. This doesn’t necessarily correspond to when the DKIM record was entered in DNS.
Public key length changed
Public key revoked
Public key type changed
Hash algorithm changed
Event Type: DMARC
Discovered or created records
Policy set to reject
Quarantine % tag value change
SPF or DKIM alignment mode(s) changed
Aggregate report RUA changed
Forensic options changed
Forensic report RUF invalid
Event Type: Start of Authority (SOA)
SOA has the email address of the administrator, when the domain was last updated, and how long the server should wait between refreshes. SOA will show invalid currently when we see >1 SOA records and it becomes valid when <=1 SOA records.
Event Type: SPF
Discovered or Created
“All” mechanism changed
IP addresses/network changed
Volume Triggers → each of the volume triggers requires the user to configure a percentage condition (except “parked domain is/is not sending” triggers)
Parked domain is sending → no condition required
Parked domain is not sending → no condition required
Spike in DMARC capable in the last 24 hours
Spike in forwarders in the last 24 hours
Spike in non compliant sources in the last 24 hours
Spike in threat/unknown in the last 24 hours
Threat/unknown percentage of DMARC capable in the last 24 hours
Appendix B: Webhook Alert Payload Examples
Webhooks are one of a few ways web applications can communicate with each other. It allows you to send real-time data from our application to another whenever a given event occurs.
Changed record example:
Specific record property change example:
Specific record list change example:
Specific record has warnings example:
Specific record became invalid example:
Specific record became valid (RESOLVING) example:
Volume example for threat/unknown percentage of DMARC capable:
We’re here to help people understand and deploy DMARC, so get in touch with us if you have any questions about our platform or Alert Central.
Get your domains into compliance.
Try out dmarcian for free!