Skip to main content

Alert Central Documentation

Alert Central Email

Alert Central, which is available for all subscribers, allows you to monitor your domains without having to login to your dmarcian account. We’ll send alerts based on domain events that could include new or changed DNS records (e.g. we see a new DMARC record) and fluctuation in volume across categories of traffic for your domains.

You can choose from common communication channels for alert notifications to be sent—email (see example to the right), Slack, or webhook (see Appendix B below). The alert notification will provide you with the details of the event and a link to your dmarcian Timeline for you to get even more information.

How does Alert Central Work?

Alert Central is based around the dmarcian Timeline. Like the Timeline, you choose which changes to track, and your configured alerts ensure that you’re aware of the changes as soon as we detect them. When we notice a DNS change that matches an alert you have configured, we’ll let you know via the configured channel.

Why Set Up Alerts?

Notifications are beneficial in any deployment phase. During the initial stages of your DMARC project, you may want to track all the changes you are actively making; once you’ve secured your domains with a DMARC enforcement policy, Alert Central will help operationalize DMARC by focusing alerts on broken records and potential domain abuse. Regardless of the type of alert, it’s important to discover changes quickly and take corrective actions as needed.

Alert Frequency

We are monitoring your DNS domains for you; DMARC is monitored hourly, and SPF and DKIM are monitored daily.

How To Configure Alert Central

To set up your alerts, navigate to the Alert Central item located in your DMARC Manager dropdown menu and follow these steps:

  • Click the create button, which brings you to the modal illustrated below.
  • Choose an example template from the top or configure a new alert by completing the fields.
  • The alert name you provide should be unique since this is what will be used in the notification and will allow users to easily distinguish which alert was triggered.
  • The domains available for alerting are the ones you see on your Domain Overview page. These are your DMARC domains (aka FROM Domain or Visible FROM). Plus and Enterprise users can choose a domain group which associates the alert with the domain group no matter what domains you add or remove from that group.
  • Add recipients and configure channels. Recipients, Slack URL and webhook URLs can be added while creating the alert or you can click the Configure Channels button on the Alert Central page to manage them. Non-admin users aren’t able to add channels when choosing recipients, but they can choose any recipients or channels that admins have configured.
  • When you have completed the form fields, click Create Alert and you’re done!
  • To edit or delete an alert, navigate to the main Alert Central page and follow the edit or delete icons.

Alert Templates

  • Invalid DMARC record – creates an alert that lets recipients know if an invalid DMARC record is detected for any of your domains.
  • We’ll also alert you when this clears and the DMARC record is valid again.
  • SPF Warning – creates an alert that lets recipients know if any SPF Warnings are detected for your domains. Warnings don’t invalidate the record but may cause functional issues; for example, if your SPF record contains mechanisms after the all mechanism, everything after all is ignored. We’ll also alert you when this clears.
  • Change in SPF Record – creates an alert that lets recipients know if we detect any change in your SPF record.  (not available to Basic)
  • SPF Invalid – creates an alert that lets recipients know if we detect that their SPF record has become invalid.  We will also send an alert when this has cleared.

Configuring Alert Channels – Admins only

  • Only Admins are able to see this Configure Channels page.
  • The Alert Channel Settings page is where Admins manage the list of all possible alert recipients including email recipients, slack channels and webhook urls.
  • Only recipients and channels configured by Admins in the Alert Channel Settings will be available for non-admin users to choose from when they create an alert.
  • Admins should add their email address here so that non-admin can choose to send the alert to them.
  • If Admins do not create recipients or channels, non-admin users will only be able to create an alert and send it to themselves.

In the example below, non-admin users will be able to create an alert and choose from 3 email addresses or a slack channel.  They will not be able to add additional recipients or slack channels.

Alert Central Channel Settings

The image below illustrates the Alert Central details page. To edit or delete an alert, navigate to the main Alert Central page and follow the edit or delete icons.

Alert Central Summary page

Appendix A: Alert Central Events and Triggers

Note: Basic subscriptions only have Invalid and Warnings

Event Type: DKIM

DKIM Triggers:

  • All Changes → users are alerted of ANY changes in current DKIM records in DNS for the selectors we’re aware of through RUA reports.
  • Discovered or Created → users will be alerted the first time we discover a new DKIM selector from the DMARC RUA data. This doesn’t necessarily correspond to when the DKIM record was entered in DNS.
  • Invalid
  • Disappeared
  • Warnings
  • Public key length changed
  • Public key revoked
  • Public key type changed
  • Hash algorithm changed
  • Flags Changed

Event Type: DMARC

DMARC Triggers:

  • All Changes
  • Discovered or created records
  • Invalid records
  • Disappeared records
  • Policy changed
  • Policy set to reject
  • Quarantine % tag value change
  • SPF or DKIM alignment mode(s) changed
  • Aggregate report RUA changed
  • Forensic options changed
  • Forensic report RUF invalid
  • Warnings

Event Type: Start of Authority (SOA)

SOA has the email address of the administrator, when the domain was last updated, and how long the server should wait between refreshes. SOA will show invalid currently when we see >1 SOA records and it becomes valid when <=1 SOA records.

SOA Triggers:

  • Valid
  • Invalid

Event Type: SPF

SPF Triggers:

  • All Changes
  • Discovered or Created
  • Disappeared
  • Invalid
  • Warnings
  • “All” mechanism changed
  • IP addresses/network changed

Volume Triggers → each of the volume triggers requires the user to configure a percentage condition (except “parked domain is/is not sending” triggers)

  • Parked domain is sending → no condition required
  • Parked domain is not sending → no condition required
  • Spike in DMARC capable in the last 24 hours
  • Spike in forwarders in the last 24 hours
  • Spike in non compliant sources in the last 24 hours
  • Spike in threat/unknown in the last 24 hours
  • Threat/unknown percentage of DMARC capable in the last 24 hours

Appendix B: Webhook Alert Payload Examples

Webhooks are one of a few ways web applications can communicate with each other. It allows you to send real-time data from our application to another whenever a given event occurs.

Changed record example:

Webhook changed record example

Specific record property change example:

Webhook Specific record property change example

Specific record list change example:

Webhook specific record list change example

Specific record has warnings example:

Webhook specific record has warnings example

Specific record became invalid example:

Webhook specific record became invalid example

Specific record became valid (RESOLVING) example:

Webhook specific record became valid (RESOLVING) example

Volume example:

Webhook volume example

Volume example for threat/unknown percentage of DMARC capable:

Webhook volume example for threat/unknown percentage of DMARC capable

We’re here to help people understand and deploy DMARC, so get in touch with us if you have any questions about our platform or Alert Central.

Get your domains into compliance.
Try out dmarcian for free!