365 Domain Name Health

Alert Title: “Domains Health”

Description: Alerts when a client domain name health fails one of a number of checks.   Checks include:

  • Domain has Name Servers with IPs that resolve
  • Name Servers are responding
  • Name Servers output is matching
  • Name Servers SOA is matching
  • Root name servers have matching entries for Name Servers (matching with the assigned NameSevers output)
  • Name Servers have no private IP addresses
  • Name Servers have no private IP addresses in SOA
  • Name Servers are spread out over at least 2 separate /24 networks
  • Domain has at least 1 MX record
  • Domain is missing a 3rd party filtering system (ie, direct 365 connection)
  • If the domain is a 365 direct, it only has the required 365 MX record(s)
  • The domain has no SPF record
  • The domain has no  DMARC record

Options:

  • Domains can be ignored for alerting
  • Specific checks can be ignored.

Domain has Name Servers with IPs that resolve

The problem: This alert is triggered when our system was unable to resolve all name servers (to IP addresses) for the domain as listed in the root servers.

Impact: This may lead to a delay or failure in resolution if one or more name servers are not resolving.   This could slow or stop services that rely on DNS.

Suggested steps: A suitable technician will need to diagnose the source of the problem.

Name Servers are responding

The problem: This alert is triggered when our system was unable to get a reply from all name servers listed for the domain as listed in the root servers.

Impact: This may lead to a delay or failure in resolution if one or more name servers are not responding.   This could slow or stop services that rely on DNS.

Suggested steps: A suitable technician will need to diagnose the source of the problem.

Name Servers output is matching

The problem: This alert is triggered when our system detects differences between responses from the domain name (for A, CNAME and MX Records). 

Impact: This may lead to unexpected result. It may also be of no impact. 

Suggested steps:A suitable technician will need to diagnose the source of the problem.

Name Servers SOA is matching

The problem: This alert is triggered when our system detects differences between responses from the domain name servers Start of Authority (SOA). 

Impact: This may lead to unexpected result. It may also be of no impact.  

Suggested steps: A suitable technician will need to diagnose the source of the problem.

Root name servers have matching entries for Name Servers

The problem: This alert is triggered when our system detects differences between the root servers output for NameServer (NS) entries for the domains, and what the name servers are providing as NS entries.

Impact: This may lead to unexpected result, or reduced redundancy.

Suggested steps: A suitable technician will need to diagnose the source of the problem.

Name Servers have no private IP addresses

The problem: This alert is triggered when our system detects a nameserver entry for the domain resolving to a private IP address.

Impact: This may lead to failure of resolution, or reduced redundancy. 

Suggested steps: A suitable technician will need to diagnose the source of the problem.

Name Servers have no private IP addresses in SOA 

The problem: This alert is triggered when our system detects an entry in the SOA resolving to a private IP address. 

Impact: This may lead to failure of resolution, or reduced redundancy. 

Suggested steps: A suitable technician will need to diagnose the source of the problem.

Name Servers are spread out over at least 2 separate /24 networks

The problem: This alert is triggered when our system detects name server IP addresses not spread out over 2 separate /24 networks.

Impact: This may lead to a failure of redundancy due to reduced routing redundancy.

Suggested steps: A suitable technician will need to advise on how to improve redundancy.

Domain has at least 1 MX record

The problem: This alert is triggered when our system detects a lack of MX records

Impact: This may lead to a failure of email delivery.

Suggested steps: A suitable technician will need to diagnose the source of the problem.

Domain is missing a 3rd party filtering system

The problem: This alert is triggered when our system detects 365 directly as the MX record.

Impact: It may be beneficial to consider quality enhanced 3rd party email filtering options.

Suggested steps: A suitable technician will be able to describe the risks and benefits of your current configuration and potential changes.

If the domain is a 365 direct, it only has the required 365 MX record(s)

The problem: This alert is triggered when our system detects excess MX record(s).

Impact: There may be a negative impact on email flow if email is routed to MX records that should not be there.

Suggested steps: A suitable technician will be able to advise on the best MX configuration.

The domain has no SPF record

The problem: This alert is triggered when our system detects a missing SPF Record

Impact: This may have an negative impact on deliver-ability, and make your domain more susceptible to email forgery.

Suggested steps: A suitable technician will be able to advise on the steps required to configure a SPF record.

The domain has no DMARC record

The problem: This alert is triggered when our system detects a missing DMARC Record

Impact: This may have an negative impact on deliver-ability, and make your domain more susceptible to email forgery.

Suggested steps: A suitable technician will be able to advise on the steps required to configure a DMARC record.