惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LINUX DO - 最新话题
G
Google Developers Blog
J
Java Code Geeks
The GitHub Blog
The GitHub Blog
F
Full Disclosure
H
Help Net Security
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Vercel News
Vercel News
酷 壳 – CoolShell
酷 壳 – CoolShell
Recent Announcements
Recent Announcements
Help Net Security
Help Net Security
The Hacker News
The Hacker News
IT之家
IT之家
Y
Y Combinator Blog
Martin Fowler
Martin Fowler
L
Lohrmann on Cybersecurity
C
CERT Recently Published Vulnerability Notes
V
Visual Studio Blog
博客园 - 聂微东
Hacker News: Ask HN
Hacker News: Ask HN
H
Hacker News: Front Page
Know Your Adversary
Know Your Adversary
Security Latest
Security Latest
Security Archives - TechRepublic
Security Archives - TechRepublic
Simon Willison's Weblog
Simon Willison's Weblog
www.infosecurity-magazine.com
www.infosecurity-magazine.com
T
Troy Hunt's Blog
Last Week in AI
Last Week in AI
Schneier on Security
Schneier on Security
N
News and Events Feed by Topic
博客园 - 【当耐特】
有赞技术团队
有赞技术团队
AWS News Blog
AWS News Blog
Blog — PlanetScale
Blog — PlanetScale
博客园_首页
Google DeepMind News
Google DeepMind News
Cloudbric
Cloudbric
N
News | PayPal Newsroom
A
About on SuperTechFans
S
Schneier on Security
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
Hugging Face - Blog
Hugging Face - Blog
M
MIT News - Artificial intelligence
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
雷峰网
雷峰网
T
The Exploit Database - CXSecurity.com
罗磊的独立博客
K
Kaspersky official blog
The Cloudflare Blog
I
Intezer

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Why Most DNS Audit Tools Don't Give You the Actual Fix (And Why We Do)
Regő Botond Ronyecz · 2026-05-29 · via DEV Community

Regő Botond Ronyecz

You run the audit. The results come back. SPF: Fail. DMARC: Not configured. Blacklist status: Listed on 3 databases.

You stare at the screen. The tool has done its job. It found the problems. Now what?

There is no "what." The tool stops there. The next step is yours: figure out what the record should say, find the right panel in your DNS provider, format it correctly, and hope propagation confirms the fix worked. Most teams open a new tab and start Googling. Some open a support ticket and wait. Some close the browser and move on.

The audit found the problem. The problem stays unfixed.

This is not a small gap. It is the reason email deliverability issues persist for weeks at companies that have already run three separate audits. The diagnostic and the remedy are disconnected, and almost no tool in this space has tried to close that gap — until you understand why.


The Diagnostic Business Model

Most DNS and email security tools were built by network engineers for network engineers. The design assumption is that whoever runs the audit knows what to do with the results.

That assumption made sense in 2008. DNS was managed by sysadmins who had memorized RFC 7208 and could write a DKIM TXT record from scratch. The tool's job was to surface the data. The engineer's job was to interpret and fix it.

The market has changed substantially. Today, DNS is managed by:

  • Founders at early-stage SaaS companies who registered the domain themselves
  • Marketing managers who inherited the domain when the previous IT person left
  • Office administrators at 40-person logistics companies who have DNS access because someone has to
  • Developers who know their stack cold and DNS not at all
  • MSPs managing 80 client domains across 12 different registrars

None of these people want a DNS audit result. They want to know what to type and where to type it.

The tool vendors didn't adapt because their core customers — enterprise security teams, MSSPs, large IT departments — didn't need them to. The diagnostic was sufficient. The rest of the market was either too small to matter or too fragmented to serve with a standardized fix.


What "Not Giving You the Fix" Actually Looks Like

Here is what a standard DNS audit result looks like across the tools most people use:

MXToolbox

SPF Record Published: YES
SPF Contains characters after ALL: ERROR
SPF Record Syntax Check: ERROR

Useful diagnostic. Clear that something is wrong. No indication of what the correct record should say.

Google Admin Toolbox (CheckMX)

✓ Domain has SPF records
✗ Domain's SPF record does not include all sending sources

Accurate. Clean output. Still no record to copy.

dig (command line)

$ dig TXT yourdomain.com +short
"v=spf1 include:sendgrid.net ~all"

Shows you the current record. Does not tell you what's missing or what to add.

Generic audit PDF from a compliance scanner

Finding: SPF record missing include for third-party ESP
Severity: High
Recommendation: Update SPF record to include authorized sending services

The recommendation is technically correct and operationally useless.

In every case, the tool has correctly identified that something is wrong. In no case does it tell you the specific string to add to your DNS provider's TXT record field.


Why the Fix Is Harder Than It Looks

Giving an actionable fix is not a UI decision. It requires solving several non-trivial problems simultaneously.

Problem 1: The fix depends on your sending stack

An SPF record is not a universal string. It is a list of the specific mail servers authorized to send on your behalf. If you use SendGrid, the correct include is include:sendgrid.net. If you use Google Workspace, it is include:_spf.google.com. If you use both, plus Mailchimp and a Salesforce marketing instance, the record has to cover all of them — and stay under the 10 DNS lookup limit.

A generic audit tool has no idea which ESPs you use. It can tell you your SPF is broken. It cannot tell you which services to add without knowing your sending infrastructure. The right approach is not to guess — it's to show you the email provider options and let you identify your own stack.

Problem 2: The fix depends on your DNS provider

Every DNS provider has a different interface. Adding a TXT record in Cloudflare is different from Route53. The field labels in GoDaddy are named differently. Namecheap's Advanced DNS tab splits host and value in a way that confuses first-time users. AWS Route53 requires TXT values wrapped in double quotes — a detail that breaks records silently when you get it wrong.

A fix that says "add this TXT record" without provider-specific steps leaves you to figure out the interface yourself. That step is exactly where non-technical users give up.

Problem 3: The fix has to account for what's already there

DNS records interact. Adding an SPF include without checking the current lookup count can push you over the 10-lookup limit and break SPF for every email you send. Adding a DMARC record without knowing your current DKIM alignment state can trigger quarantining of legitimate mail. The most common SPF mistake — creating a second TXT record starting with v=spf1 instead of editing the existing one — instantly invalidates both records and breaks all email delivery.

A correct fix requires reading the existing zone state, not just flagging a missing record.

Problem 4: Building the provider database has no clear ROI for most tools

Every DNS provider has its own UI patterns, field naming conventions, and record validation logic. Building and maintaining step-by-step instructions for Cloudflare, GoDaddy, Namecheap, Route53, DigitalOcean, Hostinger, and the rest — and keeping those instructions current as providers update their interfaces — requires ongoing investment.

For tools that charge per scan or sell to enterprise security teams, that investment has no direct revenue justification. The enterprise buyer doesn't need the step-by-step. The SMB buyer who does need it isn't the primary customer.


What a Real Fix Looks Like

Here is what the same SPF finding looks like when the tool gives you the actual remedy.

If you already have an SPF record, the fix shows your current record, modifies it correctly, and gives you the exact string to replace it with:

Your current record:
v=spf1 include:sendgrid.net ~all

Updated record (soft fail — recommended to start):
v=spf1 include:sendgrid.net ~all

Hard fail version (once you've confirmed all services pass):
v=spf1 include:sendgrid.net -all

If you don't have a record yet, the fix doesn't guess which email provider you use. Instead, it presents email provider tabs — Google Workspace, Microsoft 365, Zoho Mail, Fastmail, Protonmail, SendGrid, Amazon SES — each showing the exact include: value to add for that provider. You identify your own stack, pick the right tab, and copy the value.

Then, for adding the record to DNS, a second set of tabs covers each major DNS provider with numbered steps specific to that interface. For Cloudflare:

1. Log in at dash.cloudflare.com and select your domain.
2. Click DNS in the left sidebar.
3. Click Add record.
4. Set Type to TXT.
5. Set Name to @ (root domain).
6. Paste your complete SPF record into the Content field.
7. Leave Proxy status as DNS only (grey cloud). SPF records must never be proxied.
8. Click Save.

If a TXT record starting with 'v=spf1' already exists, click Edit on that
record instead of adding a new one — having two SPF records breaks all email delivery.

For Route53, the instructions include the detail that TXT values must be wrapped in double quotes in the Value field — a provider-specific requirement that isn't documented anywhere in the AWS console UI itself.

The person reading this does not need to know what SPF is, what RFC 7208 says, or how SMTP authentication works. They need to know what to copy and where to paste it. The fix guide is structured to make that possible.


The Provider Tab System, Across Every Check

This isn't limited to SPF. Every fix guide in ZeroHook's 30-point audit follows the same structure: a corrected record or configuration, email provider tabs where relevant, and DNS provider tabs with numbered steps for each interface.

Check What the fix guide provides
SPF Corrected record built from your existing one + email provider tabs + DNS provider steps
DKIM Key generation path at your email provider + DNS provider steps for adding the TXT/CNAME
DMARC Starter record with correct policy + rollout timeline + DNS provider steps
CAA CA auto-detected from your SSL certificate + CAA record for that CA + DNS provider steps
MX Email provider detected from your MX records + correction steps
DNSSEC Enable signing at your DNS provider + DS record → registrar steps
MTA-STS Policy file content + hosting instructions + TXT record + DNS provider steps
Blacklist Direct link to the removal form for the specific list + what to include in the request
SSL expiry Renewal path for your certificate provider
Subdomain takeover Delete this specific DNS record — with the exact record name shown

The CAA guide is worth noting specifically: it reads your current SSL certificate to detect which certificate authority issued it, then pre-populates the CAA record with that CA's domain. If you're on Let's Encrypt, the record authorizes letsencrypt.org. If you're on DigiCert, it authorizes digicert.com. You're not choosing from a generic list — the fix is pre-filled from what your certificate already tells the system.


Why Continuous Monitoring Without Fixes Is a Treadmill

Most DNS monitoring tools alert you when something changes or breaks. That is genuinely useful. If your SPF record gets corrupted or someone removes your DMARC policy, you want to know immediately.

But alerting without fixing creates a loop:

Alert fires → Team acknowledges → Ticket opened → DNS person assigned
→ DNS person researches → Fix applied (maybe) → Next alert fires

At SMB scale, the "DNS person" is often whoever has the registrar login. The research step is where the fix dies. The ticket stays open until it gets closed as stale or until a deliverability problem becomes bad enough to force action.

Continuous monitoring solves the detection problem. Provider-specific fix guides solve the remediation problem. Without both, you have a very good early warning system for problems that don't get fixed.


The Economics of Staying Broken

Here is what a persistent DNS misconfiguration actually costs.

An e-commerce company sending 10,000 transactional emails per month with a 15% spam rate is losing roughly 1,500 emails to spam folders. If those emails contain order confirmations, shipping notifications, and password resets, the downstream effects are customer service contacts, abandoned carts, and churn from users who assume the product is broken.

Industry estimates put the revenue impact of a 1% deliverability improvement at $10,000–$100,000 per year depending on email volume and order value. A 15% spam rate is not a 1% problem.

The audit tool that tells you something is wrong but doesn't tell you how to fix it contributes nothing to that number. It identifies the cost without reducing it.

A fix takes five minutes with the right instructions. The fix is worth five minutes.


TL;DR

  • Most DNS audit tools were built for engineers — the output assumes you already know how to fix what they find
  • The fix is non-trivial to generate — it depends on your existing records, your email sending stack, and your DNS provider's specific interface conventions
  • No major competitor builds the provider-specific fix database — it requires ongoing maintenance investment with no direct revenue justification for tools selling to enterprise teams
  • The right approach is not to guess your stack — email provider tabs let you identify which include: values apply to your own setup; DNS provider tabs give you numbered steps for the interface you're actually looking at
  • CAA and MX guides go one step further — they read your existing certificate and MX records to pre-fill the correct values before you touch anything
  • Monitoring without remediation is a treadmill — alerts tell you something is broken; fix guides tell you what to type
  • See it on your own domain, free: zerohook.org

*Part of an ongoing series on DNS security and email deliverability.