Merula
Domain health · June 2026

Your email security was correct — six months ago: the quiet problem of configuration drift

Here is a pattern we see constantly. A business gets its email authentication sorted — maybe a consultant configured SPF, DKIM and DMARC, maybe the IT-savvy founder did it over a weekend. Everything passes. The checkmarks are green. The project is closed.

Eighteen months later, a customer mentions that invoices have been landing in spam since spring. Nobody changed the email security. But everything around it changed.

Nothing stays configured

A domain’s email and security posture isn’t a wall you build once; it’s a garden that grows weeds. The decay has nothing to do with attackers — it’s ordinary business life:

Marketing signs up for a new tool. The new newsletter platform sends on your domain, but nobody added it to SPF or set up its DKIM key. Its mail fails authentication from day one. If your DMARC policy is at enforcement, that mail is now being rejected — by design, doing exactly what you told it to do.

A DKIM key rotates badly. Your mail provider or a SaaS tool rotates signing keys. The new key was supposed to be published in your DNS; the ticket fell between two chairs. Signatures start failing silently.

An SPF include changes upstream. Your SPF record says include:provider.com — you delegated part of your policy to a vendor. Vendors restructure their records without telling you. Sometimes that pushes your record over SPF’s hard limit of 10 DNS lookups, at which point the whole record stops validating — for every sender, including the ones that were fine.

A certificate expires. Your MTA-STS policy or the TLS certificate on your mail server lapses. Encrypted delivery degrades or fails, and some receivers start treating your mail with suspicion.

Someone edits DNS for an unrelated reason. A website migration, a new subdomain, a tidy-up of “old records” — and a _dmarc or DKIM selector record goes missing. DNS changes rarely go through change control in a small business.

None of these events announces itself. Email doesn’t have a warning light. The failure mode is always the same: gradual reputation damage, then a customer asking why something never arrived.

Why the annual check-up isn’t enough

The instinctive fix is periodic review — have someone look at the records once or twice a year. The problem is timing: the EU cybersecurity agency ENISA notes in its report on SME cybersecurity that many of the systems SMEs rely on log the evidence of problems, but without active monitoring and alerting, breaches and failures simply go unnoticed — like installing a burglar alarm and never switching it on. A misconfiguration that occurs in February and is reviewed in November has had nine months to bounce invoices and bleed sender reputation.

There’s a second cost to the annual model: the person reviewing has lost context. Which of these DKIM selectors are still in use? Why is this IP range in our SPF? Continuous monitoring catches the change while the cause is still fresh — “this broke when we migrated the website Tuesday” — and the fix takes minutes instead of an archaeology project.

What “monitored” actually means

For a small business, meaningful monitoring of a domain covers three layers:

  1. Existence and validity — your SPF, DKIM, DMARC, MTA-STS and related DNS records are present, syntactically valid, and within technical limits. This catches deletions, typos, and the 10-lookup problem.
  2. Authentication outcomes — DMARC aggregate reports, parsed continuously, show whether real-world mail from each of your senders is actually passing. This is the only way to see a new tool failing, or a forwarding service breaking alignment, before enforcement starts rejecting it. It’s also where spoofing attempts against your domain become visible.
  3. Transport and infrastructure health — TLS configuration, certificate expiry, DNSSEC validity, MX reachability. The plumbing under the authentication.
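As an added illustration of the first layer (example code written for this article, not Merula's own checks), here is a small Python check that walks an SPF record's include and redirect tree over a constructed, offline DNS snapshot, counts the DNS lookups and flags the drift cases described above: a record that has gone missing, an include loop, and a vendor restructuring that pushes the total past the 10-lookup limit. All domain names and records are constructed.

```python
import re

# Constructed, offline stand-in for DNS TXT answers (domain -> TXT strings);
# a real monitor would fill this from live DNS queries instead.
ZONE = {
    "example.test": ["v=spf1 include:_spf.provider.test include:mail.saas.test a mx -all"],
    "_spf.provider.test": ["v=spf1 include:a.provider.test include:b.provider.test ~all"],
    "a.provider.test": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "b.provider.test": ["v=spf1 include:d.provider.test include:e.provider.test -all"],
    "d.provider.test": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "e.provider.test": ["v=spf1 ip4:203.0.113.64/26 -all"],
    "mail.saas.test": ["v=spf1 include:_spf.saas.test ~all"],
    "_spf.saas.test": ["v=spf1 a mx -all"],
    "small.test": ["v=spf1 include:_spf.saas.test -all"],
}
# Terms that each cost one DNS lookup (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}
TERM_RE = re.compile(r"^[+\-~?]?([a-z0-9]+)(?:[:=/](.*))?$", re.I)

def spf_record(domain, zone):
    """Exactly one v=spf1 TXT record is valid; zero or several is an error."""
    txts = [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]
    return txts[0] if len(txts) == 1 else None

def count_lookups(domain, zone, path=frozenset()):
    """Walk the include/redirect tree; return (lookup count, list of problems)."""
    if domain in path:
        return 0, [f"include loop at {domain}"]
    record = spf_record(domain, zone)
    if record is None:
        return 0, [f"no single valid SPF record at {domain}"]
    total, problems = 0, []
    for term in record.split()[1:]:
        m = TERM_RE.match(term)
        if not m:
            problems.append(f"unparseable term {term!r} at {domain}")
            continue
        mech, arg = m.group(1).lower(), m.group(2)
        if mech in LOOKUP_TERMS:
            total += 1
        if mech in ("include", "redirect") and arg:  # recurse into the delegated record
            sub_total, sub_problems = count_lookups(arg, zone, path | {domain})
            total += sub_total
            problems.extend(sub_problems)
    return total, problems

def check_domain(domain, zone, limit=10):
    """Layer-1 check: record present, parseable, and under the lookup limit."""
    lookups, problems = count_lookups(domain, zone)
    if lookups > limit:
        problems.append(f"{lookups} DNS lookups exceed the limit of {limit}; SPF returns permerror for every sender")
    return {"domain": domain, "lookups": lookups, "problems": problems}
```

Run the check on a schedule and alert on any change in the result, not only on failures: a lookup count that jumps from 8 to 9 is the early warning that an upstream vendor restructured its record.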

A useful mental model: the one-time setup project gets you to a correct state; monitoring keeps the distance between “what your DNS says” and “what your business actually does” at zero as both keep moving.

A 15-minute self-audit

Before investing in anything, establish where you are today:

The cheapest moment to catch a broken email configuration is the day it breaks. Every day after that, it costs a little more — in deliverability, in reputation, and eventually in a customer’s patience.

Merula runs twenty-six continuous checks on your domain — authentication, transport security, DNS integrity — and surfaces it when something drifts. Merula is in development and launches after summer 2026.