How does DNS change monitoring work?
CertSentry takes a snapshot of your domain's DNS — A, AAAA, CNAME, MX, NS and TXT records — and tells you when it changes. That single feature catches a surprising range of incidents:
- an accidental edit in the DNS console,
- an expired delegation or a registrar that reset your nameservers,
- a hijack or unauthorised change,
- "who moved the MX record?" email-delivery mysteries,
- a TXT/SPF/DKIM change that quietly breaks email authentication.
How we avoid false alarms
DNS is eventually consistent: during a propagation window, different resolvers briefly disagree. If we alerted on the first thing we saw, you'd get noise. Instead, a change only becomes confirmed when we see the same new records on two consecutive checks. Transient propagation flaps are absorbed; real changes still come through.
What the alert shows
When a change is confirmed, the alert spells out what changed — the old records versus the new — so you can tell at a glance whether it was you, a teammate, or something to investigate.
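The two-consecutive-checks rule and the old-versus-new alert described above, as an added sketch that is not CertSentry's own code: `ChangeTracker`, `normalize` and the sample snapshots are hypothetical names and constructed data, and the normalisation rules (ignoring record order, hostname case and trailing dots) are assumptions.

```python
RECORD_TYPES = ("A", "AAAA", "CNAME", "MX", "NS", "TXT")

def normalize(snapshot):
    """Canonical form so record order, case and trailing dots are not 'changes'."""
    out = {}
    for rtype in RECORD_TYPES:
        values = (v.strip() for v in snapshot.get(rtype, ()))
        if rtype != "TXT":  # TXT payloads (e.g. DKIM keys) are case-sensitive
            values = (v.lower().rstrip(".") for v in values)
        out[rtype] = frozenset(values)
    return out

class ChangeTracker:
    """Hypothetical tracker: confirm a change only after two identical checks."""
    def __init__(self, baseline):
        self.confirmed = normalize(baseline)
        self.pending = None  # candidate seen once, not yet confirmed

    def check(self, snapshot):
        """Feed one check result; return the old-vs-new diff once confirmed, else None."""
        seen = normalize(snapshot)
        if seen == self.confirmed:
            self.pending = None  # propagation flap settled back; nothing to report
            return None
        if seen != self.pending:
            self.pending = seen  # first sighting of this state: hold the alert
            return None
        diff = {t: {"removed": sorted(self.confirmed[t] - seen[t]),
                    "added": sorted(seen[t] - self.confirmed[t])}
                for t in RECORD_TYPES if self.confirmed[t] != seen[t]}
        self.confirmed, self.pending = seen, None
        return diff

# Constructed sample snapshots (documentation IP ranges, example domains).
BASELINE = {"A": ["192.0.2.10"], "MX": ["10 mail.example.com."],
            "NS": ["ns1.example.com.", "ns2.example.com."],
            "TXT": ["v=spf1 mx -all"]}
FLAP = {**BASELINE, "A": ["198.51.100.7"]}           # seen by one check only
MOVED_MX = {**BASELINE, "MX": ["10 MX.example.net."]}  # persists across checks

def run_demo():
    tracker = ChangeTracker(BASELINE)
    return [tracker.check(s) for s in (FLAP, BASELINE, MOVED_MX, MOVED_MX)]

if __name__ == "__main__":
    for result in run_demo():
        print(result)
```

The one-off `FLAP` snapshot never produces an alert, while the MX change is reported on its second consecutive sighting with the removed and added records side by side.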
Cadence and availability
DNS checks run on a daily cadence and are available on every plan, including Free. For domains where DNS is business-critical, pair this with domain-expiry monitoring so both the records and the registration are covered.