Blog article
Audit evidence overview:
Security teams can deploy SPF and DKIM. Few can prove to an auditor that those protocols are monitored across every domain the organization owns.
That gap is the most common weakness in enterprise email authentication programs. Configuration isn’t compliance. A DNS record published two years ago says nothing about whether it’s still accurate, whether it covers every authorized sender, or whether anyone reviewed it last quarter.
This guide is for compliance officers, risk leads, and IT operations teams responsible for producing audit evidence that holds up to scrutiny.
Sendmarc’s free Domain Checker shows the current authentication posture of any domain in seconds. It is a practical way to establish a starting point before building out a full evidence collection process.
Most email authentication programs reach a functional state and stop. SPF records are published. DKIM keys are rotated when someone remembers. A DMARC policy is set to p=quarantine or p=reject. The team moves on.
The problem surfaces at audit time. An auditor reviewing email security controls may ask for:
None of these exist automatically. They require deliberate collection and maintenance. A business can have a technically sound authentication setup and still fail an audit – simply because it has no evidence.
This is the audit evidence gap. Closing it is an operational and governance problem, not a technical one.
Before building an audit evidence collection workflow, define what each of these needs to contain.
A configuration inventory is the foundation of audit evidence. It documents the current authentication state of every domain the company sends email from.
For audit purposes, this should include:
p= value, rua= and ruf= addresses)This domain inventory needs to be versioned. A snapshot from today has limited audit value unless it demonstrates a consistent posture over time.
Every change to an SPF record, DKIM key, or DMARC policy needs to be documented: What changed, when, who authorized it, and why. This matters most when moving from p=none to p=quarantine to p=reject. Enforcement progression should be deliberate and staged, with each step producing a documented sign-off.
DMARC aggregate reports show, per reporting period, which sources sent messages claiming to be from your domain and whether those sources passed or failed SPF and DKIM alignment. These reports contain structured data about every sending source, not just failures.
For audit evidence, teams need:
A DMARC aggregate report sitting unread in a mailbox doesn’t constitute monitoring. Auditors typically ask whether reports were acted on, not merely received.
Enterprise organizations rarely operate a single domain. Subsidiaries, acquired businesses, and regional brands each have their own domain portfolio. In delegated models, individual divisions may own their authentication independently.
This creates two audit evidence problems.
For multi-tenant environments, the evidence requirement extends to demonstrating that every domain in scope, including recently acquired domains and those under delegated management, is covered by a consistent monitoring and review process. Maintaining DMARC compliance across domains requires a centralized view. Individual domain checks done ad hoc aren’t sufficient.
Start with a complete list of every domain the business owns, regardless of whether it sends email. Domains that don’t send email still require a DMARC record with a p=reject policy to prevent spoofing. Gaps in the non-sending domain inventory are audit findings.
For sending domains, document the full sender inventory: Every third-party platform, SaaS tool, CRM, and ticketing system that sends on behalf of the domain.
For each domain, document the current DMARC policy and the justification. A domain at p=none should have a documented reason, such as active remediation, a known forwarding issue under investigation, or a legacy system awaiting decommissioning. Undocumented p=none policies read as inaction to an auditor and are treated as audit findings.
Establish a formal monitoring cadence: Who reviews aggregate reports, how often, and what the review covers. Monthly is practical for most enterprise environments. High-risk domains warrant weekly review.
Each review cycle should produce a documented output: A brief record of what was reviewed, whether any new or unauthorized senders appeared, and what action, if any, was taken. This doesn’t need to be elaborate.
Schedule periodic verification across the full domain inventory to confirm that the DNS records match the documented configuration. Records drift. Senders are added without updating SPF. DKIM keys are rotated, but old selectors are left active. The gap between what’s documented and what’s actually published in the DNS are audit findings.
The compliance team’s job isn’t just to collect audit evidence, but to translate it into documentation that a board, audit committee, or external regulator can review.
This means:
Maintaining audit evidence across dozens or hundreds of domains consumes time that stretched security and IT teams don’t have.
Sendmarc provides a centralized view of authentication posture across a full domain portfolio, updated continuously. SPF results, DKIM status, and DMARC enforcement level are visible in a single interface.
For compliance and IT teams mapping current authentication posture ahead of an audit cycle, start with the domain inventory. Use the Sendmarc Platform to see where your domain portfolio stands today.