ISO 27001: 12 Email DNS Records That Matter
Annex A auditors do not want a policy PDF about email. They want twelve DNS objects mapped to controls, with evidence you reviewed them.

Your ISO 27001 Stage 2 auditor asks for "email transfer controls." You open the ISMS folder and slide over a 40-page acceptable use policy.

A 28-person logistics SaaS in Rotterdam passed Stage 1 in October 2025. SPF and DKIM were live on the root domain. DMARC sat at p=none. No TLS-RPT. DNSSEC disabled because "our DNS host makes it hard." MTA-STS was a draft Confluence page, not a published record. Stage 2 in March 2026 spent two days on Annex A.5.14 and A.8.16 alone. The finding was not missing awareness. It was missing DNS evidence tied to operating controls.

ISO 27001 email DNS is where abstract Annex A language becomes TXT records someone can query. Auditors map those records to 2022 controls like A.5.14 (information transfer), A.8.7 (malware and spoofing), and A.8.16 (monitoring). If you cannot name the twelve DNS objects that prove email security, your ISMS is describing intent, not implementation.
Why Auditors Start at DNS (Not Your Policy PDF)
2022 Annex A vs. 2013 leftovers
ISO/IEC 27001:2022 reorganized Annex A into four themes. Email DNS still lands hardest under Organizational controls (A.5), Technological controls (A.8), and sometimes A.13 network language in older gap analyses. Auditors certified on 2022 will cite A.5.14 and A.8.x. If your Statement of Applicability still references 2013 A.13.1.1, update it before Stage 2 or expect a translation conversation on day one.
What "implemented" means
A control is not implemented because someone knows how to fix SPF. It is implemented when the record exists, enforcement matches risk appetite, changes are logged, and monitoring outputs get reviewed. We've seen teams pass penetration tests and fail ISO on DMARC because p=none was documented as "temporary" for fourteen months.
Overlap with NIS2 and SOC2
The same twelve records satisfy parallel frameworks with different control IDs. If you already built a NIS2 DNS baseline, reuse it: zerohook.org/blog/nis2-email-security-requirements-checklist-2026. SOC2 Type II wants continuous proof on the same objects: zerohook.org/blog/soc2-cc6-6-dns-monitoring-evidence.
The 12 Email DNS Records (And Annex A Mapping)
Authentication stack (records 1-4)
| # | Record | Host / example | Annex A tie-in |
|---|---|---|---|
| 1 | SPF | example.com TXT v=spf1 include:spf.protection.outlook.com -all | A.5.14 secure transfer, A.8.7 anti-spoofing |
| 2 | DKIM (primary) | selector1._domainkey.example.com TXT | A.8.24 cryptography |
| 3 | DKIM (rotation) | selector2._domainkey.example.com TXT | A.8.24 key lifecycle |
| 4 | DMARC | _dmarc.example.com TXT v=DMARC1; p=quarantine; rua=mailto:... | A.8.7 enforcement, A.8.16 monitoring |
Record 1 must end with -all on production senders in 2026. Record 4 must not stay at p=none through your certification window if you claim spoofing controls are in place.
Transport and reporting (records 5-7)
| # | Record | Host / example | Annex A tie-in |
|---|---|---|---|
| 5 | MTA-STS | _mta-sts.example.com TXT v=STSv1; id=20260301 | A.8.24 / transport integrity |
| 6 | TLS-RPT | _smtp._tls.example.com TXT v=TLSRPTv1; rua=mailto:... | A.8.16 monitoring |
| 7 | MX | example.com MX 10 mail.example.com | A.8.20 network routing |
MTA-STS needs a hosted policy file at https://mta-sts.example.com/.well-known/mta-sts.txt with mode: enforce. DNS alone without the HTTPS file is half a control.
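As an added example (not code from the original article), the following checks both halves of the MTA-STS control: the `_mta-sts` TXT record and the hosted policy file, and cross-checks that every published MX host is covered by an `mx:` line. The TXT record, policy texts and MX hosts are constructed inputs, not live records.

```python
def parse_sts_policy(text):
    """Parse a .well-known/mta-sts.txt body into (scalar fields, list of mx patterns)."""
    policy, mx = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "mx":
            mx.append(value.lower())
        else:
            policy[key] = value
    return policy, mx

def mx_matches(host, pattern):
    """MTA-STS wildcard: '*.example.com' matches exactly one leftmost label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return host == pattern

def audit_mta_sts(txt_record, policy_text, mx_hosts):
    """Return the findings an assessor would raise; an empty list means the control operates."""
    findings = []
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    if tags.get("v") != "STSv1" or not tags.get("id"):
        findings.append("DNS: _mta-sts TXT must carry v=STSv1 and an id= that changes on every policy update")
    policy, mx = parse_sts_policy(policy_text)
    if policy.get("version") != "STSv1":
        findings.append("policy: version must be STSv1")
    if policy.get("mode") != "enforce":
        findings.append(f"policy: mode is '{policy.get('mode')}', enforce expected")
    if not policy.get("max_age", "").isdigit() or int(policy["max_age"]) <= 0:
        findings.append("policy: max_age must be a positive integer (seconds)")
    for host in mx_hosts:
        if not any(mx_matches(host, p) for p in mx):
            findings.append(f"policy: MX host {host} is not covered by any mx: line")
    return findings

# Constructed inputs (not live records): the 'testing' gap from the text, then the fixed policy.
STS_TXT = "v=STSv1; id=20260301"
POLICY_TESTING = "version: STSv1\nmode: testing\nmx: mail.example.com\nmax_age: 86400\n"
POLICY_ENFORCE = ("version: STSv1\nmode: enforce\nmx: mail.example.com\n"
                  "mx: *.backup.example.com\nmax_age: 604800\n")
MX_HOSTS = ["mail.example.com", "mx2.backup.example.com"]
```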
Infrastructure integrity (records 8-10)
| # | Record | Host / example | Annex A tie-in |
|---|---|---|---|
| 8 | DNSSEC | DS at registrar + signed zone | A.8.24, zone integrity |
| 9 | CAA | example.com CAA 0 issue "letsencrypt.org" | A.8.24 certificate governance |
| 10 | BIMI (optional) | default._bimi.example.com TXT v=BIMI1; l=... | A.5.14 brand authenticity |
DNSSEC and CAA are the records ISO assessors increasingly expect on primary domains handling customer email. BIMI is optional unless marketing claims verified brand badges in Gmail.
Operational split (records 11-12)
| # | Record | Host / example | Annex A tie-in |
|---|---|---|---|
| 11 | Subdomain SPF | mail.example.com TXT separate v=spf1 for ESP | A.5.14 scoped transfer |
| 12 | Subdomain DMARC | _dmarc.mail.example.com TXT or sp= on root | A.8.7 scoped enforcement |
Records 11 and 12 matter when marketing mail leaves a subdomain while corporate mail stays on M365. Crowding every ESP into root SPF is how permerror happens (and how A.5.14 evidence falls apart under the ten-lookup limit).
“Annex A does not ask whether you like DMARC. It asks whether unauthorized mail claiming your domain gets stopped and whether you can prove you watch for failures.”
Evidence Auditors Accept for Each Record
Minimum evidence per record
For each of the twelve objects, prepare three artifacts: (1) query output or panel screenshot with timestamp, (2) change ticket or approval showing who authorized the value, (3) monitoring log proving weekly or daily re-check during the audit period.
High-risk gaps assessors flag first
- DMARC at p=none while A.8.7 is marked "implemented"
- SPF with more than ten DNS lookups (permerror risk)
- DKIM 1024-bit keys still live in 2026
- MTA-STS in testing mode during Stage 2
- TLS-RPT pointing at an unmonitored mailbox
- No CAA while claiming certificate issuance is controlled
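As an added example (not the article's or ZeroHook's code), the checker below evaluates the first two gaps in the list above over constructed SPF and DMARC records: it counts DNS lookups the way RFC 7208 does (include/a/mx/ptr/exists/redirect, recursing into includes) and flags a non-`-all` ending, `p=none` and a missing `rua=`. The zone contents are made up for the example; a real audit would feed in `dig` output instead.

```python
import re
ZONE = {  # constructed SPF/DMARC answers standing in for live DNS (not real records)
    "example.com": "v=spf1 include:_spf.mailhost.example include:_spf.esp-one.example include:_spf.esp-two.example mx ~all",
    "_spf.mailhost.example": "v=spf1 include:a1.mailhost.example include:a2.mailhost.example -all",
    "_spf.esp-one.example": "v=spf1 a mx include:relay.esp-one.example ~all",
    "_spf.esp-two.example": "v=spf1 exists:%{i}.esp-two.example ptr -all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query (RFC 7208)

def count_spf_lookups(domain, zone, depth=0):
    """Count lookup-causing terms, recursing into include:/redirect= targets (limit is 10)."""
    record = zone.get(domain, "")
    if depth > 10 or not record.startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        m = re.fullmatch(r"([a-z0-9]+)(?:[:=](\S*))?", term.lstrip("+-~?").split("/")[0])
        if m and m.group(1) in LOOKUP_TERMS:
            total += 1
            if m.group(1) in ("include", "redirect"):
                total += count_spf_lookups(m.group(2), zone, depth + 1)
    return total

def audit_spf(domain, zone):
    """Flag the two SPF gaps from the list above: a soft ending and lookup overflow."""
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return [f"{domain}: no SPF record"]
    findings = []
    if record.split()[-1] != "-all":
        findings.append(f"{domain}: SPF ends with '{record.split()[-1]}', not -all")
    if (n := count_spf_lookups(domain, zone)) > 10:
        findings.append(f"{domain}: SPF needs {n} DNS lookups (limit 10, permerror)")
    return findings

def parse_dmarc(record):
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def audit_dmarc(domain, zone):
    """Flag p=none and a missing rua= (the A.8.7 / A.8.16 evidence gaps)."""
    tags = parse_dmarc(zone.get(f"_dmarc.{domain}", ""))
    if tags.get("v") != "DMARC1":
        return [f"{domain}: no DMARC record"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append(f"{domain}: DMARC p=none, spoofed mail is neither quarantined nor rejected")
    if "rua" not in tags:
        findings.append(f"{domain}: DMARC has no rua=, failures are not reported anywhere")
    return findings
```

Running `audit_spf("example.com", ZONE) + audit_dmarc("example.com", ZONE)` on the constructed zone yields three findings: the `~all` ending, 11 lookups, and `p=none`.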
Statistic worth knowing
According to Vanta's 2025 Trust Maturity Report, 38% of organizations in the earliest security maturity tier already hold ISO 27001 certification. Most enter Stage 2 with SPF and DKIM live. DMARC enforcement, TLS reporting, and DNSSEC gaps still drive major findings.
Fix the Gaps Before Stage 2
Inventory senders
List M365, Google Workspace, HubSpot, SendGrid, and transactional pipes. Unknown senders break SPF evidence fast.
Enforce DMARC
Move to p=quarantine, then p=reject when alignment holds two weeks. Verify:
dig _dmarc.example.com TXT +short
Complete DKIM coverage
Enable signing in each platform. Publish both active and standby selectors before rotation. Check at zerohook.org/dns-visualizer.
Harden SPF
One record per domain, -all ending, under ten lookups. Split marketing to subdomain if includes stack up.
Publish MTA-STS and TLS-RPT
Enforce mode on MTA-STS. Assign an owner for TLS-RPT inbox review monthly.
Enable DNSSEC and CAA
Turn on DNSSEC at Cloudflare, Route53, or your registrar chain. Add CAA restricting issuance to approved CAs.
Document and monitor
Map each record to Annex A control IDs in your SoA. Run automated scans weekly. Export evidence monthly.
Common ISO 27001 DNS Mistakes (Still Breaking in 2026)
Treating ESP DKIM as "good enough"
DKIM passing on d=sendgrid.net while your From: says @example.com does not satisfy alignment. Auditors testing A.5.14 want d= on your domain or strict alignment via DMARC.
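To make the alignment rule concrete, here is an added example (not from the original article) that evaluates DMARC identifier alignment for the ESP case above under relaxed and strict modes. It approximates the organizational domain as the last two labels; that is an assumption made for brevity, since real validators consult the Public Suffix List. The two scenarios at the bottom are constructed, not captured mail.

```python
def org_domain(domain):
    """Organizational domain, approximated as the last two labels. Assumption for this
    example only: production code uses the Public Suffix List (co.uk and similar)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def identifier_aligned(from_domain, auth_domain, mode="r"):
    """DMARC alignment: relaxed (r, the default) accepts the same organizational
    domain; strict (s) requires the authenticated domain to equal the From: domain."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return f == a if mode == "s" else org_domain(f) == org_domain(a)

def dmarc_pass(from_domain, auth_results, adkim="r", aspf="r"):
    """DMARC passes when at least one *passing* authenticator is also aligned.
    auth_results holds ("dkim", d= domain) per passing signature and
    ("spf", MAIL FROM domain) for a passing SPF check."""
    for method, ident in auth_results:
        if identifier_aligned(from_domain, ident, adkim if method == "dkim" else aspf):
            return True
    return False

# Constructed scenarios (not real mail flow): the ESP default from the text, and the fix
# where the ESP signs and sends from a customer-owned subdomain.
ESP_DEFAULT = ("example.com", [("dkim", "sendgrid.net"), ("spf", "sendgrid.net")])
CUSTOM_DOMAIN = ("example.com", [("dkim", "em.example.com"), ("spf", "em.example.com")])
```

Note that the custom-subdomain fix passes only under relaxed alignment; with `adkim=s` the d= domain must equal the From: domain exactly.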
Policy without review cadence
Pointing rua= at a shared inbox nobody owns fails A.8.16. Monitoring is a process, not a TXT tag.
Ignoring subdomain takeover paths
Forgotten CNAMEs to defunct SaaS apps are not one of the twelve email auth records, but assessors link them to A.8.20 network controls. Clean dangling DNS before certification.
Excel-only evidence
Spreadsheets edited the week before Stage 2 do not demonstrate operating effectiveness. Hash-verified logs or exported scan history with immutable timestamps hold up better. Cost context vs. manual consulting: zerohook.org/blog/securityscorecard-vs-manual-audit-cost.
Frequently Asked Questions
Do we need all 12 records for ISO 27001 certification?
Not every record applies to every scope. BIMI is optional. DANE is rare for SMBs. You still must justify exclusions in your SoA. Skipping DMARC enforcement while claiming anti-spoofing controls is not a defensible exclusion.
Which Annex A controls map to email DNS?
Most audits center on A.5.14, A.8.7, A.8.16, and A.8.24. Transport records (MTA-STS, TLS-RPT) support A.8.24 cryptography arguments. MX and DNSSEC support network integrity narratives.
Is ISO 27001:2013 Annex A still valid?
Certifications issued under 2022 use the 2022 control set. Migrate your SoA and risk treatment. Auditors will map DNS evidence to 2022 IDs even if your internal docs lag.
How often should we re-check DNS records?
Weekly automated checks are a practical minimum during certification windows. Daily during migrations. Annual manual review alone is weak evidence for A.8.16.
Can we reuse NIS2 DNS work?
Yes. Records overlap. Map the same evidence to different framework IDs. Start at zerohook.org/nis2-guide if you need an EU parallel checklist.
Key takeaways
ISO 27001 email audits reduce to twelve queryable DNS objects, not policy length.
DMARC enforcement, TLS reporting, and DNSSEC/CAA are the 2026 gaps that trap SPF/DKIM-only shops.
Map each record to Annex A 2022 controls in your SoA with named owners.
Split marketing to subdomains before root SPF hits lookup limits.
Export timestamped monitoring evidence monthly, not screenshots the week before Stage 2.
Map your domain against all twelve records with the free DNS visualizer at zerohook.org/dns-visualizer, then align Annex A evidence in your ISMS before Stage 2.
About the author

The ZeroHook Team tracks NIS2, ISO 27001, SOC2, and GDPR evidence requirements for EU SMBs. We write what auditors actually ask for, not what vendor decks claim.