NIS2 Article 21: DNS Auditors Ask For

Article 21(2) lists measure categories: risk analysis, incident handling, business continuity, supply chain security, security in network acquisition and maintenance, policies on cryptography, human resources, and access control policies.

Paragraph 2(g) adds use of cryptography and encryption where appropriate. Paragraph 2(h) covers human resources and access control.

Where DNS and email fit

• Transmission security (2(g)): MTA-STS, TLS-RPT, SMTP TLS posture for domains that receive or relay sensitive mail.
• Network acquisition and maintenance (2(d)): DNS records are part of your network configuration. Unauthorized or accidental changes to SPF/DKIM/DMARC are incidents waiting to happen.
• Risk analysis (2(a)): Spoofing and BEC via your domain are identified risks. Authentication records are controls.
• Incident handling (2(b)): DMARC aggregate and forensic signals (where used) feed detection of abuse.

No single annex lists "ten TXT records." Assessors map your controls to these paragraphs and ask for proof they ran in the period under review.

From NIS2-focused reviews we see in 2026, these requests recur:

1. Current authentication records

Exports or screenshots of SPF, DKIM selectors, and DMARC TXT with dates. They check for -all on sending domains, published rua=, and whether policy is none, quarantine, or reject.

2. Alignment evidence

Test messages or Authentication-Results headers showing dmarc=pass on production paths (M365, Google Workspace, ESP). Failures without remediation tickets raise flags.

3. DMARC aggregate history

30-90 days of RUA summaries: pass/fail volumes, unknown senders, trend lines. "We receive reports" is not enough if nobody parsed them.

4. Change management for DNS

Who approved the Mailchimp include added in January? Ticket ID, approver, rollback plan. Ad-hoc Cloudflare edits without logs fail mature assessments.

5. Continuous monitoring proof

Alerts when SPF, DKIM, DMARC, MX, or MTA-STS changed. Point-in-time scans before the audit are weak. Daily or weekly monitoring with retained history is what SOC2-trained auditors increasingly expect.

6. MTA-STS and TLS-RPT (inbound)

Policy file URL, mode (testing vs. enforce), and whether TLS failure reports are reviewed.

7. Named accountable role

Job title responsible for mail DNS posture, not a shared mailbox from 2019.

"Show continuous monitoring of email-related DNS."

They want timestamps: what the record was on March 1, what changed on March 14, who was notified, what you did. Excel snapshots without history are incomplete.

"How do you detect unauthorized sending from your domain?"

DMARC reports plus blocklist monitoring plus incident playbook. p=none without a roadmap to enforcement is a finding in regulated sectors in 2026.

"Who reviews DMARC aggregate reports and how often?"

Weekly is a credible answer for production domains. "The IT director when they have time" is not.

"Prove encryption for email transmission."

MTA-STS enforce mode or documented SMTP TLS requirements for outbound relays. PCI and health data environments get extra scrutiny.

"What happens if SPF returns PermError?"

They are testing whether you understand authentication failures. Know the 10 lookup limit and your remediation process. Reference: zerohook.org/fix/spf-permerror.

Fail: DMARC p=none for three years, no enforcement plan.

Fix: Document staged rollout (quarantine with pct=, then reject) with dates. Link to zerohook.org/blog/dmarc-p-reject-rollout-8-weeks.

Fail: Marketing ESP not in SPF, DKIM unsigned.

Fix: Authenticate domain in ESP, publish records, re-test alignment.

Fail: No evidence between annual audits.

Fix: Monitoring tier with retained history ($29/month Deliverability for single domain baseline; Evidence tier at $199/month for auditor PDFs and 365-day tamper-proof logs).

Fail: Controls described in policy but no owner.

Fix: RACI line in the control narrative: Responsible, Accountable, Consulted, Informed.