Tag Archives: monitoring

SPF, DMARC, and rDNS Checks Are Now Built Into Blacklist Monitoring

[Screenshot: Generator Labs email deliverability checks tab showing all 13 available checks]

Getting listed on an RBL is one way mail stops delivering. There’s a longer list of DNS misconfigurations that cause mail to land in spam or get silently rejected, and most monitoring tools don’t catch them. Generator Labs has added 13 email deliverability checks directly into blacklist monitoring profiles, running alongside your RBL checks and feeding into the same alert pipeline.

What Gets Checked

IP-based checks (for IPv4 and IPv6 hosts):

  • Reverse DNS (rDNS): the IP has a PTR record
  • Forward-Confirmed rDNS (FCrDNS): the PTR resolves forward back to the original IP
  • Generic PTR Pattern: the PTR doesn’t look like a dynamic or consumer hostname
  • PTR Format: the PTR has at least two labels and a valid alpha TLD
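To make the four IP-side checks concrete, here is an added example (not Generator Labs code) that implements them over a pluggable lookup function. The DNS data is constructed and the `fake_lookup` function stands in for a real resolver; the token list used by the generic-PTR heuristic is an assumption, since the page does not describe the exact patterns the product matches.

```python
"""IP-side deliverability checks (rDNS, FCrDNS, generic PTR, PTR format).
Added example; DNS data is constructed and fake_lookup replaces a resolver."""
import ipaddress
import re

# Constructed records. Forward data for the dsl-* name deliberately does not
# point back at 203.0.113.11, so FCrDNS fails for that host.
FAKE_DNS = {
    "PTR": {
        "203.0.113.10": "mail.example.com",
        "203.0.113.11": "dsl-203-0-113-11.pool.isp.example",
        "203.0.113.12": "localhost",
        "2001:db8::25": "mx1.example.net",
    },
    "A": {
        "mail.example.com": ["203.0.113.10"],
        "dsl-203-0-113-11.pool.isp.example": ["203.0.113.99"],
    },
    "AAAA": {"mx1.example.net": ["2001:db8::25"]},
}

# Tokens providers commonly put in PTRs for dynamic or consumer ranges (assumed list).
GENERIC_TOKENS = re.compile(
    r"\b(dyn(amic)?|dhcp|a?dsl|cable|pool|pppo?e?|cust(omer)?|broadband|unassigned)\b", re.I)


def fake_lookup(rrtype, name):
    """PTR lookups return one name or None; A/AAAA return a list of addresses."""
    return FAKE_DNS.get(rrtype, {}).get(name)


def check_rdns(ip, lookup=fake_lookup):
    """Reverse DNS: a PTR record exists for the address."""
    return lookup("PTR", ip) is not None


def check_fcrdns(ip, lookup=fake_lookup):
    """Forward-confirmed rDNS: the PTR target resolves back to the same address."""
    ptr = lookup("PTR", ip)
    if ptr is None:
        return False
    addr = ipaddress.ip_address(ip)
    forward = lookup("AAAA" if addr.version == 6 else "A", ptr) or []
    return any(ipaddress.ip_address(a) == addr for a in forward)


def check_generic_ptr(ip, lookup=fake_lookup):
    """Passes when the PTR does not look like a dynamic/consumer hostname."""
    ptr = lookup("PTR", ip)
    if ptr is None:
        return False
    if GENERIC_TOKENS.search(ptr):
        return False
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        # Octets embedded in the name (203-0-113-11, or reversed) are a provider template.
        octets = ip.split(".")
        for sep in ("-", "."):
            if sep.join(octets) in ptr or sep.join(reversed(octets)) in ptr:
                return False
    return True


def check_ptr_format(ip, lookup=fake_lookup):
    """At least two non-empty labels and an alphabetic top-level domain."""
    ptr = lookup("PTR", ip)
    if ptr is None:
        return False
    labels = ptr.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels) and labels[-1].isalpha()


def run_ip_checks(ip, lookup=fake_lookup):
    """Run all four checks; each is True on pass, False on fail or missing data."""
    return {
        "rdns": check_rdns(ip, lookup),
        "fcrdns": check_fcrdns(ip, lookup),
        "generic_ptr": check_generic_ptr(ip, lookup),
        "ptr_format": check_ptr_format(ip, lookup),
    }


if __name__ == "__main__":
    for host in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13", "2001:db8::25"):
        print(host, run_ip_checks(host))
```

Note that a missing PTR fails all four checks, not just rDNS: the later checks depend on having a name to inspect, which is also why the PTR-format check treats a bare single-label name like `localhost` as a failure.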

Domain-based checks (for URIBL and URI hosts):

  • MX Health: MX records exist and at least one target resolves
  • SPF Record: domain publishes a valid SPF record
  • SPF Strict: SPF uses an enforcing policy (-all or ~all)
  • SPF Lookup Limit: SPF stays within RFC 7208’s 10-lookup cap
  • DMARC Record: domain publishes a valid DMARC record
  • DMARC Strict: DMARC uses an enforcing policy (p=quarantine or p=reject)
  • TLS-RPT Record: domain publishes a TLS Reporting record
  • MTA-STS Policy: domain publishes a valid MTA-STS policy
  • BIMI Record: domain publishes a valid BIMI record
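The SPF and DMARC checks are the ones most often misread, so here is an added example (not Generator Labs code) covering MX health, SPF presence and strictness, the RFC 7208 10-lookup count with recursion through `include:` and `redirect=`, and DMARC presence and policy. All records are constructed; `fake_lookup` stands in for a resolver. TLS-RPT, MTA-STS and BIMI are left out because they need HTTPS fetches or record formats the page does not describe.

```python
"""Domain-side deliverability checks (MX, SPF, DMARC) over a pluggable DNS lookup.
Added example; the records below are constructed."""
import re

FAKE_DNS = {
    "MX": {"example.com": ["mx1.example.com", "mx2.example.com"], "loose.example": ["mail.loose.example"]},
    "A": {"mx1.example.com": ["203.0.113.10"]},  # mx2 and mail.loose.example resolve to nothing
    "TXT": {
        "example.com": ["v=spf1 mx include:_spf.mailer.example -all", "site-verification=abc123"],
        "_spf.mailer.example": ["v=spf1 ip4:203.0.113.0/24 include:relay.mailer.example ~all"],
        "relay.mailer.example": ["v=spf1 a a:mx1.mailer.example mx exists:%{i}.chk.mailer.example -all"],
        "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
        "loose.example": ["v=spf1 include:_spf.mailer.example ?all"],
        "_dmarc.loose.example": ["v=DMARC1; p=none; rua=mailto:dmarc@loose.example"],
        # 11 includes: one over the RFC 7208 cap, even though none of them resolve
        "bloated.example": ["v=spf1 " + " ".join(f"include:inc{i}.bloated.example" for i in range(11)) + " -all"],
    },
}


def fake_lookup(rrtype, name):
    """Return the record list for name, or an empty list when nothing is published."""
    return FAKE_DNS.get(rrtype, {}).get(name) or []


# Mechanisms that cost a DNS query, with an optional qualifier prefix; "all" and "ip4:" do not match.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?=[:/]|$)", re.I)
ALL_TERM = re.compile(r"^([+\-~?]?)all$", re.I)


def check_mx_health(domain, lookup=fake_lookup):
    """MX records exist and at least one target has an address."""
    targets = lookup("MX", domain)
    return bool(targets) and any(lookup("A", t) or lookup("AAAA", t) for t in targets)


def get_spf(domain, lookup=fake_lookup):
    recs = [r for r in lookup("TXT", domain) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None  # zero or several records: no usable SPF


def spf_is_strict(record):
    """Enforcing policy means the final "all" carries - (fail) or ~ (softfail)."""
    quals = [m.group(1) for m in map(ALL_TERM.match, record.split()[1:]) if m]
    return bool(quals) and quals[-1] in ("-", "~")  # a missing "all" defaults to neutral


def count_spf_lookups(domain, lookup=fake_lookup, _seen=None):
    """Count terms that cost a DNS query (include, a, mx, ptr, exists, redirect=),
    recursing into included/redirected records as RFC 7208 section 4.6.4 does.
    _seen guards against include loops; a real evaluator would return permerror."""
    _seen = set() if _seen is None else _seen
    record = get_spf(domain, lookup)
    if record is None or domain in _seen:
        return 0
    _seen.add(domain)
    count = 0
    for term in record.split()[1:]:
        m = LOOKUP_TERM.match(term)
        if m:
            count += 1
            if m.group(1).lower() == "include":
                count += count_spf_lookups(term.split(":", 1)[1], lookup, _seen)
        elif term.lower().startswith("redirect="):
            count += 1 + count_spf_lookups(term.split("=", 1)[1], lookup, _seen)
    return count


def get_dmarc(domain, lookup=fake_lookup):
    recs = [r for r in lookup("TXT", "_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    return recs[0] if len(recs) == 1 else None


def dmarc_is_strict(record):
    """Enforcing policy means p=quarantine or p=reject."""
    tags = {k.strip().lower(): v.strip().lower() for k, v in
            (kv.split("=", 1) for kv in record.split(";") if "=" in kv)}
    return tags.get("p") in ("quarantine", "reject")


def run_domain_checks(domain, lookup=fake_lookup):
    spf, dmarc = get_spf(domain, lookup), get_dmarc(domain, lookup)
    lookups = count_spf_lookups(domain, lookup)
    return {
        "mx_health": check_mx_health(domain, lookup),
        "spf_record": spf is not None,
        "spf_strict": spf is not None and spf_is_strict(spf),
        "spf_lookups": lookups,
        "spf_lookup_limit": spf is not None and lookups <= 10,
        "dmarc_record": dmarc is not None,
        "dmarc_strict": dmarc is not None and dmarc_is_strict(dmarc),
    }


if __name__ == "__main__":
    for d in ("example.com", "loose.example", "bloated.example", "missing.example"):
        print(d, run_domain_checks(d))
```

The lookup counter is the part worth studying: `example.com` publishes only two mechanisms itself, but its `include:` chain pulls in five more queries, for a total of seven. Records that look short can still be over the cap once every include is followed, and the `bloated.example` record shows that includes which resolve to nothing still count.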

How to Enable

All 13 checks are opt-in. Go to RBL Monitoring > Monitoring Profiles > Data Sources, click the Email Deliverability tab, and enable the ones you want. None of them run unless you explicitly turn them on.

The recommended approach is a dedicated profile for your mail-sending hosts so deliverability alerts don’t mix with RBL alerts from non-mail infrastructure. Failures trigger the same notifications and webhooks as blacklist listings, so they drop straight into your existing incident workflow.

Full documentation is at docs.generatorlabs.com/email-deliverability.

SSL Certificate Monitoring That Goes Beyond Expiration Dates

[Screenshot: Generator Labs certificate monitoring portal showing active monitors]

Most certificate monitoring tools do one thing: alert you when a certificate is about to expire. That’s useful, but expiration is only one of the ways a certificate can fail. Generator Labs certificate monitoring runs eight independently configurable checks on every scan, so you catch problems that a basic expiry check misses entirely.

What Gets Checked on Every Scan

Each monitoring profile supports up to eight alert types:

  • Expiration: configurable thresholds anywhere from 0 to 90 days out, up to 10 per profile
  • Chain integrity: catches missing or expired intermediate certificates before clients do
  • Hostname mismatch: flags certificates that don’t cover the host they’re serving
  • CA trust failure: alerts when a certificate can’t be validated to a trusted root
  • Revocation: detects certificates that have been pulled by their issuing CA
  • Fingerprint changes: tracks renewals and unexpected replacements
  • Certificate flapping: multiple fingerprint changes in a short window, often a load balancer misconfiguration
  • Missing or misconfigured CAA records: ensures only authorized CAs can issue for your domains

All eight can be toggled independently per profile, so you can be aggressive on production hosts and quieter on staging or internal infrastructure.
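To show how several of these alert types are evaluated from one scan, here is an added example (not Generator Labs code) that takes constructed scan data and returns the alerts a profile would raise: expiry thresholds, hostname mismatch, fingerprint change, flapping, and CAA authorization. Chain integrity, CA trust and revocation need a live TLS handshake and certificate parsing, so they are omitted. The scan field names, the flapping window of 24 hours and more than two changes, and the simplified CAA handling are all assumptions of this example, not the product's settings.

```python
"""Certificate-monitoring alert logic over constructed scan data.
Added example; field names, thresholds and windows are assumptions."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock keeps the example deterministic


def expiry_alerts(not_after, thresholds, now=NOW):
    """Thresholds (in days) the certificate has already crossed, tightest first."""
    days_left = (not_after - now).total_seconds() / 86400
    return sorted(t for t in thresholds if days_left <= t)


def hostname_matches(host, sans):
    """Exact match, or a single-label wildcard in the left-most position (RFC 6125 style)."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in sans):
        if name == host:
            return True
        # *.example.com covers www.example.com but not example.com or a.b.example.com
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def fingerprint_status(history, window=timedelta(hours=24), max_changes=2):
    """history: (timestamp, fingerprint) tuples in scan order, newest last.
    Returns (changed_on_last_scan, flapping); flapping means more than
    max_changes fingerprint changes inside the trailing window."""
    if len(history) < 2:
        return False, False
    change_times = [ts for (_, prev), (ts, cur) in zip(history, history[1:]) if prev != cur]
    newest = history[-1][0]
    recent = [ts for ts in change_times if newest - ts <= window]
    return history[-1][1] != history[-2][1], len(recent) > max_changes


def caa_allows(caa_records, ca_domain, wildcard=False):
    """caa_records: (tag, value) pairs from the closest name that publishes CAA.
    Simplified RFC 8659 handling: no issue/issuewild properties means no
    restriction; a value of ';' forbids every CA; otherwise the issuer's
    domain must be listed. Parameters after ';' are ignored here."""
    values = [v for t, v in caa_records if t == ("issuewild" if wildcard else "issue")]
    if wildcard and not values:  # no issuewild: issue properties govern wildcards too
        values = [v for t, v in caa_records if t == "issue"]
    if not values:
        return True
    allowed = {v.split(";", 1)[0].strip().lower() for v in values}
    return ca_domain.lower() in allowed


def evaluate(scan, history, thresholds, caa_records, now=NOW):
    """Return the alert names a monitoring profile would raise for one scan."""
    alerts = []
    crossed = expiry_alerts(scan["not_after"], thresholds, now)
    if crossed:
        alerts.append(f"expiration:{crossed[0]}d")
    if not hostname_matches(scan["host"], scan["sans"]):
        alerts.append("hostname_mismatch")
    changed, flapping = fingerprint_status(history + [(now, scan["fingerprint"])])
    if changed:
        alerts.append("fingerprint_change")
    if flapping:
        alerts.append("flapping")
    wildcard = any(n.startswith("*.") for n in scan["sans"])
    if not caa_records:
        alerts.append("caa_missing")
    elif not caa_allows(caa_records, scan["issuer_ca"], wildcard):
        alerts.append("caa_unauthorized")
    return alerts


# Constructed scan: a wildcard cert 12 days from expiry that a load balancer has
# been swapping back and forth, issued by a CA the CAA record forbids for wildcards.
SCAN = {
    "host": "www.example.com",
    "sans": ["example.com", "*.example.com"],
    "not_after": NOW + timedelta(days=12),
    "issuer_ca": "ca.issuer.example",  # the CA's CAA identifier, constructed
    "fingerprint": "sha256:c0ffee03",
}
HISTORY = [
    (NOW - timedelta(hours=20), "sha256:c0ffee01"),
    (NOW - timedelta(hours=15), "sha256:c0ffee02"),
    (NOW - timedelta(hours=10), "sha256:c0ffee01"),
    (NOW - timedelta(hours=5), "sha256:c0ffee02"),
]
CAA = [("issue", "ca.issuer.example"), ("issuewild", ";")]
THRESHOLDS = [30, 14, 7, 1]

if __name__ == "__main__":
    print(evaluate(SCAN, HISTORY, THRESHOLDS, CAA))
```

Two details matter in practice. Flapping is detected from the scan history, not from a single scan, so the monitor has to retain fingerprints rather than just the latest one. And the CAA check looks at whether the certificate carries a wildcard name: an `issuewild` property of `;` blocks wildcard issuance even when the same CA is authorized by `issue`, which is exactly the kind of misconfiguration a plain "CAA record exists" check would miss.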

Monitoring Profiles

Profiles group hosts with shared settings. A common pattern is a Production profile with tight thresholds and PagerDuty alerts, a Staging profile with looser thresholds and email-only, and a separate Internal profile for private CA hosts. Profile changes apply immediately across all assigned hosts.

Internal and Private Certificate Monitoring

External checks can’t reach internal services, self-signed certificates, or private CA infrastructure. The private certificate monitoring agent is a lightweight Docker container you deploy inside your network. It checks internal hosts and reports back to the platform over outbound HTTPS. No inbound firewall rules needed, and private keys never leave your network.

Protocol Coverage

The monitor handles direct TLS on any port, plus STARTTLS for SMTP, IMAP, POP3, LMTP, FTP, and LDAP, and the implicit TLS variants: SMTPS, IMAPS, POP3S, FTPS, LDAPS. If TLS is running on it, you can monitor it.

Pricing

Certificate monitoring is $0.01 per host per day. No contracts, no minimums, no flat fees. You pay for active hosts only. Full details on the certificate monitoring pricing page.

Monitoring Internal and Private CA Certificates with Generator Labs

External certificate monitoring works well for public-facing infrastructure, but it has an obvious blind spot: it can’t reach anything inside your private network. Internal APIs, databases with TLS-encrypted connections, mail servers on non-public ports, self-signed certificates, and certificates issued by a private CA all go completely unmonitored. Those certificates still expire. When they do, the failures tend to be worse, because internal services rarely have the same visibility as public ones.

Generator Labs internal certificate monitoring solves this with a lightweight on-premise agent you deploy as a Docker container inside your network.

How It Works

[Diagram: the Generator Labs private monitoring agent connecting internal hosts to the platform over outbound HTTPS]

The agent runs inside your private network, connects to your internal hosts, retrieves their certificates, and reports the data back to the Generator Labs platform over outbound HTTPS. No inbound firewall rules are required. Private keys never leave your network. From the platform’s side, internal monitors look and behave exactly like external ones.

What It Can Monitor

The agent connects to any TLS endpoint your network can reach:

  • Internal web servers and APIs
  • Databases with TLS connections (PostgreSQL, MySQL, MongoDB, Redis)
  • Internal mail servers (SMTP, IMAP, POP3 with STARTTLS or implicit TLS)
  • IoT devices and embedded systems serving TLS on custom ports
  • Any service running TLS on any port

It runs the same eight checks as external monitoring: expiration, chain integrity, hostname validation, CA trust, revocation, fingerprint changes, flapping, and CAA records.

Private CA Support

If your internal certificates are issued by a private CA, you can import that CA’s root certificate into the platform. The agent then validates certificate chains all the way to your private root, so chain integrity checks work correctly for internally-issued certificates, not just publicly-trusted ones.

Alerts

All the same notification channels are available: email, Slack, PagerDuty, Discord, webhooks, AWS SNS, and more. Internal certificate expiration or chain failures trigger the same alert pipeline as any other monitoring event.

Getting Started

The agent is open source and available at github.com/generator-labs/agent. Deploying it takes a few minutes: pull the Docker image, set your API credentials as environment variables, and configure the hosts you want to monitor. Full setup instructions are on the internal certificate monitoring page.