Coming soon
The canary for your domains
pks-agent-domain
Continuous watch over MX, SPF, DKIM, DMARC, DNSSEC, and TLS — it sings before mail fails or your domain can be spoofed.
You find the gap only when a customer does.
Domains fail quietly. SPF is missing and your mail lands in spam. DMARC isn't set and anyone can send as you. A certificate expires on a Sunday night. None of it makes noise — it just happens, and you find out when an invoice never arrived or a customer calls about a phishing mail with your name on it. Online checkers exist, but they run once and forget you. A dashboard only helps if you remember to look. pks-agent-domain inverts it: it keeps watch and speaks up before the gap becomes damage.
Missing MX or SPF means your mail can't get through — and your sender can be spoofed. Both are invisible until it's too late.
A one-off scan is a PDF that's stale the second a record changes.
An expired certificate or domain never makes noise — it just fails, usually outside working hours.
Three steps. Then it keeps watch on its own.
Point it at a domain.
Type the domain in. Kanariefugl looks up MX, SPF, DKIM, DMARC, DNSSEC, and TLS itself — no agent to install, nothing to configure.
Read one explanation, not six records.
Each finding becomes one plain sentence and one action: exactly which record to set, and what it protects against.
Let it sing.
It keeps the posture under watch and alerts the moment something changes or nears expiry — you never have to look.
Later: let it fix.
The next step writes the change directly via your DNS provider's API and can search and buy new domains — the same watch, now with hands.
What it does
Mail deliverability (MX)
Checks that your domain can receive mail at all, and that the MX records point somewhere that answers — not into the void.
Sender authenticity (SPF · DKIM)
Confirms that only the servers you've authorized can send as you, and that the signature holds — so your mail doesn't land in spam.
Spoofing protection (DMARC)
Reads your DMARC policy and tells you whether strangers can send phishing in your name — and which policy closes the gap.
Record integrity (DNSSEC)
Checks whether your DNS answers are signed, so no one can reroute your domain with forged records in transit.
Certificate & expiry (TLS)
Watches the TLS certificate's and the domain's expiry and counts down — warns you in good time, not at 2am on a Sunday.
Continuous watch & alerts
A fingerprint of each record's state catches changes over time, so you're told the second the posture degrades — not at the next manual scan.
Built from the foundation up, not a wrapper around a third-party scanner. The resolver, the posture rules, and the explanations are ours, so we own both the signal and the language it arrives in.
Explanation before record. We refuse to hand back raw DNS syntax: every finding becomes one sentence and one action, so an owner without a DMARC degree can fix it.
Owns its own state. Domains, snapshots, and alert history live in state you control — no external service that forgets your domains if the subscription lapses.
Layer on layer in the suite. It's the runtime layer for what you expose: while pks-agent-ops keeps your agents healthy, Kanariefugl keeps healthy the domains and mail they reach the world through.
Composes with
A scanner runs once. A canary keeps watch.
pks-agent-domain keeps continuous watch over your domains' DNS and email posture. It knows every record, notices when something changes, and tells you in plain language — what's wrong, why it's dangerous, and exactly which record fixes it. Born from a real finding: dronepoul.com couldn't receive mail, and its sender could be spoofed.