Ground Control / Sentinel / Email Security
Monitoring active — checks running every 6 hours

Is someone
sending emails
pretending to be you?

Sentinel monitors your domain's email authentication, DNS configuration, and SSL certificates — continuously, automatically, and for free.

No credit card
No installation
Results in 60 seconds
01 / The Problem

What happens when
email authentication fails.

01

Domain spoofing

DMARC p=reject stops this completely.

Attackers send emails from your domain without touching your servers.

A missing or weak DMARC record means anyone can set your domain as the sender address. No login required. No access to your infrastructure. Just a free AWS account and a CSV of email addresses.

We experienced this attack twice on our own domain. The second time, 10,000 emails were sent in a single day.

02

SSL expiry

Sentinel alerts you 30 days and 7 days before expiry.

Your certificate expires on a Friday evening. Nobody notices until Monday.

Let's Encrypt renewals fail silently. Cron jobs stop running. Certificates expire. Your customers see browser security warnings and assume you've been hacked. Your support inbox fills up over the weekend.

SSL expiry is the most preventable outage in software. 65% of organisations have experienced it.

03

Silent M365 misconfiguration

Sentinel checks your M365 DKIM status and Conditional Access gaps.

DKIM signing was never enabled for your custom domain.

Microsoft 365 doesn't enable DKIM for custom domains by default. Your emails are signed with the onmicrosoft.com key. They fail DMARC alignment. They go to spam. You don't know because there's no alert — the emails just quietly underperform.

This is the most common misconfiguration we find. It affects most M365 tenants that migrated from another provider.

02 / How It Works
01

Add your domain

Enter yourcompany.com. No DNS changes required. No installation. No agents to deploy on your servers. Sentinel reads your public DNS records — that's it.

60 seconds to add
02

We scan continuously

SPF, DKIM, DMARC, SSL certificates, MX records, MTA-STS, and Microsoft 365 configuration — checked every 6 hours from multiple locations. Results stored with full history.

Every 6 hours, automatically
03

Get alerted before problems become incidents

Email, Slack, webhook, or Microsoft Teams when anything changes or degrades. SSL expiry warnings at 30 days and 7 days. DMARC failures within the hour they happen.

Alert within minutes of detection
03 / What We Check

Every check.
No surprises.

Available
Coming soon
Email authentication
SPF record presence and syntax
SPF enforcement level (-all vs ~all)
Multiple SPF records detection
M365 include verification
Brevo / Mailersend include check
DKIM selector detection (M365)
DKIM selector detection (third-party)
DMARC policy strength (p=)
DMARC duplicate record detection
DMARC subdomain policy (sp=)
DMARC aggregate reporting (rua=)
DMARC coverage (pct=)
DNS integrity
MX record presence and resolution
MX pointing to correct provider
DNS record change detection
NS record monitoring
MTA-STS policy Soon
TLS-RPT record Soon
BIMI record Soon
SSL / TLS
Certificate validity
Expiry warnings (30 days / 7 days)
Certificate chain validation
TLS version check (1.2+ enforced)
Domain expiry monitoring
Microsoft 365
DKIM signing enabled for custom domain
Secure Score tracking
Conditional Access gap detection
MFA configuration check
Outbound sending limit monitoring
OAuth app consent audit Soon
04 / NIS2 Compliance

NIS2 compliance
isn't optional.
We make it less painful.

If your company falls under NIS2 — or supplies to companies that do — Article 21 requires demonstrable technical controls around email security, encryption, and asset management.

Sentinel maps every finding to the relevant NIS2 article and generates a report you can share with customers, auditors, or the ACN. No consultant required. No six-month implementation.

Note: Sentinel assesses technical controls only. Formal NIS2 compliance requires organisational measures and may require an accredited auditor. This report documents your technical posture — it does not constitute legal certification.

Download sample report →

Available on the Team plan — €79/month

NIS2 Article 21 — Coverage map
Art. 21(2)(h) Cryptography & encryption
Covered
DKIM signingSSL/TLS enforcementMTA-STS policy
Art. 21(2)(c) Business continuity
Covered
Domain expiryMX record healthSSL expiry monitoring
Art. 21(2)(i) Asset management
Covered
Domain inventoryCertificate trackingSubdomain monitoring
Art. 21(2)(j) Multi-factor authentication
Covered
M365 Conditional AccessMFA gap detectionSign-in policy check

Ready to monitor continuously?

Free for 3 domains. Checks run every 6 hours. No credit card required.

See all plans →
EU data residency · Frankfurt, Germany
06 / FAQ

Common questions.

Still have questions? hello@groundcontrol.land