Drift Detection
Drift Detection
Drift detection catches silent changes to your clients' email security records — weakening that doesn't trigger a new violation but represents a real regression.
How it works
After each scan, SenderFortify compares the current findings against a stored snapshot of the previous scan. For each finding that changed, a drift event is recorded with one of three classifications:
- WEAKENED — severity increased (e.g. MODERATE → HIGH)
- STRENGTHENED — severity decreased (e.g. HIGH → MODERATE)
- CHANGED — same severity, but the underlying record details changed
What triggers a drift event
Common examples that generate drift events:
- A DMARC policy changes from
p=quarantinetop=none - An SPF
pct=value is lowered - A previously absent
rua=tag is added (STRENGTHENED) - SPF lookup count changes without a severity change
- MTA-STS mode changes from
enforcetotesting
Viewing drift history
Drift events are visible in the domain detail view under the Drift tab. Each event shows the before and after state, the classification, and which scan run detected it.
Drift events do not fire alerts directly. Alerts fire when
violation severity changes — which is the most common consequence of drift.
The drift log is an audit trail for changes that may not have changed severity.