Domain Governance Reflection Resource
Public-Signal Review Sheet
Use this sheet to record what can be observed from outside the organisation and what needs internal confirmation. A visible signal is evidence for a conversation, not proof of governance quality.
Public-signal observations
Separate the observation from interpretation. Preserve uncertainty where the signal does not tell the full story.
| Domain | Signal reviewed | Observation | Evidence source / date | What this may suggest | What this does not prove | Owner to confirm | Action required |
|---|---|---|---|---|---|---|---|
| Nameservers | Provider choice alone does not prove control quality. | ||||||
| MX records | MX does not prove all authorised sending sources. | ||||||
| SPF | SPF presence does not prove review or least privilege. | ||||||
| DKIM | Missing discovered selectors may reflect selector uncertainty. | ||||||
| DMARC | A policy value does not prove reporting is reviewed. | ||||||
| RDAP / registrar | Public registration data does not identify internal accountability. | ||||||
| DNSSEC | Presence or absence does not describe broader DNS governance. | ||||||
| Certificate transparency | Certificate issuance does not prove service ownership. | ||||||
| Other public dependency | A third-party signal needs internal supplier context. |
Interpretation boundary
Observations that need internal confirmation
Potential governance conversations
Signals not reviewed in this pass