Compare Baseline: a beginner's guide
Evaluate current scan against a declarative policy baseline
Baseline comparison: the before-and-after check every change needs
A baseline comparison is the practice of defining what a "good" configuration looks like in the abstract — a policy document, a declarative YAML file, a compliance framework — and then checking whether the current live configuration actually matches the baseline. It's the inverse of drift analysis: drift asks "what changed since yesterday?" while baseline comparison asks "what's different from what we said it should be?" The distinction matters because drift catches surprising changes from the recent past, while baseline comparison catches long-standing gaps that have been present since day one and never got remediated. Formal configuration management frameworks like NIST SP 800-128 codify this as a core control.
You should care because without a baseline, "the configuration looks okay" is just opinion. A SOC 2 auditor asking "does every domain you operate have DMARC at enforcement?" expects a yes-or-no answer with evidence — not "I just looked and the five domains I happened to check all had DMARC enforced." Baseline comparison automates that audit: declare the policy once, check it against every domain every day, produce the passing/failing list with timestamps. Done well, it converts compliance from a manual annual scramble into a continuous signal.
The four things every baseline comparison looks at:
Required values. "DMARC policy MUST be `quarantine` or `reject`." "TLS version MUST be 1.2 or higher." "DNSSEC MUST be enabled." Hard requirements with clear pass/fail semantics.
Forbidden values. "SPF MUST NOT end in `+all`." "HSTS max-age MUST NOT be zero." "No TLS 1.0 or 1.1 cipher suites."
Conditional requirements. Policies that depend on other state — e.g., BIMI is only required if DMARC is at enforcement AND the domain is used for marketing email.
Exceptions and their expiry. Every baseline eventually grows exceptions. Tracking each exception with a justification and expiry date is the difference between a living baseline and an aspirational document.
Three questions a baseline comparison answers:
Does this domain meet our declared security and compliance baseline right now?
Which specific requirements are failing, and which of those failures are known exceptions versus surprising gaps?
Across my whole portfolio, what percentage of domains pass the baseline — and is that percentage going up or down over time?
The cost of not having a baseline comparison is treating compliance as an opinion rather than a measurement. The fix is a declarative policy file, a daily comparison workflow, and a dashboard that shows pass/fail trends. The same pattern underlies modern infrastructure-as-code (Terraform drift detection, Pulumi policy-as-code) and modern compliance tooling (OpenSCAP, Chef InSpec). Applied to DNS and email-security configuration, it produces the same "is the declared state the actual state?" answer on a schedule.
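The four rule kinds listed above (required values, forbidden values, conditional requirements, and exceptions with an expiry date) can be expressed in a small evaluator. This is an added example, not EdgeDNS code or its baseline schema; the rule ids, scan keys, sample domain and dates are constructed for illustration.

```python
from datetime import date

# Constructed baseline: rule ids and scan keys are hypothetical, not a vendor schema.
IN_FORCE = {"quarantine", "reject"}
BASELINE = [
    {"id": "dmarc-enforced", "kind": "required", "key": "dmarc_policy",
     "allowed": IN_FORCE},
    {"id": "spf-no-plus-all", "kind": "forbidden", "key": "spf_all",
     "denied": {"+all"}},
    {"id": "hsts-nonzero", "kind": "forbidden", "key": "hsts_max_age",
     "denied": {0}},
    # Conditional: BIMI only applies to enforced-DMARC marketing domains.
    {"id": "bimi-present", "kind": "required", "key": "bimi", "allowed": {True},
     "when": lambda s: s.get("dmarc_policy") in IN_FORCE and s.get("marketing")},
]
# Each exception carries a justification and an expiry date.
EXCEPTIONS = [{"domain": "legacy.example", "rule": "dmarc-enforced",
               "reason": "vendor migration", "expires": date(2025, 6, 30)}]
# Constructed scan result for one domain.
SCAN = {"dmarc_policy": "none", "spf_all": "~all", "hsts_max_age": 31536000,
        "marketing": True}

def excepted(domain, rule_id, today):
    """True only while a matching exception has not yet expired."""
    return any(e["domain"] == domain and e["rule"] == rule_id
               and today <= e["expires"] for e in EXCEPTIONS)

def evaluate(domain, scan, today):
    """Return one verdict per rule: pass, fail, excepted or skipped."""
    verdicts = []
    for rule in BASELINE:
        if "when" in rule and not rule["when"](scan):
            verdicts.append({"rule": rule["id"], "status": "skipped"})
            continue
        actual = scan.get(rule["key"])  # a missing value is None and fails
        if rule["kind"] == "required":
            ok = actual in rule["allowed"]
        else:
            ok = actual is not None and actual not in rule["denied"]
        status = "pass" if ok else "fail"
        if not ok and excepted(domain, rule["id"], today):
            status = "excepted"
        verdicts.append({"rule": rule["id"], "actual": actual, "status": status})
    return verdicts

def compliant(verdicts):
    """Only unexcepted failures make a domain non-compliant."""
    return all(v["status"] != "fail" for v in verdicts)
```

Once the exception's expiry date passes, the same scan flips from excepted to fail with no change to the domain, which is what keeps exceptions from becoming permanent.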
The Compare Baseline endpoint, in plain language
In one sentence: Evaluate current scan against a declarative policy baseline
Compares a domain's current posture against a declarative policy baseline and returns per-rule pass/fail. Baselines cover DMARC (Domain-based Message Authentication, Reporting and Conformance) policy minimums, SPF (Sender Policy Framework) strictness, required DKIM (DomainKeys Identified Mail) presence, DNSSEC (Domain Name System Security Extensions) signing, MTA-STS (Mail Transfer Agent Strict Transport Security) enforcement, minimum email and security scores, and severity-count thresholds.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Accepts a domain plus a baseline object (POST body) describing required minimums. Runs the relevant checks (SPF (Sender Policy Framework), DMARC (Domain-based Message Authentication, Reporting and Conformance), DKIM (DomainKeys Identified Mail), MTA-STS (Mail Transfer Agent Strict Transport Security), DNSSEC (Domain Name System Security Extensions)). For each baseline rule, evaluates pass/fail and records expected vs. actual. Returns the rule-level verdict list, overall compliance (pass or fail), and a summary line suitable for gating automated deployment workflows.
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Compare Baseline tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
Lets security teams encode their standards as a reusable baseline, then apply it uniformly to every domain. A baseline file becomes the definition of compliant.
Picture this in real life. Imagine a platform team that has to run baseline checks against every managed domain nightly and fail the pipeline on any regression. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Compare Baseline tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Compare Baseline tool is built for you:
Can I get the entire story about a domain in a single report instead of running ten checks?
What is the single document I would share with my team, my client, or my board?
Where should I focus my next hour of work to make the biggest difference?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Account executives prepping a sales call, agencies producing a monthly client deliverable, investors doing diligence, and founders building a board deck. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you have to assemble the same snapshot by hand every time you need it — which means you stop bothering. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the enterprise plan. The technical details: `POST /v1/reports/compare-baseline`.
When would I actually use this?
If you're still on the fence about whether the Compare Baseline tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a platform team and an IT integration lead — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: Compliance Gating in CI/CD
Imagine you're on a platform team. You run baseline checks against every managed domain nightly and fail the pipeline on any regression.
Why it matters: Continuous assurance that every domain meets organizational email-auth standards.
Story 2: M&A Integration Gate
Imagine you're an IT integration lead. You evaluate acquired-company domains against the acquirer's baseline and scope the uplift work.
Why it matters: Quantified integration debt before close.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Compare Baseline tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
Right before a sales call, to walk in already knowing the prospect.
For a monthly client status update or executive summary.
During M&A or investor diligence on a target domain.
When you want to share "everything we know about this domain" in a single link.
If you can see yourself in even one of those bullets, the Compare Baseline tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Compare Baseline tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the Compare Baseline tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard.
# The endpoint is POST; baseline rules are passed in the JSON POST body.
curl -X POST -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/reports/compare-baseline?domain=example.com"
```
What you need to provide
There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| domain | string | Yes | The domain to evaluate. Baseline rules are passed in the JSON (JavaScript Object Notation) POST body. | example.com |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
| domain | string | The evaluated domain |
| compliant | boolean | Whether all baseline rules pass |
| rules | array | Per-rule verdict: rule, expected, actual, status (pass/fail) |
| summary | string | One-line pass/fail summary |
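For the nightly gating use case, a pipeline step can compare tonight's responses with the previous run and fail only on newly failing rules, while also reporting the portfolio pass rate. This is an added example, not EdgeDNS code: it relies only on the response fields in the table above, and the sample responses, rule names, expected values and summary wording are constructed.

```python
# Constructed responses using the documented fields (domain, compliant, rules,
# summary). Rule names, expected values and the summary wording are hypothetical.
def _resp(domain, rules):
    items = [{"rule": r, "expected": e, "actual": a,
              "status": "pass" if e == a else "fail"} for r, e, a in rules]
    passed = sum(i["status"] == "pass" for i in items)
    return {"domain": domain, "compliant": passed == len(items), "rules": items,
            "summary": f"{passed}/{len(items)} rules pass"}

LAST_NIGHT = [
    _resp("example.com", [("dmarc_policy", "reject", "reject"),
                          ("dnssec", "enabled", "enabled")]),
    _resp("example.org", [("mta_sts", "enforce", "testing")]),
]
TONIGHT = [
    _resp("example.com", [("dmarc_policy", "reject", "none"),
                          ("dnssec", "enabled", "enabled")]),
    _resp("example.org", [("mta_sts", "enforce", "testing")]),
]

def failing(results):
    """Map each domain to the set of rules whose status is not 'pass'."""
    return {r["domain"]: {x["rule"] for x in r["rules"] if x["status"] != "pass"}
            for r in results}

def regressions(previous, current):
    """Rules failing now that were not failing in the previous run.
    A domain with no previous result counts every failure as new."""
    before = failing(previous)
    found = {}
    for domain, rules in failing(current).items():
        new = sorted(rules - before.get(domain, set()))
        if new:
            found[domain] = new
    return found

def pass_rate(results):
    """Share of domains whose response reports compliant == true."""
    return sum(r["compliant"] is True for r in results) / len(results)

def gate(previous, current):
    """Pipeline exit code: 1 on any regression, otherwise 0."""
    return 1 if regressions(previous, current) else 0

if __name__ == "__main__":
    raise SystemExit(gate(LAST_NIGHT, TONIGHT))
```

A long-standing failure such as the `mta_sts` rule on `example.org` does not trip this gate, so it still needs tracking through the pass rate or an explicit exception.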
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
SPF (Sender Policy Framework) — A list, published in your DNS, of which servers are allowed to send email pretending to be you. Helps stop spammers from forging your address.
DKIM (DomainKeys Identified Mail) — A digital signature added to every email you send. The receiving mail server checks the signature to make sure the message really came from you and was not changed in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance) — An email rulebook you publish in your DNS. It tells receiving servers what to do with email that fails SPF or DKIM checks — ignore it, send it to spam, or block it entirely.
MTA-STS (Mail Transfer Agent Strict Transport Security) — A way to tell other mail servers "always use encryption when sending email to me, and refuse to fall back to unencrypted delivery."
DNSSEC (Domain Name System Security Extensions) — A way to digitally sign DNS records so attackers can't trick your computer into looking up the wrong server.