Authentication
Email authentication
SPF, DKIM, DMARC, BIMI, ARC and the DNS records that prove your mail is yours.
DMARC rollout: from p=none to p=reject without breaking mail
The exact six-week schedule for moving from monitoring-only DMARC to full enforcement, with the report-reading checkpoints that keep you safe.
Read pillar- ·1 min read
DMARC aggregate reports: finding unknown senders
How to use DMARC aggregate reports to find forgotten SaaS tools, misaligned ESPs, and suspicious sources before moving to enforcement.
Read - ·4 min read
DKIM key rotation: a safe, zero-downtime playbook
Why rotating DKIM keys matters, when to do it, and the exact two-selector cutover that keeps signatures valid through the change.
Read - ·5 min read
SPF record syntax: a complete cheat sheet (with examples)
Every SPF mechanism, qualifier, and modifier — what they mean, when to use them, and the four mistakes that break 90% of records.
Read - ·3 min read
Understanding SPF, DKIM & DMARC
The three records every sender needs — what they do, how they interact, and how to set them up without breaking your existing mail flow.
Read - ·4 min read
BIMI explained: putting your logo in the inbox
What BIMI does, what it costs (a VMC), and the four DNS records and SVG constraints you need to ship it.
Read - ·3 min read
MTA-STS and TLS-RPT: enforcing TLS for inbound mail
How to require TLS for messages sent to your domain, and how to get reports when receivers can't honor your policy.
Read - ·2 min read
DMARC alignment, explained without the jargon
Why DMARC can pass when SPF fails, why strict alignment exists, and how to read alignment errors in your aggregate reports.
Read - ·3 min read
ARC: how forwarded mail still passes DMARC
What Authenticated Received Chain does, who actually uses it, and why mailing lists and forwarders are the only place it matters.
Read - ·4 min read
DNSSEC for email: when it matters and when it doesn't
What DNSSEC actually protects in your mail flow, the receivers that care, and the ops cost of keeping it healthy.
Read - ·2 min read
DMARC p=quarantine vs p=reject: when to graduate
p=none monitors. p=quarantine warns. p=reject blocks. The decision tree for moving between them and the metrics that tell you it is safe.
Read - ·2 min read
MX records: priority, fallbacks, and the mistakes that lose mail
MX records tell the world where to send mail addressed to your domain. Misconfigured priorities, missing TTLs, and CNAME traps cause silent loss every day.
Read