Email authentication guides
Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.
DMARC for Parked and Non-Sending Domains: The Day-One p=reject Setup
A domain that never sends email is a favorite target for spoofing. This guide gives you the copy-paste lockdown record set for a parked or non-sending domain: v=spf1 -all, an empty DKIM key, a null MX, and a straight-to-p=reject DMARC record with no monitoring rollout. You will also get a CNAME pattern to manage dozens of parked domains from one central record, plus how to confirm the lockdown with a free checker.
How to Set Up TLS-RPT: SMTP TLS Reporting DNS Record Step by Step
TLS-RPT tells sending mail servers where to send daily reports when TLS negotiation to your domain fails. Add one TXT record at _smtp._tls.yourdomain.com with v=TLSRPTv1 and a rua endpoint, point it at a dedicated reporting mailbox or HTTPS collector, and you get visibility into encryption failures. This guide gives you the exact copy-paste record, the operational details most guides skip, and how TLS-RPT works alongside MTA-STS and DANE.
How to Set Up DANE and TLSA Records for Email (SMTP)
DANE lets you pin your mail server's TLS certificate in DNS so sending servers refuse to deliver over a downgraded or spoofed connection. This guide gives you the exact build order: confirm DNSSEC end to end, generate the hash from your STARTTLS certificate with OpenSSL, publish a TLSA record at _25._tcp.your-mx-host, and pick the right usage, selector, and matching type. Includes validation steps and the DNSSEC mistake that breaks most first attempts.
Do Subdomains Need Their Own SPF Record?
SPF does not climb from a subdomain to your root domain, so a subdomain with no record returns "none" and is trivially spoofable. This guide shows why SPF inheritance is a myth, how to write per-subdomain records, how to lock down subdomains that never send mail, and how the DMARC sp= tag fills the gap SPF leaves open.
How to Set Up MTA-STS: Step-by-Step Guide with Policy File and DNS Records
A copy-paste walkthrough of all three MTA-STS parts: the _mta-sts TXT record, the mta-sts.txt policy file served over HTTPS at the well-known path, and the mx, mode, and max_age directives. Includes dig and curl validation steps to confirm each piece resolves before you switch from testing to enforce mode, plus how MTA-STS relates to TLS-RPT, DANE, and DMARC.
MTA-STS vs DANE: Which Email Transport Security Standard Should You Use?
MTA-STS and DANE both force encrypted SMTP delivery, but they trust different things. MTA-STS uses HTTPS and the public CA system with a trust-on-first-use gap. DANE uses DNSSEC-signed TLSA records with no first-use window. Gmail and Outlook honor MTA-STS as senders but do not validate DANE when receiving, so publish MTA-STS for reach and add DANE where your DNS and receivers support it.
Email Blacklist Check: How to Tell If You're Listed and Get Delisted From Every Major DNSBL
A blacklist (DNSBL) is a live list of IPs or domains that mail servers query to decide whether to reject or spam-folder your email. This guide shows how to check if your domain or sending IP is listed, which blocklists actually affect delivery (Spamhaus, Barracuda, SpamCop, Microsoft) versus vanity lists you can ignore, and the root-cause checklist that makes delisting stick.
Business Email Compromise (BEC): The Email Authentication Checklist That Actually Reduces Risk
Business email compromise is not one attack, it is three: exact-domain spoofing, cousin-domain spoofing, and a genuinely compromised account. DMARC at reject only stops the first. This checklist maps each control to the attack it actually blocks, then ranks them so you fix the highest-leverage gaps first, starting with a free authentication check of your own domain.
SPF +all Is the Most Dangerous Setting in Email: Here's Why
An SPF record ending in +all tells every receiving server that any IP on the internet is allowed to send mail as your domain. It is the one SPF setting that actively helps attackers spoof you. This guide shows the real phishing and reputation fallout, clears up the -all vs ~all vs ?all confusion, and gives you a safe migration path from softfail to hardfail you can confirm with a free lookup.
DKIM Key Rotation: How Often to Rotate Keys Without Breaking Mail
A practical DKIM key rotation guide: rotate every 6 months by default, every 3 months for 1024-bit keys, and monthly for high-value senders. Includes a zero-downtime dual-selector runbook, automated rotation with CNAME-hosted keys, and an emergency procedure for a suspected key compromise, all without bouncing legitimate mail.
Does DMARC Stop Phishing? What It Blocks and What It Doesn't
DMARC at p=reject stops attackers who forge your exact domain, including most CEO fraud that spoofs your address. It does nothing about lookalike domains, display-name tricks, or a hijacked mailbox that logs in legitimately. This guide gives an honest yes/no matrix, pairs every gap with the control that actually closes it, and shows where DMARC fits in a layered defense so you stop treating it as a silver bullet.
How to Stop Someone From Spoofing Your Email Domain
A step-by-step playbook to stop attackers from sending email as your domain: audit every legitimate sending source, get SPF and DKIM passing and aligned, then move DMARC to a reject policy. Includes what this stops, what it does not (lookalike domains and display-name spoofing), and a free lookup to check your current status.