Email authentication guides
Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.
Business Email Compromise (BEC): The Email Authentication Checklist That Actually Reduces Risk
Business email compromise is not one attack, it is three: exact-domain spoofing, cousin-domain spoofing, and a genuinely compromised account. DMARC at reject only stops the first. This checklist maps each control to the attack it actually blocks, then ranks them so you fix the highest-leverage gaps first, starting with a free authentication check of your own domain.
How to Read a DMARC Aggregate (RUA) Report: The XML Decoded Field by Field
A DMARC aggregate report is a daily XML file listing every IP that sent mail as your domain and whether each passed DMARC. This guide walks a real annotated sample field by field: report_metadata, policy_published, and record rows, including the difference between raw and aligned results. Then it gives three triage patterns so you can tell legitimate-but-failing senders from spoofing and know the exact action for each, no paid dashboard required.
Does DMARC Stop Phishing? What It Blocks and What It Doesn't
DMARC at p=reject stops attackers who forge your exact domain, including most CEO-fraud that spoofs your address. It does nothing about lookalike domains, display-name tricks, or a hijacked mailbox that logs in legitimately. This guide gives an honest yes/no matrix, pairs every gap with the control that actually closes it, and shows where DMARC fits in a layered defense so you stop treating it as a silver bullet.
How to Read the Authentication-Results Header: Decode SPF, DKIM and DMARC
The Authentication-Results header is your receiving mail server's verdict on whether SPF, DKIM and DMARC passed. This guide annotates real headers from Gmail, Outlook and Yahoo field by field, gives a lookup table for every result value from pass to permerror, explains smtp.mailfrom, header.i and dis=, and ends with an if-X-failed-fix-Y decision tree so you can turn a confusing string into a fix.
How to Stop Someone From Spoofing Your Email Domain
A step-by-step playbook to stop attackers from sending email as your domain: audit every legitimate sending source, get SPF and DKIM passing and aligned, then move DMARC to a reject policy. Includes what this stops, what it does not (lookalike domains and display-name spoofing), and a free lookup to check your current status.
How to Set Up BIMI and Get a VMC So Your Logo Shows in Gmail
BIMI puts your brand logo next to your emails in Gmail, Apple Mail and Yahoo, but only after DMARC is at enforcement and, for Gmail, only with a verified mark certificate. This guide covers the full pipeline: the DMARC prerequisite, prepping an SVG Tiny P/S logo, choosing a VMC versus the cheaper CMC, publishing the v/l/a record, and a troubleshooting checklist for when the logo still will not show.
SPF, DKIM and DMARC Explained
The three records that decide whether your email is trusted or spoofed. What each one does, how they work together, and how to check yours.
How to Set Up DMARC
DMARC turns SPF and DKIM into a real defense and shows you who sends as your domain. Here is how to set it up from scratch and advance it safely.
How to Fix a Missing DMARC Record
No DMARC record found means your domain has no spoofing policy and no visibility. Here is why it happens and the exact record to publish.
DMARC Policy: Moving from p=none to Reject Safely
p=reject is the only DMARC policy that stops spoofing. Here is how to get there in stages without blocking your own legitimate mail.
How to Fix DKIM Alignment Failures
DKIM can pass while DMARC still fails. The reason is alignment. Here is what alignment means and how to make your signature match your From domain.
Google and Yahoo Sender Requirements
Since 2024, Google and Yahoo require senders to authenticate their mail. Here is what the rules actually ask for and how to comply.