Guides

Email authentication guides

Practical, no-nonsense guides to SPF, DKIM and DMARC. Fix what is broken and keep your mail out of spam.

security

MTA-STS vs DANE: Which Email Transport Security Standard Should You Use?

MTA-STS and DANE both force encrypted SMTP delivery, but they trust different things. MTA-STS uses HTTPS and the public CA system with a trust-on-first-use gap. DANE uses DNSSEC-signed TLSA records with no first-use window. Gmail and Outlook honor MTA-STS as senders but do not validate DANE when receiving, so publish MTA-STS for reach and add DANE where your DNS and receivers support it.

Mar 6, 20267 min read
deliverability

Email Warm-Up Schedule: How to Warm a New Domain or IP Without Landing in Spam

A copy-paste 4 to 6 week warm-up schedule for a new sending domain or IP, with the exact daily volumes, segment targeting, and engagement tactics that Gmail and Outlook reward. Verify SPF, DKIM and DMARC alignment first, then ramp slowly and read your progress in Postmaster Tools.

Mar 4, 20268 min read
deliverability

Email Blacklist Check: How to Tell If You're Listed and Get Delisted From Every Major DNSBL

A blacklist (DNSBL) is a live list of IPs or domains that mail servers query to decide whether to reject or spam-folder your email. This guide shows how to check if your domain or sending IP is listed, which blocklists actually affect delivery (Spamhaus, Barracuda, SpamCop, Microsoft) versus vanity lists you can ignore, and the root-cause checklist that makes delisting stick.

Mar 1, 20268 min read
security

Business Email Compromise (BEC): The Email Authentication Checklist That Actually Reduces Risk

Business email compromise is not one attack, it is three: exact-domain spoofing, cousin-domain spoofing, and a genuinely compromised account. DMARC at reject only stops the first. This checklist maps each control to the attack it actually blocks, then ranks them so you fix the highest-leverage gaps first, starting with a free authentication check of your own domain.

Feb 27, 20268 min read
spf

Why Email Forwarding Breaks SPF (and How SRS and ARC Fix It)

Email forwarding breaks SPF because the forwarding server sends from an IP that was never listed in the original domain's SPF record, so the check fails by design under RFC 7208. This guide explains envelope sender versus header From, why aliases and mailing lists fail, and how SRS repairs SPF while DKIM and ARC restore DMARC alignment.

Feb 25, 20266 min read
security

SPF +all Is the Most Dangerous Setting in Email: Here's Why

An SPF record ending in +all tells every receiving server that any IP on the internet is allowed to send mail as your domain. It is the one SPF setting that actively helps attackers spoof you. This guide shows the real phishing and reputation fallout, clears up the -all vs ~all vs ?all confusion, and gives you a safe migration path from softfail to hardfail you can confirm with a free lookup.

Feb 22, 20266 min read
dkim

DKIM Key Rotation: How Often to Rotate Keys Without Breaking Mail

A practical DKIM key rotation guide: rotate every 6 months by default, every 3 months for 1024-bit keys, and monthly for high-value senders. Includes a zero-downtime dual-selector runbook, automated rotation with CNAME-hosted keys, and an emergency procedure for a suspected key compromise, all without bouncing legitimate mail.

Feb 20, 20267 min read
dkim

Multiple DKIM Selectors on One Domain: Signing for Google, SendGrid, Mailchimp and More

DKIM is designed for many keys on one domain. Each sending service publishes its own public key under a unique selector, so Google, SendGrid, Mailchimp and every other stream can sign mail independently. This guide maps the common selector conventions per provider, explains the one rule you cannot break, and shows how to verify every stream.

Feb 18, 20267 min read
dkim

DKIM Fails but SPF Passes: Why It Happens and How to Fix the Signature

When DKIM fails but SPF passes, the sending IP was authorized but the signature broke. This guide diagnoses the signature-level causes: body hash mismatch from list footers and forwarding, altered headers, missing selectors, truncated keys, and l= body-length quirks. Includes a symptom-to-cause table, a step-by-step verification loop, and how signature failures differ from DMARC alignment failures so you fix the right thing.

Feb 15, 20268 min read
dmarc

How to Read a DMARC Aggregate (RUA) Report: The XML Decoded Field by Field

A DMARC aggregate report is a daily XML file listing every IP that sent mail as your domain and whether each passed DMARC. This guide walks a real annotated sample field by field: report_metadata, policy_published, and record rows, including the difference between raw and aligned results. Then it gives three triage patterns so you can tell legitimate-but-failing senders from spoofing and know the exact action for each, no paid dashboard required.

Feb 13, 20266 min read
dmarc

Does DMARC Stop Phishing? What It Blocks and What It Doesn't

DMARC at p=reject stops attackers who forge your exact domain, including most CEO-fraud that spoofs your address. It does nothing about lookalike domains, display-name tricks, or a hijacked mailbox that logs in legitimately. This guide gives an honest yes/no matrix, pairs every gap with the control that actually closes it, and shows where DMARC fits in a layered defense so you stop treating it as a silver bullet.

Feb 11, 20267 min read
deliverability

How to Read the Authentication-Results Header: Decode SPF, DKIM and DMARC

The Authentication-Results header is your receiving mail server's verdict on whether SPF, DKIM and DMARC passed. This guide annotates real headers from Gmail, Outlook and Yahoo field by field, gives a lookup table for every result value from pass to permerror, explains smtp.mailfrom, header.i and dis=, and ends with an if-X-failed-fix-Y decision tree so you can turn a confusing string into a fix.

Feb 8, 20267 min read
PreviousPage 6 of 8Next