Guides d'authentification des e-mails
Des guides pratiques et sans détour sur SPF, DKIM et DMARC. Corrigez ce qui ne fonctionne pas et gardez vos e-mails hors du spam.
Phishing vs Spoofing: What Is the Difference?
Spoofing is the technique of forging a sender identity; phishing is the fraud it enables. This guide explains the difference, how they overlap, and which defenses stop each.
What Is Email Spoofing and How It Works
Email spoofing forges the visible From address by exploiting how plain SMTP separates the envelope from the message header. Learn how the forgery works, whether it is illegal, and how SPF, DKIM, and DMARC at p=reject actually stop it.
What Is Email Authentication? A Complete Guide
A plain-language pillar guide to email authentication: why open SMTP has no built-in identity, and how SPF, DKIM, DMARC, and supporting signals like PTR, ARC, BIMI, and MTA-STS work together to prove a message really came from your domain.
DMARC for Parked and Non-Sending Domains: The Day-One p=reject Setup
A domain that never sends email is a favorite target for spoofing. This guide gives you the copy-paste lockdown record set for a parked or non-sending domain: v=spf1 -all, an empty DKIM key, a null MX, and a straight-to-p=reject DMARC record with no monitoring rollout. You will also get a CNAME pattern to manage dozens of parked domains from one central record, plus how to confirm the lockdown with a free checker.
How to Set Up TLS-RPT: SMTP TLS Reporting DNS Record Step by Step
TLS-RPT tells sending mail servers where to send daily reports when TLS negotiation to your domain fails. Add one TXT record at _smtp._tls.yourdomain.com with v=TLSRPTv1 and a rua endpoint, point it at a dedicated reporting mailbox or HTTPS collector, and you get visibility into encryption failures. This guide gives you the exact copy-paste record, the operational details most guides skip, and how TLS-RPT works alongside MTA-STS and DANE.
How to Set Up DANE and TLSA Records for Email (SMTP)
DANE lets you pin your mail server's TLS certificate in DNS so sending servers refuse to deliver over a downgraded or spoofed connection. This guide gives you the exact build order: confirm DNSSEC end to end, generate the hash from your STARTTLS certificate with OpenSSL, publish a TLSA record at _25._tcp.your-mx-host, and pick the right usage, selector, and matching type. Includes validation steps and the DNSSEC mistake that breaks most first attempts.
Do Subdomains Need Their Own SPF Record?
SPF does not climb from a subdomain to your root domain, so a subdomain with no record returns "none" and is trivially spoofable. This guide shows why SPF inheritance is a myth, how to write per-subdomain records, how to lock down subdomains that never send mail, and how the DMARC sp= tag fills the gap SPF leaves open.
How to Set Up MTA-STS: Step-by-Step Guide with Policy File and DNS Records
A copy-paste walkthrough of all three MTA-STS parts: the _mta-sts TXT record, the mta-sts.txt policy file served over HTTPS at the well-known path, and the mx, mode, and max_age directives. Includes dig and curl validation steps to confirm each piece resolves before you switch from testing to enforce mode, plus how MTA-STS relates to TLS-RPT, DANE, and DMARC.
MTA-STS vs DANE: Which Email Transport Security Standard Should You Use?
MTA-STS and DANE both force encrypted SMTP delivery, but they trust different things. MTA-STS uses HTTPS and the public CA system with a trust-on-first-use gap. DANE uses DNSSEC-signed TLSA records with no first-use window. Gmail and Outlook honor MTA-STS as senders but do not validate DANE when receiving, so publish MTA-STS for reach and add DANE where your DNS and receivers support it.
Email Blacklist Check: How to Tell If You're Listed and Get Delisted From Every Major DNSBL
A blacklist (DNSBL) is a live list of IPs or domains that mail servers query to decide whether to reject or spam-folder your email. This guide shows how to check if your domain or sending IP is listed, which blocklists actually affect delivery (Spamhaus, Barracuda, SpamCop, Microsoft) versus vanity lists you can ignore, and the root-cause checklist that makes delisting stick.
Business Email Compromise (BEC): The Email Authentication Checklist That Actually Reduces Risk
Business email compromise is not one attack, it is three: exact-domain spoofing, cousin-domain spoofing, and a genuinely compromised account. DMARC at reject only stops the first. This checklist maps each control to the attack it actually blocks, then ranks them so you fix the highest-leverage gaps first, starting with a free authentication check of your own domain.
SPF +all Is the Most Dangerous Setting in Email: Here's Why
An SPF record ending in +all tells every receiving server that any IP on the internet is allowed to send mail as your domain. It is the one SPF setting that actively helps attackers spoof you. This guide shows the real phishing and reputation fallout, clears up the -all vs ~all vs ?all confusion, and gives you a safe migration path from softfail to hardfail you can confirm with a free lookup.