Field notes.
Practical writing on email authentication. DMARC enforcement, SPF lookup limits, DKIM rotation, and the operational reality of p=reject.
MTA-STS and TLS-RPT: Closing the Transport Gap
DMARC authenticates senders. It does nothing for transport encryption. Here is how MTA-STS and TLS-RPT close the gap — and the misconfigurations that quietly break them.
SPF's 10-Lookup Limit: Why Your Auth Breaks Silently
RFC 7208 caps SPF at 10 DNS lookups. Nested includes blow past that invisibly — and when you exceed it, authentication just stops working, silently.
What DMARC Aggregate Reports Actually Tell You
RUA reports contain far more than a pass/fail count. Read them correctly and they tell you about forwarders, shadow IT, volume anomalies, and the health of every sender on your domain.
Forensic DMARC (RUF): The PII Trap Most Guides Miss
RUF reports contain real message headers and often real message bodies. Enable them without a redaction strategy and you have a GDPR problem you didn't know you were signing up for.
The Road to p=reject: A Practical Guide
Moving from monitoring to enforcement is the most critical step in email security. Here is how to do it without losing mail.
Why 1024-bit DKIM Keys are No Longer Enough
Computing power has made shorter keys vulnerable. It is time to move to 2048-bit RSA or Ed25519.
Understanding the Google and Yahoo Sender Requirements
Bulk senders now face mandatory DMARC requirements from the two largest mailbox providers. Here is what changed and what it means.
The Rise of BIMI: More Than Just a Logo
BIMI is the carrot for DMARC enforcement. It rewards authenticated senders with verified brand logos in the inbox.