DNS

In this post, you will learn what BIMI is, how it works, and the benefits it brings to your domain, including increased trust and brand visibility. We live in a time where most first impressions happen online, and emails are usually the first touchpoint. The problem is, inboxes are crowded, and getting someone to notice your message isn’t easy. That’s exactly why BIMI (Brand Indicators for Message Identification) was created. It gives companies a simple way to show who they are and build trust the moment their email lands. ...

This blog post explains how an MTA-STS policy works and how to implement it on GitHub Pages. MTA-STS (Mail Transfer Agent Strict Transport Security) is a transport security mechanism (TLS enforcement) that protects SMTP delivery, it allows a sending (outbound) mail server to enforce the use of TLS by retrieving a secured HTTPS policy file published by the domain of the receiving (inbound) mail server. When MTA-STS is in enforce mode, the sending (outbound) mail server must validate that the receiving (inbound) mail server’s TLS certificate is valid, trusted, and matches the domain (the domain name in the TLS certificate must match the MX record of the domain). ...

In this post, you will learn how to enable and use SMTP DANE with DNSSEC in Exchange Online. While outbound SMTP DANE with DNSSEC in Exchange Online has been enabled since 2022, Microsoft is has rolling out inbound SMTP DANE with DNSSEC in Exchange Online since late 2024. For a deeper understanding of DNSSEC and DANE, take a look at my earlier blog post. How SMTP DANE with DNSSEC works SMTP DANE is a transport security mechanism (TLS enforcement) that protects SMTP delivery to a domain by using DNSSEC validated TLSA records. It enables a sending (outbound) mail server to verify the TLS certificate of a receiving (inbound) mail server using TLSA records published in the DNS on the MX host of the receiving domain. The sending (outbound) mail server validates the connection by comparing the TLS fingerprints obtained from the TLSA records with the fingerprints presented by the receiving (inbound) mail server. ...

This blog post explains the role and benefits of ARC sealing. ARC (Authenticated Received Chain) is an email authentication protocol that preserves the authentication results of an email as it travels through multiple intermediaries, such as forwarding services. This allows your recipients to accept the ARC Seal from your relaying or intermediate server. Using ARC helps organizations handle the complexities of email authentication, especially when emails are forwarded. ARC involves multiple servers working together based on mutual trust. In this blog post, we will explore the basics of ARC, how it works, and the benefits it provides. ...

In this post, you find out how DNSSEC and DANE cooperate, and learn how to set up DANE TLSA DNS records. DNSSEC (DNS Security Extensions) The domain name system (DNS) is often described as the phone book of the internet for translating friendly domain names into IP addresses. Unfortunately, it also accepts any address given to it. DNSSEC adds a security layer to this phonebook. It uses digital signatures to make sure the information in the phonebook can be trusted and has not been tampered with, to prevent DNS spoofing. ...

In this post, I will share my best practices for getting a handle on your SPF record. Why it makes sense to have a good SPF procedure in place In a previous blog post, I explained the limitations of SPF and how it works with DKIM and DMARC. It’s crucial to have a well-structured SPF procedure to avoid future problems, especially since exceeding the DNS lookup limit of 10 can cause issues, such as: ...

In this post you will learn to understand how the DNS protocols SPF, DKIM and DMARC work together to protect your domain from phishers and spammers. Why deploy SPF, DKIM, and DMARC? SPF, DKIM, and DMARC are essential authentication protocols for outbound email that help prevent spoofing in phishing attacks. When enabled together, these protocols strengthen your domain’s security and build trust with receiving mail servers by ensuring that email sent from your domain is legitimate and trustworthy. ...