Field notes on email security.
What's changing in DMARC and deliverability, how operators are responding, and how to read your reports — written for the people who actually run email.
- 01dmarc5 min read
How to Set Up SPF, DKIM & DMARC for Microsoft 365
The exact SPF record, the two DKIM CNAMEs, and the DMARC record Microsoft 365 needs — plus the Defender-portal step that actually turns DKIM signing on for your domain. A no-consultant setup.
- 02security6 min read
Anatomy of a Domain Spoofing Attack — and What It Looks Like in Your DMARC Reports
A spoofed email isn't magic — it's a forged From: header. Here's how a domain-spoofing attack is staged, what the target sees, and exactly how it shows up in your DMARC aggregate reports so you can spot it.
- 03dmarc6 min read
How to Set Up SPF, DKIM & DMARC for Google Workspace (2026 Guide)
The exact SPF, DKIM, and DMARC records Google Workspace needs — in the right order, with the gotchas that quietly break authentication. A no-consultant setup you can finish in an afternoon.
- 04dmarc6 min read
Subdomain DMARC: Why the sp= Tag Matters More Than You Think
Does p=reject cover your subdomains? Usually yes — but one tag can silently undo it. How subdomain policy inheritance really works, and how to lock down the dormant subdomains attackers love.
- 05deliverability5 min read
Microsoft 365 Sender Requirements Are Now Enforced — Are You Compliant?
Microsoft now requires SPF, DKIM, and an aligned DMARC record to deliver bulk mail to Outlook.com and Hotmail. Who's affected, how it compares to the Google and Yahoo rules, and a checklist to confirm you pass.
- 06dmarc4 min read
Reading DMARC aggregate reports: what the XML is actually telling you
Aggregate reports are how you find out who is sending as your domain — legitimate or not. Here's how to read the XML, what each field means, and how to spot spoofing.
- 07dmarc6 min read
The DMARC rollout playbook: none to reject without breaking mail
Moving from p=none to p=reject is where most DMARC projects stall — usually from fear of blocking legitimate mail. Here's a staged, evidence-driven path to full enforcement.
- 08deliverability4 min read
Yahoo & Google Sender Requirements 2026: SPF, DKIM, DMARC
The 2026 Yahoo & Google bulk-sender rules — SPF, DKIM, DMARC alignment, one-click unsubscribe, and the 0.3% spam-rate limit — in one checklist to confirm you comply.