I was testing our sender identification system and checked a mid-size ecommerce domain
47 distinct senders in their DMARC reports, only 12 were authorized
the rest? old trial ESPs, a former agency's Mailchimp account, two Chinese IPs spoofing their domain, and a dozen services they'd forgotten they'd onboarded
most domains have no idea how many systems send as them
check your DANE/TLSA records in 10 seconds
most people don't even know if their mail server has DANE configured
our free DANE checker tells you instantly
TLSA record presence, certificate association, usage type, matching type
but a one-time check misses the real risk: certificate rotation that breaks your TLSA record
when your cert renews and the TLSA hash doesn't update, encrypted connections fail silently
Microsoft's enforcement just changed the game
since May 2025, Microsoft requires DMARC, SPF, and DKIM for bulk senders hitting outlook.com
Google and Yahoo started in Feb 2024
that's the three largest consumer mailbox providers now aligned on authentication requirements
if your domain sends any email — newsletters, transactional, marketing — and you're still at p=none, you're not just risking spam folder placement
why I monitor 9 protocols, not 5
most DMARC platforms stop at SPF, DKIM, DMARC, BIMI, and MTA-STS
but DANE/TLSA, ARC chain validation, TLS-RPT, and hosted SPF management aren't extras
they're what separates "we have DMARC" from "our email authentication is actually complete."
NIS2 explicitly references transport-layer encryption verification
if your monitoring tool can't check DANE, you have a compliance blind spot
industry DMARC enforcement rates from 5.5M domains.
- financial services: 31.2% enforcement
- healthcare: 8.4%
- education: 6.1%
- government: 22.7%
the gap between finance and healthcare is staggering
and it maps almost perfectly to regulatory pressure
where auditors demand DMARC, adoption follows
where they don't, domains sit at p=none indefinitely
regulation drives adoption more than breaches do
your DKIM keys might be stuck in 2015
our free DKIM checker tells you the key length and algorithm in one lookup
but here's the thing: a passing check today doesn't mean you're safe tomorrow
keys should rotate every 6-12 months, and anything under 2048-bit RSA is living on borrowed time
DMARCguard monitoring tracks rotation gaps, flags weak keys, and alerts you when a selector goes stale
SPF permerror: the silent policy killer
RFC 7208 Section 2.6.7 is unforgiving
exceed 10 DNS lookups and your SPF result flips to permerror
which most receivers treat as a fail
the insidious part: you can be at exactly 10 lookups today, then a vendor adds a nested include and you're at 12 tomorrow
no notification, no warning
you either use sub-domain for sending emails, or you flatten them
🚨 NEWS: Phishing Avanzato: Spear Phishing, Whaling e Business Email Compromise — Guida Operativa
Ecco i punti chiave in breve:
💡 Ti arriva una mail dal tuo CFO. Urgente. Chiede un bonifico immediato per un fornitore che non ricordi. L'indirizzo è quello giusto, il nome è quello giusto, il tono è quello giusto. Lo fai. Poi...
PCI DSS 4.0.1 is 2 years old. are you compliant?
march 2025 came and went
PCI DSS 4.0.1 requirement 5.4.1 made anti-phishing controls mandatory
DMARC at p=reject is the clearest path to satisfy it
yet most merchants I check still sit at p=none
auditors are starting to flag this
the standard is enforceable now
if you process card payments, your DMARC policy is an audit line item
Meysam
Rad Web Hosting
Meteora Web