| meysam.io | https://meysam.io |
| dmarcguard.io | https://dmarcguard.io |
| X | https://x.com/@meysamazing |
| GitHub | https://github.com/meysam81 |
BIMI: your logo in the inbox, verified
DMARCguard BIMI checker validates your BIMI record, SVG format, and VMC certificate chain
getting your brand logo to appear next to your emails in Gmail and Apple Mail requires correct DMARC enforcement plus a verified mark certificate
the checker tells you where you stand
but BIMI records reference certificates that expire, and when they do, your logo disappears
MTA-STS enforce vs. testing: know before you switch
RFC 8461 defines two modes: testing and enforce
in testing mode, failures are reported via TLS-RPT but mail still delivers
in enforce mode, the sending server must abort if TLS negotiation fails
I always recommend at least 30 days in testing mode with TLS-RPT active before switching
the reports show you exactly who will break
no guessing required
CISA BOD 18-01 turns 9 this year. Federal DMARC is still incomplete.
CISA mandated DMARC for federal domains in 2017
nine years later, adoption in .gov is strong but enforcement is uneven
many agencies sit at p=quarantine, not p=reject
sub-domains are often unprotected entirely
and the mandate didn't cover DANE, MTA-STS, or TLS-RPT, protocols that didn't exist or weren't mature then
the directive needs an update
I was testing our sender identification system and checked a mid-size ecommerce domain
47 distinct senders in their DMARC reports, only 12 were authorized
the rest? old trial ESPs, a former agency's Mailchimp account, two Chinese IPs spoofing their domain, and a dozen services they'd forgotten they'd onboarded
most domains have no idea how many systems send as them
check your DANE/TLSA records in 10 seconds
most people don't even know if their mail server has DANE configured
our free DANE checker tells you instantly
TLSA record presence, certificate association, usage type, matching type
but a one-time check misses the real risk: certificate rotation that breaks your TLSA record
when your cert renews and the TLSA hash doesn't update, encrypted connections fail silently
Microsoft's enforcement just changed the game
since May 2025, Microsoft requires DMARC, SPF, and DKIM for bulk senders hitting outlook.com
Google and Yahoo started in Feb 2024
that's the three largest consumer mailbox providers now aligned on authentication requirements
if your domain sends any email — newsletters, transactional, marketing — and you're still at p=none, you're not just risking spam folder placement
why I monitor 9 protocols, not 5
most DMARC platforms stop at SPF, DKIM, DMARC, BIMI, and MTA-STS
but DANE/TLSA, ARC chain validation, TLS-RPT, and hosted SPF management aren't extras
they're what separates "we have DMARC" from "our email authentication is actually complete."
NIS2 explicitly references transport-layer encryption verification
if your monitoring tool can't check DANE, you have a compliance blind spot
industry DMARC enforcement rates from 5.5M domains.
- financial services: 31.2% enforcement
- healthcare: 8.4%
- education: 6.1%
- government: 22.7%
the gap between finance and healthcare is staggering
and it maps almost perfectly to regulatory pressure
where auditors demand DMARC, adoption follows
where they don't, domains sit at p=none indefinitely
regulation drives adoption more than breaches do
your DKIM keys might be stuck in 2015
our free DKIM checker tells you the key length and algorithm in one lookup
but here's the thing: a passing check today doesn't mean you're safe tomorrow
keys should rotate every 6-12 months, and anything under 2048-bit RSA is living on borrowed time
DMARCguard monitoring tracks rotation gaps, flags weak keys, and alerts you when a selector goes stale
