Domain.Posture

Blog

short posts on the tools this site ships and the plumbing behind them.

Email authentication & deliverability

How the top AI companies authenticate their email

· dmarc · spf · email · email-security · ai · research

Every AI lab we scanned publishes SPF, DMARC and DKIM, but most stop at p=quarantine rather than p=reject. What the 18-company study reveals about a young industry's security posture.

MX record priority: the lowest number gets the mail first

· mx · dns · email · priority · mail-routing

An MX record's priority is a preference number, and the lowest number wins — senders try it first and fall over to higher numbers only on failure. Equal numbers share the load. The value says nothing about server quality.

Do I need a backup MX record? Usually not anymore

· mx · dns · email · backup-mx · mail-routing

For most domains a backup MX record is no longer worth it. Sending servers already queue and retry for days, so a backup adds little and can cause backscatter or relay abuse if it is not configured identically to the primary.

Google Workspace MX records are set but email isn't arriving

· google-workspace · mx · dns · email · troubleshooting

When Google Workspace mail won't deliver despite MX records being in place, the cause is usually leftover MX from the old host, records on the wrong hostname, a typo or missing trailing dot, or SPF/DMARC rejection. Here is the checklist.

MTA-STS testing vs enforce: roll out in testing first, then enforce

· mta-sts · tls-rpt · email-security · smtp · deliverability

Use MTA-STS testing mode first: it reports TLS failures via TLS-RPT but still delivers mail. Switch to enforce only once reports are clean, because enforce makes senders refuse delivery on any MX or certificate mismatch.

How to read a TLS-RPT (SMTP TLS) report

· tls-rpt · smtp · tls · email-security · mta-sts

A TLS-RPT report is a JSON document telling you how many inbound SMTP sessions to your domain succeeded or failed over TLS, and why. Read the summary counts first, then the failure-details to see exactly what broke.

SPF ~all vs -all: use hardfail once you've listed every sender

· spf · dmarc · email · deliverability · dns

SPF -all (hardfail) tells receivers to reject mail from unlisted senders; ~all (softfail) flags it as suspicious but usually still accepts it. Move to -all once you've enumerated every legitimate sender — ideally with DMARC already in place.

DMARC fails but SPF and DKIM pass: it is almost always alignment

· dmarc · alignment · spf · dkim · deliverability

When SPF and DKIM both pass yet DMARC still fails, the problem is not authentication — it is alignment. Here is why, and how to fix the return-path and DKIM signing domain so they match your From: header.

DMARC p=none vs quarantine vs reject: which policy you actually want

· dmarc · email · spoofing · deliverability · policy

p=none is monitoring only and stops zero spoofing; p=quarantine sends failing mail to spam; p=reject bounces it at the SMTP edge. Only reject actually protects your domain — here is the safe path to get there.

How to read a DMARC aggregate (rua) report

· dmarc · rua · email · deliverability · reporting

A DMARC aggregate report is an XML summary of who sent mail as your domain and whether it passed. Here is how to read every section and what to fix.

You set DMARC p=reject and you are still getting spoofed: why

· dmarc · spoofing · phishing · email · deliverability

DMARC reject only stops mail that forges your exact From domain at receivers that actually check it. Lookalike domains, display-name spoofing, and inbound phishing all sail right past it.

DKIM 'body hash did not verify': what causes it and how to fix it

· dkim · email · deliverability · authentication · canonicalization

A DKIM body-hash failure means the message body changed between signing and verification. The usual culprits are list footers, disclaimer appenders, and strict canonicalization — here is how to find and fix yours.

Do you need MTA-STS and TLS-RPT?

· mta-sts · tls-rpt · email · smtp · tls

MTA-STS and TLS-RPT secure the TLS connection between mail servers. What they do, how they differ from SPF/DKIM/DMARC, and when they are worth the effort.

Should you enable DNSSEC? The benefits and the real risks

· dnssec · dns · security · registrar · spoofing

DNSSEC cryptographically signs your DNS answers so resolvers can detect tampering — but a botched rollover takes your domain offline. When to enable it and when to be careful.

No MX record found: why inbound email bounces

· mx · dns · email · deliverability · bounces

No MX record found means receiving servers cannot locate where to deliver mail for your domain, so inbound email bounces. The common causes, the fixes, and how to verify in one dig.

Can your domain be spoofed? How to test it

· spoofing · dmarc · spf · dkim · email

A domain is spoofable when it lacks an enforced SPF and DMARC posture. How to test for the three records that stop it, and why p=none does not.

DNS

WHOIS shows 'redacted for privacy': how to find the domain owner

· whois · rdap · gdpr · domain-ownership · privacy

Since GDPR took effect in 2018, registrars redact registrant personal data by default. Here is what WHOIS still shows, and the legitimate ways to reach the owner — registrar abuse contacts, RDAP, the site itself, and legal disclosure.

Your domain expired but the site still resolves: here is why

· whois · dns · ttl · domain-expiry · redemption

An expired domain can keep resolving for days because DNS records stay cached at TTL and the registry lifecycle has grace periods before deletion. The site only goes dark once the registrar applies clientHold or the domain drops.

SERVFAIL after enabling DNSSEC: DS mismatch and expired signatures

· dnssec · dns · servfail · ds-record · troubleshooting

A SERVFAIL only from validating resolvers after enabling DNSSEC means the validation chain is broken. The usual culprit is a DS record at your registrar that no longer matches your zone's DNSKEY, or expired RRSIG signatures. How to diagnose and fix it.

CAA records: what they do and whether you need one

· caa · dns · certificates · tls · security

A CAA record names which certificate authorities are allowed to issue certificates for your domain. The format, why it limits mis-issuance, and whether you should publish one.

Dangling CNAMEs and subdomain takeover: how to find them

· subdomain-takeover · dns · cname · attack-surface · security

A dangling CNAME points your subdomain at a third-party service you no longer control. How takeover works, how to fingerprint vulnerable records, and how to fix and prevent it.

DNS over HTTPS: a Cloudflare JSON API primer

· dns · doh · cloudflare · privacy

Classic DNS is plaintext anyone can read or forge. DoH encrypts it over HTTPS — here's how Cloudflare's JSON endpoint works for browser-side tools.

TLS & certificates

Wildcard vs SAN certificate: which one you actually need

· tls · ssl · certificates · wildcard · san

A wildcard cert covers one level of subdomains under a single key; a SAN cert lists explicit names (including unrelated domains). Use a wildcard for many same-level subdomains, a SAN for a fixed set of distinct hostnames — or combine both.

Self-signed certificate browser warning: how to fix it properly

· tls · ssl · certificates · self-signed · acme

Browsers warn on a self-signed certificate because it chains to no trusted CA (ERR_CERT_AUTHORITY_INVALID). For anything public, install a free CA-issued cert via ACME; for internal-only, add your root to the device trust store — never train users to click through.

A TLS handshake failure is a negotiation breakdown, not a single error

· tls · ssl · handshake · openssl · certificates

A TLS handshake fails when client and server cannot agree on a protocol version, cipher, or curve, or when the server's certificate is rejected. Here are the real causes and how to diagnose each one with openssl s_client.

Why your HTTP to HTTPS redirect isn't working

· redirects · https · hsts · tls · http

An HTTP to HTTPS redirect usually fails for a handful of reasons: it only covers the apex or only www, there's no listener on port 80, a CDN in Flexible SSL mode causes a loop, HSTS isn't set yet, or a cached old response. Here's how to diagnose each.

Should you enable HSTS? max-age, includeSubDomains, and preload

· hsts · https · security-headers · tls · web-security

HSTS forces browsers to use HTTPS for your domain, killing downgrade attacks. How to roll it out safely with max-age, includeSubDomains, and preload — without locking yourself out.

Security headers every site should have in 2026

· security · http · headers · csp · hsts

The HTTP response headers that protect modern web apps — HSTS, CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy — with a safe value for each.

HTTP & headers

Credentialed CORS requests forbid a wildcard origin — you must echo the exact origin

· cors · credentials · access-control-allow-origin · cookies · headers

When a cross-origin request sends cookies or credentials, the CORS spec forbids Access-Control-Allow-Origin: * — the server must echo the specific origin and add Access-Control-Allow-Credentials: true. Wildcards are also banned for allowed headers and methods in credentialed mode.

Permissions-Policy: disable the browser features your site never uses

· permissions-policy · security-headers · feature-policy · browser-features · privacy

Permissions-Policy is the successor to Feature-Policy and controls which powerful browser features the page and its iframes may use. A sane baseline switches off everything you do not need.

Use strict-origin-when-cross-origin for Referrer-Policy

· referrer-policy · security-headers · privacy · referer · http-headers

The modern browser default, strict-origin-when-cross-origin, is the right Referrer-Policy for almost every site: full URL same-origin, only the origin cross-origin, and nothing leaked on an HTTPS-to-HTTP downgrade.

CSP 'Refused to load': why default-src does not cover script-src

· csp · security-headers · browser · xss · http-headers

The Content-Security-Policy "Refused to load" error means a resource was blocked by the directive that governs it. The gotcha is that once you set script-src explicitly, it stops inheriting from default-src.

Reading the real client IP from Vercel edge headers

· vercel · edge · http-headers · nextjs

Behind a CDN the socket address is always the edge node. The real client IP rides in x-forwarded-for — here's how to read it safely in a Next.js 15 handler.

Developer utilities

UUIDv4 vs UUIDv7: which to use for database primary keys

· uuid · postgres · databases · performance

UUIDv4 is random and scatters inserts across your index; UUIDv7 adds a time-ordered prefix so rows insert sequentially. Here is when to pick each — and how to migrate.