State of Email Authentication 2026: we scanned 994 of the web's top domains
· dmarc · spf · email · email-security · research
83% of top domains publish DMARC, but only 69% enforce it. MTA-STS adoption is near zero. Here's what we found.
short posts on the tools this site ships and the plumbing behind them.
· dmarc · spf · email · email-security · research
83% of top domains publish DMARC, but only 69% enforce it. MTA-STS adoption is near zero. Here's what we found.
· dmarc · spf · email · email-security · fintech · research
Banks are the gold standard—98.5% enforce DMARC, 86.6% at p=reject—yet not one publishes MTA-STS. Here's what we found in our first-party scan.
· dmarc · spf · email · email-security · news · research
95% of news organizations publish DMARC but 1 in 5 only monitor — leaving the From address spoofable. Detailed findings from our scan of 65 newsrooms.
· dmarc · spf · email · email-security · ai · research
Every AI lab we scanned publishes SPF, DMARC and DKIM, but most stop at p=quarantine rather than p=reject. What the 18-company study reveals about a young industry's security posture.
· dmarc · spf · email · email-security · big-tech · research
Big Tech leads on transport security — the only cohort meaningfully using MTA-STS — yet a few still only monitor at p=none.
· mx · dns · email · priority · mail-routing
An MX record's priority is a preference number, and the lowest number wins — senders try it first and fall over to higher numbers only on failure. Equal numbers share the load. The value says nothing about server quality.
· mx · dns · email · backup-mx · mail-routing
For most domains a backup MX record is no longer worth it. Sending servers already queue and retry for days, so a backup adds little and can cause backscatter or relay abuse if it is not configured identically to the primary.
· google-workspace · mx · dns · email · troubleshooting
When Google Workspace mail won't deliver despite MX records being in place, the cause is usually leftover MX from the old host, records on the wrong hostname, a typo or missing trailing dot, or SPF/DMARC rejection. Here is the checklist.
· mta-sts · smtp · tls · email-security · dns
MTA-STS needs three things to work: the _mta-sts TXT record with a current id, a policy file served over valid HTTPS, and a correct text/plain content type. If any one is missing or stale, senders skip enforcement.
· mta-sts · tls-rpt · email-security · smtp · deliverability
Use MTA-STS testing mode first: it reports TLS failures via TLS-RPT but still delivers mail. Switch to enforce only once reports are clean, because enforce makes senders refuse delivery on any MX or certificate mismatch.
· tls-rpt · smtp · tls · email-security · mta-sts
A TLS-RPT report is a JSON document telling you how many inbound SMTP sessions to your domain succeeded or failed over TLS, and why. Read the summary counts first, then the failure-details to see exactly what broke.
· spf · dmarc · email · deliverability · dns
SPF -all (hardfail) tells receivers to reject mail from unlisted senders; ~all (softfail) flags it as suspicious but usually still accepts it. Move to -all once you've enumerated every legitimate sender — ideally with DMARC already in place.
· bimi · dmarc · email · dns · branding
A BIMI logo needs three things in place: DMARC at enforcement (p=quarantine or p=reject, not p=none), a default._bimi TXT record pointing to an SVG Tiny PS logo, and — for Gmail and Apple Mail — a Verified Mark Certificate referenced in the record.
· dmarc · alignment · spf · dkim · deliverability
When SPF and DKIM both pass yet DMARC still fails, the problem is not authentication — it is alignment. Here is why, and how to fix the return-path and DKIM signing domain so they match your From: header.
· dmarc · email · spoofing · deliverability · policy
p=none is monitoring only and stops zero spoofing; p=quarantine sends failing mail to spam; p=reject bounces it at the SMTP edge. Only reject actually protects your domain — here is the safe path to get there.
· dmarc · rua · email · deliverability · reporting
A DMARC aggregate report is an XML summary of who sent mail as your domain and whether it passed. Here is how to read every section and what to fix.
· dmarc · spoofing · phishing · email · deliverability
DMARC reject only stops mail that forges your exact From domain at receivers that actually check it. Lookalike domains, display-name spoofing, and inbound phishing all sail right past it.
· spf · email · dmarc · deliverability · dns
Every SPF result a receiver can return, what each means for delivery, how DMARC treats it, and which qualifier you should actually publish.
· spf · email · dns · deliverability · permerror
RFC 7208 allows exactly one SPF record per domain. Publishing two produces a permerror that fails SPF entirely. Here is how to merge them back into one valid record.
· dkim · email · dmarc · authentication · deliverability
dkim=none means the message arrived with no DKIM-Signature header at all — distinct from dkim=fail. The causes, why it breaks DMARC, and how to make every sender sign.
· dkim · email · deliverability · authentication · canonicalization
A DKIM body-hash failure means the message body changed between signing and verification. The usual culprits are list footers, disclaimer appenders, and strict canonicalization — here is how to find and fix yours.
· dkim · dns · txt-record · email · deliverability
A 2048-bit DKIM public key is longer than a single DNS TXT character-string can hold. The fix is one TXT record split into multiple quoted strings, not multiple records.
· mta-sts · tls-rpt · email · smtp · tls
MTA-STS and TLS-RPT secure the TLS connection between mail servers. What they do, how they differ from SPF/DKIM/DMARC, and when they are worth the effort.
· dnssec · dns · security · registrar · spoofing
DNSSEC cryptographically signs your DNS answers so resolvers can detect tampering — but a botched rollover takes your domain offline. When to enable it and when to be careful.
· mx · dns · email · deliverability · bounces
No MX record found means receiving servers cannot locate where to deliver mail for your domain, so inbound email bounces. The common causes, the fixes, and how to verify in one dig.
· spoofing · dmarc · spf · dkim · email
A domain is spoofable when it lacks an enforced SPF and DMARC posture. How to test for the three records that stop it, and why p=none does not.
· authentication-results · dmarc · spf · dkim · spoofing
The Authentication-Results header your mail server stamps on inbound mail records spf, dkim, and dmarc results. How to read it, and why dmarc=pass is the only signal that proves the visible From address is genuine.
· email · spf · dkim · dmarc · deliverability
Mail landing in spam is almost always an incomplete auth stack. Configure SPF, DKIM, and DMARC in the right order, with a verification check at each step.
· dkim · email · dns · cryptography
A DKIM signature names its key with a selector you can't look up anywhere. How selectors work, why discovery is hard, and the ones common senders use.
· spf · email · dns · deliverability
RFC 7208 caps SPF at ten DNS lookups; exceed it and you get PermError, which DMARC treats as a hard fail. Why it happens, and three practical fixes.
· dmarc · email · spf · dkim · deliverability
DMARC tells receiving servers what to do when SPF or DKIM fails. The record format, policy levels, reporting, and how to verify your setup in thirty seconds.
· whois · rdap · gdpr · domain-ownership · privacy
Since GDPR took effect in 2018, registrars redact registrant personal data by default. Here is what WHOIS still shows, and the legitimate ways to reach the owner — registrar abuse contacts, RDAP, the site itself, and legal disclosure.
· whois · dns · ttl · domain-expiry · redemption
An expired domain can keep resolving for days because DNS records stay cached at TTL and the registry lifecycle has grace periods before deletion. The site only goes dark once the registrar applies clientHold or the domain drops.
· dns · ttl · propagation · nameservers · caching
There is no global DNS push. Resolvers cache each record until its TTL expires, so the real wait is the record's TTL plus how recently resolvers last queried it. Nameserver changes are slower.
· dns · cname · apex · alias · aname
RFC 1034 forbids a CNAME from coexisting with other records, and the apex must hold SOA and NS, so a literal apex CNAME is invalid. Providers solve it with CNAME flattening, ALIAS, or ANAME records.
· dnssec · dns · servfail · ds-record · troubleshooting
A SERVFAIL only from validating resolvers after enabling DNSSEC means the validation chain is broken. The usual culprit is a DS record at your registrar that no longer matches your zone's DNSKEY, or expired RRSIG signatures. How to diagnose and fix it.
· caa · dns · certificates · tls · security
A CAA record names which certificate authorities are allowed to issue certificates for your domain. The format, why it limits mis-issuance, and whether you should publish one.
· subdomain-takeover · dns · cname · attack-surface · security
A dangling CNAME points your subdomain at a third-party service you no longer control. How takeover works, how to fingerprint vulnerable records, and how to fix and prevent it.
· mcp · claude · ai · dns
Claude Desktop speaks remote MCP. Point it at domainposture.com's endpoint and fifteen domain-dossier checks become first-class chat commands. Here's the setup.
· dns · doh · cloudflare · privacy
Classic DNS is plaintext anyone can read or forge. DoH encrypts it over HTTPS — here's how Cloudflare's JSON endpoint works for browser-side tools.
· tls · ssl · certificates · wildcard · san
A wildcard cert covers one level of subdomains under a single key; a SAN cert lists explicit names (including unrelated domains). Use a wildcard for many same-level subdomains, a SAN for a fixed set of distinct hostnames — or combine both.
· tls · ssl · certificates · self-signed · acme
Browsers warn on a self-signed certificate because it chains to no trusted CA (ERR_CERT_AUTHORITY_INVALID). For anything public, install a free CA-issued cert via ACME; for internal-only, add your root to the device trust store — never train users to click through.
· tls · ssl · handshake · openssl · certificates
A TLS handshake fails when client and server cannot agree on a protocol version, cipher, or curve, or when the server's certificate is rejected. Here are the real causes and how to diagnose each one with openssl s_client.
· redirects · https · hsts · tls · http
An HTTP to HTTPS redirect usually fails for a handful of reasons: it only covers the apex or only www, there's no listener on port 80, a CDN in Flexible SSL mode causes a loop, HSTS isn't set yet, or a cached old response. Here's how to diagnose each.
· tls · ssl · certificates · nginx · openssl
A renewed certificate that still presents as expired almost always means the web server was never reloaded, or an old cert is still being served by a load balancer, CDN edge, or the wrong vhost.
· redirects · cloudflare · ssl · https · debugging
ERR_TOO_MANY_REDIRECTS means a page redirects to a page that redirects back. The classic cause is Cloudflare SSL set to Flexible, plus a handful of www and HTTPS rules fighting each other.
· certificate-transparency · tls · ssl · ct-logs · mis-issuance
Every publicly-trusted certificate is logged to public Certificate Transparency logs. Search and monitor those logs to catch certificates issued for your domain that you never requested.
· tls · certificates · ssl · openssl · nginx
An incomplete chain means your server sends the leaf certificate but skips an intermediate CA, so clients can't build a path to a trusted root. Browsers often hide it; curl, Java, and older Android don't.
· hsts · https · security-headers · tls · web-security
HSTS forces browsers to use HTTPS for your domain, killing downgrade attacks. How to roll it out safely with max-age, includeSubDomains, and preload — without locking yourself out.
· tls · ssl · certificates · security
A cert outage is predictable, not unlucky. What to inspect on a live TLS certificate, and the surprises that only show up in the final week before expiry.
· security · http · headers · csp · hsts
The HTTP response headers that protect modern web apps — HSTS, CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy — with a safe value for each.
· cors · access-control-allow-origin · browser · api · headers
When the browser says no Access-Control-Allow-Origin header is present, the API is not returning the CORS header the browser requires. CORS is enforced client-side but configured server-side, so the fix lives on the API, not in your JavaScript.
· cors · credentials · access-control-allow-origin · cookies · headers
When a cross-origin request sends cookies or credentials, the CORS spec forbids Access-Control-Allow-Origin: * — the server must echo the specific origin and add Access-Control-Allow-Credentials: true. Wildcards are also banned for allowed headers and methods in credentialed mode.
· permissions-policy · security-headers · feature-policy · browser-features · privacy
Permissions-Policy is the successor to Feature-Policy and controls which powerful browser features the page and its iframes may use. A sane baseline switches off everything you do not need.
· referrer-policy · security-headers · privacy · referer · http-headers
The modern browser default, strict-origin-when-cross-origin, is the right Referrer-Policy for almost every site: full URL same-origin, only the origin cross-origin, and nothing leaked on an HTTPS-to-HTTP downgrade.
· redirects · seo · http
A 301 is a permanent redirect — browsers cache it hard and search engines transfer ranking signals to the target. A 302 is temporary and keeps the original URL indexed. Pick by intent, and use 308/307 when you must preserve the HTTP method.
· csp · security-headers · browser · xss · http-headers
The Content-Security-Policy "Refused to load" error means a resource was blocked by the directive that governs it. The gotcha is that once you set script-src explicitly, it stops inheriting from default-src.
· cors · http · browsers · api
The OPTIONS request a browser fires before a non-simple cross-origin fetch. What triggers it, what the server must return, and the five ways it fails.
· redirects · http · seo · performance
Long redirect chains bleed SEO equity and add latency. What counts as too many hops, how browsers and crawlers follow them, and how to trace one end-to-end.
· vercel · edge · http-headers · nextjs
Behind a CDN the socket address is always the edge node. The real client IP rides in x-forwarded-for — here's how to read it safely in a Next.js 15 handler.
· git · dotfiles · secrets · web-security · attack-surface
Yes, an exposed /.git/ or /.env on your site is dangerous: a reachable .git lets anyone reconstruct your full source code, and a served .env leaks credentials directly. Block dotfiles at the server or CDN, keep the .git directory out of deploys, and rotate anything that leaked.
· mcp · ai · workflow · networking
AI assistants hold context, reason about failures, and call tools in parallel — turning network diagnostics from twenty browser tabs into one chat thread.
· json · logging · observability
Logs serve two masters — a pipeline that wants compact lines and an engineer reading them mid-incident. When to use each format, and how to get both.
· ip · networking · geolocation · asn
IP geolocation is inference from routing data — city-level at best, worse on mobile. What ASN, ISP, and org fields really mean, and when to trust each.
· url · javascript · encoding
encodeURIComponent vs encodeURI — different character sets, and using the wrong one is a security bug, not a style nit. Which to use when, with examples.
· jwt · auth · tokens
The standard JWT claims from RFC 7519 — what iss, sub, aud, exp, nbf, and iat mean, and the subtle differences between iat, nbf, and exp.
· base64 · encoding · security
Base64 is a reversible encoding — anyone can decode it in one line. If a value is secret, Base64 does nothing to protect it. Here's the proof.
· jwt · auth · security
Reading a JWT's payload is decoding; verifying the signature is a separate trust decision. Here's how to inspect a token safely without conflating them.
· uuid · postgres · databases · performance
UUIDv4 is random and scatters inserts across your index; UUIDv7 adds a time-ordered prefix so rows insert sequentially. Here is when to pick each — and how to migrate.