Blog
Notes from the DMARCify team
Mostly hands-on email-auth writing. Occasionally an opinion. Always something you can act on the same afternoon.
How DMARC works · 5 min read
Forwarded vs spoofed: how to tell the difference in 30 seconds
Most DMARC failures are not attackers. They're mailing-list forwarders breaking SPF in a perfectly predictable way. Here's the pattern, and how DMARCify surfaces it.
Forwarding usually breaks SPF but preserves DKIM; spoofing fails alignment. That one distinction removes most false alarms.
Standards · 6 min read
What BIMI actually requires (and why it's not a logo placement project)
BIMI's marketing pitch is "a logo next to your name in Gmail." The technical reality is much more interesting — and it starts with DMARC enforcement.
BIMI is mostly proof of control: enforced DMARC first, then a compliant SVG, certificate, and DNS record.
Playbook · 8 min read
Going from p=none to p=reject without breaking mail
A five-week ramp that reliably gets a domain to DMARC enforcement — and the three checks to run at each stage so you never lose legitimate mail.
Treat p=reject as a rollout, not a switch: observe, fix alignment, sample quarantine, sample reject, then enforce.
