Notes from the DMARCify team
Mostly hands-on email-auth writing. Occasionally an opinion. Always something you can act on the same afternoon.
Use case · 8 min read
After an acquisition: locking down the acquired company's email domains in 30 days
M&A integration plans cover Slack, GitHub, AWS, and HRIS. They rarely cover the email domains the acquired company collected over the years, until an attacker uses one to phish new colleagues.
The risk after an acquisition is not the well-known primary domain. It is the side domains, marketing campaign domains, and defensive registrations. The 30-day playbook: inventory everything, set unused domains to hard reject plus null SPF, and monitor what remains.
Read the post
Tech · 7 min read
The SPF 10-lookup limit: why your record stopped working when nothing changed
SPF's 10-DNS-lookup limit is the common reason a valid-looking SPF record silently stops authorizing senders. Here is how to count it and how to fix it.
Each include, a, mx, ptr, exists, and redirect counts toward the 10-lookup ceiling, and includes count transitively. Once you exceed it, legitimate senders can fail SPF, but DKIM-aligned mail survives.
Read the post
Tech · 7 min read
DKIM key rotation: when, how, and the silent failure mode nobody warns you about
DKIM keys do not expire. That is the problem. Here is the selector rotation pattern that prevents old keys from staying valid for years.
Rotate DKIM keys on a fixed cadence, use a new selector each time, keep the old selector briefly for queued mail, then remove it. Rotation is not complete until the old selector is gone.
Read the post
How DMARC works · 7 min read
ARC: the email standard that fixes forwarders
Authenticated Received Chain is the IETF answer to mailing-list and forwarding breakage. It is quietly carrying a meaningful share of forwarded mail.
ARC is not something most senders deploy themselves. It is a chain-of-custody signature the forwarder applies so downstream receivers can use original authentication results.
Read the post
Compliance · 8 min read
DORA and NIS2: where EU regulators land on email authentication in 2026
Neither DORA nor NIS2 names DMARC in the main regulation text, but the technical baseline points toward modern email authentication. Here is what in-scope teams should prepare.
DORA and NIS2 are outcome-based, but the email evidence is concrete: inventory domains, authenticate senders, collect reports, and prove that spoofing risk is being reduced.
Read the post
Compliance · 7 min read
PCI DSS 4.0.1 5.4.1: what "anti-phishing mechanisms" actually means
PCI DSS 4.0.1 made anti-phishing controls a hard requirement in March 2025. The guidance names DMARC, SPF and DKIM by example. Here's what auditors are usually asking for in 2026.
If you process card data, PCI 5.4.1 expects anti-phishing controls that actually enforce or quarantine. Monitor-only DMARC is visibility, not protection.
Read the post
Standards · 7 min read
DMARC is now an IETF Proposed Standard: what changed in RFC 9989, 9990, and 9991
In May 2026, DMARC moved from RFC 7489 to three Proposed Standard RFCs. Here's what changed in policy records, DNS discovery, aggregate reports, and failure reports.
The record still says DMARC1, but the standard around it is cleaner: no pct rollout tag, DNS Tree Walk replaces PSL discovery, PSD support is explicit, and reports carry more policy context.
Read the post
How DMARC works · 5 min read
Forwarded vs spoofed: how to tell the difference in 30 seconds
Most DMARC failures are not attackers. They're mailing-list forwarders breaking SPF in a perfectly predictable way. Here's the pattern, and how DMARCify surfaces it.
Forwarding usually breaks SPF but preserves DKIM; spoofing fails alignment. That one distinction removes most false alarms.
Read the post
Standards · 6 min read
What BIMI actually requires (and why it's not a logo placement project)
BIMI's marketing pitch is "a logo next to your name in Gmail." The technical reality is much more interesting — and it starts with DMARC enforcement.
BIMI is mostly proof of control: enforced DMARC first, then a compliant SVG, certificate, and DNS record.
Read the post
Playbook · 8 min read
Going from p=none to p=reject without breaking mail
A staged rollout that reliably gets a domain to DMARC enforcement — and the three checks to run at each stage so you never lose legitimate mail.
Treat p=reject as a rollout, not a switch: observe, fix alignment, quarantine, then enforce.
Read the post
