third customer came in today, third week into production
"good pricing and OSS core" was the reason why they picked DMARCguard over alternatives
I'm excited and more determined now.
#buildinpublic #indiehackers
https://t.co/C0rNbxDs8K made its 2nd sale, 16 days after production launch
words cannot begin to describe
but maybe the testimonial speaks the loudest:
*Proven service after using the free plan and clear pricing that I wouldn't have to think twice [...]*
#indiehackers #buildinpublic #bootstrapped #SaaS
Saturday DMARC tip: check your subdomains
your main domain might be at p=reject
but what about https://t.co/v5hq0LCJaY?
or https://t.co/NvLrJpkJg0?
or that staging subdomain from 2023 nobody decommissioned?
DMARC policies cascade to subdomains: a subdomain with no DMARC record of its own is evaluated against the organizational domain's record, and subdomains use `sp=` if it is present, otherwise `p=`
so explicitly set `sp=reject` in your organizational domain's record
without an `sp=` tag, subdomains get whatever `p=` says: fine once you are at p=reject, but while the parent sits at p=none or p=quarantine during rollout every subdomain is just as exposed, and an `sp=none` left over from that rollout keeps them exposed even after the parent reaches p=reject
quick check: look at your DMARC record
do you see an `sp=` tag? if it's missing, your subdomains follow `p=`; if it says `sp=none`, they're unprotected no matter what `p=` is
add `sp=reject` if no subdomain sends mail, or publish individual DMARC records for those that do
one DNS change. measurable impact.
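To make the check above mechanical, here is an added example (my own code, not DMARCguard's checker) that parses a DMARC TXT record and reports the effective policy for the organizational domain and for its subdomains, following the RFC 7489 rule that `sp=` overrides `p=` for subdomains and that subdomains inherit `p=` when `sp=` is absent. The records in the demo are constructed samples, not live DNS data:

```python
"""Effective DMARC policy for a domain and its subdomains (added example).

A DMARC record is a list of semicolon-separated name=value tags. p= is the
organizational domain's policy, sp= overrides it for subdomains, and when
sp= is absent subdomains inherit p=. The records below are constructed.
"""
from __future__ import annotations

ENFORCING = {"quarantine", "reject"}

# Constructed sample records (not real DNS data).
SAMPLE_RECORDS = {
    "reject, no sp": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "reject, sp=none": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "rollout, sp=reject": "v=DMARC1; p=none; sp=reject; rua=mailto:dmarc@example.com",
    "none, no sp": "v=DMARC1; p=none",
}


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; sp=none' into a lowercase-keyed tag dict."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, value = part.split("=", 1)  # rua=mailto:... keeps its own '='
        tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if "p" not in tags:
        raise ValueError("invalid DMARC record: the p= tag is required")
    return tags


def effective_policies(txt: str) -> dict[str, object]:
    """Return the org policy, the effective subdomain policy, and where it came from."""
    tags = parse_dmarc(txt)
    org = tags["p"].lower()
    sub = tags.get("sp", org).lower()
    return {
        "org_policy": org,
        "subdomain_policy": sub,
        "subdomain_source": "sp" if "sp" in tags else "inherited from p",
        "org_enforcing": org in ENFORCING,
        "subdomains_enforcing": sub in ENFORCING,
    }


def subdomain_gap(txt: str) -> str | None:
    """Describe how subdomains are exposed, or None when they are enforced."""
    pol = effective_policies(txt)
    if pol["subdomains_enforcing"]:
        return None
    if pol["subdomain_source"] == "sp":
        return f"sp={pol['subdomain_policy']} weakens subdomains below p={pol['org_policy']}"
    return f"no sp= tag: subdomains inherit p={pol['org_policy']}"


if __name__ == "__main__":
    for label, record in SAMPLE_RECORDS.items():
        print(f"{label:20} -> {subdomain_gap(record) or 'subdomains enforced'}")
```

Run it against your own record by pasting the TXT value into `subdomain_gap`; the two cases that should worry you are the "sp=none" leftover and the "p=none, no sp" rollout state.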
https://t.co/5W0Lrzogs7
#DMARC #EmailSecurity #DNSTips #SecurityTip
$199/month for 8 domains and 5 protocols
I was pricing out DMARC monitoring solutions before I decided to build my own.
one well-known vendor charges $199/month for 8 domains and covers 5 protocols.
another gutted their free tier entirely... zero domains at the free level now.
meanwhile, the protocols you actually need for complete visibility:
- ARC
- DANE
- MTA-STS
- TLS-RPT
... are often missing or locked behind enterprise tiers at $5K+/year
I built DMARCguard with a different model.
- free tier: 7 protocols, 2 domains
- Pro: 9 protocols, 10 domains, 10 members, $69/month.
all protocols included at every paid level.
I think email security monitoring should be priced for the IT admin at a 50-person company, not just the enterprise CISO.
https://t.co/NyG5cizxba
#DMARC #EmailSecurity #SaaS #Pricing
4.8% of domains have broken SPF records
across 5.5M domains scanned, 4.8% have SPF records with lookup errors
- exceeding the 10-mechanism limit
- circular includes
- syntax errors
- or void lookups
that's roughly 149,000 domains with SPF records that actively fail evaluation
their email authentication is worse than having no SPF at all, because receiving MTAs treat a permerror (a broken record) differently from none (no record): under DMARC neither counts as a pass, but a permerror can be scored as a negative signal where none is merely neutral
the most common cause: include chains
a domain includes their ESP, which includes their sub-processor, which includes a CDN
three levels deep, eight lookups consumed, and then the domain adds one more SaaS tool and everything breaks silently
SPF flattening resolves this by replacing nested includes with direct IP declarations
but you need to re-flatten whenever your providers update their IP ranges
https://t.co/GvWnq84idQ
#DMARC #SPF #EmailSecurity #DNS
I made my first sale building SaaS
it's crazy stupid if you think you can do it
but it's even crazier and more stupid if you think you can't
I feel happy, happiest I've ever been for a very long time
#solopreneur #indiehacker
ARC chain analyzer: trace authentication through forwarders.
email forwarding breaks DMARC.
when a message is forwarded through a mailing list or university relay, the original SPF alignment is lost.
ARC (Authenticated Received Chain, RFC 8617) preserves the authentication results across hops.
DMARCguard's ARC chain analyzer validates the entire chain (each ARC-Seal, ARC-Message-Signature, and ARC-Authentication-Results header) and tells you if the chain is intact, broken, or tampered with.
real scenario: your DMARC reports show failures from a university domain.
is it forwarding or spoofing?
paste the email headers into the ARC analyzer.
if there's a valid ARC chain from a trusted forwarder, it's legitimate.
no chain? investigate further.
zero other DMARC platforms offer ARC chain analysis.
I built it because forwarding is the #1 source of false-positive DMARC failures.
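The structural half of that check, as an added example (my own code, not DMARCguard's analyzer): it parses the ARC header sets out of raw message headers and applies the RFC 8617 chain rules, which are that instance numbers run 1..N with no gaps, each instance has all three headers, the first ARC-Seal carries cv=none and every later one cv=pass. It does not verify the seal or message signatures (that needs each sealer's public key from DNS), so "intact" here means structurally valid, and the sample headers are constructed:

```python
"""Structural ARC chain check (added example; signatures are not verified).

Per RFC 8617 an ARC chain is one header set per hop: ARC-Authentication-Results,
ARC-Message-Signature and ARC-Seal sharing an instance number i=. Instances
must run 1..N contiguously, the i=1 seal must say cv=none, later seals cv=pass,
and a cv=fail anywhere marks the chain failed. Cryptographic verification of
the b= values is out of scope here; this reports structure only.
"""
import email
import re
from email import policy

MAX_INSTANCES = 50  # RFC 8617 section 5.2 upper bound

_I_RE = re.compile(r"(?:^|;)\s*i=(\d+)")
_CV_RE = re.compile(r"(?:^|;)\s*cv=([A-Za-z]+)")

# Constructed headers: a message sealed by the origin MTA (i=1) and then by a
# mailing list relay (i=2). Signature values are placeholder base64.
FORWARDED = "\n".join([
    "ARC-Seal: i=2; a=rsa-sha256; t=1700000100; cv=pass; d=lists.example.org;",
    "  s=arc; b=c2VhbDI=",
    "ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=lists.example.org;",
    "  s=arc; h=from:to:subject; bh=Ymgy; b=bXMyCg==",
    "ARC-Authentication-Results: i=2; lists.example.org; arc=pass; dkim=pass",
    "ARC-Seal: i=1; a=rsa-sha256; t=1700000000; cv=none; d=mail.example.edu;",
    "  s=arc; b=c2VhbDE=",
    "ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mail.example.edu;",
    "  s=arc; h=from:to:subject; bh=Ymgx; b=bXMxCg==",
    "ARC-Authentication-Results: i=1; mail.example.edu; spf=pass smtp.mailfrom=example.com;",
    "  dkim=pass header.d=example.com",
    "From: alice@example.com",
    "Subject: forwarded through the list",
    "",
])
TAMPERED = FORWARDED.replace("cv=pass", "cv=fail")          # relay saw a broken chain
GAPPED = FORWARDED.replace("ARC-Seal: i=1;", "X-Dropped: i=1;")  # i=1 seal stripped


def _instances(msg, name):
    """Map instance number -> unfolded header value for one ARC header name."""
    out = {}
    for value in msg.get_all(name, []):
        flat = " ".join(str(value).split())  # unfold continuation lines
        m = _I_RE.search(flat)
        if not m:
            return None, f"{name} without an i= tag"
        i = int(m.group(1))
        if i in out:
            return None, f"duplicate {name} for i={i}"
        out[i] = flat
    return out, None


def check_arc_chain(raw_headers: str) -> dict:
    """Return {'status': 'none'|'intact'|'broken', 'hops': N, 'problems': [...]}."""
    msg = email.message_from_string(raw_headers, policy=policy.compat32)
    problems, sets = [], {}
    for name in ("ARC-Authentication-Results", "ARC-Message-Signature", "ARC-Seal"):
        found, err = _instances(msg, name)
        if err:
            problems.append(err)
            found = {}
        sets[name] = found
    all_i = set().union(*sets.values())
    if not all_i and not problems:
        return {"status": "none", "hops": 0, "problems": []}
    n = max(all_i, default=0)
    if n > MAX_INSTANCES:
        problems.append(f"{n} instances exceed the limit of {MAX_INSTANCES}")
    for i in range(1, n + 1):  # every instance needs all three headers
        for name, found in sets.items():
            if i not in found:
                problems.append(f"missing {name} for i={i}")
    for i, seal in sorted(sets["ARC-Seal"].items()):
        m = _CV_RE.search(seal)
        cv = m.group(1).lower() if m else "(absent)"
        expected = "none" if i == 1 else "pass"
        if cv != expected:
            problems.append(f"ARC-Seal i={i} has cv={cv}, expected cv={expected}")
    return {"status": "broken" if problems else "intact", "hops": n, "problems": problems}


if __name__ == "__main__":
    for label, hdrs in (("forwarded", FORWARDED), ("tampered", TAMPERED), ("gapped", GAPPED)):
        print(label, check_arc_chain(hdrs))
```

A structurally intact chain still only tells you which sealer vouched for the message; whether you trust `lists.example.org` as a forwarder is a separate policy decision, and the signature check is what stops an attacker from simply typing these headers in.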
https://t.co/2hniQmYYlT
#DMARC #EmailSecurity #ARC #RFC8617 #EmailForwarding
named senders changed everything.
the moment that made me rethink DMARC tooling: crying my eyes out looking at a report full of IP addresses - 52.24.128.5, 198.2.177.0, 149.72.134.0 - trying to figure out which services were sending on behalf of my domain
every platform shows you IPs.
I wanted to see names. Mailchimp, Google Workspace, Salesforce, SendGrid. not CIDR blocks.
so I built a sender identification system.
it maps IPs to known ESPs and cloud providers automatically.
when you look at your DMARC report in DMARCguard, you see "Mailchimp sent 4,200 messages, 98% aligned". not a wall of numbers.
this is the kind of decision that takes weeks to build and saves minutes every day.
bootstrapping means I get to make that trade.
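What that mapping looks like in code, as an added example that is mine rather than DMARCguard's sender identification system: it parses a DMARC aggregate (RUA) report, names each source IP by longest-prefix match against a CIDR table, and rolls up message counts and aligned-pass percentages per sender. The CIDR table uses RFC 5737 documentation ranges with placeholder names and the report XML is constructed; real ESP ranges come from the providers' published SPF includes, not from this table:

```python
"""Name the sending sources in a DMARC aggregate report (added example).

Aggregate reports identify each source only by IP. This groups the <record>
rows by a human-readable sender name via longest-prefix CIDR lookup. The
KNOWN_SENDERS table and SAMPLE_REPORT are constructed for the example.
"""
import ipaddress
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed placeholder table: (network, sender name). Documentation
# ranges only; real ESPs publish their ranges through their SPF includes.
KNOWN_SENDERS = [
    (ipaddress.ip_network("192.0.2.0/24"), "Workspace mail (placeholder)"),
    (ipaddress.ip_network("198.51.100.0/24"), "Newsletter ESP (placeholder)"),
    (ipaddress.ip_network("198.51.100.128/25"), "Newsletter ESP, dedicated pool (placeholder)"),
]

# Constructed RUA report: four sources, one of them an unknown spoofer.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>reject</p></policy_published>
  <record><row><source_ip>198.51.100.10</source_ip><count>4000</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.10</source_ip><count>100</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.200</source_ip><count>200</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>192.0.2.25</source_ip><count>900</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>35</count>
    <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>
"""


def name_for_ip(ip: str) -> str:
    """Longest-prefix match against KNOWN_SENDERS; unknown IPs keep their address."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, name in KNOWN_SENDERS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else f"unknown ({ip})"


def summarize_report(xml_text: str) -> dict:
    """Per sender name: total messages, DMARC-aligned messages, and pass percentage."""
    root = ET.fromstring(xml_text)
    totals = defaultdict(lambda: {"messages": 0, "aligned": 0})
    for rec in root.iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        sender = name_for_ip(ip)
        totals[sender]["messages"] += count
        # policy_evaluated reports aligned results: DMARC passes if either does.
        if dkim == "pass" or spf == "pass":
            totals[sender]["aligned"] += count
    for stats in totals.values():
        stats["pass_pct"] = round(100 * stats["aligned"] / stats["messages"])
    return dict(totals)


if __name__ == "__main__":
    for sender, stats in summarize_report(SAMPLE_REPORT).items():
        print(f"{sender}: {stats['messages']} messages, {stats['pass_pct']}% aligned")
```

The longest-prefix rule matters because ESPs carve dedicated pools out of their shared ranges; a flat first-match lookup would label the dedicated pool as the shared one and hide the difference in alignment between the two.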
https://t.co/ANZBoW6Usx
#DMARC #EmailSecurity #BootstrappedStartup #ProductDesign
MTA-STS: forcing TLS on your inbound mail.
SMTP was designed without encryption. hmmm, year 1982...
STARTTLS added opportunistic encryption, but it's trivially downgraded by a MITM stripping the STARTTLS response.
MTA-STS (RFC 8461) fixes this.
you publish a policy file at https://t.co/PeydfupXCL
and a TXT record at _mta-sts.yourdomain.com (`v=STSv1; id=...`) that tells senders a policy exists; with `mode: enforce`, senders MUST deliver over TLS with a valid certificate to an MX host matching the policy, or not deliver at all
```
version: STSv1
mode: enforce
mx: https://t.co/v5hq0LCJaY
max_age: 604800
```
combined with TLS-RPT (RFC 8460), you get reports when senders fail to establish TLS.
without TLS-RPT, MTA-STS enforcement is blind... you won't know when legitimate senders are refusing to deliver to you because of an expired certificate or an MX host missing from your policy
I built both checkers and generators because they work as a pair.
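An added example of the checker half (my own code, not DMARCguard's): it parses an MTA-STS policy file and validates it against the domain's MX hosts and its `_mta-sts` TXT record using the RFC 8461 rules that bite in practice: version STSv1, a mode of enforce/testing/none, an integer max_age no larger than 31557600, and, when mode is enforce or testing, every advertised MX matching an `mx:` pattern (a leading `*.` matches exactly one left-most label). The policy text, MX list and TXT record are constructed; fetching the policy over HTTPS and validating certificates are out of scope here:

```python
"""Validate an MTA-STS policy against a domain's MX set (added example).

Rules implemented from RFC 8461: version must be STSv1; mode is enforce,
testing or none; max_age is an integer <= 31557600 seconds; unless mode is
none, at least one mx: line is present and every MX host the domain advertises
matches one pattern ("*." matches a single left-most label). The _mta-sts TXT
record must carry v=STSv1 and a non-empty id=. All inputs below are constructed.
"""
MAX_AGE_LIMIT = 31557600  # RFC 8461 section 3.2

# Constructed inputs (not a real domain's policy or MX set).
GOOD_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmx: *.mx.example.com\nmax_age: 604800\n"
BAD_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 99999999\n"
MX_HOSTS = ["mail.example.com", "mx1.mx.example.com"]
STS_TXT = "v=STSv1; id=20240601T120000"


def parse_policy(text: str) -> dict:
    """Parse 'key: value' lines; repeated keys (mx) accumulate into a list."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            raise ValueError(f"malformed policy line: {line!r}")
        key, value = line.split(":", 1)
        fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields


def mx_matches(pattern: str, host: str) -> bool:
    """mx: patterns are exact hostnames or '*.example.com' (exactly one label)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".mx.example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return pattern == host


def validate(policy_text: str, mx_hosts: list, sts_txt: str) -> list:
    """Return a list of problems; an empty list means the deployment is sound."""
    problems = []
    try:
        fields = parse_policy(policy_text)
    except ValueError as exc:
        return [str(exc)]
    if fields.get("version") != ["STSv1"]:
        problems.append("version must be exactly STSv1")
    mode = fields.get("mode", [None])[0]
    if mode not in ("enforce", "testing", "none"):
        problems.append(f"mode must be enforce, testing or none, got {mode!r}")
    age = fields.get("max_age", [None])[0]
    if age is None or not age.isdigit() or int(age) > MAX_AGE_LIMIT:
        problems.append(f"max_age must be an integer <= {MAX_AGE_LIMIT}, got {age!r}")
    patterns = fields.get("mx", [])
    if mode in ("enforce", "testing"):
        if not patterns:
            problems.append("at least one mx: line is required unless mode is none")
        for host in mx_hosts:  # an MX missing from the policy is refused by senders
            if not any(mx_matches(p, host) for p in patterns):
                problems.append(f"MX host {host} matches no mx: pattern; senders will refuse it")
    tags = dict(part.strip().split("=", 1) for part in sts_txt.split(";") if "=" in part)
    if tags.get("v") != "STSv1" or not tags.get("id"):
        problems.append("_mta-sts TXT record must contain v=STSv1 and a non-empty id=")
    return problems


if __name__ == "__main__":
    print("good:", validate(GOOD_POLICY, MX_HOSTS, STS_TXT))
    print("bad: ", validate(BAD_POLICY, MX_HOSTS, STS_TXT))
```

The MX-versus-pattern check is the one to run every time you add or rename an MX host: with `mode: enforce`, a host that the policy does not list is exactly the case where compliant senders stop delivering and only TLS-RPT would tell you.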
https://t.co/z0G7IuLxxU
#DMARC #EmailSecurity #MTASTS #TLSRPT #RFC8461
PCI DSS 4.0 Section 5.4.1: anti-phishing is mandatory.
since March 2025, PCI DSS 4.0 Section 5.4.1 requires organizations processing cardholder data to implement anti-phishing mechanisms.
DMARC at enforcement (p=quarantine or p=reject) with aligned SPF and DKIM is the most direct way to satisfy this control.
if your QSA asks how you prevent domain spoofing and you don't have DMARC enforcement, that's a finding.
it's not a recommendation anymore. it's a requirement.
the compliance path: publish DMARC at p=none, analyze reports for 30-60 days, fix alignment issues, move to p=quarantine, then p=reject.
document every step.
your auditor wants evidence of the journey, not just the destination.
https://t.co/ATnY0Uc1qq
#DMARC #EmailSecurity #PCIDSS #Compliance
what's your biggest DMARC frustration?
I talk to admins every week who are stuck somewhere in the DMARC journey
the common ones I hear:
- "I've been at p=none for 18 months and don't know if it's safe to enforce"
- "my SPF record keeps breaking when marketing adds new tools"
- "I can't tell which aggregate report failures are real threats vs. forwarding"
what's yours? drop it below.
I read every response and the most common ones will become blog posts with actual solutions.
https://t.co/ofVcDXN9qa
#DMARC #EmailSecurity #SysAdmin #EmailAdmin
The protocol gap nobody talks about
most DMARC monitoring platforms cover 5-6 protocols
they'll check your SPF, DKIM, and DMARC. maybe BIMI. that's it.
but ARC chain validation? zero competitors offer it.
DANE/TLSA checking for EU NIS2 compliance? rare.
MTA-STS and TLS-RPT together for transport encryption visibility? often missing or bolted on
this isn't a feature gap. it's a visibility gap.
if your monitoring tool doesn't cover MTA-STS, you won't know when your transport encryption policy is being downgraded.
if it doesn't parse ARC chains, you can't trace authentication through forwarders.
9 protocols exist for a reason. each one covers a different attack surface.
https://t.co/CVvBRTv5BP
#DMARC #EmailSecurity #ARC #DANE #MTASTS
12.8% enforcement: the real DMARC number
I see "DMARC adoption is growing" headlines everywhere
and sure, 30.4% of the 5.5M domains I scanned have a DMARC record
sounds decent. but adoption without enforcement is monitoring without action
only 12.8% of all scanned domains are at `p=quarantine` or `p=reject`
the rest of that 30.4% sit at `p=none`...
collecting reports, taking no action, providing no protection against spoofing
that means 87.2% of domains are either unprotected or watching attacks happen without responding
the gap between "has DMARC" and "enforces DMARC" is where phishing lives
the full data is in the 2026 research report
https://t.co/9xSsHNyOsJ
#DMARC #EmailSecurity #CyberSecurity #DataResearch
your domain health in one check
the domain health check runs all 9 email authentication protocols against your domain in a single query
- SPF syntax
- DMARC policy
- DKIM selectors
- MTA-STS mode
- TLS-RPT reporting
- BIMI record
- DANE/TLSA
- and ARC chain validation
real scenario: you just onboarded a new ESP and updated your SPF record
- did you break alignment?
- did you exceed 10 lookups?
- is your DMARC policy still appropriate given the new mail stream?
run the health check
one domain, 9 protocols, 30 seconds
no account required
https://t.co/nij3YlhUj8
#DMARC #EmailSecurity #EmailAuthentication #DomainHealth
why I built a 9-protocol platform!?
when I started building DMARCguard, every competitor I evaluated covered 5-6 protocols.
DMARC, SPF, DKIM... the basics. maybe BIMI if you paid extra.
but email authentication is a system of 9 interlocking protocols, and monitoring only half of them gives you a partial picture.
so I built coverage for all 9: DMARC, SPF, DKIM, BIMI, MTA-STS, TLS-RPT, ARC, DANE, and ARF.
not because it was efficient... it added many hours to the roadmap.
because partial visibility creates false confidence.
I'm bootstrapping this. no VC telling me to ship fast and add protocols later.
I shipped when the coverage was complete.
that decision cost me speed but bought correctness.
https://t.co/CVvBRTv5BP
#DMARC #EmailSecurity #BootstrappedStartup #IndieFounder
SPF has a 10-lookup limit
here's why it breaks
RFC 7208 Section 4.6.4 is clear: an SPF evaluation must not use more than 10 terms that trigger DNS lookups (the include, a, mx, ptr and exists mechanisms, plus the redirect modifier), counted across every nested include
exceed it and the result is permerror
meaning your SPF record is effectively invalid
my scan of 5.5M domains found 2.7% have SPF lookup errors, most from nested includes
every SaaS tool you authorize (Mailchimp, Salesforce, Zendesk) adds includes
stack five or six and you're over
the fix: flatten your record
replace nested includes with the resolved IP ranges
but those IPs change, so you need ongoing monitoring.
`v=spf1 include:_spf.google.com include:https://t.co/XJ4cmn6JEb include:https://t.co/avwjiMe9np ~all`
count the lookups before you publish.
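An added example of that count, and of the flattening described both here and in the earlier post on the 4.8% of domains with broken SPF (my own code, not DMARCguard's SPF checker): it walks the include/redirect tree of a record, counts lookup terms against the limit of 10, flags circular includes and targets with no SPF record (which RFC 7208 makes a permerror on their own, on top of the limit of 2 void lookups), and rewrites the record with the ip4/ip6 terms it collected. `FAKE_DNS` is a constructed zone table using documentation ranges in place of real TXT queries; a/mx/ptr terms are kept in the flattened output, qualified with the domain they were found in, because they still need their own resolution:

```python
"""Count SPF lookup terms and flatten includes (added example).

RFC 7208 section 4.6.4 caps the terms that trigger DNS queries (include, a,
mx, ptr, exists and the redirect= modifier) at 10 per evaluation, counted
across the whole include tree, and caps void lookups at 2; an include or
redirect whose target has no SPF record is itself a permerror. FAKE_DNS is a
constructed zone table standing in for real TXT lookups.
"""
from __future__ import annotations

MAX_LOOKUPS = 10
MAX_VOID = 2
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone data (documentation ranges only): domain -> SPF TXT record.
FAKE_DNS: dict[str, str] = {
    "example.com": "v=spf1 include:esp.example include:crm.example mx ~all",
    "esp.example": "v=spf1 ip4:198.51.100.0/24 include:pool.esp.example -all",
    "pool.esp.example": "v=spf1 ip4:203.0.113.0/25 -all",
    "crm.example": "v=spf1 ip6:2001:db8::/32 -all",
    # example.com after marketing authorised one more tool with a deep include tree
    "bloated.example": "v=spf1 include:esp.example include:crm.example include:bigsaas.example mx ~all",
    "bigsaas.example": "v=spf1 " + " ".join(f"include:r{i}.bigsaas.example" for i in range(1, 7)) + " a mx ~all",
    # a circular include plus a target that has no record at all
    "loop.example": "v=spf1 include:cdn.example ~all",
    "cdn.example": "v=spf1 include:loop.example include:gone.example ~all",
}
FAKE_DNS.update({f"r{i}.bigsaas.example": f"v=spf1 ip4:192.0.2.{i}/32 -all" for i in range(1, 7)})


def _terms(record: str) -> list[tuple[str, str, str]]:
    """Split an SPF record into (qualifier, name, argument) triples."""
    out = []
    for tok in record.split()[1:]:  # skip v=spf1
        qual = tok[0] if tok[0] in "+-~?" else "+"
        body = tok.lstrip("+-~?")
        if "=" in body:          # modifier such as redirect=
            name, arg = body.split("=", 1)
        elif ":" in body:
            name, arg = body.split(":", 1)
        else:
            name, arg = body, ""
        out.append((qual, name.lower(), arg))
    return out


def analyze(domain: str, dns: dict[str, str] = FAKE_DNS) -> dict:
    """Walk the include/redirect tree; report counts, collected terms and a verdict."""
    state = {"lookups": 0, "void": 0, "ips": [], "problems": []}

    def walk(dom: str, path: tuple[str, ...]) -> None:
        if dom in path:
            state["problems"].append(f"circular include: {' -> '.join(path + (dom,))}")
            return
        record = dns.get(dom)
        if record is None:
            state["void"] += 1
            state["problems"].append(f"{dom} has no SPF record (include/redirect target -> permerror)")
            return
        for _qual, name, arg in _terms(record):
            if name in LOOKUP_TERMS:
                state["lookups"] += 1
            if name in ("include", "redirect"):
                walk(arg, path + (dom,))
            elif name in ("ip4", "ip6"):
                state["ips"].append(f"{name}:{arg}")
            elif name in ("a", "mx", "ptr"):
                state["ips"].append(f"{name}:{arg or dom}")  # left unresolved, still costs a lookup
            elif name == "exists":
                state["ips"].append(f"exists:{arg}")

    walk(domain, ())
    if state["lookups"] > MAX_LOOKUPS:
        state["problems"].append(f"{state['lookups']} lookup terms exceed the limit of {MAX_LOOKUPS}")
    if state["void"] > MAX_VOID:
        state["problems"].append(f"{state['void']} void lookups exceed the limit of {MAX_VOID}")
    state["verdict"] = "permerror" if state["problems"] else "ok"
    return state


def flatten(domain: str, dns: dict[str, str] = FAKE_DNS, default: str = "~all") -> str:
    """Rewrite the record with includes replaced by the terms they resolved to."""
    return " ".join(["v=spf1", *analyze(domain, dns)["ips"], default])


if __name__ == "__main__":
    for dom in ("example.com", "bloated.example", "loop.example"):
        info = analyze(dom)
        print(f"{dom}: {info['lookups']} lookups, {info['verdict']}, {info['problems']}")
    print("flattened:", flatten("example.com"))
```

The flattened record drops from four lookup terms to one, which is the whole point, and also why it rots: the IP ranges it now hard-codes belonged to `esp.example` and `crm.example` on the day you ran this, so re-run it on a schedule and diff the output rather than publishing it once.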
https://t.co/8j41jGLr0A
#DMARC #SPF #EmailSecurity #DNS #RFC7208