"Harvest now, decrypt later": attackers record your encrypted traffic today to crack it once quantum computers arrive. Post-quantum TLS starts now, often as a config change. Enable hybrid key exchange (X25519 + ML-KEM): https://t.co/VoTLxKH7kz
A valid certificate can show a green padlock in your browser and still fail for a mobile app or API client. Browsers cache intermediate certs and paper over a missing one. A fresh container has no cache. Verify the chain from outside, not from the browser that's hiding the gap.
You can now query your blacklist and certificate monitoring straight from an AI assistant over MCP. "Which of my IPs are listed?" "What certs expire in the next 30 days?" Answered from live data, no dashboard tab required.
DMARC at p=none protects nobody. It's monitoring mode: reports flow in, but receivers still deliver mail that fails authentication. A year at p=none gives you visibility, not enforcement. Read the reports, fix your alignment, then move to quarantine.
A Spamhaus listing isn't one verdict. SBL is a manual spam listing, CSS is automated reputation, XBL means a compromised host, PBL means the IP shouldn't send mail directly. The zone is the diagnosis. See which one fired: https://t.co/2MIa6PM3tc
Microsoft moved SNDS to a new URL and set automated access links to expire after 30 days. A 404 in a forgotten cron job is exactly how reputation data stops flowing with nobody noticing. What to audit now: https://t.co/OFiCAdhD0G
Add IPv6 to your mail servers and you start cold. New IPv6 addresses have zero sending reputation, and most blacklists track it at the /64 or /48 level, not per address. If your RBL monitoring is IPv4-only, an IPv6 listing can sink delivery and you'd never see it.
Happy Canada Day.
Proudly Canadian, and today we're stepping back to celebrate it. To everyone marking the day: enjoy the long weekend, the fireworks, and some well-earned time off. From our team to yours, we hope it's a good one.
OCSP is going away. Let's Encrypt shut down its responder and browsers moved revocation into CRLSets and CRLite. The lever that matters now is short lifetimes: a cert that rotates every few weeks limits exposure better than a revocation check that failed open ever did.
A clean sending IP won't save you if a link in your email points at a domain someone else burned.
IP and domain reputation are scored separately and fail separately. Listed IP, clean domain? Host issue. Clean IP, listed domain? don't fix the mail server.
https://t.co/cJsFaFJzhp
Cert lifetimes are dropping toward 47 days. Manual renewal is now a backlog, not a workflow.
ACME automates issuance, but it fails quietly: a reload that never runs, a flaky dns-01 challenge, a rotated key. Monitor the endpoint, not the script.
https://t.co/zzZVlDhDgP
Most certificate outages aren't sophisticated. A cert expires on a forgotten load balancer, an intermediate drops from the chain, a renewal fails quietly for weeks.
Monitor the endpoint users connect to, not the script meant to renew it.
https://t.co/U76TCiFrbu
Microsoft's 2026 SNDS changes can silently break your Outlook reputation monitoring:
- New portal URL
- Automated links now expire in 30 days (404 in your cron job)
- New OAuth 2.0 REST API
- Privacy-focused JMRP
What to fix:
https://t.co/OFiCAdiaQe
STARTTLS is opportunistic: if the TLS handshake fails, most mail servers just send your email in plaintext anyway. Downgrade attacks love that.
MTA-STS changes the rule to "encrypt or fail."
How to roll it out (testing mode first), in the new post:
https://t.co/U8bOaTwtlq
Adding IPv6 to your mail stack without updating RBL monitoring creates blind spots. IPv6 DNSBL lookups work differently, lists track /64 blocks not individual IPs, and new addresses start with zero reputation.
https://t.co/r1QjYmbqSk
DMARC is now Standards Track. RFCs 9989/9990/9991 replace RFC 7489.
Key changes: DNS Tree Walk replaces the PSL, `pct` removed (use `t=y`), new `np` tag for non-existent subdomains, mandatory Identity-Alignment in failure reports.
https://t.co/tKr1oOEC8m
#DMARC#EmailSecurity
SPF ✓ DKIM ✓ DMARC ✓ — and still landing in spam?
Authentication is the floor. Engagement is the ceiling.
What actually determines inbox placement: https://t.co/iuPkKtNqFk
Your mail server silently falls back to plaintext when TLS fails. You never know it happened.
TLS-RPT fixes that: one DNS record, and sending servers report every failure: type, MX host, session count.
Most orgs have never enabled it. Takes 5 minutes.
https://t.co/KdFcrmJWni
We just connected Claude, ChatGPT, Cursor, and Copilot to your infrastructure monitoring data via MCP.
Ask which hosts are blacklisted. Check certificate expiry. Get live answers inside your AI tools.
No portal. No API calls. Just ask.
https://t.co/cx9qLanAZx
#DevOps#MCP#AI