Security

Email authentication, encryption, and threat prevention best practices.

67 articles

April 2026

Diagram showing the process of obtaining a VMC or CMC certificate for BIMI

CaptainDNS · April 1, 2026

VMC and CMC Certificates for BIMI: How to Choose, Buy and Deploy

Complete guide to obtaining and deploying a VMC or CMC certificate: CA comparison, pricing, prerequisites and free hosting.

March 2026

CaptainDNS · March 31, 2026

BIMI logo hosting: where and how to host your SVG logo and certificate

Hosting is BIMI's overlooked weak link. This guide compares 5 options, covers HTTPS requirements, and walks you through a step-by-step tutorial with CaptainDNS.

Diagram showing the structure of an email header with key fields annotated: From, Received, Authentication-Results

CaptainDNS · March 29, 2026

Understanding email headers: the complete guide to reading and analyzing every field

Every email carries an invisible logbook. This guide teaches you how to extract it, read it field by field, and diagnose deliverability or security issues.

Table showing 10 subtle email header signals that security gateways fail to detect

CaptainDNS · March 28, 2026

10 email filter gaps: the subtle header signals your gateway misses

Your email gateway blocks 99% of threats. But the 1% that gets through is what matters. Here are the 10 header indicators that most filters ignore.

Diagram showing how an attacker exploits indirect MX routing to spoof an internal domain in Microsoft 365

CaptainDNS · March 28, 2026

Misconfigured Email Routing: Microsoft's Warning on Internal Spoofing (January 2026)

In January 2026, Microsoft revealed that indirect MX configurations allow attackers to spoof internal identities by bypassing SPF, DKIM, and DMARC.

Diagram showing a shortened link hiding a phishing URL behind multiple redirect layers

CaptainDNS · March 25, 2026

URL Shorteners: Why bit.ly, t.ly and Their Peers Have Become Phishing's Weapon of Choice

t.ly, Is.gd, Goo.su: URL shorteners fuel phishing, malware, and security filter evasion. Learn the exploitation techniques and how to verify every link before you click.

CaptainDNS · March 23, 2026

Gmail Verified vs Google Verified: understanding the real differences

The Gmail blue checkmark and the Google verified badge rely on entirely different mechanisms. This guide breaks down the technical prerequisites, costs, and steps for each verification.

Illustration of the 5 pillars of NIST SP 800-81r3 for DNS security

CaptainDNS · March 21, 2026

NIST SP 800-81r3: what the new DNS security guide changes

Full analysis of NIST SP 800-81r3, released March 19, 2026. Protective DNS, DNSSEC, encrypted DNS: the key recommendations for securing your infrastructure.

Diagram showing an HTTP redirect loop with detection and resolution steps

CaptainDNS · March 20, 2026

HTTP redirects: how to detect loops, chains and suspicious shortened links

Complete guide to identifying redirect loops, excessive chains and suspicious shortened links. Diagnosis, fixes and security best practices.

Diagram showing the link between DNSSEC, certificate authorities, and TLS certificate issuance after Ballot SC-085v2

CaptainDNS · March 19, 2026

Ballot SC-085v2: certificate authorities now verify DNSSEC before issuing a TLS certificate

Since March 15, 2026, the CA/Browser Forum requires CAs to verify DNSSEC during domain validation. This guide covers the context, impact, and how to check your configuration.

Timeline showing TLS certificate lifetime reduction from 398 to 47 days between 2026 and 2029

CaptainDNS · March 19, 2026

SC-081v3: 47-day TLS certificates, why it matters and how to prepare

The CA/Browser Forum voted to progressively reduce TLS certificate lifetimes from 398 to 47 days by March 2029. Timeline, rationale, impact, and practical guide.

DMARCbis: complete guide, migration and DNS Tree Walk

CaptainDNS · March 18, 2026

DMARCbis: the complete guide to understanding and migrating to the new DMARC standard

DMARCbis replaces RFC 7489, drops the PSL in favor of the DNS Tree Walk, adds three tags and splits reporting into three documents. This guide covers everything: how it works, migration, compliance.

Domain name lifecycle diagram: registration, expiration, grace period, redemption, pending delete, release

CaptainDNS · March 17, 2026

Domain name lifecycle: expiration, protection, and best practices

From registration to release: understand every stage of the domain lifecycle, the risks at each phase, and the protections to enable.

Visual comparison between the WHOIS protocol (legacy, plain text) and RDAP (modern, structured JSON) with the ICANN transition timeline

CaptainDNS · March 17, 2026

RDAP vs WHOIS: the complete guide to the transition (EPP codes, GDPR, domain locks)

WHOIS is retiring. RDAP replaces it. This guide covers everything: technical comparison, EPP codes, GDPR impacts, domain locks, and a migration plan.

The 4 email security tools managed by CaptainDNS: MTA-STS, BIMI, TLS-RPT and DMARC

CaptainDNS · March 13, 2026

Email Security: 4 Free Managed Tools to Protect Your Domains

CaptainDNS offers four free tools to secure your emails: MTA-STS hosting, BIMI hosting, TLS-RPT monitoring and DMARC monitoring. No infrastructure to manage.

Diagram showing the progression of MTA-STS deployment from testing mode to enforce mode

CaptainDNS · March 10, 2026

From testing to enforce: a progressive MTA-STS deployment strategy

Testing mode monitors, enforce mode blocks. This guide details the four steps to deploy MTA-STS progressively, from the initial policy to TLS-RPT reports, through to switching to enforce.

Comparative diagram of MTA-STS and DANE protocols for email transport security

CaptainDNS · March 10, 2026

MTA-STS vs DANE: which protocol to choose for securing email transport?

MTA-STS uses HTTPS, DANE relies on DNSSEC. Both enforce mandatory TLS encryption between email servers, but they deploy differently. Complete comparison to make the right choice.

Diagram of an SMTP downgrade attack showing an attacker intercepting the STARTTLS connection between two email servers

CaptainDNS · March 9, 2026

SMTP Downgrade Attacks: How They Work and How to Defend Against Them

STARTTLS encrypts your emails, but a network attacker can strip that protection away. Learn how SMTP downgrade attacks work and what solutions block them.

CaptainDNS · March 8, 2026

BIMI Logo Not Showing: 5 Common Errors and How to Fix Them

Valid DMARC, published BIMI record, but still no logo in the inbox. This guide identifies the 5 most common causes and details what to do.

Visual comparison of RSA 2048 and Ed25519 algorithms for DKIM signing

CaptainDNS · March 6, 2026

RSA vs Ed25519 for DKIM: which signing algorithm should you choose?

Technical comparison of RSA 2048 and Ed25519 algorithms for DKIM signing: performance, security, compatibility, and migration strategy.

Diagram showing how DKIM works: cryptographic signing and DNS verification

CaptainDNS · March 5, 2026

The Complete DKIM Guide: Understanding and Configuring Email Authentication

Everything you need to know about DKIM: how it works, step-by-step setup, key selection, integration with SPF and DMARC, and deliverability best practices.

Diagram of DKIM setup on Office 365 and Google Workspace with DNS verification steps

CaptainDNS · March 5, 2026

Setting Up DKIM on Office 365 and Google Workspace: A Practical Guide

Step-by-step guide to enable and configure DKIM on Microsoft 365 and Google Workspace. Full procedure, verification, and common error troubleshooting.

Diagram of the 6 causes of an SPF PermError with a diagnostic tree and error indicators

CaptainDNS · March 4, 2026

SPF PermError: the complete guide to understanding, diagnosing and fixing this error

Diagnose and fix SPF PermError: the 6 causes, the impact on DMARC and the methods to repair your SPF record.

SPF Flattening vs SPF Macros comparison with workflow diagrams and decision matrix

CaptainDNS · March 3, 2026

SPF Flattening vs SPF Macros: Which Approach Should You Choose to Stay Within the 10 Lookup Limit?

Detailed comparison of SPF flattening and SPF macros: how they work, advantages, disadvantages, and a decision matrix to help you choose the right approach.

Diagram of the SPF 10 DNS lookup limit with a mechanism counter for include, a, mx, and redirect

CaptainDNS · March 3, 2026

SPF "Too Many DNS Lookups": The Complete Guide to Fixing the 10 Lookup Limit

Diagnose and fix the SPF "too many DNS lookups" error: how lookups are counted, what causes the limit to be exceeded, and 5 methods to stay within the limit of 10.

CaptainDNS · March 2, 2026

SVG Tiny-PS: understanding the security profile required by BIMI

An SVG file can contain JavaScript, phishing links and tracking pixels. Learn how the SVG Tiny-PS profile neutralizes these threats to secure BIMI logos.

February 2026

CaptainDNS · February 28, 2026

BIMI logo: create a compliant SVG Tiny-PS file in 4 steps

A regular SVG file won't work for BIMI. This guide explains how to create, convert, and validate a compliant SVG Tiny-PS file.

Diagram of an email rejected by Gmail with 550 5.7.26 and UsernameCaseMapped errors

CaptainDNS · February 26, 2026

Gmail 550 5.7.26 and UsernameCaseMapped rejections: causes, diagnosis, and fixes

Gmail rejecting your emails with 550 5.7.26 or UsernameCaseMapped? Technical causes, step-by-step diagnosis, and SPF/DKIM/DMARC fixes to resolve these permanent bounces.

DNSSEC SERVFAIL diagnosis: decision tree to identify and fix the cause of a SERVFAIL after enabling DNSSEC

CaptainDNS · February 25, 2026

SERVFAIL after enabling DNSSEC: diagnosis and fix

A SERVFAIL after enabling DNSSEC points to a broken chain of trust. This guide covers the five causes, three diagnostic commands, and exact fixes for each scenario.

DNSSEC chain of trust: from the DNS root to your domain, each level verifies the next using cryptographic keys

CaptainDNS · February 22, 2026

Understand the DNSSEC chain of trust in 5 minutes

The chain of trust is the core principle behind DNSSEC. This guide explains every link, from the DNS root to your domain, with clear diagrams.

DANE/TLSA: authenticating email server TLS certificates via DNS and DNSSEC

CaptainDNS · February 21, 2026

DANE/TLSA: the complete guide to authenticating email certificates via DNS

DANE (RFC 6698/7672) binds TLS certificates to domain names using DNSSEC-signed TLSA DNS records. Learn how to deploy it to secure SMTP transport.

Enable DNSSEC with major registrars: Cloudflare, OVH, GoDaddy, Namecheap, Route 53, Google Domains

CaptainDNS · February 21, 2026

Enable DNSSEC: step-by-step guide by registrar

DNSSEC protects your visitors from DNS spoofing. This guide covers step-by-step activation for the 6 most popular registrars, with instant verification.

Diagram illustrating the transition from Basic Auth to OAuth 2.0 for SMTP AUTH on Exchange Online

CaptainDNS · February 20, 2026

End of Basic Auth SMTP on Microsoft Exchange Online: timeline, 550 5.7.30 error, and migration guide

Microsoft is retiring Basic authentication for SMTP AUTH on Exchange Online. Revised timeline, 550 5.7.30 error, OAuth alternatives, HVE, Graph API, and step-by-step migration checklist.

Visual comparison of old NIST password rules (rotation, complexity) versus the new 2025 recommendations (length, breach blocking)

CaptainDNS · February 20, 2026

NIST 2025 password recommendations: what's changed

The NIST has rewritten its password rules. No more mandatory rotation, no more complexity requirements. A complete breakdown of SP 800-63B-4 with a step-by-step compliance plan.

Visual comparison between a passphrase (multiple words) and a random password (mixed characters) with their respective entropy levels

CaptainDNS · February 20, 2026

Passphrase vs password: which one is actually safer?

A 16-character random password or a 5-word dice-generated phrase? A technical comparison with entropy calculations, use cases, and practical recommendations.

Diagnostic tree of DKIM failure causes with associated fixes

CaptainDNS · February 19, 2026

DKIM fail: all causes and how to fix them

Complete DKIM failure diagnosis: body hash, invalid key, expired signature, forwarding, alignment. Causes and step-by-step fixes.

Comparison between passkeys (cryptographic keys) and traditional passwords: security, usability, and adoption

CaptainDNS · February 19, 2026

Passkeys vs passwords: should you ditch your passwords in 2025?

Google, Apple, and Microsoft are pushing passkeys as the replacement for passwords. But are they ready for widespread use? Technical comparison, benefits, limitations, and transition strategy.

Diagram showing the 4 methods to find a DKIM selector

CaptainDNS · February 18, 2026

How to Find Your DKIM Selector: 4 Methods Explained Step by Step

Don't know your DKIM selector? Here are 4 methods to find it: email headers, admin console, manual DNS, and automatic discovery tool.

Diagram showing a server blocked on port 25 with arrows pointing to workaround solutions by hosting provider

CaptainDNS · February 18, 2026

Port 25 blocked: diagnosis and solutions by hosting provider

Port 25 is blocked by most cloud providers and ISPs to fight outbound spam. Here's how to diagnose the block and restore your sending capability.

Diagram showing how a DKIM record works in DNS

CaptainDNS · February 18, 2026

What is a DKIM record? The complete guide

Everything you need to know about DKIM records: how they work, tags, DNS format, RSA vs Ed25519, DMARC alignment, and key rotation.

SMTP Encryption: STARTTLS, TLS 1.2, TLS 1.3, DANE and MTA-STS

CaptainDNS · February 17, 2026

STARTTLS, SSL/TLS and SMTP: which encryption for your emails?

SSL, TLS, STARTTLS, Implicit TLS, DANE, MTA-STS: email encryption in transit relies on mechanisms that are often confused. This guide clarifies each protocol, explains their vulnerabilities, and shows how to configure robust TLS encryption on Postfix, Exim and Exchange.

SMTP ports 25, 465, 587, and 2525: roles, encryption, and use cases

CaptainDNS · February 17, 2026

SMTP ports explained: 25, 465, 587, 2525, which one should you use?

Port 25, 465, 587, or 2525? Each SMTP port has a specific role. This guide breaks down how each port works, its encryption method, the relevant RFCs, and helps you pick the right port for your use case.

SMTP connectivity test of an MX server: banner, STARTTLS, TLS certificate and open relay

CaptainDNS · February 17, 2026

How to test the SMTP connectivity of your MX servers

Your DNS records are perfect, but emails aren't getting through? The problem might be at the transport layer. This guide shows you how to test SMTP connectivity for each MX server, step by step.

Phishing statistics and trends 2025-2026: charts showing attack evolution, targeted sectors and new techniques (AI, quishing, MFA bypass)

CaptainDNS · February 16, 2026

Phishing trends 2025-2026: APWG statistics and new techniques

Phishing has evolved: generative AI, malicious QR codes, MFA bypass. Explore the 2025 APWG figures and the techniques redefining the threat landscape in 2026.

The 4 anti-phishing threat intelligence databases: Google Safe Browsing, URLhaus, PhishTank and VirusTotal converging towards a protection shield

CaptainDNS · February 16, 2026

Google Safe Browsing, URLhaus, PhishTank, VirusTotal: how threat intelligence databases work

Every day, your browser queries threat intelligence databases to block malicious URLs. Learn how the 4 main databases work and why combining them is essential.

Alert screen after clicking a phishing link with emergency steps to follow

CaptainDNS · February 15, 2026

Clicked a phishing link: what to do right now?

3.4 billion phishing emails are sent every day. If you clicked a suspicious link, follow these emergency steps to limit the damage and secure your accounts.

Anatomy of a phishing email with annotated warning signs

CaptainDNS · February 15, 2026

How to spot a phishing email in 2026

91% of cyberattacks start with an email. Learn how to spot the warning signs, verify a suspicious link, and protect your inbox with the right protocols.

Analyzing a TLS-RPT report: JSON structure and TLS email error types

CaptainDNS · February 14, 2026

Analyze and leverage your TLS-RPT reports: detect issues before they impact your emails

A practical guide to reading and leveraging TLS-RPT reports: JSON structure, failure types, diagnosing certificate and STARTTLS errors, and a daily analysis workflow.

Set up TLS-RPT on Microsoft 365, Google Workspace, and OVHcloud

CaptainDNS · February 13, 2026

Set up TLS-RPT: step-by-step guide for Microsoft 365, Google Workspace, and OVHcloud

Hands-on tutorial to set up TLS-RPT (SMTP TLS Reporting) on Microsoft 365, Google Workspace, and OVHcloud. DNS record, verification, and troubleshooting included.

TLS-RPT: monitoring TLS encryption failures in email delivery

CaptainDNS · February 10, 2026

TLS-RPT: The Complete Guide to Monitoring Email TLS Security

TLS-RPT (RFC 8460) lets you receive reports on TLS encryption failures in your email delivery. Learn how to configure it, read reports, and take action.

MTA-STS troubleshooting: diagnosing and resolving common errors

CaptainDNS · February 9, 2026

MTA-STS Not Working? Complete Troubleshooting Guide

Your MTA-STS policy is unreachable, the TLS certificate is rejected, or enforce mode is blocking emails? This troubleshooting guide covers common errors and their solutions.

MTA-STS: securing email transport with mandatory TLS encryption

CaptainDNS · February 6, 2026

MTA-STS: the complete guide to securing your email transport

MTA-STS (RFC 8461) enforces TLS encryption for incoming emails. Learn how to configure it, choose between testing and enforce modes, and validate your deployment.

Delisting guide: how to remove an IP from email blacklists

CaptainDNS · February 3, 2026

How to Remove Your IP from a Blacklist: The Complete Delisting Guide

Is your IP on a blacklist and your emails getting rejected? This guide details the delisting procedures for each major blacklist, including processing times and best practices to avoid getting listed again.

CaptainDNS · February 2, 2026

6 Scenarios to Anticipate Before Applying for a .brand

Lost auction, 5-year abandonment, migration failure: anticipate the risks of an ICANN 2026 gTLD application with detailed contingency plans.

January 2026

CaptainDNS · January 28, 2026

.brand TLD: why major brands create their own domain extension

From .dvag (10,562 domains) to .ferrari, .zara, and .google: discover why 494 global companies have invested in their own .brand TLD.

Illustration: Surfshark DNS (public DNS resolver) with IPv4/IPv6 endpoints, DoH, and deployment options.

CaptainDNS · January 9, 2026

Surfshark DNS: how it works, benefits, and setup

Surfshark DNS is a free public DNS resolver (IPv4/IPv6, DoH) focused on privacy. Here's when to use it, how to configure it, and what to check.

Illustration: DNS4EU, European DNS resolver with Protective/Child/NoAds variants and encrypted DNS DoH/DoT.

CaptainDNS · January 7, 2026

DNS4EU: the European DNS resolver (DoH/DoT), profiles and setup

DNS4EU is a European public DNS with 5 variants (security, kids, ad blocking, neutral) and IPv4/IPv6 + DoH/DoT addresses. Deployment and verification guide.

Illustration: Gmail address change with alias and account retention

CaptainDNS · January 6, 2026

Change your Gmail address: an option rolling out at Google

Google documents a long-awaited feature: replace your @gmail.com while keeping your account, emails, and services. Here's how to prepare.

December 2025

Illustration: NextDNS, a customizable DNS resolver (DoH/DoT), filtering and profiles.

CaptainDNS · December 26, 2025

NextDNS DNS: how it works, benefits, and setup

NextDNS is a customizable DNS resolver: DoH/DoT encryption, filtering, profiles, and logs. Here's how to deploy it cleanly at home or in an SMB.

Illustration: 1.1.1.1 (Cloudflare), a public DNS resolver with DoH/DoT/ODoH options and a privacy focus

CaptainDNS · December 23, 2025

Cloudflare DNS (1.1.1.1): privacy, DoH/DoT, deployment

1.1.1.1 is Cloudflare's public DNS resolver. Here's how to use it properly (addresses, DoH/DoT/ODoH, tests, pitfalls) and deploy it.

Illustration: Quad9 (9.9.9.9), a secure DNS resolver with filtering and encrypted transports (DoT/DoH).

CaptainDNS · December 19, 2025

Quad9 DNS (9.9.9.9): how it works, benefits, alternatives

Quad9 (9.9.9.9) is a public DNS resolver focused on security and privacy: malware blocking, DNSSEC validation, and encrypted DoT/DoH options. Here's how to deploy it properly.

CaptainDNS · December 16, 2025

BIMI, VMC, CMC: compatibility and DNS prerequisites (Gmail, Yahoo, Apple Mail)

Putting your logo in the inbox: what you actually need to configure in DNS for BIMI, and how to choose between VMC and CMC.

Diagram showing Gmail stopping POP fetching from external accounts in 2026

CaptainDNS · December 5, 2025

Gmail ends POP fetching from other accounts in 2026: impact and action plan

Starting January 2026, Gmail will no longer continuously fetch messages from external mailboxes via POP ("Check mail from other accounts"). Impacts, timeline, and alternatives for Gmail and Google Workspace users and admins.

Diagram comparing DoH3, DoQ and DoT in a modern DNS architecture

CaptainDNS · December 1, 2025

DoH3, DoQ and DoT: everything changing by late 2025

Panorama of encrypted DNS transports at the end of 2025: performance, network impact, security, and an action plan for infra teams.

November 2025

BIMI October 2025: lps=, ABNF, SVG/SVGZ formats and headers

CaptainDNS · November 13, 2025

BIMI Draft -11 dated 9 October 2025: what's changing and how to prepare

Revision -11 formalizes Local-Part Selectors (lps=), clarifies the discovery path, reaffirms SVG/SVGZ logos and reiterates DMARC and header requirements.

DKIM2: What's new, removals, timeline and impact

CaptainDNS · November 3, 2025

DKIM2: what's new, what's changing and key dates

Everything you need to know about DKIM2 at the end of 2025: principles, new headers, coexistence with DKIM/DMARC, the IETF draft timeline and a readiness plan.

October 2025

What Is ARC (Authenticated Received Chain)?

CaptainDNS · October 23, 2025

ARC: keeping trust in an email as it crosses intermediaries

ARC (Authenticated Received Chain) lets every relay forward, sign, and seal the authentication results it observed so the final server can decide whether to trust the message.