Learn
Reference primers and step-by-step playbooks for email authentication, lookalike-domain protection, and takedowns. Every page PhishFence operators need, in one place.
Watch the 2-minute explainers
Hand-drawn walkthroughs of how email spoofing works and how PhishFence stops it.
Why PhishFence
Email security, brand protection, and domain health, all in one place.
From spoofable to bulletproof: a 3-month DMARC rollout
Watch a brand-new domain go from no DMARC and fully spoofable to enforced p=reject and Grade A+, one safe step at a time.
Email authentication in 90 seconds: SPF, DKIM, and DMARC
What SPF, DKIM, and DMARC each do, and why you need all three set and passing so an attacker cannot spoof your exact domain.
Product tour: add a domain and turn on Email Security
A two-minute tour: add a domain, see its DNS posture, and turn on DMARC monitoring with one click to start the safe path to enforcement.
Get set up with PhishFence in minutes
The full setup walkthrough: add your domain, scan for lookalikes, turn on Email Security, and ramp DMARC to enforcement.
Gmail and Yahoo sender requirements
What the Gmail and Yahoo bulk-sender rules require (SPF, DKIM, DMARC, one-click unsubscribe, low spam rates) and how to stay compliant.
DMARC
DMARC tells receiving mail servers what to do when an inbound message claims to be from your domain but fails SPF and DKIM authentication checks.
DMARCbis
DMARCbis is the 2026 revision of DMARC, published as RFC 9989 (core), RFC 9990 (aggregate reporting), and RFC 9991 (the report schema), replacing the original RFC 7489. It is now a full IETF standard, and it changes four things in the record you publish.
SPF
SPF lists which servers are authorised to send email on behalf of your domain. Receivers check the inbound IP against your SPF record and accept or flag the message accordingly.
DKIM
DKIM cryptographically signs every outbound message with a private key; receivers verify the signature against your public key in DNS. Unlike SPF, a DKIM signature survives forwarding.
ARC
ARC lets a forwarder vouch for the authentication state of a message it received, so the next hop can trust the upstream verdict even when SPF and DKIM are broken by forwarding.
BIMI
BIMI lets receivers display your brand logo next to authenticated messages in the inbox. Requires DMARC at p=quarantine or p=reject.
MTA-STS
MTA-STS forces sending servers to use TLS when delivering mail to your domain, blocking downgrade attacks that would otherwise let an attacker intercept inbound mail in plaintext.
TLS-RPT
TLS-RPT asks sending servers to send you daily aggregate reports of every TLS failure they hit when delivering mail to your domain. The visibility complement to MTA-STS.
DANE
DANE pins a hash of your TLS certificate in DNS via TLSA records. Receivers can then validate the cert without trusting public Certificate Authorities. The DNSSEC chain is the trust anchor.
ARF
ARF is the standardised email format mailbox providers use to report abuse and authentication failures back to senders. The structured payload that powers DMARC's ruf= reports.
DNSSEC
DNSSEC adds cryptographic signatures to DNS responses so resolvers can verify the data wasn't tampered with in transit. Foundation for DANE, MTA-STS, and trust in DNS-published security policies.
DMARC alignment
Alignment is the rule that decides whether an SPF or DKIM pass actually counts as a DMARC pass. Most domains that get spoofed have SPF and DKIM working but mis-configured alignment.
TLS-RPT vs MTA-STS
MTA-STS enforces TLS on inbound mail to your domain. TLS-RPT tells you when TLS fails. They solve different halves of the same problem and you publish both, but the deployment order matters.
BIMI prerequisites
BIMI displays your brand logo next to your email in supporting inboxes (Gmail, Apple Mail, Yahoo, AOL). It only works if your domain is at DMARC enforcement AND your logo is a properly formatted SVG Tiny PS. As of early 2025, Gmail and Yahoo display the logo with a Verified Mark Certificate (VMC) or a Common Mark Certificate (CMC); Apple Mail requires a VMC, and Gmail's blue verified checkmark requires a VMC.
Common XML report errors
Most DMARC aggregate reports parse cleanly, but a handful of receiver-specific quirks trip up parsers. This is what each error usually means and whether it's safe to skip.
Ramp to p=reject
Going from p=none to p=reject in one step will bounce real customer mail. The right ramp is observe, fix gaps, escalate gradually. Typically 6-12 weeks for a domain with multiple senders.
Microsoft 365 gotchas
Microsoft 365 DMARC setup is mostly mechanical, but four specific behaviours trip up almost every tenant: SPF include depth, custom-domain DKIM, the legacy MX rewriting, and Exchange Online's group-message handling.
Google Workspace gotchas
Google Workspace DKIM is opt-in per domain. Until you turn it on, every message is signed only with d=google.com, which never aligns with your From. Most other gotchas come from the SPF include and from Groups.
SendGrid gotchas
SendGrid sends from sendgrid.net IPs by default and signs with d=sendgrid.net. Neither aligns with your From. You need to set up Domain Authentication so SendGrid signs with d=yourdomain via CNAME-delegated DKIM.
Mailchimp gotchas
Mailchimp's DKIM setup is CNAME-only. You publish two CNAMEs at k1._domainkey and k2._domainkey and Mailchimp signs with d=yourdomain. SPF is NOT required if DKIM aligns; in fact Mailchimp's docs recommend skipping the SPF include.
Postmark gotchas
Postmark gives you DKIM CNAME delegation and a Return-Path CNAME so both DKIM and envelope-from align with your domain. It's one of the cleanest ESP setups. Most issues come from the optional SPF step.
Resend gotchas
Resend uses a per-domain MX + TXT + DKIM CNAME pattern under a sending subdomain (default: send.yourdomain). Both SPF and DKIM must be set up for DMARC to align cleanly.
DMARC, SPF, DKIM setup
Walkthrough for publishing DMARC, SPF, and DKIM on a domain. Covers record syntax, common ESP setups, and verification.
DMARC rollout playbook
How to safely move from p=none to p=reject without breaking real mail. The 6-12 week ramp every domain should follow.
Report registrar abuse
Find the right abuse contact, write a takedown report registrars will act on, and escalate if they don't.
Report a phishing site
Filing with Google Safe Browsing, Microsoft SmartScreen, Cloudflare, hosting providers, and CDNs to get a phishing site offline fast.
UDRP complaint
When abuse reports fail, UDRP is the trademark-based path to transfer a malicious domain to you. The full filing walkthrough.
Defensive registration
Which lookalike domains are worth registering yourself, which to monitor, and the budget every brand needs for proactive coverage.
Confidence levels
What each alert confidence band (registered, suspected, likely, confirmed) means, what signals drive it, and how to triage.
Typosquatting: The Cheapest Attack That Still Works
Attackers register domains that look almost identical to yours, then use them to steal credentials from your customers. It takes less than a minute to set up, and most businesses never find out until the damage is done.
How to Detect Phishing Using Certificate Transparency (CT) Logs
Monitor CT logs to catch phishing domains the moment their SSL certificates are issued, hours before the phishing site goes live. Free queries, a monitoring setup, and triage steps.
How to Tell a Real Phishing Threat From a Harmless Lookalike
A registered lookalike domain is not the same as an active phishing site. Understanding the signals that separate real threats from noise is critical to an effective response.
How DNS Works and How Attackers Use It Against You
DNS is the system that translates domain names into addresses your computer can find. It is also one of the most exploited layers in phishing attacks. This article explains both, starting with the basics.
How to Check if an Email Is DKIM Signed (and Why It Matters)
DKIM is one of the three pillars of email authentication, but most people have never opened a raw email to verify a signature. Here is exactly how to check, what the result actually means, and how phishers exploit the gaps.
How to Stop Typosquatting Domains Targeting Your Brand
There is no magic button that makes typosquats disappear. What exists is a repeatable workflow: detect early, evaluate fast, file abuse reports, and, when the domain matters, register it yourself. Here is how to run that loop in practice.
UDRP Complaint Filing: A Practical Guide for Brand Owners
UDRP is the domain-dispute process that recovers a cybersquatted domain without going to court. It is slower and more expensive than an abuse report, but it is the right tool when a registrar will not act and the squatter will not sell or remove.
Lookalike Domain Monitoring: What to Look For in a Service
Domain monitoring services range from free CLI tools to $20K/year enterprise platforms. The features that actually matter are detection coverage, signal quality, takedown workflow, and whether the alerts will wake you up for real threats without crying wolf.
NIS 2 Email Security: A Compliance Playbook
NIS 2 Article 21 mandates technical measures for secure electronic communications. Here is exactly which email-security controls map to which clauses, what evidence auditors look for, and how to produce it.
DORA Phishing Protection: A Playbook for Financial Entities
The Digital Operational Resilience Act (DORA) expects financial entities to detect and respond to impersonation and phishing attacks. Here is how to map that expectation to a concrete control program.
Fixing 'SPF PermError: Too Many DNS Lookups'
RFC 7208 caps SPF evaluation at 10 DNS lookups. Hit that limit and DMARC fails on the SPF side for every recipient. Here's how the cap is actually counted and the two-line fix.
Typosquatting vs. Combosquatting: Two Attacker Patterns You Need to Know
Typosquatting tricks people who misspell URLs. Combosquatting tricks people who think the URL looks legitimate. The detection logic for each is different. Here's how attackers use both and how monitoring catches them.
The SMB Domain Security Checklist: 5 Things to Do This Week
Domain security advice usually targets enterprises with full security teams. Here's the pragmatic version for small-to-mid-sized businesses: five things you can do this week, in order, that close 80% of the risk.
What Is DMARC Monitoring?
DMARC monitoring tracks how your domain is used to send email and whether SPF and DKIM are passing. Here is what it is, how the six email authentication protocols fit together, and what a monitoring tool does day to day.
Best DMARC Monitoring and Brand Protection Platform for SMBs: A Buyer's Guide
A practical buyer's guide to choosing DMARC monitoring and domain brand protection as an SMB: the criteria that matter, the free-tier question, and why most tools cover only half the problem.
Subdomain Takeover: The Forgotten DNS Record Attackers Exploit
You pointed blog.yourcompany.com at a third-party service, then tore the service down and left the DNS record behind. An attacker claims the now-unclaimed resource and serves their own content on your subdomain, with a valid TLS certificate.
How to Read an Email Header (SPF, DKIM, and DMARC)
The From line you see is not the address SPF actually checks. Learn to read the headers that decide whether a message is real: Return-Path, the Received hops, and the Authentication-Results that record spf, dkim, and dmarc.
Domain Health Monitoring: The Checks Attackers Count On You Ignoring
A lapsed registration, an expired certificate, a blocklist listing, missing DNSSEC, a dangling subdomain. None of these make headlines, and all of them are openings an attacker is happy you never check.
Brand Monitoring: Catching Lookalike Domains Before Your Customers Do
Attackers register domains that impersonate yours, then use them to phish your customers. Continuous brand monitoring generates the likely lookalikes, watches Certificate Transparency logs for the rest, and surfaces the ones worth acting on.
Authenticate Your Email Service Providers (SendGrid, Mailchimp) for DMARC
Your ESP passes SPF and DKIM, just for its own domain, not the one in your From line. That is unaligned, so DMARC fails even though authentication passed. The durable fix is a DKIM CNAME that lets the ESP sign as your domain.
GoDaddy default DMARC
Since April 2025 GoDaddy auto-publishes a p=quarantine DMARC record on new domains, but the reports go to GoDaddy, not you. Here is how to fix it.
Third-party senders on GoDaddy
Added an ESP and your mail is going to spam? On a GoDaddy p=quarantine domain, DMARC needs alignment. Here is how to authenticate Mailchimp, HubSpot, and Zendesk with DKIM.
Find lookalike domains
Worried about fake versions of your brand? Here is how to find lookalike and typosquat domains yourself for free, using Certificate Transparency logs and crt.sh, and what to do next.
Email-auth and DNS-security FAQ
Short definitions of the protocols people search for the most. Each links to the full explainer.
What is DMARC?
What is SPF?
What is DKIM?
What is BIMI?
What is MTA-STS?
What is TLS-RPT?
Ready to put these into practice?
PhishFence implements all of these protocols for monitored domains: continuous DMARC reporting, SPF + DKIM auditing, MTA-STS enforcement guidance, BIMI checks, and lookalike-domain monitoring on top.