Reference primers and step-by-step playbooks for email authentication, lookalike-domain protection, and takedowns. Every page PhishFence operators need, in one place.
DMARC tells receiving mail servers what to do when an inbound message claims to be from your domain but fails SPF and DKIM authentication checks.
SPF lists which servers are authorised to send email on behalf of your domain. Receivers check the inbound IP against your SPF record and accept or flag the message accordingly.
DKIM cryptographically signs every outbound message with a private key; receivers verify the signature against your public key in DNS. Survives forwarding, unlike SPF.
ARC lets a forwarder vouch for the authentication state of a message it received, so the next hop can trust the upstream verdict even when SPF and DKIM are broken by forwarding.
BIMI lets receivers display your brand logo next to authenticated messages in the inbox. Requires DMARC at p=quarantine or p=reject.
MTA-STS forces sending servers to use TLS when delivering mail to your domain, blocking downgrade attacks that would otherwise let an attacker intercept inbound mail in plaintext.
TLS-RPT asks sending servers to send you daily aggregate reports of every TLS failure they hit when delivering mail to your domain. The visibility complement to MTA-STS.
DANE pins a hash of your TLS certificate in DNS via TLSA records. Receivers can then validate the cert without trusting public Certificate Authorities. The DNSSEC chain is the trust anchor.
ARF is the standardised email format mailbox providers use to report abuse and authentication failures back to senders. The structured payload that powers DMARC's ruf= reports.
DNSSEC adds cryptographic signatures to DNS responses so resolvers can verify the data wasn't tampered with in transit. Foundation for DANE, MTA-STS, and trust in DNS-published security policies.
Alignment is the rule that decides whether an SPF or DKIM pass actually counts as a DMARC pass. Most domains that get spoofed have SPF and DKIM working but misconfigured alignment.
MTA-STS enforces TLS on inbound mail to your domain. TLS-RPT tells you when TLS fails. They solve different halves of the same problem and you publish both, but the deployment order matters.
BIMI displays your brand logo next to your email in supporting inboxes (Gmail, Apple Mail, Yahoo, AOL). It only works if your domain is at DMARC enforcement AND your logo is a properly formatted SVG Tiny PS. For Gmail and Apple Mail, you also need a Verified Mark Certificate (VMC).
Most DMARC aggregate reports parse cleanly, but a handful of receiver-specific quirks trip up parsers. This is what each error usually means and whether it's safe to skip.
Going from p=none to p=reject in one step will bounce real customer mail. The right ramp is observe, fix gaps, escalate gradually. Typically 6-12 weeks for a domain with multiple senders.
Microsoft 365 DMARC setup is mostly mechanical, but four specific behaviours trip up almost every tenant: SPF include depth, custom-domain DKIM, the legacy MX rewriting, and Exchange Online's group-message handling.
Google Workspace DKIM is opt-in per domain. Until you turn it on, every message signs only with google.com, which never aligns with your From. Most other gotchas come from the SPF include and from Groups.
SendGrid sends from sendgrid.net IPs by default and signs with d=sendgrid.net. Neither aligns with your From. You need to set up Domain Authentication so SendGrid signs with d=yourdomain via CNAME-delegated DKIM.
Mailchimp's DKIM setup is CNAME-only. You publish two CNAMEs at k1._domainkey and k2._domainkey and Mailchimp signs with d=yourdomain. SPF is NOT required if DKIM aligns; in fact Mailchimp's docs recommend skipping the SPF include.
Postmark gives you DKIM CNAME delegation and a Return-Path CNAME so both DKIM and envelope-from align with your domain. It's one of the cleanest ESP setups. Most issues come from the optional SPF step.
Resend uses a per-domain MX + TXT + DKIM CNAME pattern under a sending subdomain (default: send.yourdomain). Both SPF and DKIM must be set up for DMARC to align cleanly.
Walkthrough for publishing DMARC, SPF, and DKIM on a domain. Covers record syntax, common ESP setups, and verification.
How to safely move from p=none to p=reject without breaking real mail. The 6-12 week ramp every domain should follow.
Find the right abuse contact, write a takedown report registrars will act on, and escalate if they don't.
Filing with Google Safe Browsing, Microsoft SmartScreen, Cloudflare, hosting providers, and CDNs to get a phishing site offline fast.
When abuse reports fail, UDRP is the trademark-based path to transfer a malicious domain to you. The full filing walkthrough.
Which lookalike domains are worth registering yourself, which to monitor, and the budget every brand needs for proactive coverage.
What each alert confidence band (registered, suspected, likely, confirmed) means, what signals drive it, and how to triage.
Attackers register domains that look almost identical to yours, then use them to steal credentials from your customers. It takes less than a minute to set up, and most businesses never find out until the damage is done.
Every SSL certificate issued is recorded in a public ledger. If you know where to look, you can detect phishing infrastructure before it goes live.
A registered lookalike domain is not the same as an active phishing site. Understanding the signals that separate real threats from noise is critical to an effective response.
DNS is the system that translates domain names into addresses your computer can find. It is also one of the most exploited layers in phishing attacks. This article explains both, starting with the basics.
DKIM is one of the three pillars of email authentication, but most people have never opened a raw email to verify a signature. Here is exactly how to check, what the result actually means, and how phishers exploit the gaps.
There is no magic button that makes typosquats disappear. What exists is a repeatable workflow: detect early, evaluate fast, file abuse reports, and, when the domain matters, register it yourself. Here is how to run that loop in practice.
UDRP is the domain-dispute process that recovers a cybersquatted domain without going to court. It is slower and more expensive than an abuse report, but it is the right tool when a registrar will not act and the squatter will not sell or remove.
Domain monitoring services range from free CLI tools to $20K/year enterprise platforms. The features that actually matter are detection coverage, signal quality, takedown workflow, and whether the alerts will wake you up for real threats without crying wolf.
NIS 2 Article 21 mandates technical measures for secure electronic communications. Here is exactly which email-security controls map to which clauses, what evidence auditors look for, and how to produce it.
The Digital Operational Resilience Act (DORA) expects financial entities to detect and respond to impersonation and phishing attacks. Here is how to map that expectation to a concrete control program.
RFC 7208 caps SPF evaluation at 10 DNS lookups. Hit that limit and DMARC fails on the SPF side for every recipient. Here's how the cap actually counts and the two-line fix.
Typosquatting tricks people who misspell URLs. Combosquatting tricks people who think the URL looks legitimate. The detection logic for each is different. Here's how attackers use both and how monitoring catches them.
Domain security advice usually targets enterprises with full security teams. Here's the pragmatic version for small-to-mid-sized businesses: five things you can do this week, in order, that close 80% of the risk.
Short definitions of the protocols people search for the most. Each links to the full explainer.
PhishFence implements all of these protocols for monitored domains: continuous DMARC reporting, SPF + DKIM auditing, MTA-STS enforcement guidance, BIMI checks, and lookalike-domain monitoring on top.