All Guides

Reference guides, how-tos, and deep dives on DNS, TLS, IP, and email security.

Email Security

Email Authentication: SPF, DKIM, and DMARC — How the three email authentication protocols work together, why they matter, and how to debug delivery failures.
How to Diagnose Email Deliverability Problems — A systematic approach to finding why your email lands in spam or gets rejected.
MTA-STS: Enforcing Encrypted Email Transport — How MTA-STS prevents downgrade attacks on SMTP and how to publish and verify the policy.
DKIM Deep Dive: Keys, Selectors, and Rotation — RSA vs Ed25519 key types, selector naming conventions, key rotation strategy, and testing with dig.
BIMI: Brand Indicators for Message Identification — How BIMI displays your brand logo in email clients, VMC requirements, and SVG Tiny PS constraints.
TLS-RPT: SMTP TLS Reporting — RFC 8460 overview, DNS record format, setting up reporting endpoints, and interpreting JSON reports.
DNS Blocklists (DNSBL): How They Work — How reverse-IP lookups work, major blocklists, checking reputation manually, and the delisting process.

TLS Certificate Chain Explained — What leaf, intermediate, and root certificates are, how chain validation works, and why incomplete chains break things.
HSTS Preloading: A Practical Guide — How HTTP Strict Transport Security works, how to configure it correctly, and what preloading means for your domain.
Understanding Certificate Transparency — How CT logs work, what SCTs are, and how to monitor for unauthorized certificates issued for your domain.
Let's Encrypt vs Commercial CAs — When free automated certificates are the right choice and when a commercial CA still makes sense.
Understanding Multi-IP TLS Consistency — Why CDN and load-balanced deployments can serve different certificates and how to detect mismatches.
TLS Protocol and Cipher Suite Guide — TLS version negotiation, forward secrecy, and AEAD cipher suites explained.
Encrypted Client Hello (ECH) — How ECH hides the hostname from network observers and how to enable it via HTTPS DNS records.
Certificate Management: Expiry, Lifetime, SAN, AIA — Monitoring certificate expiry windows, understanding lifetime limits, validating SAN lists, and checking AIA reachability.

Security Headers Overview — X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and the baseline header set every site needs.
Content Security Policy (CSP): A Complete Guide — Directives reference, common mistakes with unsafe-inline and unsafe-eval, report-uri vs report-to, and CSP levels.
Cross-Origin Resource Sharing (CORS) Explained — Same-origin policy, preflight flow, credentialed requests, wildcard pitfalls, and common misconfigurations.
Cookie Security: Flags, Prefixes, and Best Practices — Secure, HttpOnly, SameSite attributes, __Host- and __Secure- prefixes, and session hardening.
HTTP Redirects and HTTPS Upgrade — 301 vs 302 vs 307 vs 308 semantics, redirect chain costs, and HSTS interaction.

DNS Record Types Reference — A practical reference covering A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, CAA, TLSA, and more.
DNSSEC: How to Enable and Verify It — How DNSSEC signs DNS responses, how to enable it, and how to verify the chain of trust is intact.
How to Check DNS Propagation — Why DNS changes take time, how TTLs work, and how to verify propagation across resolvers.
CAA Records: Locking Down Certificate Issuance — How CAA records restrict which CAs can issue certificates for your domain and how to configure them.
DNS Lame Delegation: What It Is and How to Fix It — What causes lame delegations, why they break resolution, and how to diagnose and fix them.

What Your IP Address Reveals — Geolocation, ASN, network classification, and how IP reputation systems categorise cloud, VPN, Tor, and residential addresses.
What Is an ASN and Why Does It Matter? — How autonomous system numbers work, what they reveal about IP ownership, and how routing policy is published.
VPN Leak Detection: What Your IP Reveals — How DNS, WebRTC, and IPv6 leaks expose your real location and how to check for them.

How to Audit Your Domain Security in 5 Minutes — A step-by-step walkthrough of DNS, TLS, and IP health checks you can run right now to find issues before they become incidents.
DANE/TLSA: Binding Certificates to DNS — How DANE uses TLSA records in DNS to pin certificates, and how to verify DANE is configured correctly.
A Suspicious Domain Investigation Checklist — A systematic checklist for investigating an unfamiliar or potentially malicious domain using DNS, TLS, and IP data.