Field notes · email authentication

The things that quietly break your domain — and how to fix them.

Practical notes from the people who built DMARC Guardian. Real failure modes from real reports — written for the operator on call at 22:47, not the analyst writing a whitepaper. No fluff, no RFCs cited unless they actually help.

10 articles · Roughly one per week

All notes

Newest first
MAY 25 · 2026 Monday 9 min

SPF passes, DMARC fails: the alignment trap every DevOps engineer hits

You added SendGrid or Amazon SES, SPF is passing, but DMARC reports still show failures. This is the alignment problem — and it's not a bug in your SPF record. Here's what's actually happening and how to fix it.

dmarc · spf
MAY 25 · 2026 Monday 7 min

Your DMARC is set to reject — but attackers are phishing from your subdomains

You locked down your root domain with DMARC p=reject. But mail.yourdomain.com, helpdesk.yourdomain.com, and every other subdomain might still be wide open. Here is the sp= tag you've never heard of, and why skipping it is the most common DMARC blind spot in 2026.

dmarc · subdomain
MAY 22 · 2026 Friday 2 min

Reading DMARC aggregate reports without drowning in XML

How aggregate (RUA) reports differ from forensic (RUF) data and what operators should focus on first.

dmarc · reports
MAY 18 · 2026 Monday 8 min

DKIM key rotation: the security step most admins skip after setup

You configured DKIM once and it's been "working" ever since. But DKIM private keys age out, leak, and get compromised — and most teams have no rotation process in place. Here's what the risk looks like and how to fix it before it matters.

dkim · security
MAY 17 · 2026 Sunday 6 min

SPF permerror: why adding one SaaS tool breaks your email authentication

Your SPF record hit the 10-lookup limit and now DMARC reports show permerror for a growing chunk of your mail. Here is exactly what happened and how to fix it without breaking the senders you already have.

spf · saas · flattening
APR 20 · 2026 Monday 7 min

Moving from DMARC p=none to p=reject without killing legitimate email

A step-by-step guide for DevOps engineers and solo admins who set up DMARC monitoring months ago and still haven't enforced it — and why that matters.

dmarc · enforcement
APR 18 · 2026 Saturday 1 min

Welcome to the DMARC Guardian blog

Notes on email authentication, deliverability, and how we ship DMARC Guardian.

meta
APR 11 · 2026 Saturday 5 min

My emails kept landing in spam — here's what I found out (no tech background needed)

A plain-English walkthrough for non-technical founders whose customer emails disappear into spam folders. No acronyms until explained.

deliverability · for non-technical founders
APR 04 · 2026 Saturday 5 min

SPF + DKIM + DMARC — the bootstrap for startups

A practical checklist for DevOps engineers and solo admins who need email authentication done right without drowning in RFC specs.

spf · dkim · dmarc
MAR 28 · 2026 Saturday 4 min

Why your transactional emails land in spam — and how to fix it

If your onboarding emails, password resets, or invoices keep hitting spam folders, SPF, DKIM, and DMARC misconfiguration is the likely cause. Here's how to diagnose and fix it without reading an RFC.

deliverability · spf · dkim
