Author: Brad Slavin

Advanced

What are the best practices illustrated by an SPF record example to avoid DNS lookup limits?

ByBrad Slavin March 9, 2026March 9, 2026 Reading Time: 10 minutes

The best practices to avoid SPF DNS lookup limits are to use only necessary lookup‑triggering mechanisms, prefer ip4/ip6 literals and CIDR ranges, apply TTL‑aware SPF flattening (automated where possible), consolidate via the redirect modifier, segment senders onto subdomains, continuously monitor lookup counts, and stage changes carefully—illustrated below with example SPF records and operational patterns. SPF…

Read More What are the best practices illustrated by an SPF record example to avoid DNS lookup limits?
Intermediate

NCSC is retiring Web Check and Mail Check: Here’s what it means for security teams

ByBrad Slavin March 6, 2026March 6, 2026 Reading Time: 5 minutes

Back in 2017, when the web wasn’t as structured as it is today from a security standpoint, many organizations didn’t have the right tools to analyze the security posture of their domains and websites. That’s when the UK government introduced Mail Check and Web Check as part of its Active Cyber Defence programme. These tools…

Read More NCSC is retiring Web Check and Mail Check: Here’s what it means for security teams
Intermediate

How can I interpret the results of an SPF lookup to find configuration errors?

ByBrad Slavin March 6, 2026March 9, 2026 Reading Time: 11 minutes

You can interpret SPF lookup results to find configuration errors by parsing the record’s mechanisms and qualifiers in order, comparing them to the connecting IP and envelope domain, mapping the resulting status (pass, fail, softfail, neutral, permerror, temperror) to likely delivery behavior, and then tracing the DNS resolution path (includes, redirects, lookups) for syntax mistakes,…

Read More How can I interpret the results of an SPF lookup to find configuration errors?
Intermediate

Avoid Email Spoofing with Sender Policy Framework Office 365 Configuration

ByBrad Slavin March 5, 2026March 5, 2026 Reading Time: 9 minutes

To avoid email spoofing with Sender Policy Framework (SPF) in Office 365, publish a correct SPF TXT record (typically v=spf1 include:spf.protection.outlook.com -all), add vetted third-party includes, enable DKIM and DMARC, continuously validate, and manage complexity and lookups with a purpose-built tool like AutoSPF. Office 365 (Microsoft 365) uses Exchange Online Protection (EOP) to authenticate inbound…

Read More Avoid Email Spoofing with Sender Policy Framework Office 365 Configuration
Intermediate

How To Set Up SPF For Avanan: Here’s What You Should Know

ByBrad Slavin March 5, 2026March 5, 2026 Reading Time: 6 minutes

It’s 2026, and companies no longer use traditional on-premise email servers; they have now moved to cloud platforms like Microsoft 365 and Google Workspace. This means that the conventional ways of protecting emails at the network boundary also don’t work anymore. To ensure that their emails are secure despite this, organizations have now shifted to…

Read More How To Set Up SPF For Avanan: Here’s What You Should Know
Advanced

Advanced SPF Record Testing: Protect Your Domain from Permerror Issues

ByBrad Slavin March 3, 2026March 3, 2026 Reading Time: 12 minutes

To protect your domain from SPF permerror issues, enforce strict syntax validation, cap DNS lookups to 10 with include minimization and judicious flattening/redirect, run CI/CD tests that simulate DNS failures and malformed tokens, monitor lookup counts and transient DNS behavior in production, and use AutoSPF to automate detection, dynamic flattening, alerting, and safe rollouts. SPF…

Read More Advanced SPF Record Testing: Protect Your Domain from Permerror Issues
Foundational

SPF Lookup in 2026: Best Practices for Secure Email Authentication

ByBrad Slavin March 2, 2026March 2, 2026 Reading Time: 11 minutes

In 2026, the best practices for secure SPF lookups are to keep SPF within the 10-DNS-lookup limit by optimizing and (selectively) flattening includes, prefer explicit ip4/ip6 over a/mx/ptr/exists, avoid ptr entirely, design for dual‑stack (IPv4/IPv6) senders, constrain third‑party chains, rely on DKIM for DMARC alignment across forwarding (ARC/SRS where available), continuously lint and monitor with…

Read More SPF Lookup in 2026: Best Practices for Secure Email Authentication
Advanced

How should you implement DMARC as an MSP or an enterprise?

ByBrad Slavin February 27, 2026February 27, 2026 Reading Time: 6 minutes

Most guides treat DMARC deployment as a two-step process: publishing the DNS record and monitoring its performance. But this is only the starting point and not a complete implementation. In fact, for enterprises and MSPs, DMARC implementation cannot be seen as a one-and-done task. As a large enterprise, you rarely send emails from a single domain…

Read More How should you implement DMARC as an MSP or an enterprise?
Intermediate

Why Multiple SPF Records Lead to Authentication Failures

ByBrad Slavin February 27, 2026February 27, 2026 Reading Time: 10 minutes

Multiple SPF records lead to authentication failures because RFC 7208 requires exactly one “v=spf1” policy per domain, so publishing more than one causes a standards-defined PermError at evaluation time—which most receivers treat as a non-pass that can break DMARC alignment. Context and background Sender Policy Framework (SPF) is a DNS-published authorization list that lets receiving…

Read More Why Multiple SPF Records Lead to Authentication Failures
Foundational

When SPF Permerror Disrupts Delivery: Hidden Causes You’re Missing

ByBrad Slavin February 26, 2026February 26, 2026 Reading Time: 12 minutes

SPF permerror disrupts delivery when your SPF record has syntax faults (missing v=spf1, invalid qualifiers, malformed ip4/ip6 or macros), exceeds the 10-DNS-lookup budget due to include/redirect/mx/a/ptr/exists or loops, contains conflicting TXT/SPF records, suffers DNS-layer failures that cross implementation limits, relies on brittle flattening or massive IP lists, hits parser edge limits, or is misaligned with…

Read More When SPF Permerror Disrupts Delivery: Hidden Causes You’re Missing