The Email Security Geek

Ramblings, guides and more about email security

So you've got a bounce... now what?

One of the questions I constantly see being asked in deliverability resource groups is "What does this bounce mean?", followed by the text of the bounce. While bounces come in all shapes, sizes and forms, and some are more useful than others, this guide will try to help you troubleshoot them before you ask for help. Let's start with the basics: what is a bounce and why do they happen? A bounce occurs when a sent email message can't be successfully delivered to the intended recipient. Bounces are cl...
Read post

Using dnscontrol with 1Password CLI

This is Part 2 on how to get the most out of dnscontrol. You can read Part 1 here, on how to use dnscontrol with GitHub Actions. After Benny showed me dnscontrol, I shared it with a group of like-minded friends. One of those friends was Jack. Being the tinkerer that he is, he started thinking about how he could integrate 1Password into dnscontrol so that secrets don't have to be hard-coded in plain text. You can read about his journey on the 1Password blog. This guide is based on Jack's findings of how ...
Read post

Managing DNS records with dnscontrol and GitHub Actions

This article was updated in December 2024 to switch to a more up-to-date GitHub Action package. Like any respectable tech geek, I have dozens of domains spread across multiple registrars and DNS hosts. A few weeks ago, I asked a group of friends which DNS hosting platform they were using lately. My friend Benni mentioned that he was using dnscontrol and that he only used providers that were compatible with it. Curious, I dug in to see what it was all about; little did I know this tool would chang...
Read post

Setting up WKD for automated key fetching

Web Key Directory (WKD) allows hosting of public PGP keys without maintaining a Web Key Server (WKS). This way, compatible services can automatically fetch a recipient's public PGP key and seamlessly encrypt messages without needing to ask the recipient for their key beforehand. Requirements: Like with an MTA-STS policy, you will need a web hosting plan or a web server on which to host the keys. It is possible to use GitHub Pages, using a setup similar to the one I wrote about for MTA-STS. Alte...
Read post

Hosting your MTA-STS policy using GitHub Pages

Part of deploying MTA-STS is having access to a web server that is secured by SSL/TLS. If you don't currently have access to one, it becomes a roadblock in the deployment process. This article will show you how to use GitHub Pages to host the MTA-STS policy if you don't have a web server available. Note: This article will use the deployment steps described in my earlier article about deploying MTA-STS. If you want to learn more about what MTA-STS is, read that article first. Setting up GitHub: To st...
Read post

Configuring MTA-STS and SMTP TLS-RPT

MTA-STS (Mail Transfer Agent Strict Transport Security) is a standard (defined in RFC 8461) that aims to improve the security of SMTP by enabling domains to opt into a mode that requires authentication with valid public certificates and encryption (TLS). MTA-STS forces a TLS connection, preventing suppression of the STARTTLS upgrade, and defines what the MX records for a domain should be, thereby preventing a malicious party from intercepting DNS queries to redirect mail to another MX host. Much...
Read post