Article covers the three major components of modern email domain security: DKIM for signing, SPF for sender verification, and DMARC for stricter enforcement of the other two. It is assumed the reader has a basic understanding of DNS and has experience using email with their own domain.

An illustrated guide to of how DNS over HTTPS works.

High-level introduction to DNS in the form of a comic.

How to setup DNS records to ensure that domains that do not send email cannot be used for spoofing.

Smart devices manufacturers often “hard-code” in a public DNS server, like Google’s 8.8.8.8, and their devices ignore whatever DNS server is assigned by the router. Fortunately, with a few simple firewall rules, you can intercept these hardcoded DNS queries and redirect them to your DNS resolver. These instructions are for pfSense, but can be adapted to other firewall/routers.

Example script to use the livedns API from Gandi to dynamically update subdomains with dynamic IPs.

Bitsquatting refers to the registration of a domain names one bit different than a popular domain. The name comes from typosquatting: the act of registering domain names one key press different than a popular domain. Bitsquatting frequently resolved domain names makes it possible to exploit computer hardware errors via DNS.

This paper covers how DNS works: first at a high level, then by picking apart an individual packet exchange field by field. Next, we’ll use this knowledge to see how weaknesses in common implementations can lead to cache poisoning.