Education
SPF and DMARC stop criminals from sending email as you. MTA-STS stops attackers from intercepting email sent to you. They defend different things, and you need all three. Here’s what each one actually protects against — and why MTA-STS, the one almost nobody has enabled, is the obvious next step.
Read more “Lock Down Your Email: SPF and DMARC as the Baseline — Then Turn On MTA-STS”
Leadership
Most organizations treat email authentication as a checkbox exercise. Deploy SPF, publish DMARC in reporting mode, call it done. But the real story isn’t about maturity tiers—it’s about what you unlock at each phase of implementation. And frankly, the gap between where organizations are and where they need to be is brutal.
This post outlines an enablement journey: each phase builds on the previous one and creates new capabilities that weren’t possible before.
Read more “Email Security: An Enablement Journey, Not a Maturity Ladder”
Research
A position snapshot of the full Majestic Million across three layers — DNSSEC signing, email authentication (SPF / DMARC / MTA-STS), and DANE. This is the scorecard: what is deployed, on how many domains, and how it’s distributed by rank and TLD. Remember Majestic Million is a bit old so a chunk of the domains no longer resolve, but the data gives a good thematic view.
Read more “The State of DNS Security — Where the Top Million Stands: DNSSEC, Email Authentication & DANE by the Numbers”
Research
Ok, this is a topic I’ve looked at for years, my views have been built up based on a range of things from the theory, the reality of what I find/see and the incidents I respond to and hear about.
I’ve used Claude largely for this because it’s meant as a quick snapshot in time and a high level thematic view. SPF, DMARC, MTA-STS and DNSSEC (and DNS/Domain management in general) are complex topics and there’s lots of nuance in things.
That said, who wants to see what ‘scanning’ 1 million domains looks like? Let’s take a look at what Claude has come up with:
Read more “Email and Domain Security”
Leadership
‘You are totally compromised!’ because you don’t have DNSSEC configured on domain…..
The implication is that you’re one packet away from catastrophe. It’s alarming. It’s also, for the overwhelming majority of organisations, not true. I have been talking about this for years and years!
Here’s the quickest way to see through it. I scanned the Majestic Million – the top one million domains on the internet – for DNSSEC. About 6.75% were signed (around 8.2% if you only count domains that actually resolve). The .com zone, which is half the list, sits at 4.6%. And the unsigned set includes google.com, amazon.com and microsoft.com.
So if “no DNSSEC” means “totally compromised,” then the three most-attacked, best-defended companies on the planet are totally compromised, and have been for years, on purpose. They aren’t. The finding is measuring conformance to a checklist, not risk. Let’s understand why this is!
Read more “DNSSEC”
Cybercrime
When we look at ‘sextortion’ and ’email based extortion’ tactics used by threat actors we see a common pattern, one that leverages shame & fear. I’ve worked with some victims of this and it’s really not nice for them, the impacts are not just financial, they are emotional and sometimes more. It’s fortunately (for me) don’t however deal with this in volume, however I wanted to highlight something, the similarities between extortion and what I would describe as ‘Security Scanning’ shame scamming. Now you might think, that’s a massive leap… but bear with me, I’ve been looking at this (CTI/OSINT) plus working with ‘victims’ for years…
I’ll be posting about some research I’ve done on DNSSEC shortly too, I’ve kind of figured this topic was over years ago, but it’s recently come back on my radar, you know sometimes ‘duty calls’. But let’s look at shame based extortion patterns for now:
Read more “Using shame to enable extortion”
Education
DNSSEC (Domain Name System Security Extensions) has been around since the mid-2000s and technically works well: it cryptographically signs DNS records so resolvers can verify that the answer they got really came from the authoritative server and wasn’t tampered with. Despite that, adoption and real-world deployment remain surprisingly low outside a few countries (notably .se, .nl, .cz and some others). Here’s why it never took off broadly, and why the rise of DNS over HTTPS (DoH) has made many people conclude that pushing DNSSEC further isn’t worth the effort anymore.
Read more “All your DNSSEC base are belong to us”
Threat Intel
https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
Ok read all that good. What we are talking about here is signing a DNS zone to “assure” that the client is getting DNS responses from the right ZONE data. DNSSEC does not encrypt the conversation between DNS client and DNS server. It does enable the client to be able to check if the data it gets back is valid. In short what we are doing is validating that the “data” being returned is authorized and not tampered with.
Read more “DNSSEC – why not having a signed zone is almost never going to lead to you getting pwn3d”