CaptainDNS Blog

DNS, email authentication, AI integrations and product updates.

Technical guides, comparisons and insights on public DNS resolvers (Cloudflare, Google, Quad9), email authentication (SPF, DKIM, DMARC, BIMI, ARC) and deliverability. Learn how to configure Amazon SES, Brevo, SendGrid or Mailjet, and explore our AI integrations with ChatGPT and the MCP protocol. Whether you're a sysadmin, developer or marketing manager, find best practices here to secure your domains and optimize your email delivery.

Articles

March 2026

Diagram showing the progression of MTA-STS deployment from testing mode to enforce mode

CaptainDNS · March 10, 2026

From testing to enforce: a progressive MTA-STS deployment strategy

Testing mode monitors, enforce mode blocks. This guide details the four steps to deploy MTA-STS progressively, from the initial policy to TLS-RPT reports, through to switching to enforce.

Comparative diagram of MTA-STS and DANE protocols for email transport security

CaptainDNS · March 10, 2026

MTA-STS vs DANE: which protocol to choose for securing email transport?

MTA-STS uses HTTPS, DANE relies on DNSSEC. Both enforce mandatory TLS encryption between email servers, but they deploy differently. Complete comparison to make the right choice.

Diagram of an SMTP downgrade attack showing an attacker intercepting the STARTTLS connection between two email servers

CaptainDNS · March 9, 2026

SMTP Downgrade Attacks: How They Work and How to Defend Against Them

STARTTLS encrypts your emails, but a network attacker can strip that protection away. Learn how SMTP downgrade attacks work and what solutions block them.

CaptainDNS · March 8, 2026

BIMI Logo Not Showing: 5 Common Errors and How to Fix Them

Valid DMARC, published BIMI record, but still no logo in the inbox. This guide identifies the 5 most common causes and details what to do.

Diagram of the Microsoft 365 MX migration from mail.protection.outlook.com to mx.microsoft with DNSSEC

CaptainDNS · March 6, 2026

Microsoft 365 MX Migration to mx.microsoft: Automatic DNSSEC, Mandatory Graph API, and Action Items Before July 2026

Microsoft is changing DNS provisioning for Exchange Online domains. MX records are moving from mail.protection.outlook.com to mx.microsoft to streamline DNSSEC adoption. Here's what's changing and what you need to do.

Visual comparison of RSA 2048 and Ed25519 algorithms for DKIM signing

CaptainDNS · March 6, 2026

RSA vs Ed25519 for DKIM: which signing algorithm should you choose?

Technical comparison of RSA 2048 and Ed25519 algorithms for DKIM signing: performance, security, compatibility, and migration strategy.

Diagram showing how DKIM works: cryptographic signing and DNS verification

CaptainDNS · March 5, 2026

The Complete DKIM Guide: Understanding and Configuring Email Authentication

Everything you need to know about DKIM: how it works, step-by-step setup, key selection, integration with SPF and DMARC, and deliverability best practices.

Diagram of DKIM setup on Office 365 and Google Workspace with DNS verification steps

CaptainDNS · March 5, 2026

Setting Up DKIM on Office 365 and Google Workspace: A Practical Guide

Step-by-step guide to enable and configure DKIM on Microsoft 365 and Google Workspace. Full procedure, verification, and common error troubleshooting.

Diagram of the 6 causes of an SPF PermError with a diagnostic tree and error indicators

CaptainDNS · March 4, 2026

SPF PermError: the complete guide to understanding, diagnosing and fixing this error

Diagnose and fix SPF PermError: the 6 causes, the impact on DMARC and the methods to repair your SPF record.

SPF Flattening vs SPF Macros comparison with workflow diagrams and decision matrix

CaptainDNS · March 3, 2026

SPF Flattening vs SPF Macros: Which Approach Should You Choose to Stay Within the 10 Lookup Limit?

Detailed comparison of SPF flattening and SPF macros: how they work, advantages, disadvantages, and a decision matrix to help you choose the right approach.