Security Articles | CaptainDNS Blog

February 2026

TLS-RPT: monitoring TLS encryption failures in email delivery

CaptainDNS · February 10, 2026

TLS-RPT: The Complete Guide to Monitoring Email TLS Security

TLS-RPT (RFC 8460) lets you receive reports on TLS encryption failures in your email delivery. Learn how to configure it, read reports, and take action.

MTA-STS troubleshooting: diagnosing and resolving common errors

CaptainDNS · February 9, 2026

MTA-STS Not Working? Complete Troubleshooting Guide

Your MTA-STS policy is unreachable, the TLS certificate is rejected, or enforce mode is blocking emails? This troubleshooting guide covers common errors and their solutions.

MTA-STS: securing email transport with mandatory TLS encryption

CaptainDNS · February 6, 2026

MTA-STS: the complete guide to securing your email transport

MTA-STS (RFC 8461) enforces TLS encryption for incoming emails. Learn how to configure it, choose between testing and enforce modes, and validate your deployment.

Delisting guide: how to remove an IP from email blacklists

CaptainDNS · February 3, 2026

How to Remove Your IP from a Blacklist: The Complete Delisting Guide

Is your IP on a blacklist and your emails getting rejected? This guide details the delisting procedures for each major blacklist, including processing times and best practices to avoid getting listed again.

CaptainDNS · February 2, 2026

6 Scenarios to Anticipate Before Applying for a .brand

Lost auction, 5-year abandonment, migration failure: anticipate the risks of an ICANN 2026 gTLD application with detailed contingency plans.

January 2026

CaptainDNS · January 28, 2026

.brand TLD: why major brands create their own domain extension

From .dvag (10,562 domains) to .ferrari, .zara, and .google: discover why 494 global companies have invested in their own .brand TLD.

Illustration: Surfshark DNS (public DNS resolver) with IPv4/IPv6 endpoints, DoH, and deployment options.

CaptainDNS · January 9, 2026

Surfshark DNS: how it works, benefits, and setup

Surfshark DNS is a free public DNS resolver (IPv4/IPv6, DoH) focused on privacy. Here's when to use it, how to configure it, and what to check.

Illustration: DNS4EU, European DNS resolver with Protective/Child/NoAds variants and encrypted DNS DoH/DoT.

CaptainDNS · January 7, 2026

DNS4EU: the European DNS resolver (DoH/DoT), profiles and setup

DNS4EU is a European public DNS with 5 variants (security, kids, ad blocking, neutral) and IPv4/IPv6 + DoH/DoT addresses. Deployment and verification guide.

Illustration: Gmail address change with alias and account retention

CaptainDNS · January 6, 2026

Change your Gmail address: an option rolling out at Google

Google documents a long-awaited feature: replace your @gmail.com while keeping your account, emails, and services. Here's how to prepare.

December 2025

Illustration: NextDNS, a customizable DNS resolver (DoH/DoT), filtering and profiles.

CaptainDNS · December 26, 2025

NextDNS DNS: how it works, benefits, and setup

NextDNS is a customizable DNS resolver: DoH/DoT encryption, filtering, profiles, and logs. Here’s how to deploy it cleanly at home or in an SMB.

Illustration: 1.1.1.1 (Cloudflare), a public DNS resolver with DoH/DoT/ODoH options and a privacy focus

CaptainDNS · December 23, 2025

Cloudflare DNS (1.1.1.1): privacy, DoH/DoT, deployment

1.1.1.1 is Cloudflare's public DNS resolver. Here's how to use it properly (addresses, DoH/DoT/ODoH, tests, pitfalls) and deploy it.

Illustration: Quad9 (9.9.9.9), a secure DNS resolver with filtering and encrypted transports (DoT/DoH).

CaptainDNS · December 19, 2025

Quad9 DNS (9.9.9.9): how it works, benefits, alternatives

Quad9 (9.9.9.9) is a public DNS resolver focused on security and privacy: malware blocking, DNSSEC validation, and encrypted DoT/DoH options. Here's how to deploy it properly.

CaptainDNS · December 16, 2025

BIMI, VMC, CMC: compatibility and DNS prerequisites (Gmail, Yahoo, Apple Mail)

Putting your logo in the inbox: what you actually need to configure in DNS for BIMI, and how to choose between VMC and CMC.

Diagram showing Gmail stopping POP fetching from external accounts in 2026

CaptainDNS · December 5, 2025

Gmail ends POP fetching from other accounts in 2026: impact and action plan

Starting January 2026, Gmail will no longer continuously fetch messages from external mailboxes via POP ("Check mail from other accounts"). Impacts, timeline, and alternatives for Gmail and Google Workspace users and admins.

Diagram comparing DoH3, DoQ and DoT in a modern DNS architecture

CaptainDNS · December 1, 2025

DoH3, DoQ and DoT: everything changing by late 2025

Panorama of encrypted DNS transports at the end of 2025: performance, network impact, security, and an action plan for infra teams.

November 2025

BIMI October 2025: lps=, ABNF, SVG/SVGZ formats and headers

CaptainDNS · November 13, 2025

BIMI Draft -11 dated 9 October 2025: what's changing and how to prepare

Revision -11 formalizes Local-Part Selectors (lps=), clarifies the discovery path, reaffirms SVG/SVGZ logos and reiterates DMARC and header requirements.

DKIM2: What's new, removals, timeline and impact

CaptainDNS · November 3, 2025

DKIM2: what's new, what's changing and key dates

Everything you need to know about DKIM2 at the end of 2025: principles, new headers, coexistence with DKIM/DMARC, the IETF draft timeline and a readiness plan.

October 2025

CaptainDNS · October 29, 2025

DMARCbis: every change (and how to get ready)

DMARCbis replaces RFC 7489, drops the PSL in favor of a DNS Tree Walk, adds 'psd', 'np' and 't', removes 'pct', 'ri' and 'rf', and splits reporting into two documents. Here's what it means...

What Is ARC (Authenticated Received Chain)?

CaptainDNS · October 23, 2025

ARC: keeping trust in an email as it crosses intermediaries

ARC (Authenticated Received Chain) lets every relay forward, sign, and seal the authentication results it observed so the final server can decide whether to trust the message.