Freddie Leeman - URIports Blog

Freddie Leeman

Geek, dad, entrepreneur, security enthusiast.

DMARCbis Replaces the PSL with DNS Tree Walk: What's the Difference?

DMARCbis Replaces the PSL with DNS Tree Walk: What's the Difference?

A central concept in DMARC is the Organizational Domain. It plays two key roles: 1. It defines the fallback domain used to look up a DMARC policy when no DMARC record is found at the exact domain from the "From" header. 2. It provides the domain against which

Email Authentication Sender Requirements 2025

Email Authentication Sender Requirements 2025

Major mailbox providers Google, Yahoo, and Microsoft have raised the bar on email authentication to improve inbox security and reduce spam. If you send email in bulk (especially over 5000 messages a day), these changes likely affect you. Senders Sending < 5k Emails/Day Requirement Status SPF / DKIM SPF or

MTA-STS Survey Update 2025: Adoption Trends One Year Later

MTA-STS Survey Update 2025: Adoption Trends One Year Later

Last year, we published our inaugural MTA-STS adoption survey, tracking how many domains in the top 1 million had implemented Mail Transfer Agent Strict Transport Security (MTA-STS). One year later, it’s time to revisit the data and see how the landscape has changed. Summary of Changes (April 2024 → April

Potential Permissions Policy violation Reports

Potential Permissions Policy violation Reports

URIports now supports potential-permissions-policy-violation reports, helping detect iframe permission conflicts before features are used. This improves security monitoring, prevents misconfigurations, and strengthens policy enforcement. Stay ahead of potential risks with better visibility.

Follow-Up on Security.txt Adoption: Progress and Pitfalls in 2025

Follow-Up on Security.txt Adoption: Progress and Pitfalls in 2025

Since the introduction of RFC9116 in 2022, the security.txt initiative has continued to evolve, aiming to simplify security vulnerability reporting and encourage widespread adoption. The goal remains clear: provide a standardized way for security researchers to report vulnerabilities by placing a text file in the /.well-known/ folder of a

BIMI: Updated Analysis of the Top 1 Million Domains

BIMI: Updated Analysis of the Top 1 Million Domains

In May 2024, I analyzed the top 1 million domains for BIMI (Brand Indicators for Message Identification) compliance, revealing adoption rates, errors, and trends. Now, with updated data, I revisit this analysis to explore changes in BIMI adoption and implementation quality. This follow-up highlights progress, persistent issues, and new challenges

The Ultimate SPF / DKIM / DMARC Best Practices 2025

The Ultimate SPF / DKIM / DMARC Best Practices 2025

Reduce spoofing and phishing, build and maintain a solid reputation, and increase email deliverability with SPF, DKIM, and DMARC.

Powerful CSP Reporting with URIports' JavaScript CSP Report Handler

Powerful CSP Reporting with URIports' JavaScript CSP Report Handler

Content Security Policy (CSP) reporting can be a powerful tool for improving your web application's security posture. However, implementing it can be challenging—particularly when you're unable to modify HTTP response headers directly. Today, we're thrilled to announce a new JavaScript repository that makes

DKIM 'temperror' result in Outlook.com DMARC Reports

DKIM 'temperror' result in Outlook.com DMARC Reports

Introduction In recent years, email administrators have been encountering unusually high rates of DKIM authentication failures in DMARC reports from Microsoft's Outlook.com. These failures are labeled temperror and signify temporary DNS lookup issues, which Microsoft has acknowledged and is working to resolve. In this post, we’ll

Microsoft's TLS-RPT Implementation and Its Impact on Email Security

Microsoft's TLS-RPT Implementation and Its Impact on Email Security

Email security is a critical concern for organizations worldwide, with protocols like DANE (DNS-based Authentication of Named Entities) and MTA-STS (SMTP Mail Transfer Agent Strict Transport Security) playing pivotal roles in safeguarding email communications. These protocols help enforce security measures that prevent man-in-the-middle attacks and ensure email transport is conducted

BIMI: An Analysis of the Top 1 Million Domains

BIMI: An Analysis of the Top 1 Million Domains

After developing an RFC-compliant validator for BIMI (Brand Indicators for Message Identification), I conducted a comprehensive analysis of the top 1 million domains to evaluate their BIMI setup. The findings highlight significant insights and common errors in BIMI implementations across these domains. Summary of Findings Out of the top 1

Security.txt Adoption and Frequent Implementation Mistakes

Security.txt Adoption and Frequent Implementation Mistakes

In April 2022, an effort was made to enhance cybersecurity by introducing RFC9116. This standard introduces a well-organized file format, simplifying security vulnerability reporting by placing a text file in the /.well-known/ folder of a domain. The goal? To tackle a pervasive issue: the difficulty security researchers face in finding

Demystifying DMARC Alignment

Demystifying DMARC Alignment

Introduction A common challenge for those delving into email security is grasping the concept of alignment in SPF and DKIM. This blog sheds light on what alignment entails and its critical role in ensuring successful DMARC validation. Authenticated Identifiers Upon receiving an email, the receiving server validates SPF using the

MTA-STS Survey 2024: Adoption Rates and Common Pitfalls

MTA-STS Survey 2024: Adoption Rates and Common Pitfalls

MTA-STS, Google's alternative to DANE, which relies on HTTPS instead of DNSSEC to thwart Man-in-the-Middle downgrade attacks on the opportunistic encryption of SMTP traffic, was introduced over five years ago. We've conducted a comprehensive survey among the top 1 million domains to assess the adoption rate

New in Chrome 120: Permissions Policy Violation Reports

New in Chrome 120: Permissions Policy Violation Reports

Google Chrome version 120 now supports Permissions Policy Violation Reports. This feature leverages the Permissions Policy API and Reporting API integration, enhancing developers' control over browser functionalities on their web pages. The Permissions Policy API is a powerful tool that allows developers to specify which features and capabilities are

SPF Macros: Overcoming the 10 DNS Lookup Limit

SPF Macros: Overcoming the 10 DNS Lookup Limit

If your domain relies heavily on third-party services to send emails on its behalf, you could encounter the DNS lookup limit outlined in section 4.6.4 of RFC7208, resulting in an SPF permerror. Without a correct DKIM configuration, emails may not pass DMARC checks, potentially leading to blocking or

DKIM Ed25519-SHA256 adoption

DKIM Ed25519-SHA256 adoption

In this blog, we will delve into the significance of these RFCs, their recommendations, and the current state of email providers' support for Ed25519-SHA256.

The end of Expect-CT

The end of Expect-CT

With the release of the latest Google Chrome browser (105) at the end of August 2022, the Expect-CT header has officially been deprecated and will be removed in version 107.

Eight years of Sender Policy Framework (SPF)

Eight years of Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is used to authenticate senders of email. Receiving servers use SPF to verify if the message source IP is authorized to send on behalf of the HELO or MAIL FROM domain. History The first draft [https://datatracker.ietf.org/doc/html/draft-schlitt-spf-classic-00] of the Sender Policy

Hosted MTA-STS by URIports

Hosted MTA-STS by URIports

Publish an MTA-STS policy by adding just two CNAME records to your domain's DNS. URIports will publish an RFC-compliant MTA-STS policy using the latest best practices and periodically validate your policy and email setup.

Introduction to SPF, DKIM, and DMARC

Introduction to SPF, DKIM, and DMARC

For those of you that are new to the email security subject, you've probably heard about SPF, DKIM, and DMARC. But what are they, and how do they relate to each other? Prefer listening over reading? Check out our podcast that breaks down everything you need to know

Reporting API v1 is here!

Reporting API v1 is here!

A new version of the Reporting API [https://web.dev/reporting-api/] has been released that hopefully will get supported across more browsers. The legacy Reporting API (v0) is currently only supported by Chrome and Edge browsers. If you have already implemented the Reporting API v0, you can migrate to the

DMARC External Destinations verification

The aggregate (rua) and failure (ruf) report destinations can be specified within the domain's DMARC policy. And while it is possible to specify a destination on a different organizational domain, the receiving domain must expressly indicate that reports for other domains are welcome. The absence of this record

Why use URIports for your DMARC monitoring?

Why use URIports for your DMARC monitoring?

DMARC, SPF, and DKIM have been around for more than eight years now. Every day, more domains adopt this mechanism to increase email deliverability and protect against email spoofing and phishing attacks. The "R" in DMARC stands for Reporting, and it is one of the great features of

Single Sign-On (SSO)

URIports supports Single Sign-On (SSO) using OpenID Connect (OIDC) for Mountain and Himalaya subscriptions. SSO speeds up access to your account by allowing you to log in with your existing company or Identity-As-A-Service (IDaaS) credentials, meaning fewer passwords to keep track of and easy user management. We've written