Gmail: From Invitation-Only Experiment to the World’s Default Inbox
Gmail didn’t become the world’s default inbox by accident. This piece explores how scale, design, and ecosystem beat privacy-first ideals.
DMARC: Deciding What Happens When Email Authentication Fails
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is often described as “the thing that stops spoofing.” That’s not quite right…
DKIM: Proving a Message Wasn’t Changed — Not Who Sent It
DKIM (DomainKeys Identified Mail) doesn’t verify who sent an email. It verifies that the message hasn’t been altered since it was signed, and that a domain takes responsibility for its contents. Understanding DKIM means understanding what it proves — and what it deliberately ignores.
SPF: What It Really Proves — and Why It Fails So Often
SPF doesn’t verify who sent an email — it only confirms that a server was allowed to deliver it. That distinction explains why SPF passes during phishing, fails during forwarding, and can’t be treated as a trust signal on its own.
SPF, DKIM, and DMARC: How Email Authentication Actually Works
Email authentication relies on SPF, DKIM, and DMARC — a set of interlocking systems — but most people misunderstand what they really do, and what they don’t protect.
