<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Luke Thomas</title>
    <description>The latest articles on DEV Community by Luke Thomas (@lukethomas_tw).</description>
    <link>https://dev.to/lukethomas_tw</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3979747%2Fb5d76311-22b9-4a58-8c16-afc0a002a0ba.png</url>
      <title>DEV Community: Luke Thomas</title>
      <link>https://dev.to/lukethomas_tw</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/lukethomas_tw"/>
    <language>en</language>
    <item>
      <title>Why your email goes to spam, and how to actually fix it</title>
      <dc:creator>Luke Thomas</dc:creator>
      <pubDate>Sat, 04 Jul 2026 13:03:58 +0000</pubDate>
      <link>https://dev.to/lukethomas_tw/why-your-email-goes-to-spam-and-how-to-actually-fix-it-4oa0</link>
      <guid>https://dev.to/lukethomas_tw/why-your-email-goes-to-spam-and-how-to-actually-fix-it-4oa0</guid>
      <description>&lt;p&gt;You hit send, and the email never arrives. Or it arrives in the spam folder, and the person on the other end swears they checked. The maddening part is the silence: no bounce, no error, no explanation. Just a message that quietly did not land.&lt;/p&gt;

&lt;p&gt;I have spent more Friday afternoons than I would like chasing exactly this, and the lesson every time is the same. The reason your email goes to spam is almost never a mystery once you stop looking at the symptom and start reading what the receiving mail server actually sees. This is the process we use, in order, with a tool for each step.&lt;/p&gt;

&lt;h2&gt;
  
  
  A quick story, because it makes the point
&lt;/h2&gt;

&lt;p&gt;We build Trace Warrior, and we send our transactional email (signups, receipts, alerts) through a proper provider. Not long ago our own signup emails started vanishing. The sending dashboard cheerfully reported every one as "delivered." The inbox said otherwise.&lt;/p&gt;

&lt;p&gt;It turned out Microsoft 365 had accepted the messages at the server, which is all "delivered" means, and then quietly quarantined them as High Confidence Phishing. Quarantine is a holding area that never touches the inbox or even the junk folder, so from our side there was nothing to see. Two lessons fell out of that afternoon, and they shape everything below:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;"Delivered" is not "read."&lt;/strong&gt; It only means the receiving server accepted the handshake. What happens next is invisible from the sending side.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The reasons mail gets filtered live in your DNS records&lt;/strong&gt;, not in your outbox. You have to go and read them.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;
  
  
  The mental model: deliverability is three questions
&lt;/h2&gt;

&lt;p&gt;Almost every "why is my email going to spam" problem is one of three things, and it helps to work them in this order:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Can mail physically reach the domain?&lt;/strong&gt; That is your MX records.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Can the receiver prove the mail is really from you?&lt;/strong&gt; That is SPF, DKIM, and DMARC.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Does your sending identity have a bad reputation?&lt;/strong&gt; That is blacklists, plus content and sending behaviour.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Spam folders and silent filtering are nearly always a failure of number two or number three. Run the checks in order and the black box turns into a short, specific list of things to fix.&lt;/p&gt;

&lt;h2&gt;
  
  
  1. MX: can mail even reach you?
&lt;/h2&gt;

&lt;p&gt;Before anything else, confirm the domain's mail is pointed somewhere sane. Broken or missing MX records mean mail bounces or, worse, silently routes to the wrong place. The classic mistakes are an MX pointing at a CNAME (which some servers refuse), a host that no longer resolves, or a null MX that declares the domain does not accept mail at all.&lt;/p&gt;

&lt;p&gt;Run an &lt;a href="https://www.tracewarrior.com/tools/mx-lookup" rel="noopener noreferrer"&gt;MX lookup&lt;/a&gt; on your domain. You want to see your real mail provider (Google Workspace, Microsoft 365, and so on), every host resolving to an IP, and no health warnings. If this part is broken, fix it first.&lt;/p&gt;

&lt;h2&gt;
  
  
  2. SPF: does the sending server have permission?
&lt;/h2&gt;

&lt;p&gt;SPF (Sender Policy Framework) is a DNS record that lists which servers are allowed to send mail as your domain. When a receiver gets a message claiming to be from you, it checks whether the sending server is on that list.&lt;/p&gt;

&lt;p&gt;The silent killer here is a limit almost nobody knows about: &lt;strong&gt;SPF is allowed a maximum of 10 DNS lookups.&lt;/strong&gt; Every &lt;code&gt;include:&lt;/code&gt; in your record (and every provider you add, from your CRM to your help desk to your newsletter tool) consumes lookups, and they nest. Go over 10 and receivers return a permerror, SPF fails, and your perfectly legitimate mail starts getting filtered.&lt;/p&gt;

&lt;p&gt;Run an &lt;a href="https://www.tracewarrior.com/tools/spf-checker" rel="noopener noreferrer"&gt;SPF check&lt;/a&gt; on your domain. It walks every include the way a receiving server does, counts your lookups against the limit of 10, and flags the other common faults: multiple SPF records (which invalidate each other), a &lt;code&gt;+all&lt;/code&gt; that authorises the entire internet, and broken includes. If you are near the limit, that is very often your answer.&lt;/p&gt;

&lt;h2&gt;
  
  
  3. DKIM: is the message actually signed?
&lt;/h2&gt;

&lt;p&gt;DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message, so the receiver can prove the mail genuinely came from your domain and was not tampered with in transit. It is also the authentication method that survives forwarding, which SPF does not.&lt;/p&gt;

&lt;p&gt;The annoying part of checking DKIM is that you need the "selector", a short name your provider chose, and most people have no idea what theirs is. Our &lt;a href="https://www.tracewarrior.com/tools/dkim-checker" rel="noopener noreferrer"&gt;DKIM checker&lt;/a&gt; gets around that: leave the selector blank and it scans the selectors that every major provider documents (Google, Microsoft 365, SendGrid, Fastmail, Proton, and more) until it finds yours. It then validates the key itself, flagging revoked keys, weak 1024-bit keys, and records left in testing mode.&lt;/p&gt;

&lt;h2&gt;
  
  
  4. DMARC: what should the receiver do on failure?
&lt;/h2&gt;

&lt;p&gt;DMARC ties SPF and DKIM to the domain in your visible From address and tells receivers what to do when a message fails: nothing (&lt;code&gt;p=none&lt;/code&gt;), send it to spam (&lt;code&gt;p=quarantine&lt;/code&gt;), or reject it outright (&lt;code&gt;p=reject&lt;/code&gt;). It also gives you reports on who is sending mail as your domain, which is how you catch both spoofers and forgotten senders.&lt;/p&gt;

&lt;p&gt;Two things make DMARC urgent. First, &lt;strong&gt;Google and Yahoo now require it&lt;/strong&gt; from anyone sending in bulk. Second, without it, receivers have no instructions for handling mail that fails your other checks, which makes both spoofing and false-positive filtering more likely.&lt;/p&gt;

&lt;p&gt;Run a &lt;a href="https://www.tracewarrior.com/tools/dmarc-checker" rel="noopener noreferrer"&gt;DMARC check&lt;/a&gt;. It reads your policy with organizational-domain fallback exactly like a real receiver, explains every tag in plain language, and verifies something most tools miss: whether your report destinations are actually authorised to receive your reports. If you have no DMARC record, start with &lt;code&gt;p=none&lt;/code&gt; to watch the reports, then tighten to &lt;code&gt;quarantine&lt;/code&gt; and &lt;code&gt;reject&lt;/code&gt; once they look clean.&lt;/p&gt;

&lt;h2&gt;
  
  
  5. Blacklists: is your IP or domain already burned?
&lt;/h2&gt;

&lt;p&gt;You can pass every authentication check and still land in spam if the IP you send from, or your domain, is on a spam blocklist (a DNSBL). This happens more than you would think: shared IPs at budget hosts, a compromised device on your network, or simply a fresh IP with no reputation.&lt;/p&gt;

&lt;p&gt;Run a &lt;a href="https://www.tracewarrior.com/tools/blacklist-check" rel="noopener noreferrer"&gt;blacklist check&lt;/a&gt; on your sending IP or domain against the major lists (Spamhaus, SpamCop, Barracuda, and others). One warning: be careful which checker you trust here. Spamhaus and some others deliberately refuse queries from shared public resolvers and answer with sentinel codes, and naive tools display those as "listed", a false accusation about your IP. Ours queries through its own resolver to get real answers, and decodes each list's return codes so a residential-policy marker is never reported as a spam listing.&lt;/p&gt;

&lt;h2&gt;
  
  
  The alignment trap: why "SPF passes" is not enough
&lt;/h2&gt;

&lt;p&gt;Here is the subtlety that trips up even experienced admins. SPF and DKIM can technically &lt;strong&gt;pass&lt;/strong&gt; and still not &lt;strong&gt;align&lt;/strong&gt; with your From domain, and DMARC requires alignment, not just a pass. This is why mail sent "on behalf of" you through a third party often fails DMARC even though SPF is green.&lt;/p&gt;

&lt;p&gt;It is also why you want both SPF and DKIM, not just one. When a message is forwarded, SPF breaks (the forwarding server is not on your list), but DKIM survives, because the signature travels with the message. Authenticate on both and your mail holds up through mailing lists, forwards, and the long tail of ways email actually moves.&lt;/p&gt;

&lt;h2&gt;
  
  
  The boring reasons that still matter
&lt;/h2&gt;

&lt;p&gt;If your authentication is clean and you are not blacklisted, the remaining causes are less technical but just as real:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;A brand-new domain or IP&lt;/strong&gt; has no sending reputation. Warm it up slowly instead of blasting your first campaign to 50,000 people.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Missing reverse DNS (PTR).&lt;/strong&gt; Many receivers quietly penalise a sending IP with no PTR record.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Spammy content&lt;/strong&gt;: all-image emails, link shorteners, aggressive subject lines, or a missing unsubscribe link.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Sudden volume spikes&lt;/strong&gt;, which look exactly like a compromised account.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Fix it once, then keep it fixed
&lt;/h2&gt;

&lt;p&gt;The hard truth about deliverability is that it is not set-and-forget. A fat-fingered DNS edit, an expired DKIM key, an SPF record that quietly grows past 10 lookups as you add tools, or an IP that lands on a blocklist can undo all of this silently, and you find out when your mail stops arriving, usually at the worst possible moment. That is the case for monitoring the records themselves, so drift alerts you instead of your customers.&lt;/p&gt;

&lt;h2&gt;
  
  
  The 60-second checklist
&lt;/h2&gt;

&lt;p&gt;When someone says their email is going to spam, run these five, in order:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;MX&lt;/strong&gt; resolves to your real mail host, no warnings&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SPF&lt;/strong&gt; exists, ends in &lt;code&gt;-all&lt;/code&gt;, stays under 10 lookups&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;DKIM&lt;/strong&gt; key is published and valid&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;DMARC&lt;/strong&gt; is published, at least &lt;code&gt;p=none&lt;/code&gt; with reporting&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Blacklists&lt;/strong&gt;: your IP and domain are clean&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Then confirm reverse DNS is set and the content is not obviously spammy.&lt;/p&gt;

&lt;p&gt;The reason "my email goes to spam" feels like a black box is that the sending side shows you almost nothing. The receiving side shows you everything, you just have to ask it.&lt;/p&gt;

&lt;p&gt;What is the sneakiest deliverability bug you have run into? Mine is still the Microsoft quarantine that reported "delivered" the entire time it was eating our mail.&lt;/p&gt;

</description>
      <category>devops</category>
      <category>dns</category>
      <category>webdev</category>
      <category>security</category>
    </item>
    <item>
      <title>DNS gets blamed last and breaks first: my symptom-to-root-cause playbook</title>
      <dc:creator>Luke Thomas</dc:creator>
      <pubDate>Wed, 01 Jul 2026 18:33:47 +0000</pubDate>
      <link>https://dev.to/lukethomas_tw/dns-gets-blamed-last-and-breaks-first-my-symptom-to-root-cause-playbook-517i</link>
      <guid>https://dev.to/lukethomas_tw/dns-gets-blamed-last-and-breaks-first-my-symptom-to-root-cause-playbook-517i</guid>
      <description>&lt;p&gt;Every incident I have chased that started with "the site is down" and ended in DNS had one thing in common: the error messages pointed everywhere except DNS. Timeouts, TLS warnings, a login screen that spins forever. You go poking at the app, the load balancer, the database, and an hour later it turns out a resolver was handing back a stale answer the whole time.&lt;/p&gt;

&lt;p&gt;So I stopped trusting symptoms and started isolating layers. Here is the process I actually run, in order.&lt;/p&gt;

&lt;h2&gt;
  
  
  Three shapes of the same problem
&lt;/h2&gt;

&lt;p&gt;Almost every DNS failure shows up as one of three things.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;NXDOMAIN.&lt;/strong&gt; The resolver asked the authoritative servers and got a definitive "this name does not exist." Sometimes that is true: an expired domain, a typo. More often the record exists and you are staring at a cache that has not caught up yet. If the name resolves at the authoritative source but your resolver says NXDOMAIN, you are not debugging, you are waiting.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Resolver not responding.&lt;/strong&gt; Nothing resolves and browsing by name just stops. Usually the resolver itself is unreachable: an ISP outage, a firewall quietly eating port 53 (DNS needs both UDP and TCP), or the wrong resolver addresses in the config.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Slow resolution.&lt;/strong&gt; Pages hang for a few seconds, then load fast. That is the classic signature of a dead primary resolver, where every lookup burns a full timeout before falling back to the secondary.&lt;/p&gt;

&lt;h2&gt;
  
  
  The one idea that makes this easy
&lt;/h2&gt;

&lt;p&gt;Separate three questions and never let them blur together:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Can I reach the network at all?&lt;/li&gt;
&lt;li&gt;Can I resolve names?&lt;/li&gt;
&lt;li&gt;Is the answer I get back correct?&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Each step answers exactly one of those.&lt;/p&gt;

&lt;p&gt;Reach the network, no names involved:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;ping 1.1.1.1
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If that fails you have a connectivity problem, not a DNS problem. Stop blaming DNS.&lt;/p&gt;

&lt;p&gt;Can you resolve at all:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;dig google.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Raw IP works but names do not? DNS is now confirmed as the failing layer.&lt;/p&gt;

&lt;p&gt;Is the answer correct, and whose fault is a bad answer:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;dig example.com            &lt;span class="c"&gt;# your resolver&lt;/span&gt;
dig @1.1.1.1 example.com   &lt;span class="c"&gt;# a known-good public one&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;This is the decisive split. If a public resolver answers correctly and yours does not, the fault is your resolver or the path to it. Point at 1.1.1.1 or 8.8.8.8 and keep working while you fix it. If the public resolver is also wrong, the problem lives at the authoritative side, in the zone itself.&lt;/p&gt;

&lt;p&gt;When you suspect a broken delegation, one command settles it:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;dig +trace example.com
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That walks the chain from the root servers down to the authoritative nameservers and shows every referral. A registrar pointing at the wrong nameservers jumps straight out.&lt;/p&gt;

&lt;h2&gt;
  
  
  The cache is the liar
&lt;/h2&gt;

&lt;p&gt;The most confusing DNS bugs, the "works on my machine, fails on the server" ones, are almost always stale caches. Flush yours before you theorize:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# macOS&lt;/span&gt;
&lt;span class="nb"&gt;sudo &lt;/span&gt;dscacheutil &lt;span class="nt"&gt;-flushcache&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt; &lt;span class="nb"&gt;sudo &lt;/span&gt;killall &lt;span class="nt"&gt;-HUP&lt;/span&gt; mDNSResponder
&lt;span class="c"&gt;# Linux (systemd-resolved)&lt;/span&gt;
&lt;span class="nb"&gt;sudo &lt;/span&gt;resolvectl flush-caches
&lt;span class="c"&gt;# Windows&lt;/span&gt;
ipconfig /flushdns
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;And because your local cache can lie to you, it helps to get a second opinion from outside your own network. Full disclosure: I build a set of network tools called Trace Warrior, and the &lt;a href="https://www.tracewarrior.com/tools/dns-lookup" rel="noopener noreferrer"&gt;DNS lookup&lt;/a&gt; runs the query from a neutral vantage point and shows every record type at once, which is the fastest way to tell "my resolver is stale" from "the record is genuinely wrong."&lt;/p&gt;

&lt;p&gt;The other half is not waiting for a human to notice. Most DNS incidents I have seen were a record that changed and nobody clocked it: a fat-fingered edit, or worse, a hijack. We ended up adding a &lt;a href="https://www.tracewarrior.com/monitors/dns-record-drift" rel="noopener noreferrer"&gt;DNS record monitor&lt;/a&gt; that watches for drift and alerts the moment an answer changes, because "should this record exist?" is a miserable question to be asking in the middle of an outage.&lt;/p&gt;

&lt;h2&gt;
  
  
  What actually prevents the next one
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Lower TTLs before a planned change, raise them after. A TTL left at 86400 turns a five-minute cutover into a full day of split traffic.&lt;/li&gt;
&lt;li&gt;Redundant nameservers on separate networks. Two nameservers on the same subnet is one nameserver wearing a disguise.&lt;/li&gt;
&lt;li&gt;Reverse DNS, or your mail quietly stops being delivered.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;The whole trick is refusing to guess. Reach, resolve, correct, in that order. Run the steps and DNS stops being mysterious and turns into a short walk to whichever layer is lying to you.&lt;/p&gt;

&lt;p&gt;What is the DNS bug that took you longest to catch? Mine was a validating resolver throwing SERVFAIL on a broken DNSSEC signature while everyone else resolved fine. I would genuinely love to hear the one that got you.&lt;/p&gt;

</description>
      <category>dns</category>
      <category>devops</category>
      <category>networking</category>
      <category>sysadmin</category>
    </item>
    <item>
      <title>Your TLS certificates will only last 47 days soon. Most teams have not done the math</title>
      <dc:creator>Luke Thomas</dc:creator>
      <pubDate>Fri, 12 Jun 2026 10:51:36 +0000</pubDate>
      <link>https://dev.to/lukethomas_tw/your-tls-certificates-will-only-last-47-days-soon-most-teams-have-not-done-the-math-20ko</link>
      <guid>https://dev.to/lukethomas_tw/your-tls-certificates-will-only-last-47-days-soon-most-teams-have-not-done-the-math-20ko</guid>
      <description>&lt;p&gt;In April 2025 the CA/Browser Forum voted 25 to 0 to shrink the maximum lifetime of public TLS certificates. Not by a little. The ballot is called SC-081v3 and this is the schedule it locked in:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Effective&lt;/th&gt;
&lt;th&gt;Max validity&lt;/th&gt;
&lt;th&gt;Roughly&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Today&lt;/td&gt;
&lt;td&gt;398 days&lt;/td&gt;
&lt;td&gt;13 months&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;March 2026&lt;/td&gt;
&lt;td&gt;200 days&lt;/td&gt;
&lt;td&gt;6.5 months&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;March 2027&lt;/td&gt;
&lt;td&gt;100 days&lt;/td&gt;
&lt;td&gt;3.3 months&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;March 2029&lt;/td&gt;
&lt;td&gt;47 days&lt;/td&gt;
&lt;td&gt;1.5 months&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;I run a small network monitoring product and I keep having the same conversation about this. Someone tells me "we renew certs once a year, we are fine." Then I show them the renewal math and the room goes quiet.&lt;/p&gt;

&lt;h2&gt;
  
  
  The math nobody is doing
&lt;/h2&gt;

&lt;p&gt;Picture a mid-size company with 600 public TLS certs. Websites, APIs, load balancers, CDN configs, VPN portals, the usual sprawl. Today that means roughly 600 renewals a year. Annoying, but a spreadsheet and a calendar reminder can survive it.&lt;/p&gt;

&lt;p&gt;Walk the same estate forward:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;2026, at 200 days: about 1,200 renewals a year&lt;/li&gt;
&lt;li&gt;2027, at 100 days: about 2,400 renewals a year&lt;/li&gt;
&lt;li&gt;2029, at 47 days: about 4,660 renewals a year&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;That last number is 120 renewals every working day. There is no spreadsheet workflow on earth that survives 2029. Manual cert management is not getting harder. It is ending.&lt;/p&gt;

&lt;p&gt;There is a second cost hiding under the headline too. Organisation validation for OV and EV certs can currently be reused for up to 825 days. From March 2026 that drops to 398 days. So even if you buy a multi-year "subscription," you will be redoing the paperwork roughly every year on top of the extra renewals.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why they are doing this
&lt;/h2&gt;

&lt;p&gt;The short version: revocation never worked. CRLs got too big, OCSP leaks browsing history and mostly soft-fails, and everyone in the room knows it. If a private key leaks today, the worst case exposure is over a year. With 47-day certs the certificate dies on its own within weeks, whether or not revocation does its job.&lt;/p&gt;

&lt;p&gt;Short lifetimes also force regular key rotation, which makes future algorithm migrations (hello, post-quantum) far less painful. And they push the whole ecosystem toward what Let's Encrypt already proved works: boring, automated issuance.&lt;/p&gt;

&lt;p&gt;You can agree or disagree with the trade-offs. The vote was unanimous, so it is happening either way.&lt;/p&gt;

&lt;h2&gt;
  
  
  What it means for your setup
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Already on ACME (Let's Encrypt, ZeroSSL, etc.):&lt;/strong&gt; you are mostly fine on the issuance side. Your real risk is silent renewal failure. A DNS change, a rate limit, a webroot misconfig, and nothing tells you until the deployed cert expires. Monitor the certificate that is actually serving traffic, not the cron job that is supposed to renew it. Those are two different things and the gap between them is where outages live.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Manual paid certs (DigiCert, Sectigo, GlobalSign and friends):&lt;/strong&gt; the calendar-reminder workflow stops being sustainable in 2027 and stops being possible in 2029. Most of these CAs now offer ACME endpoints. Ask your account manager, move to automation this year, and keep the CA relationship if you like it.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Appliances that cannot speak ACME:&lt;/strong&gt; the long tail of pain. Old load balancers, VPN concentrators, vendor firewalls where renewal means a portal upload and a service restart. Your realistic options are a firmware upgrade that adds ACME, or a reverse proxy in front that owns the cert and re-encrypts upstream. Start the inventory now because procurement cycles are slower than CA/B Forum ballots.&lt;/p&gt;

&lt;h2&gt;
  
  
  The plan I would follow
&lt;/h2&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;2026: inventory and monitor.&lt;/strong&gt; Find every public cert you own, including the ones nobody remembers (status pages, legacy mail hosts, partner integrations). Put expiry monitoring on all of them, not just the critical ones. Daily checks are plenty. The goal is to never be surprised.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;2027: automate everything renewable.&lt;/strong&gt; By year end, your manual list should be down to appliances you physically cannot upgrade, each with a remediation plan.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;2028: dry-run the 47-day cadence.&lt;/strong&gt; Set internal certs to 47 days a year early and watch what breaks while breaking is still cheap.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;And one cultural change: route cert expiry alerts into the same on-call rotation that gets paged for outages. An expired cert is a production outage. It just happens to be one you can schedule.&lt;/p&gt;

&lt;h2&gt;
  
  
  Disclosure
&lt;/h2&gt;

&lt;p&gt;I build &lt;a href="https://www.tracewarrior.com" rel="noopener noreferrer"&gt;Trace Warrior&lt;/a&gt;, a small network tools site with an SSL expiry monitor, so yes, I have skin in this game. The &lt;a href="https://www.tracewarrior.com/tools/ssl-certificate-checker" rel="noopener noreferrer"&gt;certificate checker&lt;/a&gt; is free with no signup if you want to spot-check a host right now. But honestly, use anything. Use a bash script and cron if that is your style. Just do the inventory before March 2026 makes it urgent.&lt;/p&gt;

&lt;p&gt;Curious what others are doing: how are you handling renewals on hardware that will never speak ACME? Reverse proxy shims, firmware nagging, or planned replacement?&lt;/p&gt;

</description>
      <category>security</category>
      <category>devops</category>
      <category>webdev</category>
      <category>tls</category>
    </item>
  </channel>
</rss>
