DEV Community: Regő Botond Ronyecz

SPF Record Syntax Complete Reference

Regő Botond Ronyecz — Mon, 29 Jun 2026 21:30:53 +0000

Teaser only. This is not the full article. Complete SPF syntax reference with M365 and Google templates: SPF Record Syntax: Complete Reference

You paste include:sendgrid.net into an already crowded TXT record. Syntax looks valid. Receivers return permerror.

SPF is one string starting with v=spf1, mechanisms evaluated left to right, and a hard stop at ten DNS lookups. Most production failures are not typos. They are lookup overflow, duplicate SPF TXT records, or a missing -all.

Sanity check before any edit:

dig example.com TXT +short

Count includes toward the cap. End production senders with -all, not ~all left over from a migration.

In the full post on zerohook.org:

Every mechanism and qualifier explained
Lookup limit math with nested includes
M365, Google Workspace, and ESP patterns
PermError and softfail troubleshooting

Read the full guide: SPF Record Syntax: Complete Reference

SPF Permerror: When Your Lookup Count Hits 11

Regő Botond Ronyecz — Mon, 29 Jun 2026 21:29:59 +0000

Teaser only. This is not the full article. Complete guide with lookup counting and M365 templates: Fix SPF Permerror (Too Many Lookups)

Your TXT record looks fine in Cloudflare. Gmail returns permerror anyway.

Most teams count visible include: statements. Receivers walk nested SPF records until RFC 7208's ten lookup cap breaks evaluation entirely. Add M365, Mailchimp, and a legacy vendor path and you can cross the limit without changing the line you stare at in DNS.

Quick check:

dig example.com TXT +short | grep spf

If expansion crosses ten lookups, SPF does not pass or fail cleanly. It permerrors. DMARC alignment on the SPF leg collapses with it.

In the full post on zerohook.org:

How to count nested lookups (not just top-level includes)
Copy-paste M365 + ESP templates under the cap
When to split marketing to a subdomain
DMARC and deliverability impact when SPF breaks

Read the full guide: Fix SPF Permerror (Too Many Lookups)

SOC2 CC6.6 DNS Monitoring Evidence

Regő Botond Ronyecz — Mon, 29 Jun 2026 21:29:04 +0000

Teaser only. This is not the full article. Complete Type II evidence guide for DNS email controls: SOC2 CC6.6 DNS Monitoring Evidence

Your auditor opens the evidence folder. You hand them a dig screenshot from last month. They ask what happened in March.

Type II reviews operating effectiveness across the whole window, not DNS correctness on audit eve. CC6.6 ties to boundary controls on email infrastructure: enforced DMARC, MTA-STS, access to DNS panels, and proof you caught drift.

A last-minute cleanup does not erase three months at p=none.

dig _dmarc.example.com TXT +short

Look for p=quarantine or p=reject during sample weeks, not just on the final day.

In the full post on zerohook.org:

CC6.1, CC6.6, and CC7.1 mapping for DNS
Evidence package auditors accept (vs. Excel screenshots)
Weekly monitoring cadence for SMB Type II
Tamper-proof change logs

Read the full guide: SOC2 CC6.6 DNS Monitoring Evidence

NIS2 Email Security Checklist 2026

Regő Botond Ronyecz — Mon, 29 Jun 2026 21:28:04 +0000

Teaser only. This is not the full article. Complete Article 21 checklist with evidence artifacts: NIS2 Email Security Checklist (2026)

The auditor asks how you secure email transmission. You slide over a 2022 SPF screenshot. They ask for DMARC aggregate reports from the last 90 days. Silence.

NIS2 Article 21 does not name SPF in the directive text. EU assessors still map transmission security to authenticated mail, transport policies, DNS integrity, and provable monitoring. Essential and important entities across member states hit this question early in 2026 reviews.

Minimum records to inventory before your next assessment:

dig example.com TXT +short | grep spf
dig _dmarc.example.com TXT +short

SPF alone is not a program. Neither is p=none without review.

In the full post on zerohook.org:

Full DNS and monitoring checklist for Article 21
Evidence artifacts auditors request (not policy PDFs)
MTA-STS, TLS-RPT, and DNSSEC mapping
Fine exposure vs. compliance cost context

Read the full guide: NIS2 Email Security Checklist (2026)

NIS2 Article 21: DNS Auditors Ask For

Regő Botond Ronyecz — Mon, 29 Jun 2026 21:27:06 +0000

Teaser only. This is not the full article. Complete Article 21 DNS control mapping and evidence guide: NIS2 Article 21: DNS Auditors Ask For

Article 21 talks about technical and organizational measures. Your assessor talks about _dmarc, MTA-STS, and who can edit Cloudflare.

EU auditors translate transmission security into queryable DNS objects: SPF, DKIM, enforced DMARC, transport records, and proof you monitored changes between visits. A policy binder without TXT records fails the conversation fast.

Verify what they will query on day one:

dig _dmarc.example.com TXT +short
dig _mta-sts.example.com TXT +short

If p=none is live and nobody reviews rua= XML, you have a gap even when "email security" is checked on a spreadsheet.

In the full post on zerohook.org:

Article 21 to DNS control mapping table
Evidence samples assessors accept vs. reject
Shadow IT senders and subdomain inventory
Link to full NIS2 email checklist

Read the full guide: NIS2 Article 21: DNS Auditors Ask For

Microsoft 365 SPF Record Template

Regő Botond Ronyecz — Mon, 29 Jun 2026 21:25:52 +0000

Teaser only. This is not the full article. Complete guide with ESP includes and PermError avoidance: Microsoft 365 SPF Record Template

You migrated to Exchange Online. SPF still points at Google from 2022. Outbound mostly works until a gateway quarantines proposals.

M365-only senders need one include and a hard fail:

v=spf1 include:spf.protection.outlook.com -all

Publish on the root domain in Cloudflare, Route53, or GoDaddy. Not in the M365 admin panel. One TXT per domain. Two SPF records = permerror.

In the full post on zerohook.org:

M365 + Mailchimp, HubSpot, SendGrid templates
Lookup counting before you add ESP includes
Cloudflare and GoDaddy publish clicks
When to move marketing to mail.yourdomain.com

Read the full guide: Microsoft 365 SPF Record Template

ISO 27001: 12 Email DNS Records

Regő Botond Ronyecz — Mon, 29 Jun 2026 21:24:26 +0000

Teaser only. This is not the full article. Complete guide mapping 12 DNS records to Annex A 2022: ISO 27001: 12 Email DNS Records That Matter

Stage 2 asks for email transfer controls. You open a 40-page acceptable use policy. The assessor asks for twelve queryable DNS objects.

ISO/IEC 27001:2022 maps Annex A to SPF, DKIM, enforced DMARC, MTA-STS, TLS-RPT, DNSSEC, CAA, and subdomain policies. Authentication without operating evidence still fails A.8.16 monitoring arguments.

Stage 2 does not care that DMARC was "planned for Q3" since the last cycle.

dig _dmarc.example.com TXT +short

p=none through your certification window is a finding waiting for A.8.7.

In the full post on zerohook.org:

All 12 records with Annex A control IDs
Evidence samples for each record type
Stage 2 remediation priority order
Overlap with NIS2 and SOC2 evidence reuse

Read the full guide: ISO 27001: 12 Email DNS Records That Matter

Gmail Unverified Sender? Check DMARC

Regő Botond Ronyecz — Mon, 29 Jun 2026 21:23:11 +0000

Teaser only. This is not the full article. Complete guide with SPF, DKIM, and alignment fixes: Gmail Unverified Sender? Check DMARC

Recipients see "Be careful with this message" or an unverified sender banner. Your mail still delivers. Trust is already bleeding.

Gmail shows that warning when authentication is missing or DMARC does not align. SPF alone does not clear the banner if DKIM fails or your policy is monitor-only at p=none.

Verify the basics:

dig _dmarc.example.com TXT +short
dig example.com TXT +short | grep spf

You need a valid SPF path, DKIM signing on your From domain, and a DMARC record that matches how you actually send.

In the full post on zerohook.org:

Exact Gmail banner triggers in 2026
M365 and Google Workspace DKIM enable steps
When p=none still shows warnings
Moving from monitor to quarantine safely

Read the full guide: Gmail Unverified Sender? Check DMARC

Gmail Spam Filter 2026: 35 Failures

Regő Botond Ronyecz — Mon, 29 Jun 2026 21:21:52 +0000

Teaser only. This is not the full article. Complete catalog of 35 Gmail failure signals and fixes: Gmail Spam Filter 2026: 35 Mail Failures

Green checkmarks in your DNS panel. Gmail still folders the newsletter. The team fixed SPF twice.

Google's bulk sender rules in 2026 go past three DNS records. Authentication, complaint rates, list hygiene, one-click unsubscribe, and engagement signals all feed filtering. Fixing SPF while DKIM alignment fails is like locking the front door and leaving the loading dock open.

Start in Gmail Postmaster Tools and Show original on a failed message. Authentication-Results tells you which leg broke before you edit TXT records again.

In the full post on zerohook.org:

All 35 failure categories mapped to fixes
Bulk sender thresholds (5,000+/day and complaint rates)
SPF, DKIM, DMARC, and alignment together
Postmaster Tools metrics that predict spam placement

Read the full guide: Gmail Spam Filter 2026: 35 Mail Failures

Gmail 550 5.7.26: Auth Required Fix

Regő Botond Ronyecz — Mon, 29 Jun 2026 21:19:57 +0000

Teaser only. This is not the full article. Complete guide with M365 and Google Workspace DNS steps: Fix Gmail 550 5.7.26 Auth Errors

Payroll mail bounces. The SMTP reply is short and ugly:

550 5.7.26 Authentication Required

Gmail is not guessing about your intentions. It rejected the message because SPF, DKIM, or DMARC alignment failed on the sending path. Outlook might still accept similar mail. Google won't in 2026.

Open the bounce or Show original in Gmail. Look for spf=, dkim=, and dmarc= in Authentication-Results before you touch DNS.

In the full post on zerohook.org:

How to read the 550 5.7.26 bounce line by line
SPF/DKIM/DMARC fixes for Microsoft 365 and Google Workspace
ESP alignment when marketing sends as your domain
When to check envelope-from vs. From: header

Read the full guide: Fix Gmail 550 5.7.26 Auth Errors

SPF Passes but Mail Lands in Spam

Regő Botond Ronyecz — Mon, 29 Jun 2026 21:18:54 +0000

Teaser only. This is not the full article. Complete guide with Authentication-Results and alignment fixes: SPF Passes but Mail Lands in Spam

MXToolbox shows SPF pass. Gmail Postmaster shows spam anyway. The team keeps editing TXT records that were never the problem.

SPF pass only means the sending IP is authorized for the envelope domain. Inbox placement in 2026 still depends on DKIM, DMARC alignment, complaint rates, and engagement. We've seen teams chase SPF includes for weeks while DMARC failed on every campaign.

In Gmail, open Show original and read Authentication-Results before changing DNS again.

In the full post on zerohook.org:

SPF vs. DKIM vs. DMARC responsibilities
Alignment failures when ESPs sign their own domain
Bulk sender complaint rate thresholds
List hygiene signals beyond DNS

Read the full guide: SPF Passes but Mail Lands in Spam

Roll Out DMARC p=reject in 8 Weeks

Regő Botond Ronyecz — Mon, 29 Jun 2026 21:17:16 +0000

Teaser only. This is not the full article. Complete week-by-week rollout with pct= staging: Roll Out DMARC p=reject in 8 Weeks

Finance wants p=reject yesterday. Marketing still sends through three ESPs nobody documented. Flip the policy in one afternoon and payroll receipts start bouncing.

A sane rollout stages enforcement while you read aggregate reports. Start at p=none with rua=, move to quarantine with pct=, watch failure sources, then reject when alignment is boring for two straight weeks.

Baseline check:

dig _dmarc.example.com TXT +short

You want rua= receiving XML before you touch p=.

In the full post on zerohook.org:

Week-by-week checklist (8 weeks)
pct=25 staging without breaking transactional mail
Identifying shadow senders in aggregate XML
Rollback plan when a vendor surprises you

Read the full guide: Roll Out DMARC p=reject in 8 Weeks