// field_notes

If you manage more than 10 domains, spreadsheet-tracking SSL expiry is how you accidentally let one lapse. The Bulk Domain Checker gives you a side-by-side table for up to 100 domains.

MTA-STS forces inbound mail to use TLS and only to whitelisted MX hostnames. Setup is ~15 minutes, the threat it blocks is invisible without it.

Email auth is seven DNS records deep. Here's how to check them all at once, read the composite score, and save the result as a shareable report.

HTTP/2 runs over TCP+TLS via ALPN; HTTP/3 runs over QUIC (UDP) via Alt-Svc. Here's how to detect which your server supports and whether you should enable the newer one.

Orphaned CNAMEs pointing at unclaimed SaaS apps (Heroku, S3, GitHub Pages, Vercel, Netlify, ...) are a classic path to a hostile subdomain. Here's how to enumerate and remediate.

Typosquats — keyboard-typo, homoglyph, and cousin-TLD domains impersonating your brand. Here's how to find the ones that actually matter (DNS + MX live) before they go active.

Every public domain audit page on DomBrains runs 8 headline checks in parallel, caches the result 24h, renders schema.org markup, and exposes embeddable SVG badges. Here's how to use it.

MX routes incoming mail. SPF authorises outgoing senders. DKIM signs the messages. Here's how the three records work together — and what breaks when one is missing.

What each cookie flag actually does, when to set each one, and why missing a flag turns a session cookie into a credential leak waiting to happen.

Five fast checks — age, WHOIS, DNS, certificate, reputation — that catch most phishing and scam domains before you hand over a credit card.

TLS 1.3 is faster, safer, and supported everywhere that matters. Here's how the two compare, when to disable older versions, and how to verify support.

How DNSSEC actually protects you (and what it doesn't), the trade-offs of enabling it, and a checklist for safe deployment.

Reverse DNS is the #1 cause of legitimate mail being scored as spam. What PTR records are, how to set one, and how to verify it from the receiver's side.

How DNS blacklists (RBL/DNSBL) work, which lists actually matter, how to delist, and the steps to take before requesting removal.

Certificate Transparency logs reveal subdomains that ever got a TLS cert. Here's how to query them and why this is the most reliable subdomain enumeration method.

Why redirect chains hurt page speed and SEO, the four common shapes (HTTP→HTTPS→www, trailing slash, language, CDN), and how to flatten them.

What's in a WHOIS record in 2026, what registrars are required to publish, what privacy services hide, and what you can still learn about a domain.

Strict-Transport-Security forces HTTPS. What it protects against, how to deploy it safely (test → preload), and what to do when it bites back.

What MX records are, how to interpret priority, and how to tell which email provider a domain uses — from Google Workspace to Microsoft 365.

TTL is not the whole story. What actually determines how long DNS changes take, why different regions see changes at different times, and how to check.

When DKIM signing fails with 'key not found', here's how to find the right selector, verify the TXT record, and debug DNS propagation.

Why the SPF DNS lookup limit exists, how to count your lookups, and four techniques to stay under 10 without losing coverage.

The three DMARC policies, what each one tells receiving servers to do, and the safe migration path from p=none to p=reject without breaking legitimate mail.

Step-by-step guide to recovering from an expired SSL certificate. Temporary fixes, re-issuance, and how to prevent it from happening again.