RRSIG
/ˈɑːr-ɑːr-sɪɡ/
n. “Signed. Sealed. Verifiable.”
RRSIG, short for Resource Record Signature, is a record type used by DNSSEC to cryptographically sign DNS data. It is the proof attached to an answer — evidence that a DNS record is authentic, unmodified, and published by the rightful owner of the zone.
Domain Name System Key
/ˈdiː-ɛn-ɛs-kiː/
n. “This is the key — literally.”
DNSKEY, Domain Name System Key, is a record type used by DNSSEC to publish the public cryptographic keys for a DNS zone. It is the anchor point for trust inside a signed domain. Without it, nothing can be verified, and every signature becomes meaningless noise.
Domain Name System Security Extensions
/ˈdiː-ɛn-ɛs-sɛk/
n. “Proves the answer wasn’t forged.”
DNSSEC, short for Domain Name System Security Extensions, is a set of cryptographic mechanisms designed to protect the DNS from lying to you. Not from spying. Not from tracking. From quietly, efficiently, and convincingly giving you the wrong answer.
SPF
/ˈɛs-pi-ɛf/
n. “Verify the sender before you open the mail.”
SPF, short for Sender Policy Framework, is an email authentication method designed to detect and prevent email spoofing by verifying that incoming mail from a domain comes from an authorized IP address. It allows domain owners to publish a list of IP addresses or servers permitted to send email on their behalf in their DNS records.
Domain-based Message Authentication, Reporting & Conformance
/ˈdiː-mɑːrk/
n. “The rulebook for email trust.”
DMARC, short for Domain-based Message Authentication, Reporting & Conformance, is an email authentication protocol designed to give domain owners control over how email receivers handle messages that fail verification checks. It builds on existing standards like SPF and DKIM, providing both enforcement guidance and reporting.
DomainKeys Identified Mail
/diː-keɪ-ˈaɪ-ɛm/
n. “Sign it so they know it’s really you.”
DKIM, short for DomainKeys Identified Mail, is an email authentication standard that allows senders to digitally sign their messages using cryptographic keys. The recipient server can then verify that the email was indeed sent by the claimed domain and that the message has not been tampered with in transit.
STARTTLS
/stɑːrt-tiː-ɛl-ɛs/
n. “Upgrade the line before you speak.”
STARTTLS is a protocol command used to upgrade an existing plaintext communication channel—commonly in SMTP, IMAP, or POP3—to a secure, encrypted connection using TLS. Instead of initiating a connection directly over TLS, the session begins in cleartext and then negotiates encryption before transmitting sensitive data.
HTTP Strict Transport Security
/ˌeɪtʃ-ɛs-tiː-ɛs/
n. “Never talk unencrypted, even if asked nicely.”
HSTS, short for HTTP Strict Transport Security, is a web security policy mechanism that tells browsers to always use HTTPS when communicating with a specific site. Once a browser sees the HSTS header from a site, it refuses to make any unencrypted HTTP requests for that domain, effectively preventing downgrade attacks and certain types of man-in-the-middle attacks.
Hypertext Transfer Protocol Secure
/ˌeɪtʃ-tiː-tiː-piː-ˈɛs/
n. “Talk securely or don’t talk at all.”
HTTPS, short for Hypertext Transfer Protocol Secure, is the secure version of HTTP, the foundational protocol of the web. It wraps standard web communication in an encrypted layer, usually via TLS, ensuring that data exchanged between a browser and server remains private and tamper-resistant.
Poly1305
/ˌpɒliˈwʌn-θɜːrtiː-fʌɪv/
n. “A tiny guardian watching every bit.”
Poly1305 is a cryptographic message authentication code (MAC) algorithm created by Daniel J. Bernstein, designed to verify the integrity and authenticity of a message. Unlike encryption algorithms that hide the content, Poly1305 ensures that data has not been tampered with, acting as a digital seal that can detect even a single-bit change in a message.