The ease of sending and receiving email makes it an attractive way to run scams like phishing attacks. One telltale mark of a phishing attack is the sender’s address not matching their purported domain; attacks that appear to come from legitimate email addresses are much more likely to fool the victim.

You can protect your organization’s email accounts from being compromised and used in phishing attacks by training your users to identify forged emails and use password managers, which won’t autofill a password on a malicious site. But how do you prevent bad guys from forging email that looks like it comes from inside your organization? You can’t, but you can reduce the chances that other email servers will accept it. In the process, you’ll enhance the deliverability of legitimate email from your domain.

The rest of this article is aimed at two types of readers. The first is the IT professional who needs an overview of email authentication technologies and pointers to helpful tools. For other readers, this article will give you an idea of what’s involved so you can talk more knowledgeably with your IT staff or better appreciate what they manage for you.

Whether your email is hosted at Microsoft 365 or Google Workspace, or managed by your Internet service provider or IT department, if your organization has its own domain for email addresses—yourname@yourcompany.com—you need to know about and set up three authentication technologies: SPF, DKIM, and DMARC:

• SPF, which stands for Sender Policy Framework, lets you specify which servers and domains are allowed to send email for your organization. It allows receiving mail servers to verify that incoming messages from your organization are actually from you.
• DKIM, or DomainKeys Internet Mail, adds a digital signature to every message sent from your organization. Receiving mail servers can use your public key to verify that messages actually came from you and were not changed in transit.
• DMARC, which expands to Domain-based Message Authentication, Reporting, and Conformance, leverages SPF and DKIM to publish policies that tell receiving mail servers what to do with messages that fail authentication: deliver, quarantine, or reject them. A message fails DMARC authentication only if it fails both SPF and DKIM—only one is necessary for the message to pass DMARC’s checks.

These three authentication technologies exist inside DNS (Domain Name System) records. The primary use of DNS is to link your human-usable domain name with the underlying IP addresses of the servers that manage your Internet presence; for example, matching www.yourcompany.com with an IP address like 192.168.1.23. However, DNS can also contain TXT records with additional information about your domain—you configure SPF, DKIM, and DMARC using TXT records.

These TXT records must be carefully constructed to work correctly—an incorrect configuration could cause email failures. You could build them manually, but it’s safer to use a tool that asks you questions and spits out a correctly formatted TXT record for you to add to your DNS configuration. If all that sounds intimidating, work with your ISP or email service provider, or ask us for help. But here are the basics.

Tools abound for creating SPF, DKIM, and DMARC records, but we recommend those from DMARCLY and EasyDMARC. We’ll use DMARCLY for the examples here, and it provides a comprehensive explanation that’s worth reading if you want more depth.

SPF

SPF is the oldest of these technologies. To get started, all you need to do in DMARCLY’s SPF Generator tool is specify the names or IP addresses of servers that are allowed to send email from your domain. The mx (mail exchanger) and a radio buttons automatically add the servers listed in your DNS records, and anything you put in the Includes field will allow email sent from anything allowed by a third party that sends email on your behalf. It’s common to put Google, Amazon SES, SendGrid, or other systems there. The IPv4, IPv6, and Hostnames fields let you specify other allowed servers, but aren’t necessary.

The Policy menu is important—you can choose from Fail, SoftFail, and Neutral. Start with Neutral, which should allow messages to be accepted (it prefixes all in the TXT record with a ?). Then bump up to SoftFail (a tilde ~ prefix) to have messages accepted but marked. When you’re confident everything is working correctly, move to Fail, which uses a - prefix.

DKIM

Because it relies on public key cryptography, DKIM is significantly more complicated. Although DMARCLY’s DKIM Generator tool will generate the necessary public and private keys, that’s not helpful unless you have full control over your email server and know how to install the private key to sign all your outgoing email. It’s much more likely that you’ll use a tool managed by the company that hosts your email to create your keys. That tool will automatically install the private key and give you the necessary details to add to a TXT record in your DNS settings.

DMARC

Where SPF and DKIM are all about authenticating email messages, DMARC lets you say what happens when authentication fails. DMARCLY’s DMARC Generator tool makes it easy to generate your DMARC record. For Policy and Subdomain Policy, you can choose None, Quarantine, or Reject—those specify what will happen to messages that fail both SPF and DKIM authentication. Start with None to see what happens in your reporting, move to Quarantine, and if everything seems OK, end up at Reject.

To set up reporting, enter an email address in the Aggregate Email field, but don’t put a personal address there. DMARC reports are daily XML digests that aren’t human-readable, so they should be sent to a service that will parse them and provide you with a dashboard for exploring the problems. DMARCLY and EasyDMARC both offer dashboards, as does the Cloudflare service if you use it for DNS or other tasks. To start, you can leave DMARC’s Strict Alignment and Forensic Options blank.

Configuring DNS

Once you’ve generated your SPF, DKIM, and DMARC records, you have to configure them in your DNS settings. How you do that depends on your DNS host; we’ll show what it looks like Cloudflare. Other DNS hosts should be similar.

For each case, you’re creating a TXT record, but what goes in the Name and Content fields varies:

• SPF: The name for an SPF record should be the @ character, signifying the root level of your domain. Paste the text that the SPF Generator tool created in the Content field. You can have only one SPF record for each domain, although you can set up separate SPF records for subdomains.
  
• DKIM: You can have as many DKIM records as services that send email on your behalf, so the first part of the name can vary—we show example below. However, the ._domainkey part is required for each DKIM record. For the content, paste the text given to you by the email-sending service. Note that some email services may require you to create one or more CNAME records instead of a TXT record—just follow their instructions.
  
• DMARC: For DMARC, the name must be _dmarc. Once again, you’ll paste the text given to you by the DMARC Generator tool in the Content field.
  

Reporting and Evaluation

After you set up SPF, DKIM, and DMARC, it’s essential to keep an eye on your email. If you’ve started with SPF in Neutral mode and DMARC in None, nothing should go wrong. You can look through the headers of test messages you send to verify. This DMARCLY article explains what to look for. If you’ve signed up for an aggregate reporting service, you’ll be able to see reports like this one from Cloudflare that show the percentage of email that passes each of the authentication technologies.

If everything looks good and most email passes, change SPF to SoftFail and DMARC to Quarantine. Make sure you can send email to some known personal addresses on Gmail, Yahoo, or iCloud. Also, tell people who send email from your domain to be on the alert if they don’t hear back from someone who typically replies quickly—if a misconfiguration is causing your email to be marked as spam, you want to know about that quickly. If you’re using a DMARC reporting service, look at those reports to see if any email services are sending a lot of messages that fail DMARC.

After you’ve run with those settings for a month or two, bump SPF up to Fail and DMARC to Reject. Continue to monitor your DMARC reporting and pay attention to any complaints from users about the messages they send not arriving.

That’s a lot, we know. Feel free to contact us if you need help with any step of the process.

(Featured image based on an original by iStock.com/Ole_CNX)

Apple publishes a multitude of manuals and tons of technical documentation for its products on its support site, but until recently, it could be challenging to find something specific because the search engine on Apple’s site is poor. For a better path into Apple’s online support materials, check out the company’s new Documentation site, which brings together manuals, specs, and some downloads for nearly all its products. The operating system User Guides are particularly helpful, and they even provide a Version pop-up menu that lets you make sure you’re getting information for the version you’re using.

(Featured image by iStock.com/Ildo Frazao)

You may be used to Mac apps using red underlines to mark misspelled words, but did you know that macOS has also long included a fully featured Dictionary app? It provides quick access to definitions and synonyms in the New Oxford American Dictionary and the Oxford American Writer’s Thesaurus, along with definitions of Apple-specific words like AirDrop and Apple ProRes RAW. But that’s far from all it can do.

Getting on the Same Page

First, some basics. Open the Dictionary app from your Applications folder and type a word or phrase into the Search field. As you type, Dictionary starts looking up words that match what you’ve typed—you don’t even have to press Return. It’s a great way to look up a word when you aren’t quite sure of the complete spelling. If more than one word matches what you’ve typed, click the desired word in the sidebar.

Notice the gray buttons below the toolbar, which represent the references Dictionary will consult for every search, including Wikipedia if your Mac has an Internet connection. In short, Dictionary gives you instant access to a dictionary, a thesaurus, and an encyclopedia containing over 6.8 million articles in English. Click a reference to limit your search to that source, or click All to scan all of them.

If you want to look up words in another language and get an English definition, Dictionary even provides translation dictionaries alongside a long list of other reference works. Choose Dictionary > Settings and select the ones you’d like to use. Then, drag the selected entries into the order you want them to appear below the toolbar.

Once you’re in a definition, note that you can copy formatted text for use in other apps—always helpful when wading into grammar and usage arguments on the Internet. More generally, you can click nearly any word in Dictionary’s main pane to look it up instantly. If dictionaries had been this much fun in school, we’d all have larger vocabularies! Use the Back and Forward arrow buttons to navigate among your recently looked-up words.

Alternative Lookup Methods

As helpful as the Dictionary app is, you probably don’t want to leave it open all the time. Happily, Apple has provided several shortcuts for looking up words:

• Spotlight: Press Command-Space to invoke Spotlight, and enter your search term. If you get too many unhelpful results from Spotlight, deselect unnecessary categories from System Settings > Siri & Spotlight.
  
• Lookup: Even better, hover over a word or phrase with the pointer and press Command-Control-D—you can also Control-click the word and choose Look Up “word.” If the app supports it, macOS displays a popover with the definition. If you use a trackpad, you can also do a three-finger tap on the selected word—make sure the “Look up & data detectors” checkbox is selected in System Settings > Trackpad > Point & Click.
  

Now that you know how to take full advantage of the reference works Apple has built into macOS, it’s time to get in touch with your inner logophile—look it up.

(Featured image by iStock.com/Chinnapong)

Have you ever noticed the shading in the corner of text area fields in Safari, Chrome, Firefox, and most other Mac Web browsers? These “handles” let you resize the field—always vertically and sometimes horizontally. That’s handy when the website designer has provided only a small text box and you want to enter more text than will fit. Just drag the handle to make the text box the size you need. Other objects on the page move to accommodate the larger text box. If a text box doesn’t have a resize handle, the site designer doesn’t expect it to need to hold more than a single line of text.

(Featured image based on originals by iStock.com/OlgaCanals and PhotoMelon)

We think of 1Password as being helpful for entering passwords on websites and in iPhone and iPad apps. But its Universal Autofill feature has a hidden capability that lets 1Password enter your Mac login password when you have to provide it to change certain system settings, install apps, format drives in Disk Utility, and more. (But it won’t work to log in at startup before 1Password is running.) To turn this feature on, click the New Item button in 1Password, search for and select “Mac login” ➊, give it a name that will sort alphabetically to the top, like “2020 27-inch iMac” ➋, enter your password, and click Save ➌. From then on, whenever you’re prompted for your Mac login password ➍, press Command-\ (Backslash, located above the Return key), and then click the desired login or press Return to select the topmost item ➎.

(Featured image based on an original by iStock.com/ipuwadol)

Does it feel like your Apple devices are always asking you to install operating system updates? You’re not wrong—from September 2022 to January 2024, we saw the following releases in Apple’s previous set of operating systems:

• macOS 13 Ventura: 20 releases
• iOS 16: 25 releases
• iPadOS 16: 20 releases
• watchOS 9: 15 releases
• tvOS 16: 12 releases

Apple issued many of those at the same time, but since you might not use all your devices every day, it can seem as though you spend all your time installing updates. As annoying as updating can be, we encourage you to do so soon after you’re notified for three reasons.

Reason One: Fewer Bugs

First, as has always been the case, updates fix bugs. You may not have experienced all the bugs that Apple fixes, but when one blocks something you want to do, the fix comes as a huge relief.

For instance, in a set of releases in January 2024, Apple inadvertently introduced a bug that caused text in many apps, including Mail, Notes, and Safari, to appear to be duplicated and overlap. It was only cosmetic, and switching to another window or resizing the window would make it look right again. But the bug was hugely disconcerting, so Apple fixed it two weeks later in macOS 14.3.1 Sonoma, iOS 17.3.1, iPadOS 17.3.1, and Safari 17.3.1 (which brought the fix to macOS 13 Ventura and macOS 12 Monterey).

Reason Two: Better Security

Second, many of the bugs Apple fixes won’t impact your experience of using your device, but they make it possible for attackers to steal information, install malware, spy on your communications, or even take over your entire device. Nearly all of Apple’s operating system updates contain security fixes to address newly discovered vulnerabilities, and some releases only have security fixes. Apple continues to release security updates for the last two versions of macOS and older versions of iOS and iPadOS as appropriate.

It’s easy to think that you won’t be impacted by security vulnerabilities, but remember that as soon as Apple releases an update outlining what it has fixed, attackers know what vulnerabilities exist in unpatched systems. Apple has to react swiftly to some reported vulnerabilities because blocking them can literally be a matter of life or death when it comes to, for instance, iPhone-using dissidents, activists, or journalists working in opposition to repressive governments that employ spyware against their enemies. (All spyware relies on previously unidentified vulnerabilities.)

However, some security vulnerabilities are more likely to impact regular users. For instance, in macOS 14.2.1, Apple fixed a bug in Screen Sharing. If you were sharing your full screen with someone else and had multiple Spaces, Screen Sharing could show the other person random windows in other Spaces, which could range from embarrassing (adult pictures) to seriously problematic (passwords or financial details).

Reason Three: New Features

Third, on the positive side, many operating system releases introduce welcome new features. When Apple unveils its next set of operating systems at the Worldwide Developer Conference in June, some of the promised features won’t appear with the initial releases. New features that shipped in later releases of macOS 14 Sonoma, iOS 17, iPadOS 17, and watchOS 10 include:

• watchOS’s double-tap gesture for tapping the default button in many apps
• AirDrop transfers continuing over the Internet when you move out of AirDrop range
• Adding NameDrop to share contact info when you bring two devices near each other
• Additional options to control when the iPhone screen shuts off in StandBy
• The option to choose a specific album for the Lock Screen’s Photo Shuffle wallpaper
• HomeKey support for Matter locks
• Expanded Favorites in the Music app
• A new automatic Favorite Songs playlist in the Music app
• The addition of Apple’s Journal app
• A Translate option for the Action button in the iPhone 15 Pro models
• 10-day precipitation forecasts in the Weather app
• Sharing of eligible passes in the Wallet app via NameDrop-like proximity
• A catch-up arrow in Messages that lets you jump to the first unread message
• Multiple timers in the Clock app on the Mac
• Stolen Device Protection for the iPhone
• Collaborative playlists in Apple Music
• Support for streaming content to TVs in select hotel rooms using AirPlay

Just Update It

Updates provide both a carrot (user-facing bug fixes and new features) and a stick (security fixes). That’s why we recommend updating soon after Apple pushes out a new release and why devices under management usually receive updates quickly. Even if a security breach is unlikely, the liability of allowing devices to remain unpatched is too high for most organizations. Installing updates is an easy way to reduce worry about things like compromised accounts and ransomware.

There are three types of operating system releases:

• Minor bug fix and security updates: Install these as soon as convenient, usually within a few days. Examples of these include macOS 14.3 to 14.3.1.
• Interim feature updates: Because these include bug fixes and security updates alongside the new features, you’ll also want to install these within a few days. An example is iOS 17.2.1 to iOS 17.3.
• Major version upgrades: Because Apple always releases security updates for the two versions of macOS before the current one, you can wait a month or three before installing a major upgrade, such as from macOS 13 to macOS 14. However, once you’ve verified that your apps and workflow are compatible with the new version, we recommend upgrading because skipping a major version of macOS often results in a more difficult upgrade experience.

In each of these cases, if you’re worried about how an update might impact your workflow, check online forums for discussions of each update and feel free to ask us what we recommend for your particular situation.

(Featured image by iStock.com/Fokusiert)

Is your Mac’s menu bar overwhelmed with icons? They’re helpful little critters, but finding one can be difficult when you have too many and they’re in no particular order. The hidden trick to cleaning up your menu bar relies on the Command key.

• Rearrange the menu bar icons in an order that makes sense to you by Command-dragging them around. You can’t move the Control Center icon or put anything to its right, but every other icon is movable.
• Delete unnecessary Apple-provided status icons by holding down Command and dragging them off the menu bar. (To put one back, select the “Show icon-name status in menu bar” checkbox in its System Settings screen.) You can’t remove the clock, Control Center, or the Siri icon this way, though you can turn off Siri in System Settings > Siri & Spotlight. Command-dragging to delete doesn’t work for non-Apple apps; instead, look for a preference in the app itself.

(Featured image by iStock.com/Valentyna Yeltsova)

Does your organization or some financial website require you to create a new password periodically? This practice was recommended long ago, but some organizations haven’t kept up with current recommendations that discourage such policies. If you’re bound by a password expiration policy, you can use this article to encourage your IT department or financial institution to update its approach to password security.

The rationale behind password expiration policies was that if an attacker were to steal a password database and decrypt some passwords, they would work for only a limited period, lessening the risk of unauthorized access. Even if an attacker gained access to an account, they could remain undetected only if they didn’t change the password, and that access wouldn’t last indefinitely.

Over time, security experts realized that the problem wasn’t so much how long an attacker could remain undetected but allowing users to set weak passwords that could be decrypted. It turns out that users often choose weaker passwords when they know they will have to change them, perhaps by tweaking a previous password for easier memorization. This fact hasn’t been lost on attackers, making it easier for them to figure out future passwords. In other words, attempting to increase security by requiring users to change passwords paradoxically reduces security.

The National Institute for Standards and Technology (NIST) is a US government agency that develops cybersecurity standards and best practices for the federal government that large corporations and other institutions tend to follow. In 2017, NIST changed its guidelines to say, “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).” In a FAQ, NIST explains:

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations.

Of course, if there’s evidence of unauthorized access or a breach of the password database, all passwords should be invalidated and everyone should be required to create a new password immediately—that’s entirely different than requiring passwords to be changed on a schedule.

Interestingly, NIST also doesn’t recommend password composition requirements—such as requiring the password to contain a letter, number, and special character—because users tend to devise predictable techniques to meet such requirements, such as appending an exclamation point to every password. Instead, NIST encourages longer passwords because a long password that’s easily remembered and typed can be stronger than a shorter password composed of random characters. Password managers can generally create both types.

If you’re forced to change a website password periodically, it’s easiest to use a password manager to generate and enter a new strong password, and you won’t have to memorize the new password. For the very few passwords you must remember and type manually, aim for longer passwords that won’t trip up your fingers while typing or require numerous switches of iPhone uppercase and numeric keyboards. To aid memorization, perhaps consider choosing words for your password from categories with many possibilities. For instance, if your initial password is gouda-purple-1989-New-York, the next one could be cheddar-black-2011-Des-Moines. Both are strong in their own right, but only you would know the categories used for each portion.

(Featured image based on an original by iStock.com/designer491)

On the iPhone and iPad, to send a photo to a Messages chat, tap the ⊕ button and then tap Photos in the list that appears to reveal the photo picker. That’s not difficult, but it requires an extra step you can avoid with this tip. If you’re running iOS 17 or iPadOS 17, instead of tapping the ⊕ button, touch and hold it for a second to bring up the photo picker immediately.

(Featured image based on an original by iStock.com/oatawa)

The near-ubiquity of videoconferencing is a lasting effect of the pandemic. The ease of gathering a group virtually usually more than makes up for the downsides. Despite that, many people still appear in video calls with low-resolution, poorly lit video that makes the call less effective.

A better webcam is an easy way to improve your video, and the best readily available webcam may already be in your pocket. That’s because you can use your iPhone and its high-quality cameras as a wired or wireless Mac webcam, thanks to Apple’s Continuity Camera technology.

Your Apple gear likely meets the Continuity Camera system requirements. You need an iPhone XR or later (all iPhones introduced in 2018 or later) running at least iOS 16 and a Mac running macOS 13 Ventura or later. Both must be signed in to the same Apple ID.

You’ll want a mount that holds your iPhone in landscape orientation (horizontally) at the top of your Mac’s screen, with its rear cameras facing you. The first such mounts for laptops and desktops came from Belkin, but numerous manufacturers now sell inexpensive alternatives that have different industrial designs and support iPhones that can’t use MagSafe. Continuity Camera can drain your battery, so it’s worth plugging in a charger cable or getting a screen mount that also holds a MagSafe charger; look on Etsy for options, such as this one.

Although the samples above show the iPhone’s cameras in the upper-right corner, you can rotate the iPhone to position the cameras in the lower-left corner, which may put them more in line with your eyes and improve eye contact.

(Technically, you can put the iPhone anywhere—a tripod behind your screen would also work—and it doesn’t have to be in landscape orientation. However, apps detect the iPhone as a webcam automatically only when it’s in landscape orientation, and if it’s below or to the side of your screen, the video angle will likely be problematic. You can also take your iPhone off its mount and walk around with it as long as you stay in Bluetooth range of your Mac.)

When the iPhone is locked and in position, its camera and microphone become available to videoconferencing apps like FaceTime, Zoom, and Webex. Your app may start using the iPhone as a camera automatically, but if not, look for a menu or icon that lets you choose the desired camera. Similarly, you can use the iPhone’s mic as your audio input for the call, although the Mac’s built-in mic, AirPods, or other mic may offer equally good or better audio quality.

For the most part, the iPhone acts like a standard webcam. After you end the call, remove it from the mount to use it normally again. Should you need to check something on your iPhone during the call, you can remove it from the mount and either tap the Pause button or just unlock it—your video (and audio, if you’re using the iPhone as a mic too) will pause. To resume, lock and remount your iPhone. You may want to warn the other people on your call first in case something goes wrong and you get disconnected.

Receiving a phone call is a similar situation. Answering the call on the iPhone pauses the audio and video for the videoconference until you end the call, lock the iPhone, and mount it again. You may also be able to answer the call on the Mac, but that also pauses the audio and video, and you may need to choose the iPhone as your camera again afterward.

Ultimately, using your iPhone as a webcam is remarkably easy—Continuity Camera just works in our experience. The only tricky part is finding the screen mount and charger that work best with your Mac and usage patterns.

(Featured image by Belkin)