Internet protocols
Internet Engineering Task Force
The IETF develops and publishes the RFCs that define how the internet actually works — DNS, TCP/IP, TLS, SMTP, DMARC, HTTP, and almost everything in between. Specifications are produced by working groups via open-participation consensus.
Standards governed by IETF
- Authenticated Received Chain (ARC): Preserves DKIM/SPF authentication results when mail is forwarded through mailing lists or alias services. The fix for "forwarder breakage".
- Brotli / gzip compression: Compress HTML, CSS, JS, and JSON over the wire. Brotli beats gzip; gzip beats nothing.
- CAA records: Tells the world which certificate authorities are allowed to issue certificates for your domain. Stops rogue CA issuance dead.
- Certificate Transparency: Every publicly-trusted certificate must appear in append-only public logs. Chrome, Safari, and Edge enforce it — non-CT certs throw a hard browser error.
- DANE for SMTP: DNSSEC-anchored TLSA records that pin the certificate your mail server presents. The other (older, stricter) path to authenticated mail-in-transit alongside MTA-STS.
- DKIM: Cryptographically signs outbound mail so receivers can verify it came from your domain and wasn't altered in transit. The other half of DMARC.
- DMARC: Without DMARC enforcement, anyone can send mail that looks like it's from your domain. Apple, Google, Microsoft, and Yahoo now require it for bulk senders.
- DMARC Failure Reports (RUF): Per-message forensic reports for DMARC failures — distinct from the daily aggregate (rua=) feed. Useful for live debugging; rare in practice because of privacy concerns.
- DNSSEC: Cryptographically signs your DNS records so resolvers can detect tampering. Underused — but increasingly expected for finance, gov, and email.
- Forward secrecy: Even if your server's private key leaks tomorrow, past traffic stays unreadable. Mandatory in TLS 1.3 — make sure your stack negotiates it.
- HTTP Strict Transport Security: One header tells every future visitor 'always HTTPS, never HTTP, no exceptions'. Should ship everywhere; preload only after you're sure.
- HTTP/2: Multiplexed connections, header compression, server push. Free performance upgrade on every major CDN.
- HTTP/3: QUIC-over-UDP transport. Faster handshakes and resilience to packet loss on flaky networks. Increasingly standard at the CDN layer.
- IETF AI Preferences (aipref): The IETF working group standardizing how sites express AI training / inference preferences. Likely to subsume ai.txt, llms.txt opt-out semantics, and the messy patchwork of robots.txt AI directives.
- MTA-STS: Forces inbound mail to your domain over TLS so an attacker can't downgrade the connection mid-flight. Pair it with TLS-RPT to find out when someone tries.
- OCSP Stapling: Server attaches a fresh signed revocation status during the TLS handshake — so clients don't have to call out to the CA. Faster handshakes, better privacy.
- security.txt: A plain-text file at /.well-known/security.txt that tells researchers where to send vulnerability reports. Costs nothing; saves an inbound bug from getting routed to /dev/null.
- SMTP TLS Reporting (TLS-RPT): The reporting half of MTA-STS / DANE. A daily JSON digest of every TLS handshake failure to your domain — the only way to know your inbound mail is being downgraded.
- SPF: Lists which servers are allowed to send mail as your domain. Half of DMARC; you need it.
- SPF 10-DNS-lookup limit: An SPF record that triggers more than 10 DNS lookups during evaluation returns `permerror` — meaning every receiver treats it as if you had no SPF at all. The fastest path to silently broken DMARC.
- TLS 1.2+ baseline: Disable TLS 1.0 and 1.1. They've been deprecated since 2020. PCI-DSS requires it; everyone else should too.
- TLS 1.3: The modern target, not the minimum. One round-trip handshake, mandatory forward secrecy, every weak cipher removed. If your stack supports it, prefer it.