Web Infrastructure News: SSL, DNS, Domain & Monitoring Updates

Web infrastructure news today. SSL/TLS certificate changes, DNS security updates, robots.txt and AI crawler developments, domain policy changes, and monitoring industry news. Updated regularly with sources.

Web infrastructure changes constantly. Certificate authorities shorten lifetimes. DNS providers get hijacked. AI crawlers ignore robots.txt. Domain registrars change policies. Miss an update and your site goes down, drops out of search results, or gets impersonated.

This page tracks the changes that matter across SSL/TLS, DNS, domain registration, crawlability, and monitoring. Every item links to a primary source so you can verify it yourself. Updated regularly with policy changes, security incidents, industry developments, and standards updates that affect anyone running a website.

Bookmark this page. When something breaks, check here first.

Don't wait for the news to find you

Monitor your entire web infrastructure — uptime, SSL, DNS, domains, and vendor status — from one dashboard.


June 2026

Automated traffic overtakes humans on the web for the first time

On June 3, 2026, Cloudflare CEO Matthew Prince reported — citing Cloudflare Radar — that automated traffic now makes up roughly 57.5% of requests to HTML pages, versus 42.5% from humans. It's the first time machines have formed the majority of web traffic, driven largely by the rise of agentic AI. Prince had forecast the crossover for 2027 at SXSW in March; it arrived early.

For anyone running a site, this reframes capacity planning and monitoring: a growing share of your "traffic" is bots, and uptime/latency baselines increasingly reflect crawler and agent behavior rather than human visitors.

Sources: Tech Times, WorkOS

Chrome stops trusting new public certificates issued for client authentication

Under the Chrome Root Program policy, public TLS server certificates issued on or after June 15, 2026 must carry the serverAuth extended key usage (EKU) only. New multi-purpose certificates that also include clientAuth will not be trusted by Chrome. Existing certificates keep working until they expire, and several CAs (DigiCert, Sectigo, Let's Encrypt) finished removing clientAuth from newly issued public certs ahead of the deadline.

If you've been using publicly trusted certificates for mutual TLS (mTLS), this breaks that pattern — move client-authentication use cases to a private CA.

Sources: Chrome Root Program Policy, The SSL Store

UK publishers start billing AI crawlers £500 per article

On June 15, 2026, the Movement for an Open Web launched "Search-Only Contracts" with 31 founding UK publishers. The terms — embedded in robots.txt and site terms — bill AI firms £500 per article for unauthorized generative-AI use and are designed to be enforceable through UK small-claims county courts (a roughly £50 filing fee). The targets are OpenAI's ChatGPT and Google Gemini.

It's the latest sign that robots.txt is shifting from a polite convention toward a contract-and-litigation footing. Whether or not it holds up in court, it signals how seriously publishers now take crawler control.

Sources: Press Gazette, PPC Land

More newsrooms switch to "default-deny" for AI crawlers

In early June 2026, Reuters and Time both moved to default-deny robots.txt configurations — blocking AI crawlers by default and admitting them only by allowlist, joining People Inc. and The Atlantic. Reuters says it will permit a bot only where there's a "fair value exchange" (licensing, referral traffic, or monetization). Industry estimates put the share of news sites blocking at least one AI crawler above 50%, though reports also find roughly 30% of AI scrapes ignore robots.txt anyway.

Sources: Search Engine Journal, Technology Checker

Google's May 2026 core ranking update finishes rolling out

Google's May 2026 core update — which began on May 21 (Google I/O day) — completed its rollout on June 2, 2026 after roughly 12 days. It was the second core update of the year and was announced through the Search Status Dashboard rather than a dedicated blog post. Site owners reported high ranking volatility during the rollout.

If your organic traffic shifted in late May or early June, this is the likely cause. Watch Search Console coverage and impressions, not just rankings.

Sources: Search Engine Land, Search Engine Journal

Google Postmaster Tools adds "Deliverability Analysis"

In early June 2026, Google added a Deliverability Analysis section to the Postmaster Tools V2 compliance dashboard. It translates raw sending data into a plain-language verdict and a specific recommended action — for example, flagging a high spam rate, authentication failures, or low engagement and telling you what to fix first.

This matters for monitoring because alert deliverability depends on your sending domain's reputation. If your monitoring tool emails alerts from a domain that lands in spam, those alerts may never reach you.

Sources: DMARC Report


May 2026

A DNSSEC signing error briefly takes .de off the internet

On May 5, 2026, DENIC — the registry for Germany's .de — published invalid DNSSEC signatures during a routine key rollover. A software defect generated three different key pairs (one per HSM) that shared the same key tag (33834), but only one public key was published in the DNSKEY record, so only about a third of signatures validated. Validating resolvers returned SERVFAIL for .de domains — including bahn.de, amazon.de, and spiegel.de — for roughly three hours until the issue was corrected. Cloudflare's 1.1.1.1 temporarily marked .de "insecure" to restore resolution.

This is the textbook illustration of why DNSSEC needs its own monitoring: a signing failure looks identical to "the site is down" from a user's perspective, and most uptime checks can't tell the two apart.

Sources: DENIC post-mortem, Cloudflare

Let's Encrypt begins the move from 90-day to 45-day certificates

On May 13, 2026, Let's Encrypt made its optional tlsserver 45-day certificate profile available to early adopters — the first concrete step in a plan, announced in December 2025, to cut its default certificate lifetime from 90 days to 45. The default "classic" profile is scheduled to drop to 64 days in February 2027 and to 45 days in February 2028, aligning with the CA/Browser Forum's broader shortening timeline.

Shorter lifetimes shrink your renewal window. If your ACME automation has ever failed silently, you now have far less buffer before a certificate actually expires.

Sources: Let's Encrypt: From 90 to 45 days, Let's Encrypt blog

AWS us-east-1 hit by a thermal event

On May 7–8, 2026, elevated temperatures in a single us-east-1 Availability Zone (use1-az4, Northern Virginia) impaired EC2 instances and degraded EBS volumes for roughly seven hours. Status trackers logged thousands of service status changes; affected services included FanDuel, Epic Games, Signal, Trello, Moodle, and Ancestry. Because the impact was contained to one AZ, it was less severe than the region-wide DNS outage of October 2025.

The lesson repeats: single-region, single-AZ dependencies remain a concentration risk. Monitoring from multiple locations catches partial-region degradation that a single check can miss.

Sources: StatusGator, ITPro

Railway goes dark after Google Cloud suspends its account by mistake

On May 19–20, 2026, Google Cloud incorrectly flagged platform host Railway's production account as suspended, taking down all of Railway's GCP-hosted infrastructure for about eight hours (22:20 UTC May 19 to ~06:14 UTC May 20). It's a stark reminder that your provider can take you offline by mistake — no breach, no bug in your own code required.

For anyone building on a single cloud, this is an argument for independent, third-party monitoring that doesn't depend on the same provider you're hosting on.

Sources: Railway incident report

DMARCbis lands: DMARC becomes a Proposed Standard

In May 2026, the IETF published the long-running "DMARCbis" revision as RFC 9989 (core DMARC), with RFC 9990 (aggregate reporting) and RFC 9991 (failure reporting). It's the first substantive update to DMARC since the original RFC 7489 in 2015, and it elevates DMARC from an Informational document to the Standards Track. Existing records still begin with v=DMARC1, so current deployments keep working — but the alignment and reporting rules are now formally specified.

With Gmail, Yahoo, and Microsoft all rejecting non-compliant bulk mail, correct SPF/DKIM/DMARC DNS records are now a hard requirement for any domain that sends email — including the domain your monitoring alerts come from.

Sources: RFC 9989, Red Sift

Anthropic's Claude-SearchBot becomes the largest dedicated AI search crawler

Crawler telemetry through May and June 2026 showed significant churn in AI bot traffic. Anthropic's newer Claude-SearchBot roughly tripled its share to around 2.4%, overtaking OpenAI's OAI-SearchBot to become the largest dedicated AI search crawler. ByteDance's Bytespider surged to become the #4 AI crawler overall, while Googlebot's share fell to an all-time low. Anthropic now operates four distinct bots (ClaudeBot, Claude-User, Claude-SearchBot, and claude-code), each with its own user-agent.

The takeaway for robots.txt maintainers is unchanged but more urgent: blocking one AI user-agent today doesn't block the new ones that appear next month. Review your rules regularly.

Sources: PPC Land: Anthropic's crawlers, Web Search API crawler report


April 2026

Verisign to raise wholesale .com prices 7%

On its April 23, 2026 earnings call, Verisign announced that the registry-level wholesale price of a .com domain will rise 7%, from $10.26 to $10.97, effective November 1, 2026 — the first increase after a pause through 2025. Under the current ICANN/Verisign agreement, Verisign can take up to a 7% increase in four of every six years, so the wholesale price could climb further over the contract term. Registrars typically pass these increases through to registrants.

If you manage a domain portfolio, budget for renewal-cost creep and monitor expiry dates independently — auto-renewal failures get more expensive as prices rise.

Sources: Domain Name Wire, Verisign investor relations

ICANN opens the first new gTLD application round in over a decade

On April 30, 2026, ICANN opened the application window for its long-awaited next round of new generic top-level domains — the first since the 2012 round that produced more than 1,200 new gTLDs. The window runs through August 12, 2026, with a base evaluation fee of $227,000 (reduced for qualifying applicants), and expands internationalized domain name support to 27 scripts.

Expect a wave of new TLDs over the next few years. For site operators, new gTLDs mean new registry operators — and new registry-level policies (including DNSSEC requirements) to track for any domains you register on them.

Sources: ICANN announcement, ICANN New gTLD Program

A hijacked .fi domain drains $1.2M from CoW Swap users

Around April 14–17, 2026, an attacker socially engineered Finland's .fi registry (Traficom) using falsified ID documents to seize control of the domain cow.fi, used by the CoW Swap DAO. For several hours the site served a pixel-perfect phishing clone that drained connected wallets — about $1.2M in user losses — before the domain was restored and a registry lock applied.

The defenses here are boring but effective: registry lock on critical domains, and DNS monitoring that alerts you the moment your nameserver or A-record changes.

Sources: Domain Name Wire, The Block

NCSC and DOJ move against APT28's router-based DNS hijacking

On April 7, 2026, the UK's National Cyber Security Centre (NCSC) published an advisory on the Russian state actor APT28 (Fancy Bear / GRU Military Unit 26165) compromising vulnerable routers — particularly 23 TP-Link models via CVE-2023-50224 — to overwrite their DHCP/DNS settings and redirect traffic through attacker-controlled DNS servers. Active since at least 2024, the operation used roughly 140 malicious IP addresses across two infrastructure clusters to mount man-in-the-middle attacks against email and authentication services (primarily Outlook), harvesting credentials. The same day, the U.S. Justice Department and FBI announced "Operation Masquerade," a court-authorized takedown that neutralized the U.S. portion of the network — resetting compromised routers' DNS settings to legitimate ISP resolvers without disrupting normal function.

DNS hijacking at the router level is hard to spot from inside a network: name resolution still "works," it just points somewhere malicious. Patch edge devices, and use DNS monitoring from outside your network to detect when your domain starts resolving to an unexpected address.

Sources: NCSC advisory, U.S. Justice Department, The Hacker News

DigiCert's legacy "G1" roots removed from Chrome and Firefox

From April 15, 2026, Chrome and Mozilla removed trust for several legacy DigiCert "G1" root certificates. Certificates chaining to those roots are no longer trusted in current browsers. In normal operation this is invisible — modern certificates chain to newer roots — but it can surface during migrations, with private PKI accidentally exposed to the public web, or on older devices and appliances that pin to the old chain.

SSL monitoring that validates the full chain (not just the leaf certificate) is how you catch a broken or distrusted chain before your visitors do.

Sources: Hexss SSL analysis


March 2026

TLS certificate lifetimes officially start shrinking — 200-day maximum

The first milestone of the CA/Browser Forum's certificate-shortening timeline took effect: as of March 15, 2026, the maximum lifetime for a public TLS certificate dropped from 398 days to 200 days. (The full schedule, approved in April 2025, continues to 100 days in March 2027 and 47 days in March 2029.)

At 200 days, manual renewal is already impractical for any site with more than a handful of certificates. Automate renewal via ACME now, before the next reductions land — and monitor expiry dates so a failed renewal doesn't become an outage.

Sources: CA/Browser Forum Ballot SC-081v3, Sectigo

See sslcertificateexpiry.com for SSL monitoring and expiry tracking.

Inside Googlebot: Google clarifies how crawling really works

On March 31, 2026, Google's Gary Illyes published "Inside Googlebot" on the Search Central blog. The key operational detail: Googlebot fetches only the first 2MB of an HTML page (64MB for PDFs) and processes the rest from there. The practical advice is to keep critical tags — title, canonical, and structured data — near the top of your HTML so they're never truncated.

If important markup lives deep in a bloated page, Googlebot may never see it. Lean pages and lean sitemaps remain the safest bet.

Sources: Google Search Central, Search Engine Land

Google's March 2026 core update

Google ran a broad core ranking update from March 27 to April 8, 2026 — a "regular" core update announced via the Search Status Dashboard. As with all core updates, recoveries and drops tracked overall content quality rather than any single technical signal.

Sources: Search Engine Land, Google Search Status Dashboard


Early 2026 (January–February)

Let's Encrypt ships 6-day and IP-address certificates

On January 15, 2026, Let's Encrypt moved two long-trailed features to general availability: ultra-short-lived certificates (a "shortlived" profile of about six days, with no OCSP or CRL) and certificates that cover IP addresses directly. Both reflect the industry's shift toward short lifetimes and automation.

Six-day certificates only work with fully automated issuance — there is no manual renewal at that cadence. If you adopt them, your monitoring needs to watch the automation pipeline, not just the expiry date.

Sources: Let's Encrypt: 6-day and IP certs GA, Let's Encrypt: original announcement

Markmonitor changes hands in a $450M deal as registrar consolidation continues

Corporate-domain registrar Markmonitor was carved out of Newfold Digital and acquired by Com Laude (backed by PX3 Partners) in a deal worth roughly $450M; it closed December 31, 2025 and rebranded as Markmonitor Group in January 2026. The wider registrar market remains concentrated — across .com, the top five registrars hold roughly 55–57% of registrations, with GoDaddy alone near 32%.

Concentration concentrates risk: a policy change or outage at a major registrar affects a large slice of the web. Don't keep all your domains at one registrar, enable registry lock on critical ones, and monitor expiry dates independently of registrar notifications.

Sources: Newfold Digital press release, Domain Name Wire: .com registrar rankings

See domainexpirywatcher.com for domain expiry monitoring.

Monitoring keeps consolidating into unified platforms

The pattern toward unified monitoring continued into 2026, with the observability market both consolidating and fragmenting at once: large vendors keep acquiring (Datadog picked up browser-testing startup Propolis in January 2026), while newer code-first tools like Better Stack and Checkly chip away at incumbents. The common thread is that teams want fewer dashboards, not more — uptime, SSL, DNS, domain, and vendor-status checks that were once separate tools are increasingly bundled.

This is exactly why Site Watcher exists — one dashboard for all five monitoring types, with consolidated alerts so you don't get paged by five different tools for the same incident.

Sources: Datadog acquisitions (Tracxn)


Late 2025

Cloudflare outage takes down a large slice of the web

On November 18, 2025, a Cloudflare outage took down or degraded major sites including X, ChatGPT, Spotify, and Canva for roughly three hours. The cause was not an attack: a permissions change on a ClickHouse database cluster caused a Bot Management configuration ("feature") file to fill with duplicate rows and double in size, exceeding a hard limit and crashing Cloudflare's proxy. Cloudflare initially suspected a DDoS before tracing it to the internal config file.

The incident underscores the concentration risk of modern infrastructure — when one provider fronts a large share of internet traffic, a single bad config becomes a global event. Monitor from multiple locations, and don't rely solely on your CDN's status page to tell you when it's down.

Sources: Cloudflare post-mortem, ThousandEyes analysis

A DNS bug at AWS cascades across the internet

On October 20, 2025, a latent race condition in DynamoDB's automated DNS management in AWS's us-east-1 region emptied the DNS record for the regional DynamoDB endpoint, cascading across dozens of AWS services for roughly 15 hours. Snapchat, Reddit, Venmo, Coinbase, Signal, and Ring were among the casualties, with millions of outage reports. Days later, on October 29, an invalid configuration push took down Microsoft's Azure Front Door for several hours.

DNS remains one of the highest-leverage failure points in the stack: a single bad record can take a service offline globally. DNS monitoring that checks resolution from multiple locations is the fastest way to catch this class of failure.

Sources: ThousandEyes: AWS Oct 20 2025, ThousandEyes: Azure Front Door Oct 29 2025

DDoS attack records keep falling

Record-breaking DDoS attacks accelerated through late 2025. Cloudflare reported mitigating a 7.3 Tbps attack in May, then 11.5 Tbps in early September, then 22.2 Tbps later in September, and finally a 31.4 Tbps attack on December 19, 2025 — the largest publicly reported DDoS attack to date and still the record as of mid-2026. Most lasted under a minute, and the largest traced to the Aisuru-Kimwolf botnet built largely from compromised IoT devices.

These hyper-volumetric, ultra-short bursts are designed to overwhelm before defenses react. If your site isn't behind a CDN with DDoS protection, even a fraction of this volume can take your origin down. Uptime monitoring with low check intervals (60 seconds or less) is the fastest way to detect an attack in progress.

Sources: Cloudflare Q4 2025 DDoS report, BleepingComputer: 22.2 Tbps

Robots.txt isn't legally binding — but it's becoming a battleground

A pair of late-2025 court rulings sharpened the legal status of robots.txt. In December 2025, in Ziff Davis v. OpenAI, a U.S. federal judge in the Southern District of New York held that robots.txt is not a technological measure that "effectively controls access" under the DMCA — likening it to a "keep off the grass" sign — so ignoring it isn't unlawful circumvention. Days earlier, Germany's Higher Regional Court of Hamburg, in Kneschke v. LAION, upheld AI training under the EU text-and-data-mining exception but ruled that opt-outs must be machine-readable to count — making robots.txt-style declarations the proper mechanism, even if not legally enforceable on their own.

The practical upshot: robots.txt is still a voluntary convention in court, but it's now central to the licensing-and-litigation fights between publishers and AI companies. Keep yours accurate and machine-readable.

Sources: Eric Goldman: Ziff Davis v. OpenAI, Inside Tech Law: Kneschke v. LAION

Let's Encrypt nears a billion active certificates

In its ten-year retrospective (December 2025), Let's Encrypt reported it had issued more than 7 billion certificates since 2015, was issuing over 10 million certificates a day, and was approaching 1 billion active certificates. HTTPS now accounts for roughly 80% of page loads globally and around 95% in the United States.

The flip side of this scale is constant renewal risk: because Let's Encrypt certificates are short-lived (and getting shorter), a single ACME misconfiguration, a DNS provider outage during validation, or an expired domain can silently break renewal — and you won't know until the certificate expires. Automated certificate monitoring catches these failures before browsers do.

Sources: Let's Encrypt: 10 years


Mid-2025

CA/Browser Forum votes to cut certificate lifetimes to 47 days

On April 11, 2025, the CA/Browser Forum approved Ballot SC-081v3, setting a schedule to reduce the maximum TLS certificate lifetime from 398 days to 47 days by March 2029, with steps at 200 days (March 2026) and 100 days (March 2027). Apple proposed the ballot; Google, Mozilla, and the major CAs backed it, and it passed with no votes against.

This is the biggest change to SSL/TLS operations since Let's Encrypt made free certificates mainstream. At 47 days, manual renewal becomes operationally impossible, and automation via ACME (Let's Encrypt, ZeroSSL, Google Trust Services) becomes mandatory. If you still renew certificates by hand, this was your warning to migrate — and to monitor expiry dates closely through the transition.

Sources: CA/Browser Forum Ballot SC-081v3, DigiCert

Microsoft enforces bulk sender authentication

Starting May 5, 2025, Microsoft began requiring SPF, DKIM, and DMARC for high-volume senders (5,000+ messages per day) to Outlook.com, Hotmail.com, and Live.com. Non-compliant mail was first routed to Junk during a grace period; outright rejection (SMTP error 550 5.7.515) followed in November 2025, around the same time Gmail escalated to deferring and rejecting non-compliant bulk mail.

Microsoft was the last major provider to enforce these rules. With Google, Yahoo, and Microsoft all requiring authentication, correctly configured DNS records (SPF, DKIM, DMARC) are no longer optional for any domain that sends email at scale — including the domain your monitoring alerts come from.

Sources: Microsoft Tech Community, dmarcian

Chrome distrusts two certificate authorities

On May 30, 2025, Google announced it was removing default trust for two Chunghwa Telecom roots and one Netlock root from the Chrome Root Store, citing "a pattern of compliance failures." Certificates with signed certificate timestamps after July 31, 2025 chaining to those roots are distrusted, enforced from Chrome 139.

CA distrust events are invisible until they aren't — they surface when you're using certificates from a smaller or regional CA. SSL monitoring that validates the full chain gives you early warning if your CA falls out of a browser's trust store.

Sources: Google Security Blog

Cloudflare blocks AI crawlers by default and launches "Pay Per Crawl"

On July 1, 2025, Cloudflare became the first major infrastructure provider to block AI crawlers by default for new domains, and launched a "Pay Per Crawl" marketplace letting publishers charge AI bots a micropayment per request. The move built on the one-click "Block AI bots" toggle Cloudflare had shipped in July 2024, and it shifted the default for a large chunk of the web from "open to AI crawlers" to "blocked unless you opt in." In the months that followed, Cloudflare reported customers blocking hundreds of billions of AI scraping requests.

For sites without a CDN-level control, robots.txt remains the primary (and often inadequate) defense. For everyone else, edge-level bot management is now the more reliable lever.

Sources: Cloudflare: Pay Per Crawl, Nieman Lab

Cloudflare's 1.1.1.1 resolver goes down for an hour

On July 14, 2025, an internal configuration error withdrew the BGP routes for Cloudflare's 1.1.1.1 public DNS resolver, knocking it offline globally for about 62 minutes. A coincident, unrelated route announcement from another network briefly looked like a hijack but was an effect, not the cause.

When a major public resolver fails, sites appear "down" to anyone using it — even though the sites themselves are fine. It's another argument for monitoring resolution from multiple vantage points rather than trusting a single resolver.

Sources: Cloudflare post-mortem


Early 2025

Let's Encrypt signals the move to much shorter certificate lifetimes

On January 16, 2025, Let's Encrypt announced plans to issue certificates with lifetimes far shorter than 90 days — down to about six days — along with certificates for IP addresses. The announcement made clear the whole industry was heading toward short-lived certificates, turning automated renewal from a best practice into a survival requirement. (A week later, on January 22, Let's Encrypt also announced it would end its expiration-reminder emails, citing cost and privacy — pushing responsibility for expiry tracking onto site operators and their monitoring tools.)

Sources: Let's Encrypt: 6-day and IP certs, Let's Encrypt: ending expiration emails

Expired domains turn out to control thousands of live backdoors

In January 2025, security firm watchTowr Labs registered more than 40 abandoned command-and-control domains for as little as $20 each — and in doing so took control of over 4,000 still-active malware backdoors that were quietly "phoning home" to those domains. It's a vivid demonstration of expired-domain risk: a lapsed domain doesn't just disappear, it can be claimed by anyone, including for malicious purposes.

The defensive lesson applies to ordinary sites too. Monitor your domains' expiry dates independently of registrar auto-renewal, which fails more often than people expect.

Sources: BleepingComputer, The Hacker News

The root zone's signing key begins its rollover

On January 11, 2025, the rollover of the DNS root zone's Key Signing Key (KSK-2024) formally began — the cryptographic anchor that the entire DNSSEC chain of trust depends on. The new key will not begin signing until October 2026, and resolver adoption has been smooth so far. It's a reminder that DNSSEC's trust chain runs all the way up to a single key at the root, and that key-management events ripple outward to every signed domain.

Sources: Verisign blog


Late 2024

Google and Yahoo escalate bulk sender enforcement

From late 2024 onward, Google escalated enforcement of its February 2024 bulk sender requirements from warnings to active rejections, and Yahoo mirrored the move. The thresholds, now strictly enforced for senders of 5,000+ messages per day, include SPF, DKIM, and DMARC authentication, spam-complaint rates below 0.3%, one-click unsubscribe in marketing email, and TLS for transmission.

For website infrastructure, this made DNS record correctness critical. A missing SPF include, a rotated DKIM key that wasn't updated in DNS, or a p=none DMARC policy could mean your transactional and monitoring emails silently stop arriving.

Sources: Google bulk sender guidelines, Mailgun

Apple Mail Privacy Protection reshapes email metrics

By late 2024, Apple Mail Privacy Protection (MPP) was active for the large majority of Apple Mail users — widely cited around 95% of users who enabled the privacy prompt — and Apple Mail accounts for roughly half of all email opens globally. As a result, open rates became unreliable as a deliverability signal.

This matters for monitoring tools that track whether alert emails were "read" via open-tracking pixels: with MPP, Apple Mail alerts register as "opened" whether or not anyone saw them. Don't rely on email open receipts to confirm your alerting pipeline is working — use an independent heartbeat check instead.

Sources: Litmus: email client market share, Litmus: MPP for marketers

Google retires the "Cached" link, and INP replaces FID

Two 2024 changes still shape how site operators diagnose problems. Through 2024, Google fully removed the "Cached" link (and the cache: operator) from search results — eliminating a free, decades-old way to see the last version Google crawled; the URL Inspection tool in Search Console and the Wayback Machine are now the alternatives. Separately, on March 12, 2024, Interaction to Next Paint (INP) replaced First Input Delay (FID) as a Core Web Vital, with a stricter 200ms "good" threshold that caught out many JavaScript-heavy sites.

Both reinforce the same habit: monitor continuously rather than spot-checking, because the easy diagnostic shortcuts keep disappearing.

Sources: Search Engine Land: cache link retired, web.dev: INP replaces FID


What to watch for the rest of 2026

  • Certificate lifetimes keep shrinking. The 200-day maximum is now in effect (March 2026); 100 days follows in March 2027 and 47 days in March 2029. Let's Encrypt's own default drops toward 45 days starting 2027. Automate renewal now.
  • AI crawler proliferation and pushback. New AI crawlers appear monthly, and the response is escalating — default-deny robots.txt, pay-per-crawl, and now publisher billing and litigation. Review your robots.txt regularly; blocking one bot today doesn't block next month's.
  • DNSSEC fragility. The .de outage showed how a registry-side signing error looks identical to a global outage. With the root KSK rollover completing in October 2026, DNSSEC monitoring matters more, not less.
  • Concentration risk. AWS, Azure, and Cloudflare each had major outages in the last year. Monitor from multiple locations and don't depend on a single provider's status page.
  • New gTLD round. ICANN's application window (April–August 2026) will eventually expand the TLD landscape — and with it the set of registry policies to track.
  • Email authentication is now mandatory. With DMARCbis standardized and Gmail/Microsoft rejecting non-compliant bulk mail, broken SPF/DKIM/DMARC means missed alerts. Monitor your sending domain's DNS records.

This page is updated regularly. Last updated June 23, 2026.