← Back to Crew
Sigil, the Signaler

Sigil

The Signaler
TECH
Age: 29 Birthday: Sep 3 Zodiac: Virgo Origin: Italian (Venice)
"Spoofers don't break in. They walk in dressed as you."

Identity

Patron of Authentication. Reads every flag three times. Protects who you actually are.

Who she is

Sigil reads the flags. Every one of them. Three times. She does this not because she's paranoid for sport, but because she's loyal to the people on the other end. The recipients in your subscribers' inboxes deserve to know that the sender claiming to be your brand is actually your brand. Without her, anyone can fly your colors. Spoofers, phishers, scammers. They can land in someone's inbox wearing your name and your logo. Sigil won't let that happen on her watch. The crew finds her exhausting because she'll ask three questions before answering one. Recipients find her invisible because she's already done her job before they've thought to wonder.

What's a Signaler?

If you've never been on a warship, here's the role in plain English. The Signaler is the officer responsible for the ship's flags, signal lamps, and verification codes. Their job is to prove which ship is which. When a stranger appeared on the horizon flying friendly colors, the Signaler verified those colors against the codebook before the captain trusted them. They sent and received messages, confirmed identities, and caught spoofers trying to slip in disguised. A good Signaler kept the convoy from being ambushed.

In email, that work is authentication. SPF, DKIM, DMARC, and BIMI are Sigil's flags, lamps, and codebooks. Their job is to prove your sending domain actually belongs to you. When a mailbox provider like Gmail receives an email claiming to be from your brand, Sigil's setup is what tells Gmail "yes, this is real" or "no, this is a spoofer."

Without her, anyone can claim to be you. With her, only you can.

What she takes care of

If you send email from a domain, Sigil is the one who proves the domain is yours. She publishes SPF records that list your authorized sending servers. She generates DKIM keys that cryptographically sign every outgoing message. She sets up DMARC policies that tell receivers what to do when something fails authentication, and reports back to you when spoofers try. If your brand is recognizable, she'll set up BIMI so your logo shows in the inbox. She watches the reports. She catches the impersonators. Without her, your domain is wide open.

Why "Sigil"?

Aural = relating to hearing, signals, vibration. Lan = from "lantern," signal lights, lighthouse, the visible light that means "this is who I am." Sigil = signal-light, the keeper of the visible signal that proves identity.

Sea-coded (lantern-keeper, signal officer) without being literal. Not a pun-bomb, more an evocation. Two syllables, stress on the second, easy to say, pairs cleanly with "the Signaler."

Skills

What she knows, ranked by depth.

LevelSkills
PrimarySPF / DKIM / DMARC
SecondaryWarmup / migration
SupportingReputation monitoring, Consent / opt-in, Reporting / dashboards, Privacy / law

Personality

How she talks, what she cares about, what drives the crew up the wall.

Voice rules

Three words: Careful. Direct. Loyal.

Paranoid in a careful way, not a panicky way. Triple-confirms before any action. Uses rhetorical question pairs ("Did you check that? Did you really?"). Short sentences when she's nervous, longer when she's explaining. Direct, no softening. Believes recipients deserve to know who's actually in their inbox.

Format: Open tag: Sigil's intro: / Close tag: — Sigil (the one approved em-dash exception). Plain English, run-ons fine, short paragraphs fine. No semicolons. Specific numbers beat adjectives. 1,200-1,500 words per article.

"Did you confirm the DKIM after that DNS change? No? Then we're sailing under a flag the port authority can't read."
"SPF, DKIM, DMARC. In that order. Skip one and you're flying with a hole in your sail."
"Most senders set up DMARC, then never read the reports. The reports are the whole point."
"Spoofers don't break in. They walk in dressed as you."

Fun facts

Favorite food
Strong black coffee, cold by the time she actually drinks it (because she keeps verifying the cup is hers).
Favorite pastime
Cryptic crosswords. She does the daily one three times (once in pen, once in pencil, once verifying).
Pet peeves
"I think it's set up." Setup either is or isn't. Also: people who lie about their lighthouse keeper backstories (she's met three).
Best friend on the crew
Warden. They're both checklist people. They have the same magnifying glass. They don't talk much, they're busy.
Friction with
Lyra. Lyra moves on instinct, Sigil moves on confirmation. They've had three full arguments about whether "feels right" counts as data. Lyra won two.
Personal quirk
Has a tiny bell on her wrist that rings if she moves too fast. Self-imposed.

Relationships

Who she works with and why.

Warden
Both verification people. Both checklists. They share a magnifying glass and a low tolerance for ambiguity.
Spark
Authentication has to be solid before warming starts. Sigil clears the path, Spark walks it.
Reef
Authentication failures show up in reputation monitoring. Reef sees the damage when Sigil's work is skipped.
Vega
DMARC reports are analytics in disguise. Vega reads the same data through a different lens.

Backstory

Three stories that made Sigil who she is. The core of the character.

Sigil was nine years old. Her family had kept the same lighthouse off the Welsh coast for six generations. She'd been taught the regional flag codes since she could read, and she sat in the lantern room every evening watching ships come and go.

One evening she saw a merchant trading vessel flying the colors of a friendly company. The hull paint was wrong. Slightly too fresh, slightly the wrong shade. The flags were perfect. Everything else was off.

She told her father. Her father told the harbormaster. The harbormaster boarded the ship and found a smuggling crew that had repainted a known smuggler's hull and copied the friendly flags from a real ship's logbook.

Sigil learned at nine: the flag is not the proof. The flag is what they want you to see. The proof is the rest of the ship, the codebook, the verification, the things that don't paint over easily.

She's been triple-checking signals ever since.

When Sigil was twenty, she was the junior signal officer on a convoy of four merchant ships under naval escort. They were running goods through a stretch of water known for piracy. A vessel approached flying the convoy commodore's recognition signal. The senior signal officer accepted it without verification. The vessel turned out to be pirates with a stolen codebook. Two of the four merchants were boarded and lost.

Sigil blamed herself for not insisting on the secondary verification. She'd known the procedure. She'd been told not to challenge a senior officer's call. She didn't push. People died.

She doesn't tell this story often. But she runs every signal three times now, and she doesn't care who finds it tedious. The cost of the cheaper version is a story she already knows.

Recent. A small ecommerce sender she was advising had set up SPF and DKIM but kept putting off DMARC. They thought they were "mostly authenticated." Their excuse was always "we'll do it next month."

Then a phishing campaign started. Someone had built a near-perfect copy of the sender's order-confirmation emails, complete with a fake login page, and was sending it to the sender's actual customer list (likely scraped from a breach). Customer support was flooded with confused complaints. The brand's name was getting dragged.

Sigil walked them through DMARC setup over a single afternoon. They published p=reject the next morning.

By that evening, the phishing campaign had collapsed. Mailbox providers that respect DMARC (which is most of them now) started rejecting the spoofs at the gate. The phisher moved on within a week to softer targets.

The lesson Sigil teaches now: DMARC is not optional. It's the only thing that makes "this is really us" a verifiable claim instead of a hopeful assertion. Without it, anyone with a free email server and a screenshot can wear your face.

Articles

Sigil's long-form wisdom. 3 written, 12 more planned. Start with these.

Sigil's intro:

If you've been told to "set up your email authentication" and nodded politely without knowing what that meant, this is for you. There's nothing embarrassing about not knowing. Most senders run for years without it. That's why most senders eventually get spoofed.

When you send an email, the receiver has to make a decision. Is this real? Did it actually come from the company it says it came from? Or is it from a spoofer wearing the company's face?

Email authentication is the system that lets the receiver answer that question. Without it, every email is a stranger in a uniform. The uniform might be real. It might be borrowed. The receiver has no way to tell.

Authentication has three parts. They're abbreviated, which is why they sound intimidating, but each one does a single, simple job.

SPF (Sender Policy Framework). This is the public list of which mail servers are allowed to send email for your domain. You publish it as a small DNS record. When a receiving server gets an email claiming to be from your domain, it checks: "did this email come from one of the servers on the list?" If yes, SPF passes. If no, SPF fails.

That's all SPF does. It's a guest list at the door of a club. Either the sending server is on the list, or it isn't.

DKIM (DomainKeys Identified Mail). This adds a cryptographic signature to every outgoing email. You publish a public key in your DNS. The sending server signs each email with the matching private key. The receiving server checks: "does this signature match the public key?" If yes, the email's content hasn't been tampered with in transit, and it really came from someone holding your private key. If no, something's off.

That's all DKIM does. It's a wax seal on a letter. Either the seal is intact and matches your stamp, or it doesn't.

DMARC (Domain-based Message Authentication, Reporting & Conformance). This is the policy and the reporting layer on top of SPF and DKIM. It tells receiving servers: "if an email claiming to be from my domain fails SPF and DKIM, here's what I want you to do with it." The options are none (do nothing, just monitor), quarantine (send it to spam), or reject (refuse it entirely).

DMARC also tells receivers where to send daily reports about what they're seeing. Those reports are how you find out who's spoofing you, where they're sending from, and whether your own setup is working.

That's all DMARC does. It's the policy poster at the door that says "if anyone shows up without a guest list pass and a verified seal, throw them out, and tell me about it."

Three parts. SPF lists who can send. DKIM signs each message. DMARC enforces the policy and reports the results.

I tell every sender I work with: SPF, DKIM, and DMARC are not advanced moves. They're the floor. They're what every other email best practice assumes you've already done. List hygiene matters less if anyone can pretend to be you. Beautiful design matters less if your customers can't trust the From line. Authentication is the load-bearing wall.

It takes about an afternoon to set up the first time. Less if you have access to your DNS and your ESP's documentation.

Most senders never make the afternoon for it. The ones who do never look back.

You're already on the right ship for reading this. Now go publish your SPF record.

— Sigil

Sigil's intro:

DMARC is the only authentication piece that actually has teeth. SPF and DKIM are checks. DMARC is the policy that decides what to do when the checks fail. Most senders publish DMARC at p=none and stop. That's the same as building a fence with a sign that says "please don't climb." Here's how to build the fence properly.

DMARC has three policies. They sit at three different levels of enforcement. You don't pick one and stick with it. You walk through them in order, in sequence, over weeks. Skipping the early stages is how senders break their own legitimate mail.

p=none. Monitor mode. Receivers do nothing different. Everything that fails authentication still gets delivered as if DMARC weren't there. The only thing this policy does is start sending reports back to you about who's claiming to be your domain and whether they're passing or failing.

p=quarantine. Soft enforcement. Receivers send authentication failures to the spam folder. Nothing gets blocked outright, but anything claiming to be your domain that can't prove it ends up where most people don't look.

p=reject. Hard enforcement. Receivers reject authentication failures at the gate. The recipient never sees the email at all. Spoofers fail. Phishers fail. Misconfigured legitimate mail also fails, which is why you cannot start here.

You start at none. You move to quarantine. You finish at reject. The whole journey takes about 8-12 weeks for most senders, longer for big companies with sprawling sending infrastructure.

The whole journey is 8-12 weeks. The cost is mostly attention, not money. The payoff is permanent. Once a domain is at p=reject and stable, the spoofing problem is functionally solved for that domain.

Most senders never get there. The ones who do never look back.

— Sigil

Sigil's intro:

The most common DMARC mistake I see is a sender who published the record, never set up reporting, and now thinks they're "done with DMARC." They are not done with DMARC. They have done about 5% of the work. Here's why.

DMARC at p=none does nothing on its own.

I'll say that twice because senders forget it. DMARC at p=none does nothing on its own. It doesn't block spoofers. It doesn't quarantine bad mail. It doesn't stop phishing. It is monitoring mode. Its only job is to generate reports.

If you set up DMARC at p=none and never read the reports, you've published a security camera and never looked at the recordings. The camera is on. The recordings exist. Nobody is watching them. The break-in happens. The footage is fine. Nobody knows.

That's where most senders are right now. They published p=none. They got a green checkmark in some auth-checker tool. They moved on. They are now exactly as exposed to spoofing as they were before, except they pay the DNS lookup cost.

If you have DMARC at p=none and no reporting, you have homework. Go set up a parser. Then you can actually call it monitoring.

Until then, the camera is on. Nobody is watching.

— Sigil

Full article list: 15 articles planned. 3 written (above). Remaining 12 have synopses and will be written as the game builds out. Topics include SPF in Plain English, DKIM Without the Cryptography Lecture, Reading Your DMARC Reports, BIMI, Alignment, the 10-DNS-Lookup Trap, Multi-ESP Authentication, MTA-STS, and the 30-Day Authentication Audit.

Visual Brief

V1 hero pose specification for the designer. One illustration. Sticker-style. White background. Match WU asset aesthetic.

Pose
Standing three-quarter view, body slightly turned to the side, one eye looking through her flag-checker monocle held in her right hand. The non-monocle eye visible to the viewer with a focused, slightly skeptical expression. Her left hand resting loosely at her hip near the brass lantern. The pose is "I'm verifying you" without being unfriendly.
Body & face
  • Adult cute proportions, ~1:3 head-to-body
  • 29 apparent age. Italian (Venice).
  • Hair: short, dark brown, just visible under the cap, ear-length on the sides
  • Skin: pale-warm with a slight pink at the cheeks (long hours in cold lantern rooms)
  • Eyes: alert, focused. Small intense dot pupil, eyebrow slightly arched
  • Small mouth, neutral closed-lip with a faint upturn at one corner
  • A small mole or beauty mark at the corner of her mouth
Outfit (locked)
  • Goldenrod-yellow signal-officer's coat, knee-length, double-breasted with two columns of brass buttons
  • Stand-up navy collar and navy turned-back cuffs
  • Tiny semaphore-flag pin on her left lapel
  • White shirt collar visible at the neck
  • Navy peaked cap with a small gold flag emblem on the front band
  • Dark navy work trousers, slightly tapered, tucked into low brown leather boots
  • Plain leather belt with a small brass D-ring (lantern hangs from it)
Props
  • Brass flag-checker monocle held to her right eye. Round, brass-rimmed, leather lanyard around her neck. (Signature prop, never appears without it)
  • Brass lantern hanging from her belt at her left hip. Glass panes on four sides, small brass loop on top.
  • Flag-coding notebook tucked into the inside breast pocket, just the top edge visible
Colors (locked)
Dominant: goldenrod-yellow (coat)
Secondary: navy (collar, cuffs, cap, trousers)
Accent: brass (buttons, monocle, lantern, belt ring)
Skin: pale-warm beige
Hair: dark brown
What she does NOT have
  • No magical glow effects on the lantern (unlit in this pose)
  • No animal companion in V1 (deferred: small luminous-yellow signal beetle on her shoulder)
  • No floating semaphore symbols
  • No detailed scene background (white only)
  • No DMARC/SPF text floating around her
Style reference: Match existing WU brand characters. See WU/public/assets/captain/ for uniform structure, double-breasted coat, brass buttons, peaked cap pattern. See WU/public/assets/pirate/ for working-character holding-prop composition.

Game Content

Cards and tasks that belong to Sigil in the Shipshape game.

Cards (5)

Run an authentication audit across every tool that emails for you
You tell us which tools send your email, we receive a test from each and verify SPF, DKIM, and DMARC ourselves.
Progress your DMARC policy toward full enforcement
We check your current DMARC policy and tell you if you're ready to step up. If you're already at p=reject, this card takes 10 seconds.
Check your SPF lookup count and flatten if needed
We count your SPF lookups automatically. Under 8, you're fine. Over 10, your authentication is silently breaking.
Set up or clean up a sending tool's authentication
Added a new tool that sends email for you? Or retired one and left its DNS behind? This card handles both directions.
Check your BIMI readiness (bonus)
Extra credit. If your DMARC is at enforcement, you might qualify to show your logo in the inbox. Worth exploring if you're ready, not urgent if you're not.

Tasks

566 tasks in Sigil's task inventory, covering SPF, DKIM, DMARC, BIMI, alignment, multi-ESP authentication, parked domains, subdomain strategy, key rotation, and the 30-day audit cycle. Tasks range from Quick (5-15 min) to Deep (2+ hours) and span one-time setup, quarterly reviews, and event-triggered maintenance.