Glossary
Everything you need to know about SPF, DKIM and DMARC records
- Alignment
- ARC – Authenticated Received Chain
- BEC (Business Email Compromise)
- BIMI – Brand Indicators for Message Identification
- Blacklist
- Bounce
- CAA
- CNAME Record
- DANE
- DKIM - DomainKeys Identified Mail
- DMARC - Domain-based Message Authentication
- DMARC Reports
- DNS – Domain Name System
- DNSSEC
- Email Deliverability
- Email Spoofing
- Envelope Sender (MAIL FROM)
- From Header
- How To Set Up Your Domain
- HTTPS
- IP Warmup
- MTA-STS
- MX Record
- NIS2
- PermError
- Phishing
- Sender Reputation
- Spam Trap
- SPF - Sender Policy Framework
- SPF Flattening
- SRS – Sender Rewriting Scheme
- STARTTLS
- TLS
- TLS-RPT
- TLSA Record
- TXT Record
Alignment
The match between the domain in the From header and the domain authenticated via SPF or DKIM. DMARC requires alignment with at least one of these protocols for an email to pass verification.
ARC – Authenticated Received Chain
ARC (Authenticated Received Chain) is a protocol that preserves email authentication results (SPF, DKIM, DMARC) when messages are forwarded. It addresses the problem where forwarding causes SPF or DKIM checks to fail because the forwarding server isn't in the original SPF record.
BEC (Business Email Compromise)
A type of fraud where an attacker impersonates or compromises a business email address to trick recipients into making payments, sharing credentials, or disclosing sensitive information. Often relies on email spoofing or account takeover.
BIMI – Brand Indicators for Message Identification
BIMI (Brand Indicators for Message Identification) is a standard that enables displaying the sender's logo directly in the recipient's email client. It requires a working DMARC policy of quarantine or reject and a certified logo (VMC certificate).
Blacklist
A list of IP addresses or domains identified as sources of spam or malicious activity. Maintained by anti-spam organizations (Spamhaus, Barracuda, SORBS). Being blacklisted significantly reduces email deliverability.
Bounce
An email that cannot be delivered and is returned to the sender. A hard bounce indicates permanent failure (non-existent address), while a soft bounce is temporary (full mailbox, server unavailable).
CAA
A CAA (Certification Authority Authorization) DNS record specifies which certificate authorities are permitted to issue TLS certificates for a given domain. Defined in RFC 8659.
CNAME Record
A DNS record type (Canonical Name) that maps one domain name to another. In email authentication, CNAME records are used for DKIM in Microsoft 365, where they point to public keys hosted by Microsoft.
DANE
DANE (DNS-based Authentication of Named Entities) is a mechanism defined in RFC 6698 that uses DNSSEC to publish TLS certificate information directly in DNS records (TLSA records).
DKIM - DomainKeys Identified Mail
What is DKIM?
DKIM (DomainKeys Identified Mail) is a method of digitally signing emails that allows the recipient to verify that the email actually comes from the domain listed as the sender and that it was not altered during transmission.
How does DKIM work?
- The sending server creates a cryptographic hash from the email content
- The hash is signed using the domain's private key
- The signature is added to the email header as DKIM-Signature
- The receiving server gets the public key from DNS and verifies the signature
Example DKIM header:
d=example.com; s=selector1;
h=from:to:subject:date;
bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ...
Example DKIM record in DNS (published at selector1._domainkey.example.com, matching the s= and d= tags of the header above):
v=DKIM1; k=rsa; p=...
Explanation:
- v=DKIM1 - DKIM protocol version
- k=rsa - cryptographic algorithm type
- p=... - public key in Base64 encoding
DKIM Benefits:
- Ensures email integrity
- Confirms sender authenticity
- Improves trustworthiness with email providers
- Helps fight phishing and spam
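The hashing step described above can be checked with nothing more than the Python standard library. The following is an added example, not code from the original page: it canonicalizes a message body as RFC 6376 requires, recomputes the bh= tag, and compares it with the value carried in a constructed DKIM-Signature header (the sample body and header are made up; b= is a placeholder, since verifying the RSA signature would additionally need the public key from DNS and an RSA library).

```python
import base64
import hashlib
import re

def canonicalize_body(body, mode="relaxed"):
    """RFC 6376 section 3.4 body canonicalization: 'simple' only drops trailing empty
    lines; 'relaxed' also collapses whitespace runs and strips whitespace at line ends."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:  # an empty body canonicalizes to CRLF (simple) or nothing (relaxed)
        return "\r\n" if mode == "simple" else ""
    return "".join(line + "\r\n" for line in lines)

def body_hash(body, mode="relaxed"):
    """The bh= tag: base64(SHA-256(canonicalized body)), matching a=rsa-sha256."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def parse_dkim_signature(header_value):
    """Split a DKIM-Signature value into tags; folding whitespace inside values is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", value)
    return tags

def verify_body_hash(header_value, body):
    """Recompute bh= from the received body and compare it with the signed value. Checking
    b= additionally needs the public key from <s>._domainkey.<d> and an RSA library, which
    is left out here; a bh= mismatch alone already shows the body was altered in transit."""
    tags = parse_dkim_signature(header_value)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return tags.get("bh") == body_hash(body, body_mode)

# Constructed sample: the header tags mirror the page's example; bh= is computed from the
# sample body so the sample verifies, and b= is a placeholder rather than a real signature.
SAMPLE_BODY = "Hello,\r\n\r\nPlease   find the   invoice attached.\r\n\r\n\r\n"
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1;\r\n"
                 "\th=from:to:subject:date;\r\n"
                 f"\tbh={body_hash(SAMPLE_BODY)};\r\n"
                 "\tb=PLACEHOLDER_SIGNATURE")
```

With c=relaxed/relaxed, whitespace changes made by intermediate servers do not break the body hash, while any change to the words does.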
DMARC - Domain-based Message Authentication
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that combines SPF and DKIM. It allows domain owners to specify a policy for handling emails that do not pass authentication.
How does DMARC work?
- The receiving server checks SPF and DKIM records
- It checks the DMARC policy of the domain
- It applies the specified action (none, quarantine, reject)
- Optionally sends reports about results to the specified email address
Example DMARC record (published at _dmarc.example.com):
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-failures@example.com; sp=reject; adkim=r; aspf=r
Explanation:
- v=DMARC1 - DMARC protocol version
- p=quarantine - policy for the domain (quarantine)
- rua=mailto:dmarc@example.com - address for aggregate reports
- ruf=mailto:dmarc-failures@example.com - address for detailed failure reports
- sp=reject - policy for subdomains
- adkim=r - relaxed DKIM alignment
- aspf=r - relaxed SPF alignment
DMARC policies:
- none - monitoring only
- quarantine - quarantine (spam)
- reject - email rejection
DMARC Benefits:
- Provides reports on domain usage
- Allows gradual policy tightening
- Protects against phishing and spoofing
- Improves overall email communication security
DMARC Reports
DMARC reports are automatic reports sent by receiving mail servers to the domain owner. Aggregate reports (rua) summarize authentication results over a given period. Forensic reports (ruf) provide details about individual failures. Reports help monitor who is sending emails from your domain.
DNS – Domain Name System
What is DNS?
DNS (Domain Name System) is a hierarchical system that translates domain names (e.g. example.com) into IP addresses. It is essential for email authentication because SPF, DKIM, and DMARC records are published as TXT records in DNS.
Key DNS Records for Email
- MX — specifies servers that accept email for a domain
- TXT — contains SPF, DKIM, and DMARC records
- CNAME — alias to another domain name, used e.g. for DKIM key delegation
DNSSEC
DNSSEC (Domain Name System Security Extensions) is a set of DNS extensions that enables cryptographic verification of authenticity and integrity of DNS responses, protecting against DNS spoofing.
Email Deliverability
The ability of an email to reach the recipient's inbox rather than being filtered to spam or rejected. Affected by sender reputation, authentication (SPF, DKIM, DMARC), content quality, and recipient engagement.
Email Spoofing
Email spoofing is a technique where an attacker forges the sender address in an email to make it appear as if the message comes from a trusted domain. SPF, DKIM, and DMARC protocols are designed to protect against spoofing.
Envelope Sender (MAIL FROM)
The envelope sender (also known as MAIL FROM or Return-Path) is the sender address specified in the SMTP envelope of an email. It differs from the From header address that recipients see. SPF verifies this envelope address, not the From header.
From Header
The From header is the email header field that contains the sender address visible to recipients in their email client. Unlike the envelope sender (MAIL FROM), it is easily forgeable. DMARC ensures that the From header address aligns with the domain verified by SPF or DKIM.
How To Set Up Your Domain
Step-by-step implementation guide
1. SPF
- Identify all servers that send emails for your domain
- Create SPF record in DNS
- Start with soft policy (~all)
- Test and gradually tighten to -all
2. DKIM
- Generate key pairs (private/public)
- Configure email server
- Publish public key in DNS
- Test email signing
3. DMARC
- Start with p=none policy
- Set up reporting email
- Analyze received reports
- Gradually tighten policy
Important tips:
- Gradual approach: Always implement gradually and test
- Monitoring: Monitor reports before tightening policies
- Testing: Use testing tools before deployment
- Backup: Always backup original DNS records
- Documentation: Keep records of all changes
HTTPS
HTTPS is a secure encrypted connection between a browser and a website. It protects login credentials, forms and payment details, and prevents data from being read or modified in transit.
IP Warmup
The process of gradually increasing email sending volume from a new IP address to build positive reputation with email providers. Starts with a small volume to the most engaged recipients and scales up over 4-8 weeks.
MTA-STS
MTA-STS (Mail Transfer Agent Strict Transport Security) is a mechanism defined in RFC 8461 that allows a domain to require encrypted TLS connections for incoming emails and prevent STARTTLS downgrade attacks.
MX Record
An MX record (Mail Exchanger) is a DNS record that specifies which mail servers accept emails for a given domain. In an SPF record, the mx mechanism authorizes sending from the IP addresses of these servers.
NIS2
European Union directive (EU 2022/2555) on measures for a high common level of cybersecurity. It establishes mandatory security measures and incident reporting requirements for essential and important entities across the EU.
PermError
PermError (Permanent Error) is a permanent error during SPF record evaluation. The most common causes are multiple SPF records on a single domain, syntax errors in the record, or exceeding the 10 DNS lookup limit. When a PermError occurs, SPF authentication fails.
Phishing
Phishing is a fraudulent technique where an attacker impersonates a trusted person or organization to trick victims into revealing sensitive information (passwords, credit card numbers, etc.). Email spoofing is one of the primary tools used in phishing attacks.
Sender Reputation
A score assigned by email providers based on the sending history of a domain or IP address. Low reputation causes emails to be filtered to spam. Factors include complaint rates, bounce rates, sending volume, and authentication.
Spam Trap
An email address operated by anti-spam organizations or email providers to identify spam senders. Two types exist: pristine traps (never belonged to a real user) and recycled traps (repurposed from inactive accounts).
SPF - Sender Policy Framework
What is SPF?
SPF (Sender Policy Framework) is an email authentication method that allows domain owners to specify which servers are authorized to send emails on behalf of their domain. The SPF record is published in DNS as a TXT record.
How does SPF work?
- When an email server receives a message, it checks the SPF record of the sender domain in DNS
- It compares the IP address of the sending server with the list of allowed IP addresses in the SPF record
- Based on this comparison, it decides whether to accept, reject or mark the email as suspicious
Example SPF record:
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ip4:192.168.1.10 ~all
Explanation:
- v=spf1 - SPF protocol version
- include:_spf.google.com - allows Google Workspace servers
- include:spf.protection.outlook.com - allows Microsoft 365 servers
- ip4:192.168.1.10 - allows a specific IP address
- ~all - soft fail for all other servers
SPF Benefits:
- Protects against domain spoofing
- Improves email deliverability
- Reduces the likelihood that your emails end up in spam
- Helps protect your domain reputation
SPF Flattening
An SPF record optimization technique that replaces nested include mechanisms with direct IP addresses (ip4/ip6). It reduces the number of DNS lookups required to evaluate the record, helping stay within the 10 DNS lookup limit defined in RFC 7208. Requires automation since service IP addresses may change.
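The SPF evaluation under "How does SPF work?", the PermError causes and the flattening described here, as one added example that is not code from the page: a simplified RFC 7208 check_host() over a constructed in-memory DNS table (the include names are the ones in the example record, but every record's contents and the addresses are made up). It walks nested includes, counts the lookup-triggering mechanisms against the 10-lookup limit, raises PermError for too many lookups or for two SPF records on one name, and a flatten() helper rewrites includes into direct ip4/ip6 terms.

```python
import ipaddress

class PermError(Exception): pass  # RFC 7208 'permerror': the check cannot be completed

# Constructed TXT data: the first record is the page's example; the included contents are made up.
DNS_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com include:spf.protection.outlook.com ip4:192.168.1.10 ~all"],
    "_spf.google.com": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "dup.example": ["v=spf1 -all", "v=spf1 mx -all"],  # two SPF records on one name
    "deep.example": ["v=spf1 " + " ".join(f"include:i{n}.example" for n in range(11)) + " -all"],
}
DNS_TXT.update({f"i{n}.example": ["v=spf1 ip4:203.0.113.0/24 -all"] for n in range(11)})
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_record(domain):
    """The domain's single SPF record, or None; two or more records is a PermError."""
    recs = [r for r in DNS_TXT.get(domain, []) if r.lower().split()[0] == "v=spf1"]
    if len(recs) > 1:
        raise PermError(f"{domain}: multiple SPF records")
    return recs[0] if recs else None

def check_host(ip, domain, budget=None):
    """Simplified RFC 7208 check_host(): ip4/ip6/include/all, with a shared 10-lookup budget."""
    budget = [0] if budget is None else budget
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech, _, arg = term.lower().partition(":")
        if mech in LOOKUP_MECHS:
            budget[0] += 1
        if budget[0] > 10:
            raise PermError(f"{domain}: more than 10 DNS lookups")
        if mech == "all" or (mech == "include" and check_host(ip, arg, budget) == "pass"):
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no 'all' term

def flatten(domain):
    """SPF flattening: replace every include: with the ip4/ip6 terms it resolves to."""
    out = []
    for term in spf_record(domain).split()[1:]:
        mech, _, arg = term.lower().partition(":")
        inner = flatten(arg).split()[1:] if mech == "include" else [term]
        out += [t for t in inner if mech != "include" or t.startswith(("ip4:", "ip6:"))]
    return "v=spf1 " + " ".join(out)
```

The flattened record needs no lookups at all, which is the point of the technique, but it has to be regenerated whenever the included services change their addresses.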
SRS – Sender Rewriting Scheme
Sender Rewriting Scheme (SRS) is a technique for rewriting the envelope sender address when forwarding emails, so that the forwarded message passes SPF checks at the destination server.
STARTTLS
STARTTLS is an SMTP protocol extension that allows upgrading an unencrypted connection to an encrypted one using TLS. Unlike implicit TLS, communication starts unencrypted and is then upgraded.
TLS
TLS (Transport Layer Security) is a cryptographic protocol that provides encrypted communication between two parties. In email context, it protects message transmission between mail servers from eavesdropping.
TLS-RPT
TLS-RPT (SMTP TLS Reporting) is a mechanism defined in RFC 8460 that allows a domain to receive reports about successful and failed TLS connections during email delivery.
TLSA Record
A TLSA (Transport Layer Security Authentication) DNS record contains a fingerprint of a server's TLS certificate or public key. It is used as part of the DANE mechanism (RFC 6698) to verify that a server presents the correct certificate.
TXT Record
A TXT record is a type of DNS record used to store arbitrary text. In the context of email authentication, TXT records are used to publish SPF rules, DKIM public keys, and DMARC policies.