Email Security Overview

Email security is built on a foundation of DNS-based authentication protocols that work together to prevent spoofing, phishing, and other email-based attacks.

The Email Security Stack

Modern email security relies on several complementary protocols:

┌─────────────────────────────────────────┐
│              BIMI                       │  Brand visibility
├─────────────────────────────────────────┤
│              DMARC                      │  Policy & Reporting
├─────────────────────────────────────────┤
│         SPF          │      DKIM        │  Authentication
├─────────────────────────────────────────┤
│    MTA-STS    │  TLS-RPT  │   DANE      │  Transport Security
├─────────────────────────────────────────┤
│             DNSSEC                      │  DNS Security
└─────────────────────────────────────────┘

Authentication Protocols

SPF (Sender Policy Framework)

Purpose: Specifies which mail servers are authorized to send email for your domain.

How it works:

1. You publish a list of authorized senders in DNS
2. Receiving servers check if the sending server is on the list
3. Unauthorized senders fail SPF verification

Learn more about SPF →

DKIM (DomainKeys Identified Mail)

Purpose: Adds a cryptographic signature to emails, proving they haven't been tampered with.

How it works:

1. Your mail server signs outgoing emails with a private key
2. You publish the public key in DNS
3. Receiving servers verify the signature using your public key

Learn more about DKIM →

DMARC (Domain-based Message Authentication)

Purpose: Ties SPF and DKIM together with policies and reporting.

How it works:

1. You publish a policy in DNS (none, quarantine, or reject)
2. Receiving servers check SPF and DKIM alignment
3. Failed emails are handled according to your policy
4. You receive reports about authentication results

Learn more about DMARC →

Transport Security

MTA-STS (Mail Transfer Agent Strict Transport Security)

Purpose: Ensures email is transmitted over encrypted TLS connections.

How it works:

1. You publish a policy requiring TLS
2. Sending servers must use TLS to deliver email
3. Prevents downgrade attacks and interception

Learn more about MTA-STS →

TLS-RPT (TLS Reporting)

Purpose: Provides visibility into TLS connection failures.

How it works:

1. You publish a reporting address in DNS
2. Sending servers report TLS connection issues
3. You receive reports to diagnose problems

Learn more about TLS-RPT →

DNS Security

DNSSEC (DNS Security Extensions)

Purpose: Ensures DNS responses are authentic and haven't been tampered with.

How it works:

1. DNS responses are cryptographically signed
2. Resolvers verify signatures before accepting responses
3. Prevents DNS spoofing and cache poisoning

Learn more about DNSSEC →

Brand Protection

BIMI (Brand Indicators for Message Identification)

Purpose: Displays your brand logo in email clients for authenticated messages.

How it works:

1. You publish a logo URL in DNS
2. Email clients display the logo for DMARC-authenticated emails
3. Recipients can visually identify legitimate messages

Learn more about BIMI →

How They Work Together

Authentication Flow

Sender                          Receiver
  │                                │
  │  Send email                    │
  │ ──────────────────────────────>│
  │                                │
  │                          Check SPF
  │                          (Is sender authorized?)
  │                                │
  │                          Check DKIM
  │                          (Is signature valid?)
  │                                │
  │                          Check DMARC
  │                          (Are SPF/DKIM aligned?)
  │                                │
  │                          Apply Policy
  │                          (none/quarantine/reject)
  │                                │
  │  Deliver / Reject / Quarantine │
  │ <──────────────────────────────│
  │                                │
  │  Send DMARC Report             │
  │ <──────────────────────────────│

Why All Three Matter

Without	Risk
SPF	Anyone can send email claiming to be from your domain
DKIM	Emails can be modified in transit without detection
DMARC	No policy enforcement, no visibility into attacks

Implementation Priority

If you're starting from scratch, implement in this order:

1. SPF - Quick to set up, immediate protection
2. DKIM - Requires mail server configuration
3. DMARC - Start with p=none for monitoring
4. TLS-RPT - Simple DNS record
5. MTA-STS - More complex setup
6. DNSSEC - Enable at registrar
7. BIMI - After DMARC is at p=quarantine or higher

Common Misconceptions

"SPF alone is enough"

SPF only checks the envelope sender, not the visible From header. Attackers can still spoof the From header while passing SPF.

"DKIM guarantees the sender"

DKIM only proves the email wasn't modified and came from a domain—not necessarily your domain. DMARC provides alignment.

"p=none means no protection"

DMARC p=none enables monitoring but doesn't enforce anything. It's a starting point, not the goal.

"Email security is too complex"

Each protocol serves a specific purpose. Implement them progressively, and tools like MailShield simplify monitoring.

Next Steps

• Learn about SPF
• Learn about DKIM
• Learn about DMARC
• Why Email Security Matters