Pillar 003
Authentication & Verification
Raise your flags and prove your identity. Here we demystify SPF, DKIM, DMARC, and BIMI: your digital signatures of trust. Understanding these is like showing your ship’s papers at every port: they prove you belong.
SPF (Sender Policy Framework)
- What is SPF?
- What problem was SPF created to solve?
- Why is SPF important for email deliverability?
- How does SPF work?
- How does SPF validation actually happen during SMTP?
- What does an SPF record look like?
- Where do I publish an SPF record?
- What are SPF mechanisms (e.g., ip4, a, mx, include)?
- What are ptr, exists, exp, and macro mechanisms?
- What are SPF qualifiers (e.g., +, -, ~, ?)?
- What's the difference between -all and ~all in SPF?
- How do “softfail (~all)” vs “fail (-all)” vs “neutral (?all)” behave?
- What is the difference between include: and redirect:?
- What is the SPF 10-DNS-lookup limit?
- What is the SPF 10-lookup limit and why does it exist?
- What happens when an SPF record exceeds DNS lookup limits?
- How do I fix "Too many DNS lookups" for SPF?
- What is SPF flattening and when should you avoid it?
- Does SPF prevent domain spoofing?
- Why does SPF alone not prevent spoofing?
- How do I check if my SPF record is valid?
- How can you debug SPF failures?
- What happens when multiple SPF records exist on a domain?
- Why do sub-domain SPF records behave differently?
- What are common myths about SPF causing delivery issues?
DKIM (DomainKeys Identified Mail)
- What is DKIM?
- Why is DKIM important for email deliverability?
- How does DKIM work?
- How does DKIM signing work step-by-step?
- What is a DKIM signature?
- What is a DKIM selector?
- What is a DKIM selector and how is it chosen?
- What is a DKIM public key and private key?
- Where do I publish a DKIM record?
- What does a DKIM record look like?
- Can I have multiple DKIM keys?
- What is DKIM key rotation and why is it important?
- How often should I rotate DKIM keys?
- What DKIM key length should I use (1024 vs 2048)?
- What are typical key length recommendations?
- How do I check if my DKIM setup is correct?
- How do you test or validate a DKIM signature?
- Does DKIM prevent email content tampering?
- What is the difference between rsa-sha256 and ed25519 DKIM signatures?
- Why does canonicalization matter (simple vs relaxed)?
- Which headers should be signed?
- What is the difference between d=, s=, bh= and b= tags?
- Why does header re-ordering sometimes break DKIM?
- What causes “bad signature” or “key not found” errors?
- What is a selector DNS record and how long should keys stay cached?
- Why does DKIM not stop spoofing by itself?
- What is body-hash canonicalization?
- What happens when you change ESPs — how to migrate DKIM?
DMARC (Domain-based Message Auth)
- What is DMARC?
- What problem does DMARC solve that SPF/DKIM don’t?
- Why is DMARC important for email security and deliverability?
- How does DMARC work with SPF and DKIM?
- What are the DMARC policies (p=none, p=quarantine, p=reject)?
- What does a DMARC record look like?
- Where do I publish a DMARC record?
- What is the rua tag in DMARC (aggregate reports)?
- What is a DMARC aggregate report (RUA)?
- What is the ruf tag in DMARC (forensic reports)?
- What is a DMARC forensic report (RUF)?
- What is DMARC alignment?
- What is “alignment” in DMARC and how is it checked?
- What is DMARC strict vs. relaxed alignment?
- What’s the difference between relaxed and strict alignment?
- How do I start implementing DMARC (p=none)?
- When should I move to p=quarantine or p=reject?
- How do you move from none → reject safely?
- How do I read DMARC reports?
- How to read and visualize DMARC XML reports?
- What are common DMARC implementation challenges?
- What happens when DMARC fails?
- How often are reports sent?
- What are organizational domains in DMARC?
- How do subdomain policies (sp=) work?
- What is a pct= tag?
- How do third-party senders authenticate under DMARC?
- What are common errors in DMARC records?
- What’s the difference between hosted DMARC and DIY setup?
- What is the maximum DMARC record length?
- Why DMARC “pass” doesn’t guarantee inboxing?
- How does DMARC interact with mailing lists?
- Why Gmail and Yahoo require DMARC alignment for bulk senders?
BIMI (Brand Indicators for Message Id)
- What is BIMI?
- What is the purpose of BIMI?
- How does BIMI work?
- What are the benefits of BIMI?
- What is a Verified Mark Certificate (VMC)?
- Do I need a VMC for BIMI?
- How to obtain a VMC certificate?
- What are the requirements to implement BIMI?
- Why does BIMI require DMARC at p=quarantine or reject?
- Does BIMI improve deliverability?
- Does BIMI improve deliverability or just trust?
- Which mailbox providers support BIMI?
- How do I create a BIMI record?
- What image format does BIMI use and why SVG Tiny PS?
- How do mailbox providers display BIMI?
- What are the limitations — why doesn’t every inbox show logos?
- How is BIMI validated at Gmail vs Yahoo?
- What are common BIMI errors?
- What is the difference between self-asserted and verified BIMI?
- Why do some providers cache BIMI logos?
ARC (Authenticated Received Chain)
- What is ARC?
- What problem does ARC solve?
- Why is ARC needed for email forwarding?
- How does ARC work?
- How does ARC preserve authentication results through forwarding?
- What are ARC headers (ARC-Seal, ARC-Message-Signature, ARC-Authentication-Results)?
- What is an ARC-seal vs ARC-message-signature?
- Does ARC help with DMARC failures on forwarded emails?
- Do I need to configure anything for ARC?
- How do ARC chains validate?
- What happens when ARC chains break?
- Who should implement ARC — senders or receivers?
- How does ARC relate to DMARC alignment?
- Why do ESP forwarders benefit from ARC?
- What are common ARC validation failures?
MTA-STS (Mail Transfer Agent Strict Transport Security)
- What is MTA-STS?
- What is MTA-STS and how does it secure email in transit?
- How does it differ from STARTTLS opportunistic encryption?
- How does MTA-STS improve email security?
- Does MTA-STS encrypt emails?
- How does MTA-STS prevent downgrade attacks?
- What are the components of MTA-STS (policy file, DNS record)?
- How do I implement MTA-STS?
- Which mailbox providers support MTA-STS checking?
- What are the policy modes (enforce, testing, none)?
- How is MTA-STS policy published and cached?
- What are common MTA-STS setup issues?
- Why is certificate expiration a problem?
- What are limitations of MTA-STS deployment?
TLS-RPT (TLS Reporting)
DANE / TLSA
- What is DANE for SMTP?
- What are TLSA records?
- How does DANE improve email security?
- Is DANE widely adopted for email?
- How does DANE compare to MTA-STS?
- What is DANE and how does it use DNSSEC?
- How does DANE authenticate SMTP connections?
- How does DANE interact with MTA-STS?
- What are the advantages and challenges of DANE deployment?
- Why is DANE rarely used in commercial email?
- How does DANE affect fallback behavior when DNSSEC fails?
Identifier Alignment (SPF/DKIM vs DMARC)
- What is identifier alignment in DMARC?
- What is SPF alignment (strict vs. relaxed)?
- What domain is checked for SPF alignment? (Return-Path vs From)
- What is DKIM alignment (strict vs. relaxed)?
- What domain is checked for DKIM alignment? (d= domain vs From)
- Why does alignment sometimes fail even if SPF/DKIM passes?
- How do third-party senders affect alignment?
- How can I fix alignment issues?
- How do SPF, DKIM, and DMARC work together?
- What happens if SPF passes but DKIM fails?
- What is the priority between SPF and DKIM in DMARC alignment?
- Why do some emails show “Authenticated by XYZ” even with DMARC fail?
- How do subdomain alignments inherit policy?
- How does ARC fit into this ecosystem?
- Why does authentication not equal deliverability?
Forwarding Scenarios & ARC Reliance
- How does email forwarding break SPF?
- Why does forwarding break SPF alignment?
- Can email forwarding break DKIM?
- How does DKIM survive forwarding?
- How do mailing lists affect authentication?
- How does ARC help preserve authentication results during forwarding?
- What happens if a forwarder doesn't support ARC?
- What is ARC’s role in forwarded mail?
- What happens with alias addresses under DMARC?
- How do mailing lists rewrite From: headers to pass DMARC?
- What is “rewrite-from” and why is it used?
- What is SRS (Sender Rewriting Scheme)?
- What’s the difference between SRS0 and SRS1 formats?
- Why don’t most ESP forwarders use SRS?
- How do auto-forwarders impact authentication results?
Key Management & Crypto Hygiene
- What are DKIM selectors used for?
- What is a good DKIM key rotation strategy?
- Why use 2048-bit DKIM keys instead of 1024-bit?
- How should I manage DKIM private keys securely?
- How do I troubleshoot DKIM signature validation failures?
- What are common mistakes when creating SPF records?
- How do I parse and analyze DMARC aggregate reports effectively?
- What tools can help manage email authentication records?
Common Authentication Issues & Myths
- Does SPF improve deliverability by itself?
- Does DMARC guarantee inbox placement?
- Can you use multiple DKIM signatures?
- Why does SPF “neutral” still show as pass sometimes?
- Can you authenticate using a free domain?
- Do authentication records affect open rates?
- Why do some mailboxes ignore BIMI logos?
- Is authentication required for cold email?
- Is authentication the same as encryption?
- Why do Gmail and Yahoo enforce authentication for bulk senders?
- Can you have SPF and DKIM pass but DMARC fail?
- Does authentication help with brand protection?
- What happens if a domain has no MX record but has SPF?
- How do custom return-paths affect SPF?
Emerging & Advanced Topics
- What is Authenticated Replies (ARF enhancements)?
- How will BIMI v2 or Brand-Trust standards evolve?
- What is SMTP UTF8 and does it affect authentication?
- How do authentication failures affect DMARC aggregate scores?
- What is ARC-Seal key rotation?
- Could AI/ML be used to evaluate authentication trustworthiness?
- What authentication requirements exist for 2024-25 bulk sender rules (Gmail/Yahoo)?
Trust beats tactics.
Review My Emails · Email Almanac