Are there new authentication standards being developed?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've gotten SPF, DKIM, and DMARC working. Now people are mentioning BIMI, ARC, and MTA-STS like they're the next must-have. Should you care? Which ones actually matter for your deliverability? Here's the honest breakdown.
BIMI (Brand Indicators for Message Identification) shows your verified brand logo right inside the inbox. No more generic envelope icons. If you've got strong DMARC enforcement, BIMI is achievable, and major providers like Gmail and Yahoo are rolling out support. It's not mandatory, but it's a nice trust signal. Implement it after DMARC is locked down.
ARC (Authenticated Received Chain) solves a real problem. When your email gets forwarded through a mailing list or relay service, authentication breaks. ARC preserves the chain of custody through those hops. If you're sending through forwarding services or mailing lists, ARC helps. If you're sending direct, it's less urgent.
MTA-STS (Mail Transfer Agent Strict Transport Security) forces encrypted connections between mail servers. It prevents encryption downgrade attacks. It's solid security practice, but adoption is still modest. If you're security-conscious or sending sensitive data, set it up. For standard bulk mail, it's a nice-to-have.
Prioritization: Get SPF, DKIM, and DMARC perfect first. Then layer in BIMI for brand trust. Add ARC if you're using mailing lists. MTA-STS is the cherry on top if you're security-obsessed. None of these guarantee inbox placement, but they all reduce friction with modern mailbox providers.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.