Advanced Email Authentication: Beyond the Basics
Once you've implemented SPF, DKIM, and DMARC, there are additional technologies that can further secure your email infrastructure. This guide covers the advanced protocols that complete your email security posture.
The Verification Flow at the Receiving Server
Everything below builds on the core checks the receiving server runs the moment a message arrives. SPF and DKIM each produce a pass/fail result for the identity they authenticate, DMARC then asks whether at least one passing identity aligns with the domain in the visible From: header, and only after that is a delivery decision made.
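The combination step is where most spoofing is actually caught, so here is the alignment logic as an added example (not code from the original page). It assumes the receiver has already produced the SPF and DKIM results and only applies the RFC 7489 alignment rules; the organizational-domain lookup uses a tiny constructed suffix set in place of the real Public Suffix List.

```python
"""DMARC verdict from SPF/DKIM results plus identifier alignment (RFC 7489 section 3.1).

Added example, not from the original page. Inputs are the results a receiver
has already computed; only the alignment and combination logic is shown. The
organizational-domain lookup uses a tiny constructed suffix set instead of the
real Public Suffix List.
"""

# Constructed stand-in for the Public Suffix List (assumption for this example).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def org_domain(domain):
    """Organizational domain = public suffix plus one label (bounce.example.com -> example.com)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(identifier, from_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same organizational domain."""
    identifier = identifier.lower().rstrip(".")
    from_domain = from_domain.lower().rstrip(".")
    if mode == "s":
        return identifier == from_domain
    return org_domain(identifier) == org_domain(from_domain)


def dmarc_verdict(from_domain, spf_result, spf_domain, dkim_results, aspf="r", adkim="r"):
    """DMARC passes if at least one *aligned* identifier authenticated.

    from_domain  -- domain of the RFC5322.From header the user sees
    spf_result   -- 'pass', 'fail', 'none', ... for the RFC5321.MailFrom / HELO identity
    spf_domain   -- the domain SPF was evaluated against
    dkim_results -- list of (result, d=domain) pairs, one per DKIM-Signature header
    aspf/adkim   -- alignment modes from the DMARC record ('r' relaxed, 's' strict)
    """
    spf_aligned = spf_result == "pass" and bool(spf_domain) and aligned(spf_domain, from_domain, aspf)
    dkim_aligned = any(res == "pass" and aligned(d, from_domain, adkim) for res, d in dkim_results)
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    # A phisher who passes SPF and DKIM for their own domain still fails DMARC for yours.
    print(dmarc_verdict("example.com", "pass", "mailer.esp.net", [("pass", "esp.net")]))
```

The last case in the `__main__` block is the one worth remembering: SPF and DKIM both pass, yet DMARC fails, because neither authenticated identity belongs to the domain the recipient sees.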
MTA-STS: Enforcing Encryption
MTA-STS (Mail Transfer Agent Strict Transport Security, RFC 8461) lets you tell sending servers that mail for your domain must be delivered over TLS, to one of your declared MX hosts, with a certificate valid for that host. Without it, SMTP silently falls back to plaintext whenever STARTTLS is unavailable, so an on-path attacker can strip the STARTTLS offer, or answer the MX lookup with their own host, and read the mail in transit.
How MTA-STS Works
Announce support
You publish a TXT record at _mta-sts.yourdomain.com announcing MTA-STS support. Its id value must change every time the policy file changes.
Host the policy
You serve a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt over HTTPS, with a certificate valid for that hostname.
Senders fetch it
Sending servers fetch your policy before delivering email to you and cache it for max_age seconds, refetching only when the id changes or the cache expires.
Enforce TLS
If your policy says "enforce," they deliver only to a host matching one of your mx: patterns, over TLS, with a certificate valid for that host. Anything else is deferred rather than downgraded to plaintext.
MTA-STS DNS Record
_mta-sts.example.com. IN TXT "v=STSv1; id=20260123T120000"
MTA-STS Policy File
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mail.example.com
max_age: 86400
Start with mode: testing. In testing mode senders still deliver when the policy cannot be honoured, but report the failure via TLS-RPT, so you find problems without breaking email delivery. Move to enforce once the reports are clean and every MX you list presents a valid certificate for its hostname. Remember to bump the id in the _mta-sts TXT record when you do, or senders will keep using the cached testing policy until max_age expires.
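What a sending MTA does with that policy, as an added example (not code from the original page or from any MTA): parse the key: value body, match the connected MX hostname against the mx: patterns with the RFC 8461 wildcard rule (a leading "*." matches exactly one label), and then deliver, deliver-and-report, or refuse according to mode. Fetching the TXT record and the HTTPS policy is out of scope; the policy text is the one shown above, reproduced as constructed input.

```python
"""MTA-STS policy parsing and MX matching (RFC 8461), as a sending MTA applies it.

Added example, not from the original page. Covers the decision made after the
policy has been fetched; DNS and HTTPS retrieval are out of scope.
"""

# Constructed policy body, as fetched from https://mta-sts.example.com/.well-known/mta-sts.txt
POLICY_TEXT = """version: STSv1
mode: enforce
mx: mail.example.com
mx: *.mail.example.com
max_age: 86400
"""


def parse_policy(text):
    """Return {'version', 'mode', 'max_age', 'mx': [...]} or raise on a malformed policy."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line: {raw!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy["max_age"] = int(value)
        else:
            policy[key] = value          # version, mode, and any extension fields
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("an enforce/testing policy needs at least one mx: pattern")
    return policy


def mx_matches(mx_host, pattern):
    """RFC 8461 section 4.1: '*.mail.example.com' matches mx1.mail.example.com,
    but not a.b.mail.example.com and not mail.example.com itself."""
    mx_host = mx_host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = mx_host.partition(".")
        return bool(head) and rest == pattern[2:]
    return mx_host == pattern


def delivery_decision(policy, mx_host, tls_ok):
    """'deliver', 'deliver-and-report' (testing mode) or 'refuse' for one MX host.

    tls_ok -- True when STARTTLS succeeded with a certificate valid for mx_host.
    A forged MX answer (host not in the policy) or a stripped STARTTLS offer
    (tls_ok False) is refused under enforce; that refusal is the downgrade
    protection MTA-STS adds.
    """
    if policy["mode"] == "none":
        return "deliver"
    compliant = tls_ok and any(mx_matches(mx_host, p) for p in policy["mx"])
    if compliant:
        return "deliver"
    return "deliver-and-report" if policy["mode"] == "testing" else "refuse"
```

Note the two failure paths in `delivery_decision`: a host that is not in the policy is refused even when it offers perfectly good TLS, which is what defeats a spoofed MX record, and a listed host without validated TLS is refused rather than downgraded.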
TLS-RPT: Encryption Failure Reports
TLS-RPT (SMTP TLS Reporting, RFC 8460) works alongside MTA-STS and DANE: sending servers that fail to negotiate TLS with your MX hosts, or fail to fetch or validate your policy, send a daily aggregate report to the address you publish. It's like getting an error log for email encryption, written by other people's mail servers.
TLS-RPT DNS Record
_smtp._tls.example.com. IN TXT "v=TLSRPTv1; rua=mailto:tls-reports@example.com"
Reports include information about:
- Failed TLS negotiations
- Certificate validation failures
- MTA-STS policy fetch failures
- DANE validation problems
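Reports arrive as gzip-compressed JSON attachments at the rua= address, and the useful work is aggregating them. The following is an added example (not from the original page); the report inside it is constructed, with made-up counts and addresses from the documentation IP ranges, but its shape follows RFC 8460 section 4. The split between "our side" and "their side" result types is this example's own rule of thumb, not something the RFC defines.

```python
"""Summarize a TLS-RPT aggregate report (RFC 8460 JSON).

Added example, not from the original page. The report below is constructed
for illustration; real ones arrive as application/tlsrpt+gzip attachments.
"""
import json
from collections import Counter

# Constructed sample report; shape follows RFC 8460 section 4, values are made up.
SAMPLE_REPORT = json.dumps({
    "organization-name": "Example Sender Inc.",
    "date-range": {"start-datetime": "2026-01-23T00:00:00Z",
                   "end-datetime": "2026-01-23T23:59:59Z"},
    "contact-info": "tls-ops@sender.example",
    "report-id": "2026-01-23T00:00:00Z_example.com",
    "policies": [
        {
            "policy": {"policy-type": "sts", "policy-domain": "example.com",
                       "policy-string": ["version: STSv1", "mode: enforce",
                                         "mx: mail.example.com", "max_age: 86400"],
                       "mx-host": ["mail.example.com"]},
            "summary": {"total-successful-session-count": 4821,
                        "total-failure-session-count": 7},
            "failure-details": [
                {"result-type": "certificate-host-mismatch",
                 "sending-mta-ip": "198.51.100.20",
                 "receiving-mx-hostname": "mx2.mail.example.com",
                 "receiving-ip": "203.0.113.25", "failed-session-count": 5},
                {"result-type": "sts-policy-fetch-error",
                 "sending-mta-ip": "198.51.100.21",
                 "receiving-mx-hostname": "mail.example.com",
                 "receiving-ip": "203.0.113.10", "failed-session-count": 2},
            ],
        },
        {
            "policy": {"policy-type": "tlsa", "policy-domain": "example.com",
                       "policy-string": ["3 1 1 " + "ab" * 32],   # constructed digest
                       "mx-host": ["mail.example.com"]},
            "summary": {"total-successful-session-count": 310,
                        "total-failure-session-count": 1},
            "failure-details": [
                {"result-type": "tlsa-invalid", "sending-mta-ip": "192.0.2.7",
                 "receiving-mx-hostname": "mail.example.com",
                 "receiving-ip": "203.0.113.10", "failed-session-count": 1},
            ],
        },
    ],
})

# Result types (RFC 8460 section 4.3) that point at the receiving domain's own setup
# rather than at the sender. This grouping is the example's assumption.
RECEIVER_SIDE = {
    "certificate-host-mismatch", "certificate-expired", "certificate-not-trusted",
    "sts-policy-fetch-error", "sts-policy-invalid", "sts-webpki-invalid",
    "tlsa-invalid", "dnssec-invalid",
}


def summarize(report_json):
    """Aggregate one report: session totals, failures by (policy-type, result-type), failures by MX host."""
    report = json.loads(report_json)
    by_type, by_mx = Counter(), Counter()
    ok = failed = 0
    for entry in report["policies"]:
        ptype = entry["policy"]["policy-type"]
        ok += entry["summary"]["total-successful-session-count"]
        failed += entry["summary"]["total-failure-session-count"]
        for fd in entry.get("failure-details", []):
            by_type[(ptype, fd["result-type"])] += fd["failed-session-count"]
            by_mx[fd["receiving-mx-hostname"]] += fd["failed-session-count"]
    action_items = sorted({rt for (_, rt) in by_type if rt in RECEIVER_SIDE})
    return {"reporter": report["organization-name"], "ok": ok, "failed": failed,
            "by_type": dict(by_type), "by_mx": dict(by_mx), "action_items": action_items}


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

In the constructed report the host-mismatch failures all land on mx2.mail.example.com, which is the pattern you would see when one MX in a pool was renewed with a certificate that does not cover its own hostname.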
DANE: Certificate Pinning via DNS
DANE (DNS-based Authentication of Named Entities, RFC 6698 and RFC 7672 for SMTP) lets you publish, in a DNSSEC-signed zone, which certificate or public key a sending server must see when it connects to your MX. Because trust comes from DNSSEC rather than from the web PKI, a certificate fraudulently issued for your hostname is rejected even if it came from a compromised or coerced Certificate Authority.
How DANE Works
Publish TLSA records
You add TLSA records to your DNSSEC-signed DNS zone.
Pin the certificate
These records contain cryptographic information about your certificate.
Senders verify
Sending servers verify your certificate matches what's published in DNS.
Reject mismatches
Even a valid CA-issued certificate is rejected if it doesn't match the pin.
DANE TLSA Record
_25._tcp.mail.example.com. IN TLSA 3 1 1 abc123def456...
The owner name is the port and protocol under the MX hostname, not under the mail domain. The three numbers are usage 3 (DANE-EE: match the server's own certificate), selector 1 (match the SubjectPublicKeyInfo rather than the whole certificate) and matching type 1 (SHA-256), followed by the digest. "3 1 1" is the form RFC 7671 recommends for SMTP because it keeps matching across certificate renewals that reuse the same key, and it only protects anything if the zone is DNSSEC-signed.
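To make the selector and matching-type choices concrete, here is an added example (not from the original page) that generates TLSA data for a certificate and verifies a presented certificate against a record. It handles usage 3 only, since that is what MX hosts use; the certificate is a constructed, unsigned X.509 skeleton around a fake key so the SubjectPublicKeyInfo extraction can run offline, and DNSSEC validation of the TLSA lookup is assumed to have already happened. The digest in the page's own record is not reproduced here.

```python
"""Generate and verify DANE TLSA data for an SMTP server certificate (RFC 6698 / RFC 7672).

Added example, not from the original page. Usage 3 (DANE-EE) with selector 0
(whole certificate) or 1 (SubjectPublicKeyInfo), matching type 1 (SHA-256) or
2 (SHA-512). The certificate is a constructed toy; nothing here is real PKI.
"""
import hashlib


def der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def der_read(buf, pos=0):
    """Return (tag, body, end, whole_tlv) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big"), 2 + nbytes
    start, end = pos + hdr, pos + hdr + length
    return tag, buf[start:end], end, buf[pos:end]


def der_children(body):
    """List the (tag, whole_tlv) children inside a constructed element's body."""
    items, pos = [], 0
    while pos < len(body):
        tag, _, pos, whole = der_read(body, pos)
        items.append((tag, whole))
    return items


def extract_spki(cert_der):
    """Pull the DER SubjectPublicKeyInfo (header included) out of an X.509 certificate."""
    _, cert_body, _, _ = der_read(cert_der)        # Certificate ::= SEQUENCE
    _, tbs_body, _, _ = der_read(cert_body)        # tbsCertificate ::= SEQUENCE
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[5][1]


def toy_certificate(pubkey_bits, serial=1):
    """Constructed minimal certificate skeleton (unsigned, not valid) around the given key bits."""
    rsa_enc = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))     # rsaEncryption
    sha256_rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    empty_name = der(0x30, b"")
    validity = der(0x30, der(0x17, b"260101000000Z") + der(0x17, b"270101000000Z"))
    spki = der(0x30, rsa_enc + der(0x03, b"\x00" + pubkey_bits))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + sha256_rsa
              + empty_name + validity + empty_name + spki)
    cert = der(0x30, tbs + sha256_rsa + der(0x03, b"\x00" + bytes(32)))   # dummy signature
    return cert, spki


def tlsa_record(cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format RDATA, e.g. '3 1 1 <sha256 of SPKI>'."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest()
    return f"{usage} {selector} {mtype} {digest}"


def tlsa_matches(rdata, cert_der):
    """Does the end-entity certificate presented by the MX satisfy this TLSA record?"""
    usage, selector, mtype, assoc = rdata.split(None, 3)
    if int(usage) != 3:
        raise ValueError("only DANE-EE (usage 3) is handled here; usage 2 needs a chain walk")
    data = cert_der if int(selector) == 0 else extract_spki(cert_der)
    if int(mtype) == 0:
        return data == bytes.fromhex(assoc.replace(" ", ""))
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[int(mtype)](data).hexdigest()
    return digest == assoc.replace(" ", "").lower()
```

The renewal case is the reason for preferring selector 1: a certificate reissued for the same key still matches a "3 1 1" record, while a "3 0 1" record breaks the moment the certificate changes, which is exactly the kind of outage that makes DANE deployments fail.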
Getting Your DMARC Policy Right
BIMI (below) requires an enforcing DMARC policy, and without one none of the transport protections on this page stop a spoofed From: address. p=none only monitors; it stops nothing. p=reject actually blocks spoofed mail. Move up the ladder deliberately:
Do:
- Start at p=none with rua= reporting to discover every legitimate sender.
- Step up to p=quarantine, then p=reject, once reports look clean.
- Reach p=reject with pct=100: the bar for real anti-spoofing, and comfortably above the BIMI minimum of p=quarantine with pct=100.
Don't:
- Sit on p=none forever; it reports abuse but blocks none of it.
- Jump straight to p=reject before reports confirm every sender is aligned.
- Expect BIMI to show your logo while DMARC is below p=quarantine.
BIMI: Brand Logos in Email
BIMI (Brand Indicators for Message Identification) displays your brand logo next to authenticated emails in supporting email clients. It's the reward for good email hygiene.
BIMI Requirements
- DMARC at p=quarantine or p=reject with pct=100; enforcement is mandatory, and a subdomain policy (sp=), if present, must not be none.
- Logo in SVG Tiny 1.2 Portable/Secure (SVG Tiny P/S), a strict subset of SVG with no scripts or external references, served over HTTPS.
- Mark Certificate, required by the major mailbox providers (no longer optional in practice):
  - VMC (Verified Mark Certificate), for registered trademarks. Accepted everywhere BIMI is shown, and the only certificate that earns Gmail's blue verified checkmark.
  - CMC (Common Mark Certificate), a cheaper option for logos without a registered trademark. Accepted by Gmail (logo only, without the checkmark), Apple Mail and Yahoo Mail.
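The two sections above reduce to a few tag checks on the DMARC record, so here is an added example (not from the original page) that parses a record, places it on the none/quarantine/reject ladder, tests it against the BIMI requirement stated above, and suggests the next rung. The records inside it are constructed; the wording of the suggestions is the example's own.

```python
"""Parse a DMARC record and place it on the none/quarantine/reject ladder.

Added example, not from the original page. Reads the tags that matter for
enforcement (p, sp, pct, rua) and applies the BIMI bar described above:
p=quarantine or p=reject with pct=100, and sp (if set) not none.
"""


def parse_dmarc(txt):
    """Split 'v=DMARC1; p=reject; ...' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    return tags


def enforcement_level(tags):
    """'monitor', 'partial' or 'enforce' for the organizational domain itself."""
    p = tags["p"].lower()
    pct = int(tags.get("pct", "100"))          # pct defaults to 100 when absent
    if p == "none" or pct == 0:
        return "monitor"
    if pct < 100:
        return "partial"                       # e.g. p=quarantine; pct=25 acts on a quarter of failures
    return "enforce"


def bimi_ready(tags):
    """BIMI bar: p=quarantine or p=reject at pct=100, and sp (defaulting to p) not none."""
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()             # subdomain policy inherits p when unset
    pct = int(tags.get("pct", "100"))
    return p in ("quarantine", "reject") and pct == 100 and sp in ("quarantine", "reject")


def next_step(tags):
    """Suggest the next rung of the ladder; the wording is this example's own."""
    p = tags["p"].lower()
    if "rua" not in tags:
        return "add rua= reporting before changing p="
    if p == "none":
        return "move to p=quarantine once reports show all legitimate senders aligned"
    if p == "quarantine":
        return "raise pct to 100" if int(tags.get("pct", "100")) < 100 else "move to p=reject"
    return "done: p=reject; keep monitoring rua reports"


if __name__ == "__main__":
    # sp=none is the easy one to miss: the apex is enforced, but any subdomain can still be spoofed.
    leaky = parse_dmarc("v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com")
    print(enforcement_level(leaky), bimi_ready(leaky))
```

The `sp=none` case in the `__main__` block is the one that trips people up: the apex shows "enforce" on every checker, yet any subdomain remains spoofable and BIMI will not display.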
Where BIMI displays today
- Gmail: web and mobile; logo with a VMC or CMC, blue verified checkmark only with a VMC
- Apple Mail: iOS 16+ and macOS Ventura+, accepts VMC or CMC
- Yahoo Mail: VMC or CMC
- Fastmail, La Poste: basic BIMI support
- Microsoft Outlook: still no native BIMI support as of 2026
BIMI DNS Record
default._bimi.example.com. IN TXT "v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem"
Implementation Priority Matrix
Here's how to prioritize these advanced features (protocol, priority, effort):
- MTA-STS, high priority. Easy: needs an HTTPS subdomain and a TLS-capable MX. Start here.
- TLS-RPT, high priority. Very easy: just needs an email address for reports. Pair it with MTA-STS.
- BIMI, medium priority. Medium effort: requires DMARC enforcement plus an SVG logo and a mark certificate.
- DANE, lower priority. Hard: depends on DNSSEC and careful certificate management. Tackle last.
Security Checklist
Use this checklist to track your email security implementation:
- SPF record with all sending sources
- DKIM signing enabled
- DMARC at p=reject
- MTA-STS in enforce mode
- TLS-RPT reporting enabled
- BIMI with brand logo
- DANE with DNSSEC