Authentication
SPF, DKIM, DMARC, BIMI, ARC and the DNS records that prove your mail is yours.
Start with the pillar guide for the full model, follow the diagnostic workflow for the current problem, and use the commercial destination when the evidence needs to become a repeatable team process.
Monitor DMARC and sender authenticationTurn DNS records and aggregate reports into sender inventory, alignment evidence, and an enforcement plan.
Authentication work should first answer which services are allowed to send, which domains they sign with, and whether those identifiers align with the visible From domain. Policy changes come after the sender map is trustworthy.
Use aggregate reporting to separate legitimate sources from unknown traffic, then raise enforcement in stages. A rushed reject policy can break mail that is business-critical but poorly inventoried.
BIMI, ARC, MTA-STS, TLS-RPT, and DNSSEC do different jobs. Treat them as supporting evidence around authentication rather than as substitutes for SPF, DKIM, and DMARC alignment.
Inspect SPF and DMARC records before changing policy.
Open workflowSeparate raw SPF or DKIM pass from DMARC-aligned identity.
Open workflowLabel legitimate and unknown senders before moving toward reject.
Open workflowExpand mechanisms, count DNS lookups, and identify policy risks.
Inspect policy, reporting, alignment, and subdomain behavior.
DMARC rollout: from p=none to p=reject without breaking mail
The exact six-week schedule for moving from monitoring-only DMARC to full enforcement, with the report-reading checkpoints that keep you safe.
Read pillarUse RUA report evidence to label known senders, investigate unknown sources, and avoid breaking legitimate mail during policy rollout.
ReadWhy rotating DKIM keys matters, when to do it, and the exact two-selector cutover that keeps signatures valid through the change.
ReadUse practical SPF examples to understand mechanisms, qualifiers, includes, redirects, DNS lookup limits, and common failure modes.
ReadUnderstand how SPF, DKIM, and DMARC work together, why alignment matters, and when to move from a checker to monitoring.
ReadReview BIMI prerequisites, logo requirements, certificate options, DNS publication, and the limits of mailbox-provider display.
ReadPublish MTA-STS safely, collect TLS reports, diagnose transport failures, and move from testing to enforcement with evidence.
ReadSee how relaxed and strict SPF or DKIM alignment compare authenticated domains with the visible From domain.
ReadUnderstand ARC sets, chain validation, forwarding scenarios, and why ARC preserves authentication evidence without making DMARC pass.
ReadLearn how DNSSEC protects DNS answers, where it supports email security, and why it does not directly guarantee authentication or inbox placement.
ReadChoose when to move from monitoring to quarantine or reject using aligned sender coverage, unknown-source volume, and report evidence.
ReadLearn what MX records do, how priority and fallback work, which DNS mistakes break inbound mail, and how to verify MX routing safely.
Read
