// email standards · reference

The standards that decide if your mail is trusted.

Email authentication is the set of open standards that let a receiving server tell your real message from a forgery. This is a plain-English reference to the ones that matter — SPF, DKIM, DMARC, and especially ARC, which keeps forwarded and relayed mail from wrongly landing in spam — plus MTA-STS, DANE, and BIMI.

RadMail is pre-release, with its engine live in a test bed on two real businesses. This is reference material on the open email-authentication standards RadMail respects and recommends. RadMail's outbound setup helps a tenant publish SPF, DKIM, and DMARC and walk the DMARC policy safely from none to quarantine to reject; the other standards below are ones it recommends and explains, not settings it changes on your DNS for you.

the honest frame :: a tool, not a guaranteeread first

Email authentication is a tool, not a guarantee. Publishing these records makes a receiving server far more able to tell a real message from a forged one, which protects your domain's reputation and your recipients. It does not by itself guarantee delivery, and no single record makes a domain impossible to spoof. Treat this as raising the floor, not sealing the door.

The standards, one by one.

SPFSender Policy Framework

TXT

Lists which servers are allowed to send mail for your domain.

SPF is a single TXT record on your domain that names the mail servers and services authorized to send on its behalf. A receiving server reads it, checks the sending server's IP against the list, and records a pass or fail. You publish exactly one SPF record per domain; multiple SPF records silently break authentication, so additional senders are added as `include:` mechanisms inside the one record.

Without SPF, anyone can put your domain in the envelope sender and a receiver has no authorized-sender list to check it against. SPF is the oldest and most widely honored of these checks, and DMARC needs at least one of SPF or DKIM to align before it will pass.

RadMail RadMail's outbound setup helps a tenant assemble the correct single SPF record, including the send-path `include:` it needs, and flags the two-SPF-records mistake.

DKIMDomainKeys Identified Mail

TXT (CNAME on some providers)

Cryptographically signs each message so tampering is detectable.

DKIM attaches a digital signature to every outbound message using a private key held by your sending service; the matching public key is published as a TXT record at a selector subdomain (for example `selector._domainkey.yourdomain.com`). A receiver fetches the public key, verifies the signature, and confirms the signed parts of the message were not altered in transit. Unlike SPF, DKIM survives a simple relay because it travels with the message, not the connection.

DKIM proves a message genuinely came from your domain and arrived intact, which both raises trust and is the auth result most likely to still pass after mail is forwarded. A DMARC policy passes when either SPF or DKIM aligns with the visible From domain — DKIM is usually the more resilient of the two.

RadMail RadMail's outbound setup helps a tenant publish the DKIM public-key record and manage the selector so signed mail verifies.

DMARCDomain-based Message Authentication, Reporting & Conformance

TXT

Tells receivers what to do when SPF and DKIM don't line up — and reports back.

DMARC is a TXT record at `_dmarc.yourdomain.com` that sets a policy (`p=none`, `p=quarantine`, or `p=reject`) for mail that fails alignment, and an address to send aggregate reports to (`rua=`). Alignment means the domain that passed SPF or DKIM matches the domain a human sees in the From header. DMARC ties SPF and DKIM together and makes their results actionable.

SPF and DKIM alone don't tell a receiver what to do with a failure — DMARC does, and its reports are how you discover who is sending as your domain before you tighten the policy. The safe rollout is `p=none` first to watch the reports, then `quarantine`, then `reject` once your legitimate mail all aligns.

RadMail RadMail's outbound setup helps a tenant publish DMARC and walk the policy from none to quarantine to reject with a readiness view — the safe, staged path, never a jump straight to reject.

ARCAuthenticated Received Chain

message header (no DNS record)

Preserves the original pass results when mail is forwarded or relayed, so honest forwarded mail isn't wrongly failed.

ARC is designed for the case that breaks plain SPF and DMARC: forwarding. When a mailing list, a forwarder, or a relay modifies a message or re-sends it from its own servers, the original SPF can no longer match and a strict DMARC policy may reject a perfectly legitimate message. ARC lets each intermediary cryptographically record the authentication results it saw on arrival and seal that record into the message, so a later receiver can see 'this message failed SPF now, but a trusted hop already verified it passed before forwarding' and choose to honor that chain.

This is the real-deliverability problem behind a lot of 'my forwarded mail lands in spam' reports: a legitimate message relayed through a forwarder trips the receiver's DMARC check because the path changed. ARC gives receivers a way to trust the earlier verdict instead of blaming the forwarder, which is exactly why it matters for anyone whose mail is forwarded, run through a list, or relayed through another service. ARC does not override a receiver's own judgment — it supplies evidence a receiver may weigh.

RadMail RadMail respects and recommends ARC: when RadMail relays or forwards mail, preserving the received chain is how honest forwarded messages keep their earned trust. RadMail does not ask you to configure ARC on your DNS — it is handled by the relaying service, not by a record you publish.

MTA-STSSMTP MTA Strict Transport Security

TXT + HTTPS policy file

Requires that mail to your domain be delivered over encrypted, certificate-validated TLS.

MTA-STS lets a domain declare that sending servers must use TLS with a valid certificate when delivering mail to it, closing a downgrade gap where an attacker on the network could strip encryption. It is published as a DNS TXT record at `_mta-sts.yourdomain.com` plus a policy file served over HTTPS at `mta-sts.yourdomain.com`. A companion record, TLS-RPT (`_smtp._tls.yourdomain.com`), asks receivers to report TLS delivery failures back to you.

Without MTA-STS, SMTP will quietly fall back to an unencrypted connection if TLS negotiation is interfered with. For a domain that handles sensitive correspondence, requiring validated TLS on inbound mail is a meaningful hardening step and its TLS-RPT reports surface delivery problems you would otherwise never see.

RadMail RadMail recommends MTA-STS for regulated and sensitive senders and explains it here. It involves a DNS record plus an HTTPS-hosted policy file on your own infrastructure — RadMail does not host that policy file for you.

DANEDNS-based Authentication of Named Entities

TLSA (requires DNSSEC)

Pins the exact TLS certificate for your mail server using DNSSEC, an alternative to MTA-STS.

DANE publishes a TLSA record that ties your mail server's TLS certificate to your domain, so a sending server can verify it is talking to the right server with the right certificate. Its trust comes from DNSSEC — the cryptographic signing of DNS itself — rather than from the public certificate authorities and HTTPS that MTA-STS relies on. DANE and MTA-STS solve the same downgrade problem by different roots of trust.

DANE gives strong, DNSSEC-anchored assurance against TLS downgrade and man-in-the-middle interception on the mail path, and is favored in environments that already run DNSSEC. It requires DNSSEC to be enabled on your zone, which not every DNS provider supports, so it is the more advanced of the two transport-security options.

RadMail RadMail recommends DANE where a domain already runs DNSSEC, and treats it as an alternative to MTA-STS rather than a duplicate. It depends on DNSSEC support at your DNS provider — RadMail explains it but does not enable DNSSEC or publish TLSA records on your zone.

BIMIBrand Indicators for Message Identification

TXT (+ hosted SVG logo)

Shows your verified logo next to authenticated mail — but only after DMARC is at enforcement.

BIMI lets a domain publish a TXT record pointing at a logo (an SVG Tiny P/S file) that participating mailbox providers can display beside your messages. Crucially, BIMI only takes effect once your domain is at an enforcing DMARC policy (`quarantine` or `reject`), and some providers additionally require a Verified Mark Certificate (VMC) proving you own the trademark on the logo. BIMI is the visible reward for having done the authentication work underneath it.

BIMI turns invisible authentication into something a recipient can actually see, which supports recognition and trust — but it is strictly downstream of SPF, DKIM, and an enforced DMARC policy, so it is the last step, not the first. Chasing the logo before DMARC is enforced simply won't work.

RadMail RadMail recommends BIMI as the final step after DMARC reaches enforcement, and explains its DMARC and VMC prerequisites honestly. Publishing the BIMI record and obtaining any Verified Mark Certificate are steps you take with your DNS provider and a certificate issuer.

The safe rollout order.

Do these in order. The one mistake to avoid is jumping DMARC straight to p=rejectbefore you've read the reports — that can start dropping your own legitimate mail.

rollout :: floor-raising sequence
  1. 1. Publish SPFOne TXT record listing every service that sends for your domain. Confirm there is exactly one SPF record.
  2. 2. Turn on DKIMPublish the public-key record for your sending service's selector so every message is signed.
  3. 3. Start DMARC at p=nonePublish _dmarc with p=none and an rua address, then read the aggregate reports to find every legitimate sender.
  4. 4. Move DMARC to quarantine, then rejectOnce your real mail all aligns on SPF or DKIM, tighten the policy in stages. Don't jump straight to reject.
  5. 5. Consider ARC, MTA-STS/DANE, then BIMIARC helps forwarded mail keep its earned trust; MTA-STS or DANE harden the transport; BIMI shows your logo once DMARC is enforcing.

Set it up on your DNS provider.

Concrete, correct SPF / DKIM / DMARC walkthroughs for the DNS host your domain actually lives on.

Common questions.

What is the difference between SPF, DKIM, and DMARC?

SPF lists which servers may send mail for your domain, DKIM cryptographically signs each message so tampering is detectable and the signature survives forwarding, and DMARC ties the two together — it tells receivers what to do when neither aligns with your visible From address and sends you reports on who is using your domain. You generally publish all three, in that order, starting DMARC at p=none.

What is ARC and why does forwarded email land in spam without it?

ARC, the Authenticated Received Chain, preserves the original authentication results when a message is forwarded or relayed. Plain SPF breaks on forwarding because the sending path changes, so a strict DMARC policy can reject a legitimate forwarded message; ARC lets each intermediary seal in the pass results it saw, so a later receiver can honor the earlier verdict instead of failing honest forwarded mail. It supplies evidence a receiver may weigh — it does not override the receiver's own judgment.

Does email authentication guarantee my mail gets delivered?

No. Authentication is a tool, not a guarantee. SPF, DKIM, and DMARC make it far easier for a receiving server to tell your real mail from a forgery, which protects your domain's reputation and your recipients, but delivery also depends on sending reputation, content, and each receiver's own policy. No single record makes a domain impossible to spoof or delivery certain.

What order should I set up email authentication in?

Publish SPF first, then DKIM, then DMARC at p=none so you can read the reports and find every legitimate sender. Once your real mail all aligns, move DMARC to quarantine and then reject. ARC, MTA-STS or DANE, and finally BIMI come after that foundation is in place — BIMI in particular only works once DMARC is at an enforcing policy.

What is the difference between MTA-STS and DANE?

Both require that mail to your domain be delivered over validated TLS, closing a downgrade gap, but they anchor trust differently: MTA-STS relies on the public certificate authorities and an HTTPS-hosted policy file, while DANE relies on DNSSEC and a TLSA record. DANE needs DNSSEC enabled on your zone; MTA-STS does not. They solve the same problem two ways, so most domains pick one.

Do I need a Verified Mark Certificate to show my logo with BIMI?

It depends on the mailbox provider. BIMI first requires an enforcing DMARC policy (quarantine or reject); on top of that, some providers display your logo only if you also hold a Verified Mark Certificate proving you own the trademark on it, while others will show a logo without one. BIMI is always the last step, downstream of SPF, DKIM, and enforced DMARC.

What does RadMail actually do about email authentication?

RadMail's outbound setup helps a tenant publish SPF, DKIM, and DMARC and walk the DMARC policy safely from none to quarantine to reject, and its deliverability view is built around reply-correlation — which sends actually earned a reply, not just an open. RadMail respects and recommends ARC, MTA-STS, DANE, and BIMI and explains them, but those are standards handled at your DNS provider or by the relaying service, not settings RadMail changes on your DNS for you. RadMail is pre-release, with its engine live in a two-business test bed.

radmail@inbox:~$ dig +short TXT _dmarc.yourdomain.com