SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI Explained - Postmaster+ by OptiPub

SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI Explained

Email authentication is a crucial part of ensuring the safety, security, and deliverability of emails. Without it, malicious actors can easily spoof email addresses to impersonate individuals or organizations, leading to phishing attacks, scams, and tarnishing of the impersonated entity's reputation. The adoption of email authentication protocols can help mitigate these risks.

  1. SPF (Sender Policy Framework): SPF allows the owner of a domain to specify which mail servers are authorized to send emails on behalf of the domain. This helps receiving mail servers determine if the incoming email is from a trusted source or not.

  2. DKIM (DomainKeys Identified Mail): DKIM provides a method for validating a domain name identity associated with a message through cryptographic authentication. This means it can verify that the email was not altered during transit (protecting the integrity of the message) and that it indeed comes from the specified domain.

  3. DMARC (Domain-based Message Authentication, Reporting & Conformance): DMARC builds on SPF and DKIM by adding a policy that specifies what should be done with messages that fail SPF or DKIM checks, and reporting capabilities that provide insights about attempts to send email on behalf of the domain. This assists in actively managing spoofing attempts and understanding the domain's email security performance.

  4. MTA-STS (Mail Transfer Agent Strict Transport Security): MTA-STS is a protocol that enhances email transport security by enforcing the use of secure (TLS) connections between mail servers, preventing email interception and attacks that strip TLS encryption.

  5. TLS-RPT (TLS Reporting): TLS-RPT provides a mechanism for reporting Transport Layer Security (TLS) related information about email transmissions. It lets domain owners receive reports on the successes, failures, and potential issues of the TLS connections used for email delivery.

  6. BIMI (Brand Indicators for Message Identification): BIMI allows organizations to display their logo in recipients' inboxes, offering visual assurance that the email is indeed from the company it claims to be from. This requires the sender to have implemented DMARC.

Each of these mechanisms addresses different aspects of email security and identity, and together they provide a comprehensive suite of protections against email spoofing, phishing, and other email-based attacks.

By implementing all these mechanisms, a domain owner significantly reduces the risk of their domain being misused. This enhances trust in their email communications and improves the likelihood of their messages reaching the intended recipients' inboxes, while protecting their brand's reputation. However, these mechanisms should be implemented with care, as improper configurations can cause legitimate email to be rejected or lost.
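To make the DMARC step concrete, here is an added example (not code from the original article) that evaluates a message the way the DMARC description above outlines: it takes the SPF and DKIM outcomes, checks identifier alignment against the From: domain using the aspf=/adkim= tags, and then applies the published p= policy. The sample record and domains are constructed; relaxed alignment is simplified to a parent/child label match, and pct=, sp= and the public-suffix organizational-domain rule are left out.

```python
# Constructed sample: the DMARC record from the table further down this page,
# evaluated for a message whose From: domain is example.com.
EXAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:reports@example.com"

def parse_tags(record):
    """Parse a 'tag=value; tag=value' TXT record into a dict."""
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment. Strict ('s') needs an exact match; relaxed ('r') is
    simplified here to a parent/child label match instead of the public-suffix
    organizational-domain rule a real receiver applies."""
    a, f = auth_domain.lower(), from_domain.lower()
    if not a or not f:
        return False
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_evaluate(dmarc_txt, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine SPF/DKIM outcomes with alignment, then apply the published policy.
    spf_domain is the MAIL FROM domain SPF checked; dkim_domain is the d= of a
    verified signature (empty string when there is none)."""
    tags = parse_tags(dmarc_txt)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return {"result": "none", "disposition": "none"}   # no usable policy published
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none"}
    return {"result": "fail", "disposition": tags["p"]}

if __name__ == "__main__":
    # A message that passes SPF only for an unrelated domain still fails DMARC
    # and, with p=reject, is rejected.
    print(dmarc_evaluate(EXAMPLE_DMARC, "example.com", "pass", "attacker.example", "fail", ""))
```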

SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI Timeline

  1. SPF (Sender Policy Framework):

    • Introduced in 2003 by Meng Weng Wong.
    • Published as an experimental proposal in RFC 4408.
    • Standardized in RFC 7208 in 2014.
  2. DKIM (DomainKeys Identified Mail):

    • Developed in 2004 by a team of engineers from Yahoo!.
    • Published as an experimental proposal in RFC 4871.
    • Standardized in RFC 6376 in 2011.
  3. DMARC (Domain-based Message Authentication, Reporting, and Conformance):

    • Introduced in 2012 by a group of industry organizations, including PayPal, Google, Microsoft, and Yahoo!.
    • Published as an informational RFC 7489.
  4. MTA-STS (Mail Transfer Agent Strict Transport Security):

    • Introduced in 2017 by a group of email service providers and experts.
    • Published as a proposed standard in RFC 8461.
  5. TLS-RPT (TLS Reporting):

    • Introduced in 2018 by the Internet Engineering Task Force (IETF).
    • Designed to provide a mechanism for reporting TLS-related information.
    • Published as a proposed standard in RFC 8460.
  6. BIMI (Brand Indicators for Message Identification):

    • Proposed in 2018 by a consortium of companies, including Google, Microsoft, and Fastmail.
    • Currently in the pilot phase, with specifications still being finalized.

Example DNS Records for SPF, DKIM, DMARC, MTA-STS, TLS-RPT and BIMI

Type     Host                              Value
SPF      example.com                       v=spf1 mx -all
DKIM     selector._domainkey.example.com   v=DKIM1; k=rsa; p=MIIBIjANBg... (truncated public key)
DMARC    _dmarc.example.com                v=DMARC1; p=reject; rua=mailto:reports@example.com
MTA-STS  _mta-sts.example.com              v=STSv1; id=20230514
TLS-RPT  _smtp._tls.example.com            v=TLSRPTv1; rua=mailto:tlsrpt@example.com
BIMI     default._bimi.example.com         v=BIMI1; l=https://example.com/logo.svg

Notes:

  1. The example DNS records are simplified for illustrative purposes.
  2. The DKIM record carries the public key, which is generally quite long and has been truncated in this example.
  3. The BIMI record includes a URL to an SVG image for the logo. This URL should be HTTPS and the image must meet certain requirements.
  4. The MTA-STS record also requires a corresponding policy file to be hosted at https://mta-sts.example.com/.well-known/mta-sts.txt. The ID in the DNS record should match the ID in the policy file.
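The following is an added example (not the article's own code) that runs the structural checks these notes describe over the records in the table: SPF version tag and terminal all mechanism, a usable DMARC policy, an MTA-STS DNS record with an id (the value a domain owner changes to signal that the policy file was updated) and a policy file carrying the fields RFC 8461 defines (version, mode, mx, max_age), a TLS-RPT reporting address, and a BIMI logo URL that is HTTPS and points at an SVG. The records and the policy file are constructed inline instead of being looked up in DNS or fetched over HTTPS; the DKIM key is a placeholder.

```python
from urllib.parse import urlparse
# Constructed sample: the records from the table above (DKIM omitted, its key is
# truncated there) plus a hypothetical MTA-STS policy file for the same domain.
EXAMPLE_RECORDS = {
    "spf": "v=spf1 mx -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:reports@example.com",
    "mta-sts": "v=STSv1; id=20230514",
    "tls-rpt": "v=TLSRPTv1; rua=mailto:tlsrpt@example.com",
    "bimi": "v=BIMI1; l=https://example.com/logo.svg",
}
EXAMPLE_POLICY = "version: STSv1\nmode: enforce\nmx: mail.example.com\nmax_age: 604800\n"

def parse_tags(record):
    """Parse a 'tag=value; tag=value' TXT record (DMARC/MTA-STS/TLS-RPT/BIMI style)."""
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in record.split(";") if "=" in p)}

def parse_mta_sts_policy(text):
    """Policy file is 'key: value' lines; mx may repeat (RFC 8461 section 3.2)."""
    pairs = [tuple(s.strip() for s in ln.split(":", 1)) for ln in text.splitlines() if ":" in ln]
    policy = {k.lower(): v for k, v in pairs if k.lower() != "mx"}
    policy["mx"] = [v for k, v in pairs if k.lower() == "mx"]
    return policy

def check_records(records, policy_text):
    """Return the problems found; an empty list means every check passed."""
    problems = []
    spf = records.get("spf", "").split()
    if not spf or spf[0] != "v=spf1" or not spf[-1].endswith("all"):
        problems.append("SPF: must start with v=spf1 and end with an 'all' mechanism")
    dmarc = parse_tags(records.get("dmarc", ""))
    if dmarc.get("v") != "DMARC1" or dmarc.get("p") not in ("none", "quarantine", "reject"):
        problems.append("DMARC: needs v=DMARC1 and p=none|quarantine|reject")
    sts, pol = parse_tags(records.get("mta-sts", "")), parse_mta_sts_policy(policy_text)
    if sts.get("v") != "STSv1" or not sts.get("id"):
        problems.append("MTA-STS: DNS record needs v=STSv1 and an id to change on policy updates")
    if (pol.get("version") != "STSv1" or pol.get("mode") not in ("enforce", "testing", "none")
            or not pol["mx"] or not pol.get("max_age", "").isdigit()):
        problems.append("MTA-STS: policy file needs version, mode, at least one mx and max_age")
    tlsrpt = parse_tags(records.get("tls-rpt", ""))
    if tlsrpt.get("v") != "TLSRPTv1" or not tlsrpt.get("rua", "").startswith(("mailto:", "https:")):
        problems.append("TLS-RPT: needs v=TLSRPTv1 and a mailto: or https: rua")
    bimi = parse_tags(records.get("bimi", ""))
    logo = urlparse(bimi.get("l", ""))
    if bimi.get("v") != "BIMI1" or logo.scheme != "https" or not logo.path.endswith(".svg"):
        problems.append("BIMI: logo URL (l=) must be HTTPS and point at an SVG")
    if "bimi" in records and dmarc.get("p") not in ("quarantine", "reject"):  # BIMI needs enforcement
        problems.append("BIMI: requires DMARC p=quarantine or p=reject")
    return problems
```

Running `check_records(EXAMPLE_RECORDS, EXAMPLE_POLICY)` on the sample returns an empty list; feeding it a record set with a weakened SPF, p=none and an HTTP logo URL lists each problem separately.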