Five Pillars to improve Email Delivery and Security- SPF, DKIM, DMARC, ARC and BIMI

Five Pillars to improve Email Delivery and Security- SPF, DKIM, DMARC, ARC and BIMI

It just takes a few lines of code in Python or PHP or Ruby to send an email that looks like it has been sent from your official mail id. And depending on the contents of the mail the reputation of your email id, domain and organization gets affected.

This method, often described as spoofing, is the root cause of most of the phishing attacks globally. Phishing is an attack that tricks the user to click on a link or form inside an email and fill confidential information including passwords and other personal information. Phishing has resulted in over 100 billion dollars of collateral damage for corporations globally in the past decade, estimates by IBM.

To prevent spoofing, and also to ensure that Phishing is prevented, technologists have developed over the past few years several mechanisms and standards that protect email systems from attacks. These mechanisms also improve email security and delivery.

However, these mechanisms also act as a double-edged sword. Sometimes they result in false positives, and well-intentioned emails end up in spam boxes.

It gets even more complicated when you are running a multi-domain routing solution and understanding the underlying technologies, mechanisms and protocols are very important for a successful messaging platform implementation.

Let’s try to understand the basic building blocks first.

Domain Name – This is the fundamental identifier of an email. It’s the identifier after the ‘@’ symbol.

MX Record – A mail exchanger record (MX record) is the address of the mail server responsible for accepting email messages addressed to a domain, that's configured in the Domain Server management system. You can have one or more MX records, each pointing to a resource where a mail server exists. Multiple MX records help you load balance mail service and also provide redundancy.

Till a decade back, you only had to worry about MX records and whether they are pointed correctly, and whether servers are load balanced the right way.

But with phishing, spamming, spoofing and other modern attacks we need to now worry about other ideas too.

Central to these are three technologies which are DMARC, DKIM, and SPF which are essentially email authentication methods. Also important are ARC and BIMI, which also helps provide legitimacy to the email. A domain can list all the servers they send emails from via Sender Policy Framework (SPF). Imagine this to the page on a bank website that lists all the branches of the bank with their official telephone numbers. And you can always refer to this page, and verify whether a call from the bank is calling from an authorized number. Since SPF records list all the IP addresses of all the servers that are allowed to send emails on behalf of the domain, it’s a very good way to rule out a rogue mail server. While SPF does a good job of identifying whether the source is authentic or not, it still it’s not good enough to verify whether the email is authentic or not. Think of it this way. You verified that the number belongs to an authentic branch of the bank, but still you cannot be sure whether the person on the other line is a bona fide employee of the bank whom you can trust. In the real world of messaging frauds, hackers find ways to spoof incoming mail by manipulating the headers to change an IP address to match those found in the SPF record of the domain. This is tricky but a good hacker can achieve this very easily.

DKIM to the rescue

To prevent such IP spoofing, domain owners use DomainKeys Identified Mail (DKIM) to sign emails from the domain. This is a digital signature that uses cryptography and verifies that the email did indeed come from the domain. DKIM records store the domain’s public keys. Private Keys associated with the domain are sent as part of email headers. When an email is received, the recipient server can verify the sender’s public key against the private key sent via the message. The signed key sent is like a signature on a check leaf which a teller or a clerk can verify. It gives additional security to the SPF check. DMARC after SPF & DKIM is checked Domain-based Message Authentication Reporting and Conformance (DMARC) instructs a recipient server what to do after checking SPF and DKIM. A domain's DMARC policy can be set in several ways. You can quarantine emails, or even bounce them. A DMARC record can also send reports to domain administrators about DMARC activity, and parsing mail administrators can fine-tune policies, or understand security threats. DKIM, SPF, and DMARC records are always stored as DNS TXT records. A DNS TXT record stores text that a domain owner wants to associate with the domain. Since these records are textual it can convey a lot of information.


While DMARC does a good job of handling emails that fail SPF and DKIM authentication, in cases of distribution lists and forwarded messages, there can be false positives. Authenticated Received Chain (ARC) is an email authentication system designed to allow an intermediate mail server like a mailing list or forwarding service to sign an email's original authentication results. This allows a receiving service to validate an email when the email's SPF and DKIM records are rendered invalid by an intermediate server's processing. ARC is still not accepted by all mail service providers, as the ARC signing mechanism can be counterfeited too. But it does provide a mechanism for accepting emails that fail SPF and DKIM checks. Brand Indicator Message Identification (BIMI) is another standard that improves your brand visibility. Your BIMI record is a line of text that includes the URL of your brand logo Scalable Vector Graphics (SVG) file and can be again included as a DNS TXT record. Remember even BIMI can be counterfeited. Why manage these mechanisms? Netzary offers fully managed services for managing these mechanisms including analyzing and parsing DMARC messages and providing you insights into attempts of phishing and other security threats on your domain. If you are a customer of our Hybrid email services cutting across different mail services, you get this service free of cost.

Hence to improve your brand appeal, mail deliverability, overall security and business compliance pay attention to these pillars. Talk to us for a free consulting assignment to get your email platform on steroids.

S Ramdas is the founder of Netzary Infodynamics. You can reach him on