Email security, defined
The jargon of email authentication, in plain English - with a link to go deeper on each.
Email security is full of acronyms, and most explanations assume you already know the others. This glossary keeps it plain. Whether you run your own domains or look after clients’, these are the terms you’ll meet when you set up authentication, read your reports and tighten things down. Where a term has its own how-it-works page, we’ve linked it.
Authentication & identity
SPF
Sender Policy Framework – a DNS record listing which mail servers are allowed to send email for your domain. Receivers check the sending server against it.
DKIM
DomainKeys Identified Mail – a cryptographic signature added to each message so receivers can confirm it really came from your domain and wasn’t altered in transit.
DMARC
Domain-based Message Authentication, Reporting & Conformance – ties SPF and DKIM to your visible “From” address, tells receivers what to do with mail that fails, and asks them to report back.
Alignment
Also called identifier alignment. DMARC only passes when the domain proven by SPF or DKIM matches the domain in the visible “From” address. SPF or DKIM passing on its own isn’t enough.
DKIM selector
A short label inside a DKIM signature that points to which public key in your DNS to use. It lets you run, and rotate, several keys at once.
ARC
Authenticated Received Chain – preserves the original authentication results as a message is forwarded, so legitimate forwarded mail isn’t wrongly failed.
Policy & reporting
DMARC policy (p=)
Your instruction to receivers: p=none monitors only, p=quarantine sends failures to spam, p=reject blocks them outright. Only reject actually stops spoofing.
RUA (aggregate reports)
Daily XML summaries of all mail seen using your domain – who sent it, how much, and whether it passed. This is the data you use to tune your setup.
RUF (failure reports)
Forensic reports – copies of individual messages that failed authentication, the closest thing to seeing an attack as it happens. Not every receiver sends them.
Subdomain policy (sp=)
A DMARC tag that sets a different policy for your subdomains than for the main domain – handy for locking down subdomains that should never send mail.
Transport security
MTA-STS
Mail Transfer Agent Strict Transport Security – tells other servers to deliver mail to you only over an encrypted TLS connection, blocking downgrade and interception attacks.
TLS-RPT
TLS Reporting – asks sending servers to report back when they couldn’t deliver to you securely over TLS, so you can spot encryption and delivery problems early.
DNSSEC
DNS Security Extensions – cryptographically signs your DNS records so attackers can’t forge or tamper with the answers people get for your domain.
Threats & reputation
Spoofing
Forging the “From” address so a message appears to come from your domain when it didn’t. A DMARC policy of p=reject is what stops it reaching inboxes.
Phishing
Fraudulent messages that trick people into handing over credentials, money or data – usually by impersonating a trusted brand, colleague or service.
Business Email Compromise (BEC)
Targeted fraud where an attacker poses as an executive, supplier or colleague to authorise payments or divert data. Often relies on spoofing or lookalike domains.
Display-name spoofing
Faking only the friendly sender name (e.g. “Finance Team”) while the real address is unrelated. SPF, DKIM and DMARC don’t check the display name, so it can slip past authentication.
Blocklist / DNSBL
A published list of IPs or domains known for spam or abuse. Mail servers query these DNS-based blocklists to decide whether to reject or flag mail – landing on one hurts your deliverability.
DNS plumbing
MX record
Mail Exchanger record – the DNS entry that tells the world which servers receive email for your domain.
TXT record
A free-form DNS text record. SPF, DMARC and DKIM are all published as TXT records.
SPF 10-lookup limit
SPF is allowed a maximum of 10 DNS lookups while it’s evaluated. Add enough cloud senders via “include” and you exceed it – and SPF stops passing.
SPF flattening
Replacing the “include” entries in your SPF record with the raw IP addresses they resolve to, keeping you safely under the 10-lookup limit.
permerror
The permanent error SPF returns when it’s broken – most often from exceeding the 10-lookup limit. In practice it usually means SPF can no longer pass.
Forwarding
When a mailbox or mailing list re-sends your message, the sending server changes, so SPF breaks – even for genuine mail. DKIM (and ARC) are what survive forwarding, which is why DMARC needs both SPF and DKIM.
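The SPF 10-lookup limit, SPF flattening and permerror entries above, worked through as an added example (not part of the original glossary or any vendor's tool). It counts the DNS-querying terms in an SPF record and everything it includes; the domain names, the ZONE and FLAT records and the function names are constructed for illustration, and the count is the static worst case rather than a live evaluation.

```python
import re

# Constructed TXT data standing in for live DNS; every name here is made up.
LEAF = "v=spf1 ip4:192.0.2.0/24 ~all"   # include target with no further lookups
ZONE = {
    "example.test": "v=spf1 mx include:_spf.mailer.test include:_spf.crm.test "
                    "include:_spf.desk.test ~all",
    "_spf.mailer.test": "v=spf1 include:_a.mailer.test include:_b.mailer.test "
                        "include:_c.mailer.test ~all",
    "_a.mailer.test": LEAF, "_b.mailer.test": LEAF, "_c.mailer.test": LEAF,
    "_spf.crm.test": "v=spf1 a mx include:_spf.relay.test ~all",
    "_spf.relay.test": LEAF,
    "_spf.desk.test": "v=spf1 a:mail.desk.test ~all",
}
# The same domain after flattening: includes replaced by (constructed) IP ranges.
FLAT = {"example.test": "v=spf1 mx ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                        "ip4:203.0.113.0/24 ~all"}

# Terms that cost a DNS query (RFC 7208 section 4.6.4); ip4, ip6 and all are free.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10
TERM = re.compile(r"[+\-~?]?([a-z0-9]+)(?:[:=]([^/]+))?")


def count_lookups(domain, zone, path=()):
    """Count every DNS-querying term reachable from domain's SPF record."""
    record = zone.get(domain)
    if record is None or domain in path:      # missing target or include loop
        raise LookupError(domain)
    total = 0
    for term in record.lower().split()[1:]:   # skip the v=spf1 version tag
        match = TERM.match(term)
        name, target = match.groups() if match else (None, None)
        if name in LOOKUP_TERMS:
            total += 1                        # the term itself is one lookup
            if name in ("include", "redirect") and target:
                total += count_lookups(target, zone, path + (domain,))
    return total


def spf_status(domain, zone):
    """Return (result, lookups); permerror once the count exceeds LIMIT."""
    try:
        used = count_lookups(domain, zone)
    except LookupError:
        return "permerror", None
    return ("permerror" if used > LIMIT else "ok"), used
```

Three includes look harmless in the top-level record, but the nested ones bring the total to 11; the flattened record needs a single lookup for mx.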