DNSSEC provides a way to ensure that the DNS answers a client is receiving from a DNS resolver are correct and have not been tampered with. DNSSEC must be configured at the domain's registrar and nameservers.
Learn more about DNSSEC.
Sender Policy Framework (SPF) authenticates email by checking the sending email server IP address against a list of domains provided by the SPF record of the envelope from domain. The SPF record can include other records, with up to 10 DNS lookups.
Learn more about SPF.
Record: v=spf1 -all all: fail
v=spf1 -all
fail
Domain-based Message Authentication, Reporting, and Conformance (DMARC) ensures that the SPF and DKIM authentication mechanisms actually authenticate against the same base domain that the end user sees.
Learn more about DMARC.
Record: v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s Location: example.com
v=DMARC1;p=reject;sp=reject;adkim=s;aspf=s
example.com
Brand Indicators for Message Identification (BIMI) is an emerging email specification that allows brand images such as logos to appear in the inbox and/or next to the from address in supporting mailbox providers.
Learn more about BIMI.
SMTP MTA Strict Transport Security (MTA-STS) provides a way for domain owners to tell email services that they should only send email to the domain over a verified TLS connection to specific email servers. This prevents man-in-the-middle attacks when the sending email server supports it.
Learn more about MTA-STS.
SMTP TLS Reporting (TLSRPT) is a mechanism for sending email servers to provide statistics to domain owners about failures to establish TLS connections for SMTP. This allows domain owners to proactively identify TLS misconfigurations and man-in-the-middle attacks.
Learn more about TLSRPT.
Record: ns.icann.org. noc.dns.icann.org. 2025082283 7200 3600 1209600 3600
ns.icann.org. noc.dns.icann.org. 2025082283 7200 3600 1209600 3600