SSL Checker DMARC Meta Tags Site Speed Broken Links AI Chat Bookings Try ModusOp

Email Authentication Glossary

A reference of every term that turns up in email authentication — SPF, DKIM, DMARC, BIMI, ARC, alignment, selectors, and the rest. Bookmark and come back as needed.

ABCDEFHMOPQRSTV

A

Alignment
DMARC's requirement that the SPF or DKIM-authenticated domain match (or fall under) the visible From domain. A pass without alignment doesn't satisfy DMARC. Two modes: relaxed (default — subdomains count) and strict (exact match required).
ARC (Authenticated Received Chain)
Headers that let intermediaries (mailing lists, gateways) preserve a record of original authentication, so receivers can accept modified messages without DMARC failures. See our forwarding guide.
Authentication-Results Header
An RFC 8601 header that receivers add to messages, recording the SPF, DKIM, and DMARC results they observed. Useful for debugging — Gmail, Outlook, and most major receivers populate it.

B

BIMI (Brand Indicators for Message Identification)
A standard for displaying verified brand logos next to messages in supporting inboxes. Requires DMARC enforcement and an SVG logo published in DNS. See our BIMI guide.
Bounce
A failed delivery returned to the sender. Hard bounces (mailbox doesn't exist) are permanent; soft bounces (mailbox full, server temporarily down) are transient.

C

Canonicalization
How DKIM normalises headers and body before computing the signature hash. simple requires exact byte match; relaxed forgives whitespace changes. Most modern signers use relaxed/relaxed.

D

DKIM (DomainKeys Identified Mail)
An authentication method where the sender cryptographically signs each message; receivers verify the signature against a public key in DNS. Survives forwarding because the signature is in the headers. See our DKIM guide.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
The policy layer on top of SPF and DKIM. Tells receivers what to do with mail that fails authentication, and arranges aggregate reports back to the sender. See our policy progression guide.
Disposition
What a receiver did with a message — none, quarantine, or reject. Reported in DMARC aggregate reports under policy_evaluated/disposition.

E

Envelope From / Return-Path
The "from" address used at the SMTP layer (visible in MAIL FROM:), which can differ from the visible From: header. SPF authenticates against the envelope From; DMARC alignment compares the envelope From to the header From.

F

Failure Report (RUF)
Per-message DMARC failure report, sent on each failure (or per the fo setting). More granular than aggregate reports but rarely sent in practice — most providers don't generate them.
From Rewriting
A technique where mailing lists replace the visible From with the list's own address (with the original sender in Reply-To), so the message can be re-signed with the list's DKIM and pass DMARC.

H

Hardfail / Softfail (SPF)
The -all qualifier (hardfail) tells receivers to reject non-matching mail; ~all (softfail) tells them to accept but mark as suspicious. See our SPF guide.
Header From
The "From:" line visible to recipients in their mail client. The domain of this address is what DMARC alignment checks against.

M

MTA (Mail Transfer Agent)
A server that sends and receives email. Postfix, Exim, Sendmail, and Microsoft Exchange are MTAs.
MTA-STS (Mail Transfer Agent Strict Transport Security)
A standard that lets a receiving domain advertise it requires TLS for inbound mail and tells senders to refuse to deliver over plain SMTP. Email's equivalent of HTTPS HSTS.

O

opendkim / opendmarc
Open-source milters (mail filters) for Postfix/Sendmail that handle DKIM signing/verification and DMARC evaluation respectively. Standard tooling on self-hosted Linux mail servers.

P

p= (DMARC policy)
The DMARC tag specifying enforcement level: none (observation only), quarantine (mark as spam), or reject (refuse delivery).
pct=
The percentage of messages a DMARC policy applies to. pct=10 means 10% of failing mail gets the policy; the other 90% gets p=none treatment. Used during gradual rollouts.
Public Key (DKIM)
The non-secret half of a DKIM keypair, published as a TXT record in DNS. Used by receivers to verify signatures. Should be 2048 bits as of 2026.

Q

Quarantine
A DMARC disposition asking receivers to deliver failing messages to a spam or junk folder rather than the inbox. Less severe than reject.

R

Reject
A DMARC disposition asking receivers to refuse delivery of failing messages at the SMTP layer. The strongest enforcement level.
rua=
The DMARC tag specifying where to send aggregate reports. Format: rua=mailto:[email protected].
ruf=
The DMARC tag specifying where to send per-message failure reports. Less commonly populated than RUA.

S

Selector (DKIM)
A label that identifies which DKIM key was used to sign a message. The receiver looks up {selector}._domainkey.{domain} in DNS to find the matching public key.
Sender Domain
The domain claimed in the message's From header. The domain DMARC enforces against.
SPF (Sender Policy Framework)
An authentication method where the domain owner publishes a list of authorised sending IPs; receivers verify the connection IP against the list. Doesn't survive forwarding. See our SPF guide.
Spoofing
Sending mail with a forged From address. The primary threat DMARC defends against. Phishing usually involves spoofing.
sp=
The DMARC tag specifying a separate policy for subdomains. sp=reject on the apex protects all subdomains, including ones you don't actually use.

T

TLS-RPT
A standard for receivers to publish a reporting endpoint for TLS errors during inbound delivery. Pairs with MTA-STS for diagnosing transport-level issues.

V

Verified Mark Certificate (VMC)
A digital certificate issued by a CA proving you legally own the trademark on a logo. Required by Gmail to display your BIMI logo. Costs $1,000–$2,000/year.

Verify your domain's email auth

DMARC Dashboard checks SPF, DKIM, DMARC, BIMI, and MTA-STS for any domain in seconds.

Check Your Domain →