A
- Alignment
- DMARC check rule: the domain in the visible From address must match the domain that SPF verified or DKIM signed. In strict alignment it must be exact; in relaxed a subdomain is enough.
- ARC — Authenticated Received Chain
- An extension that lets forwarding servers attest to the original authentication result. Helps prevent DMARC failures on forwarded mail.
B
- BIMI — Brand Indicators for Message Identification
- Standard that displays the company logo next to the sender line in the inbox. Requirement: an active DMARC policy. Details.
D
- DKIM — DomainKeys Identified Mail
- Cryptographic signature attached to the email at send time. The recipient fetches the public key from DNS and verifies the signature. Details.
- DMARC — Domain-based Message Authentication, Reporting & Conformance
- Policy protocol that ties SPF and DKIM together and tells the recipient what should happen with non-authenticated mail. Details.
- DNSSEC — DNS Security Extensions
- Signed DNS records that prevent tampering. The basis for DANE and secure BIMI.
- DANE — DNS-based Authentication of Named Entities
- Alternative to MTA-STS: TLS certificate information is published directly via DNSSEC. Less common, but works without an HTTPS policy host.
H
- Hard-Fail
- SPF result when the sending IP is not on the list and the policy is set to
-all. Recommendation: reject.
K
- Keyserver
- Public servers where PGP keys can be stored and searched.
M
- MTA — Mail Transfer Agent
- The server service that transports email between servers. Examples: Postfix, Exim, Exchange.
- MTA-STS — MTA Strict Transport Security
- Forces sending servers to deliver only with a valid TLS certificate — protection against downgrade attacks. Details.
- MX record
- DNS record that specifies which server receives mail for a domain.
P
- PGP / OpenPGP — Pretty Good Privacy
- End-to-end encryption approach for email, based on a web of trust. Comparison with S/MIME.
- Phishing
- Attempt to deceive users with a forged email — often with a spoofed sender address. DMARC is the most important countermeasure at the domain level.
- Policy
- Rule in the DMARC record that determines how non-authenticated mail is handled:
none,quarantineorreject.
R
- rua / ruf
- DMARC parameters for report addresses:
ruafor daily aggregate reports,ruffor forensic per-message reports.
S
- Selector
- Name component before
._domainkey.in DKIM records. Allows multiple parallel keys per domain (e.g. for rotation or different services). - S/MIME — Secure / Multipurpose Internet Mail Extensions
- CA-based approach for encrypting and signing email. Comparison with PGP.
- Soft-Fail
- SPF result with
~all: the IP is not listed, but the mail is usually still delivered and only marked. - SPF — Sender Policy Framework
- List of permitted sending servers, published as a DNS TXT record. Details.
- Spoofing
- Forging the sender address of an email. Technically trivial — SPF, DKIM and DMARC are the standard defence.
T
- TLS — Transport Layer Security
- Encryption protocol for the connection between two mail servers. Not to be confused with end-to-end encryption.
- TLS-RPT
- DNS record that specifies report addresses for TLS delivery issues. Complements MTA-STS. Details.
- TXT record
- DNS record type that can store arbitrary text. The basis for SPF, DKIM, DMARC, BIMI, MTA-STS and TLS-RPT.
V
- VMC — Verified Mark Certificate
- Certificate that proves a logo belongs to a registered trademark. Prerequisite for BIMI at Gmail and Yahoo.