Email Security in 2026: SPF, DKIM, DMARC, MTA-STS, BIMI

Manish Garg · Associate of (ISC)² · RingSafe
Apr 25, 2026
3 min read

Last updated: April 26, 2026

Email remains one of the most common initial-access vectors in enterprise breaches. SPF, DKIM, DMARC, MTA-STS, and BIMI are the modern email-authentication stack. Done correctly, they stop attackers spoofing your domain in phishing emails sent to others, protect mail in transit to you, and reduce phishing in your own inbox (your inbound filter can reject mail that fails the sender's published DMARC policy). This article covers each control, the deployment order, and how to monitor effectiveness.

The stack

Standard   What it does
SPF        Sender Policy Framework. Lists which IP ranges and services are authorised to send mail for your domain
DKIM       DomainKeys Identified Mail. Cryptographic signature over selected headers and the body of outgoing mail, verified via a public key in DNS
DMARC      Domain-based Message Authentication, Reporting and Conformance. Policy: what receivers should do when SPF / DKIM fail or don't align with the From: domain; aggregate reports back to you
MTA-STS    Mail Transfer Agent Strict Transport Security. Tells sending servers to require TLS with a valid certificate when delivering to your MX
BIMI       Brand Indicators for Message Identification. Shows your verified logo in supporting clients

Deployment order

Step 1: SPF

List the IP ranges and services that legitimately send mail as your domain.

v=spf1 ip4:1.2.3.4 ip4:5.6.7.0/24 include:_spf.google.com include:sendgrid.net ~all

Common gotchas:

  • SPF allows at most 10 DNS-querying terms per evaluation: include:, a, mx, ptr, exists and redirect= each count, recursively through every include: you pull in; ip4: and ip6: do not. Exceeding the limit is a permerror, which receivers treat as if you had published no SPF at all, so stacking include: records from several providers can silently break SPF.
  • ~all = soft fail (receivers usually accept the mail but may mark it); -all = hard fail. Start with ~all while monitoring and move to -all when confident. Note that DMARC treats softfail and fail identically (both are "SPF did not pass"), so ~all costs nothing once DMARC is enforced, whereas -all can get legitimate forwarded mail rejected at SMTP time by receivers that act on SPF hardfail before DMARC (and any DKIM pass) is evaluated.
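The lookup budget is the gotcha that bites most real deployments, so here is an added example (not code from the original article) that counts lookups the way RFC 7208 section 4.6.4 does, recursing through include: and redirect=, and flags records that exceed the limit or that are published more than once. DNS answers come from a constructed in-memory table of hypothetical domains using documentation IP ranges so it runs offline; swap lookup_txt() for a real resolver such as dnspython to audit a live domain.

```python
"""Count the DNS lookups an SPF record costs, the way RFC 7208 s4.6.4 does.

Added example for this article, not code from the original page. DNS answers
come from a constructed in-memory table (hypothetical domains, documentation
IP ranges) so the script runs offline.
"""

# Terms that cost a DNS lookup (RFC 7208 s4.6.4). ip4:, ip6: and all do not.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed DNS table: every name and record below is hypothetical.
FAKE_DNS = {
    "example.com": "v=spf1 mx ip4:192.0.2.10 ip4:198.51.100.0/24 "
                   "include:_spf.provider.test include:mail.esp.test ~all",
    "_spf.provider.test": "v=spf1 include:_a.provider.test include:_b.provider.test ~all",
    "_a.provider.test": "v=spf1 ip4:203.0.113.0/24 a mx ~all",
    "_b.provider.test": "v=spf1 ip6:2001:db8::/32 ~all",
    "mail.esp.test": "v=spf1 include:_spf1.esp.test include:_spf2.esp.test ~all",
    "_spf1.esp.test": "v=spf1 ip4:203.0.113.128/25 ~all",
    "_spf2.esp.test": "v=spf1 a:mta.esp.test exists:%{i}.rbl.esp.test ~all",
    # Two SPF records on one name: an RFC 7208 s3.2 violation (permerror).
    "multi.example.com": ["v=spf1 ip4:192.0.2.1 -all",
                          "v=spf1 include:_spf.provider.test -all"],
}


def lookup_txt(name):
    """Return the list of SPF TXT strings published at name (from the table)."""
    rec = FAKE_DNS.get(name, [])
    return rec if isinstance(rec, list) else [rec]


def count_spf_lookups(domain, _depth=0):
    """Return (lookups, problems) for domain, recursing through include:/redirect=."""
    records = [r for r in lookup_txt(domain) if r.startswith("v=spf1")]
    problems = []
    if len(records) != 1:
        problems.append(f"{domain}: {len(records)} SPF records published (must be exactly one)")
        if not records:
            return 0, problems
    lookups = 0
    for term in records[0].split()[1:]:
        term = term.lstrip("+-~?")                     # drop the qualifier
        if "=" in term and ":" not in term.split("=", 1)[0]:
            name, arg = term.split("=", 1)              # modifier, e.g. redirect=_spf.x
        else:
            name, _, arg = term.partition(":")          # mechanism, e.g. include:x or mx
        name = name.split("/", 1)[0]                    # strip a CIDR suffix such as a/24
        if name not in LOOKUP_TERMS:
            continue
        lookups += 1
        if name in ("include", "redirect") and arg:
            sub, sub_problems = count_spf_lookups(arg, _depth + 1)
            lookups += sub                              # nested lookups share the same budget
            problems.extend(sub_problems)
    if _depth == 0 and lookups > MAX_LOOKUPS:
        problems.append(f"{domain}: {lookups} DNS lookups exceed the limit of {MAX_LOOKUPS} (permerror)")
    return lookups, problems


if __name__ == "__main__":
    for d in ("example.com", "multi.example.com"):
        n, issues = count_spf_lookups(d)
        print(f"{d}: {n} lookups" + "".join("\n  ! " + p for p in issues))
```

In the constructed table, example.com looks harmless (two includes and an mx) yet costs 11 lookups once the providers' nested includes are followed, which is exactly how the "include: explosion" in the mistakes list below happens.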

Step 2: DKIM

Generate an RSA key pair (2048 bits; RFC 8301 retired keys shorter than 1024 bits and recommends 2048), publish the public key in DNS under a selector, and configure your mail server to sign outgoing mail with the private key. Selectors are what make key rotation painless: publish the new key under a new selector, switch signing to it, leave the old record up until mail already in flight has been verified, then delete it.

# DNS record for selector "default" at yourdomain.com:
default._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG..."

Most major mail providers (Google Workspace, Microsoft 365, SendGrid, Mailgun) sign for you; you just publish the DNS record they give you. Check that the signing domain (d=) in the resulting signature is your own domain (often via a CNAME from selector._domainkey.yourdomain.com to the provider), not the provider's default domain: a signature on the provider's domain is valid DKIM but does not align for DMARC, so it earns you nothing in steps 3 and 4.

Step 3: DMARC (start in monitor mode)

_dmarc.yourdomain.com TXT "v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; pct=100"
  • p=none: log only, don't act. Use for 30-90 days while observing
  • rua: aggregate (XML) report destination. If that mailbox is on a different domain from the one being reported on, the mailbox's domain must publish a DMARC report-authorisation record or receivers will drop the reports
  • ruf: forensic (per-message failure) report destination; fo=1 asks for one whenever either SPF or DKIM fails. Few large receivers still send these, and some redact them, so don't build your process around them
  • aspf and adkim are absent here, so alignment is relaxed: a subdomain of the From: domain counts as aligned. Set aspf=s / adkim=s later if you want strict alignment
  • Use a service like Postmark / Valimail / dmarcian to parse the XML reports

Reports tell you which IPs are sending mail "as" your domain and whether each passed. DMARC passes only if SPF or DKIM passes and the domain that passed aligns with the From: header domain; a third-party sender that passes SPF on its own bounce domain and signs DKIM with its own d= still fails DMARC. Identify the legitimate sources (your services) and fix them by authorising them in SPF and having them sign with your domain (a custom return-path and DKIM key on your domain at the provider). Identify the suspicious ones: these are spoofers using your domain to phish others.
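The triage described above, as an added example that is not part of the original article: it parses an aggregate report in the RFC 7489 Appendix C XML format, checks the aligned SPF/DKIM results per source IP against a constructed inventory of your known senders, and labels each source as fine, misaligned (a known service that needs its alignment fixed) or an unauthorised source. The report, the IPs (documentation ranges) and the domains are all constructed; real reports arrive as gzipped XML attachments to the rua= mailbox, and the function names are mine.

```python
"""Summarise a DMARC aggregate (rua) report and flag unauthorised sources.

Added example, not code from the original article. The XML below is a
constructed report in the RFC 7489 Appendix C format (hypothetical domains,
IPs from the documentation ranges), embedded so the script runs offline.
"""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <date_range><begin>1777075200</begin><end>1777161600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.50</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>esp.example.net</domain><result>pass</result></dkim>
      <spf><domain>bounce.esp.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""

# Constructed inventory of the sources you know send as example.com.
KNOWN_SOURCES = {
    "corporate MX": ipaddress.ip_network("192.0.2.0/24"),
    "ESP (hypothetical provider)": ipaddress.ip_network("203.0.113.0/24"),
}


def classify_source(ip):
    """Map a source IP to a known-sender label, or 'UNKNOWN'."""
    addr = ipaddress.ip_address(ip)
    for label, net in KNOWN_SOURCES.items():
        if addr in net:
            return label
    return "UNKNOWN"


def summarise(xml_text):
    """Return {source_ip: {count, dmarc_pass, owner, auth, triage}} for one report."""
    root = ET.fromstring(xml_text)
    out = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* results; DMARC passes if either does.
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        passed = "pass" in (dkim, spf)
        # auth_results holds the raw results and shows *why* alignment failed,
        # e.g. DKIM passed but on the provider's domain rather than yours.
        auth = rec.find("auth_results")
        raw = [] if auth is None else [(a.tag, a.findtext("domain"), a.findtext("result")) for a in auth]
        owner = classify_source(ip)
        if passed:
            triage = "ok"
        elif owner != "UNKNOWN":
            triage = f"misaligned: fix SPF/DKIM alignment for {owner}"
        else:
            triage = "unauthorised source: likely spoofing, investigate"
        out[ip] = {"count": count, "dmarc_pass": passed, "owner": owner, "auth": raw, "triage": triage}
    return out


def pass_rate(summary):
    """Fraction of reported messages that passed DMARC, weighted by count."""
    total = sum(r["count"] for r in summary.values())
    passed = sum(r["count"] for r in summary.values() if r["dmarc_pass"])
    return passed / total if total else 0.0


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    for ip, r in s.items():
        print(f"{ip:15} {r['count']:6} pass={r['dmarc_pass']!s:5} {r['owner']:28} {r['triage']}")
    print(f"DMARC pass rate: {pass_rate(s):.1%}")
```

The second record is the alignment failure the text warns about: the ESP's mail passes both SPF and DKIM on the ESP's own domains, so it looks healthy in the provider's dashboard but counts as a DMARC failure, and under p=reject it would be bounced. The third record is the one to escalate.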

Step 4: DMARC enforce

After 30-90 days of clean reports, switch to p=quarantine (receivers put failing mail in spam), then p=reject (receivers refuse failing mail). Use pct= to ramp gradually (for example 25, then 50, then 100) and remember that subdomains inherit p= unless you publish sp= or a _dmarc record of their own.

This is the operational milestone: receivers that enforce DMARC (all the major consumer and business providers do) will reject mail that puts your exact domain in the From: header without passing aligned SPF or DKIM. It does not stop lookalike domains, display-name spoofing, or phishing sent from a compromised account of yours, so it complements rather than replaces user-facing anti-phishing controls.

Step 5: MTA-STS

# Publish:
_mta-sts.yourdomain.com TXT "v=STSv1; id=20260426"

# And HTTPS-served policy at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt:
version: STSv1
mode: enforce
mx: mx1.yourdomain.com
mx: mx2.yourdomain.com
max_age: 86400

Requires TLS for inbound mail. Plain SMTP TLS is opportunistic: a network attacker can strip the STARTTLS offer or present any certificate, and the sending server will still deliver. With MTA-STS, sending servers that support it (Gmail and Microsoft 365 among them) refuse to deliver to your domain unless TLS negotiates with a certificate valid for one of the MX hosts listed in the policy, and they cache the policy for max_age seconds so a later DNS or MX spoof is caught. Caveats: start with mode: testing and publish a TLS-RPT record (_smtp._tls TXT, v=TLSRPTv1 with a rua= address) so you receive failure reports before switching to enforce; the policy host needs a valid HTTPS certificate and the MX hosts need certificates matching their names; bump id= every time the policy changes or senders keep the cached copy; 86400 is a fine max_age while testing, but raise it once stable (the RFC expects weeks or more); and MTA-STS protects only mail sent to you, not mail you send.
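To make the sender-side behaviour concrete, here is an added example (not code from the original article) that parses the policy file above and decides, for each connection attempt, whether a policy-aware sending MTA would deliver: it applies the one-label wildcard rule for mx: patterns from RFC 8461, checks that TLS was negotiated with a certificate matching the MX name, and shows how enforce and testing modes differ. The policy text reuses the article's placeholder hostnames with one added wildcard entry; the certificate names, the MX hosts in the test cases and the function names are mine.

```python
"""Parse an MTA-STS policy (RFC 8461) and decide whether a sender may deliver.

Added example, not code from the original article. The policy text and the
MX/certificate facts are constructed; a real sender fetches the policy from
https://mta-sts.<domain>/.well-known/mta-sts.txt over validated HTTPS and
caches it for max_age seconds.
"""
import fnmatch  # noqa: F401  (not needed; RFC wildcards are narrower than fnmatch)

POLICY_TEXT = """version: STSv1
mode: enforce
mx: mx1.yourdomain.com
mx: mx2.yourdomain.com
mx: *.backup.yourdomain.com
max_age: 604800
"""


def parse_policy(text):
    """Return {version, mode, mx: [...], max_age}; raise ValueError on a malformed policy."""
    pol = {"mx": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        key, value = key.strip(), value.strip()
        if key == "mx":
            pol["mx"].append(value.lower())
        elif key == "max_age":
            pol["max_age"] = int(value)
        else:
            pol[key] = value
    if pol.get("version") != "STSv1":
        raise ValueError("version must be STSv1")
    if pol.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("mode must be enforce, testing or none")
    if "max_age" not in pol or not pol["mx"]:
        raise ValueError("max_age and at least one mx line are required")
    return pol


def mx_matches(pattern, host):
    """Match per RFC 8461 s4.1: '*.example.com' matches exactly one extra label."""
    host = host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                      # ".example.com"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern


def delivery_decision(policy, mx_host, tls_established, cert_names):
    """Return ('deliver'|'refuse', reason) for one MX connection.

    cert_names are the hostnames (SANs) in the certificate the MX presented.
    In enforce mode any failure refuses delivery; in testing mode the mail is
    delivered anyway and the failure would be sent via TLS-RPT.
    """
    if policy["mode"] == "none":
        return "deliver", "policy mode none"
    failures = []
    if not any(mx_matches(p, mx_host) for p in policy["mx"]):
        failures.append(f"{mx_host} is not in the policy mx list")
    if not tls_established:
        failures.append("STARTTLS not negotiated")
    elif not any(mx_matches(n, mx_host) for n in cert_names):
        failures.append("certificate does not match the MX hostname")
    if not failures:
        return "deliver", "MTA-STS validated"
    if policy["mode"] == "testing":
        return "deliver", "testing mode, would report: " + "; ".join(failures)
    return "refuse", "; ".join(failures)


if __name__ == "__main__":
    pol = parse_policy(POLICY_TEXT)
    cases = [  # constructed scenarios
        ("mx1.yourdomain.com", True, ["mx1.yourdomain.com"]),        # normal delivery
        ("mx1.yourdomain.com", False, []),                           # STARTTLS stripped on the path
        ("mx1.yourdomain.com", True, ["*.attacker.example"]),        # MITM presenting a bogus cert
        ("rogue.yourdomain.com", True, ["rogue.yourdomain.com"]),    # spoofed MX not in the policy
    ]
    for host, tls, names in cases:
        print(host, *delivery_decision(pol, host, tls, names))
```

The second and third cases are the attacks the text refers to: without MTA-STS both deliver in the clear or to the attacker, and with it both are refused by a compliant sender. Note the one-label wildcard: a.b.backup.yourdomain.com does not match *.backup.yourdomain.com, which matters if you use multi-level hostnames for backup MX.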

Step 6: BIMI

Visual confirmation: supporting clients (Gmail, Apple Mail, Yahoo) display your logo next to mail that passes DMARC. Prerequisites: DMARC at enforcement on the domain (p=quarantine with pct=100, or p=reject), the logo as an SVG Tiny PS file served over HTTPS, and, for Gmail and Apple Mail, a Verified Mark Certificate (VMC) from an authorised CA, which in turn requires a registered trademark for the logo. The logo and certificate URLs are published in a default._bimi TXT record. The benefit is mostly marketing; the security benefit is indirect (it forces you to finish DMARC enforcement) plus whatever user trust the logo buys.

Monitoring

  • DMARC aggregate reports (gzipped XML, roughly one per receiver per day) parsed and reviewed weekly, ideally by an automated pipeline rather than by hand
  • Alert on new sources of mail "as" your domain (could be spoofers OR a forgotten internal service or a newly onboarded SaaS tool)
  • Track the % of mail passing DMARC over time; it should approach 100% before you enforce, and stay there afterwards
  • If you deployed MTA-STS, review TLS-RPT reports for delivery failures caused by certificate or policy problems

Common deployment mistakes

  • Multiple SPF records on the same domain (RFC 7208 forbids it; receivers return permerror, which means they treat you as having no SPF at all)
  • DMARC enforcement before DKIM is correctly configured, and aligned to your domain, for every sender
  • Forgotten subdomains used by marketing tools without SPF / DKIM, and unused subdomains left with no policy at all (give those an SPF record of just -all and a reject DMARC policy so they cannot be spoofed)
  • Subdomain DMARC inheritance confusion: subdomains inherit the organisational domain's p= unless sp= or their own _dmarc record says otherwise, so publish per-subdomain DMARC where needed
  • SPF DNS-lookup-limit explosion (flatten include: chains into ip4/ip6 entries with a tool that re-resolves them on a schedule, because provider IP ranges change and a hand-flattened record goes stale)

The takeaway

SPF + DKIM + DMARC enforcement is the table-stakes email-security control: it prevents phishing that uses your exact domain. The deployment takes a few months but is largely automated through providers. Once enforced, the brand-protection benefit compounds, because your customers stop receiving "mail from you" that wasn't from you. For DPDP-compliant Indian organisations, this is the minimum email hygiene.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.
