MX vs SPF vs DMARC vs DKIM vs BIMI
The owner of a domain name (for example: @gmail.com) can specify where mail for that domain should be delivered. It can also prove that an email was really sent on behalf of the domain. Other mail servers need some way to look up the email configuration of any domain name, which is why this configuration is stored in DNS records:
- Which mail server email should be sent to (MX)
- Which servers are allowed to send email from a domain (SPF)
- Which public key can be used to verify the integrity of an email (DKIM)
- What should happen when an email does not conform to SPF or DKIM (DMARC)
- Which logo should be displayed in email clients (BIMI)
MX: Specifying mail servers
The MX (Mail Exchanger) record specifies which mail server handles incoming mail for a given domain. When a mail server sends an email for a domain, it will perform a DNS lookup to find the MX record for that domain. It then delivers the email to the specified mail server. This allows the owner of a domain to control where their email is delivered.
In addition to specifying the mail server, the MX record also includes a preference value. This value determines the order in which mail servers will be tried when multiple MX records exist for a domain. The mail server with the lowest preference value will be tried first, followed by the mail server with the next lowest value, and so on. This allows the owner of a domain to specify a primary mail server and one or more backup mail servers in case the primary server is unavailable.
SPF: Allowing servers to send email
The SPF (Sender Policy Framework) record specifies which servers are allowed to send email on behalf of a given domain. This is an important security measure. It helps to prevent spam and phishing by unauthorized mail servers.
When a mail server receives an email from a domain, it will perform a DNS TXT lookup to find the SPF record for the domain. If the server that sent the email is not listed in the SPF record, the email may be marked as spam or rejected. This helps to protect the recipient from spam and phishing, and it protects the reputation of the sender's domain.
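As an added example (not code from the original article) of the check a receiving server performs, this Python evaluates a constructed SPF record against a sender IP. It handles only the ip4, ip6 and all mechanisms; include, a and mx need live DNS lookups and are deliberately not implemented, and the record and addresses are placeholders.

```python
import ipaddress

# Constructed SPF record for a placeholder domain (example.com).
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

# Qualifier prefix -> SPF result when the mechanism matches (RFC 7208).
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip: pass, fail, softfail, neutral,
    permerror, or none when the TXT record is not an SPF record at all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a prefix means "pass on match"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.lower().split("/")[0]  # "mx/24" -> "mx"
        if mechanism == "all":
            return QUALIFIER_RESULT[qualifier]  # "all" always matches
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(argument, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
            continue
        if mechanism in ("include", "a", "mx", "exists", "ptr") or "=" in term:
            # These need DNS queries (or are modifiers such as redirect=); this
            # offline example stops rather than guessing.
            raise NotImplementedError(f"'{term}' needs a DNS lookup")
        return "permerror"  # unknown mechanism: the record is invalid
    return "neutral"  # nothing matched and no "all": RFC 7208 default
```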
DKIM: Proving email integrity
The DKIM (DomainKeys Identified Mail) record allows a domain owner to prove the integrity of an email. This is done by attaching a digital signature to the email. Receiving mail servers can verify this signature using the DKIM record.
When an email is sent, the sending mail server will generate a digital signature for the email using a private key. It includes this signature in the email as a DKIM-Signature header.
The receiving mail server will perform a DNS TXT lookup to find the DKIM record for the domain. The record will include the public key that corresponds to the private key that was used to generate the signature. The receiving mail server can then use this public key to verify the integrity of the email.
If the signature is valid, it indicates that the email has not been tampered with and was sent by an authorized server. This helps to protect the sender and recipient of the email, as it ensures that no unauthorized third party can change the email. It also helps to prevent spam and phishing, as the receiving mail server can verify that the email was actually sent by the domain that it claims to be from.
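As an added illustration of the integrity check described above (not code from the original article), this Python recomputes the body hash carried in the bh= tag of a constructed DKIM-Signature header, using the "simple" body canonicalization, and compares it with the received body. The domain, selector and b= value are placeholders; verifying the b= signature over the headers would additionally need the public key from the selector's DNS TXT record.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body_simple(body: bytes) -> bytes:
    """DKIM 'simple' body canonicalization (RFC 6376): normalise line endings to
    CRLF, drop every empty line at the end of the body, keep one trailing CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes, algorithm: str = "sha256") -> str:
    """Base64 digest the signer places in the bh= tag."""
    digest = hashlib.new(algorithm, canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode()


def parse_dkim_signature(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs; whitespace inside a
    value is header folding and is dropped."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(header_value: str, body: bytes) -> bool:
    """Recompute bh= over the received body and compare with the signer's value.
    Only 'simple' body canonicalization is handled in this example."""
    tags = parse_dkim_signature(header_value)
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if tags.get("v") != "1" or body_canon != "simple" or "bh" not in tags:
        return False
    algorithm = tags.get("a", "rsa-sha256").split("-")[-1]  # rsa-sha256 -> sha256
    return hmac.compare_digest(body_hash(body, algorithm), tags["bh"])


# Constructed message and header; example.com, the selector and b= are placeholders.
BODY = b"Hello,\r\n\r\nYour invoice for March is attached.\r\n\r\n\r\n"
DKIM_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=sel1;"
                  " h=from:to:subject:date; bh=" + body_hash(BODY) + "; b=<signature omitted>")
```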
DMARC: Providing policies for non-conforming emails
The DMARC (Domain-based Message Authentication, Reporting and Conformance) record specifies the policies that should be applied to emails that do not conform to the SPF or DKIM standards. This allows the owner of a domain to control how other mail servers handle email when it doesn't pass these checks.
When a mail server receives an email from a domain, it will perform a DNS TXT lookup to find the DMARC record for the domain. If the email does not conform to the SPF or DKIM standards, the receiving mail server will use the instructions in the DMARC record to determine how to handle the email. The DMARC record may specify that such emails should be rejected, or that they should be marked as spam.
In addition to specifying the policies for handling unauthenticated email, the DMARC record may also include a reporting mechanism. This allows the owner of the domain to receive reports from other mail servers about how their domain's email is being handled. This can help the domain owner to identify potential issues with their email configuration.
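As an added example (not code from the original article) of how a receiver turns the DMARC record into a decision, this Python parses a constructed record and applies its policy to SPF and DKIM results, including identifier alignment (the adkim= and aspf= tags: the domain that passed SPF or DKIM must match the From: header domain, exactly or at the organizational level). The record and domains are placeholders, the record is assumed to have been found at the organizational domain, and the organizational-domain helper is a two-label approximation of what the Public Suffix List provides.

```python
# Constructed DMARC record; example.com and the rua address are placeholders.
DMARC_RECORD = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record: str):
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain: str) -> str:
    """Assumption: the organizational domain is the last two labels.
    Real receivers consult the Public Suffix List (e.g. for co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') only needs
    the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Return (disposition, dmarc_pass): disposition is none (deliver),
    quarantine or reject. pct= sampling and reporting are not modelled."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none", False  # no policy published: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(
        spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "none", True  # one aligned pass is enough
    # sp= overrides p= when From: is a subdomain of the policy domain
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        return tags["sp"], False
    return tags["p"], False
```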
BIMI: Specifying a logo
The BIMI (Brand Indicators for Message Identification) record allows the owner of a domain to specify a logo that email clients should show. This can help to increase the visibility and recognition of the domain's brand. It also improves the user experience for recipients of email from the domain.
To use BIMI, the domain owner must first create a digital version of their logo, and then publish a BIMI record in the DNS. The record should include the URL of the logo. When an email is received from the domain, the email client will perform a DNS lookup to find the BIMI record. If the record is found, the email client may display the specified logo next to the sender's name in the email.
BIMI is an optional feature, and not all email clients support it. Most of those that do will only display the logo if there is a VMC (Verified Mark Certificate) for the domain name. Getting such a certificate requires a brand trademark and involves a verification process. Not to mention the $1000 yearly price tag. This is why most domain names don’t have BIMI configured.