Email Authentication Methods Compared: SPF, DKIM, DMARC, BIMI & MTA-STS
Email authentication has evolved far beyond SPF and DKIM. Today, there are six major protocols that work together to verify senders, protect message integrity, enforce policies, display brand logos, and encrypt email in transit. Here is how they compare.
The Six Email Authentication Protocols
1. SPF (Sender Policy Framework)
SPF is the foundation of email authentication. It publishes a list of authorized sending servers as a DNS TXT record. When a receiving server gets an email, it checks whether the connecting IP address is on the approved list. SPF is simple to implement but has limitations — it validates only the envelope sender (the SMTP MAIL FROM address), not the From header the recipient sees, and it breaks when a message is forwarded, because the forwarding server's IP is not in the original domain's list.
Difficulty: Easy | Required: Yes
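The check a receiving server performs, as an added example that is not part of the original article: a small SPF evaluator over a constructed DNS table (the domains and addresses are documentation values, assumed for this example). It handles the `ip4`, `ip6`, `include` and `all` terms with their qualifiers, and shows both limitations the text mentions: the evaluation sees only the MAIL FROM domain and the last-hop IP, so a forwarder's address falls through to the `-all` term and fails.

```python
import ipaddress

# Constructed DNS zone for this example; documentation addresses and names,
# not real records for any domain.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
                   "include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
}

# SPF qualifiers that may prefix a mechanism; "+" (pass) is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the domain's SPF TXT record, or None if it publishes none."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(domain, ip, depth=0):
    """Evaluate the connecting IP against the domain's SPF record.

    `domain` is the envelope-sender (MAIL FROM) domain, which is all SPF
    sees; the From: header is never consulted. Handles ip4, ip6, include and
    all. The a, mx, ptr and exists mechanisms need live DNS and are treated
    as non-matching in this example. Returns (result, reason).
    """
    if depth > 10:  # simplified stand-in for RFC 7208's DNS-lookup limit
        return "permerror", "too many nested include terms"
    record = lookup_spf(domain)
    if record is None:
        return "none", f"no SPF record for {domain}"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], f"{domain}: matched {qualifier}all"
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", f"{domain}: malformed network {arg!r}"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier], f"{domain}: matched {name}:{arg}"
        elif name == "include":
            sub, _ = check_spf(arg, ip, depth + 1)
            if sub == "pass":
                return QUALIFIERS[qualifier], f"{domain}: matched include:{arg}"
            if sub in ("none", "permerror", "temperror"):
                # RFC 7208: including a domain without a usable record is a permerror
                return "permerror", f"{domain}: include:{arg} returned {sub}"
        # Any other mechanism or modifier: no match, keep scanning.
    return "neutral", f"{domain}: no mechanism matched and no 'all' term"


if __name__ == "__main__":
    # 203.0.113.9 plays the role of a forwarding server the domain never listed.
    for sender_ip in ("192.0.2.77", "2001:db8:1::5", "198.51.100.10", "203.0.113.9"):
        print(sender_ip, check_spf("example.com", sender_ip))
```

The `include` branch is where most real-world SPF trouble lives: each nested record counts toward the lookup limit, and an included domain that has no record turns the whole evaluation into a `permerror`, which DMARC then treats as a failure.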
2. DKIM (DomainKeys Identified Mail)
DKIM uses public-key cryptography to sign outgoing emails. The sending server signs selected headers and the body with a private key, and the corresponding public key is published in DNS under a selector. Receivers verify the signature to confirm the message was not altered in transit. Unlike SPF, DKIM survives forwarding because the signature travels with the message as a header and does not depend on the IP address of the last server that handled it.
Difficulty: Medium | Required: Yes
3. DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC builds on SPF and DKIM by adding alignment checking and policy enforcement. It ensures the domain in the From header matches the domain verified by SPF or DKIM, and it tells receivers whether to deliver, quarantine, or reject failing messages. DMARC also enables aggregate and forensic reporting, giving domain owners visibility into email authentication results.
Difficulty: Medium | Required: Yes (for bulk senders)
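How a receiver turns the SPF and DKIM results into a DMARC verdict, as an added example that is not part of the original article. It parses a DMARC record with its defaults, applies relaxed or strict alignment between the From domain and the domains SPF and DKIM vouched for, and picks the disposition (`p` for the organizational domain, `sp` for subdomains, stepped down when a message falls outside `pct`). The records and domains are constructed for the example, and the organizational-domain helper is a deliberate simplification that real verifiers replace with the Public Suffix List. The three records also mirror the rollout the article recommends: monitor, then partial reject, then full enforcement.

```python
# Constructed records for this example; the domains are reserved documentation names.
DMARC_STRICT = ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; "
                "rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com")
DMARC_ROLLOUT = "v=DMARC1; p=reject; pct=20; rua=mailto:dmarc-agg@example.com"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com"

# Action applied to failing messages that fall outside the pct sample (RFC 7489).
NEXT_LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, filling in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")     # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")      # SPF alignment
    tags.setdefault("pct", "100")     # share of failing messages the policy applies to
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Assumption for this example only: real verifiers use the Public Suffix
    List, and this shortcut is wrong for names such as example.co.uk.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, bucket=0):
    """Combine SPF and DKIM results with alignment into a DMARC verdict.

    spf_domain is the MAIL FROM domain SPF checked; dkim_domain is the d= tag
    of a signature that verified. bucket is a constructed 0-99 sample value
    used to apply pct. Returns (dmarc_result, disposition, details).
    """
    tags = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    details = {"spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    if spf_aligned or dkim_aligned:
        return "pass", "none", details
    # Failing: p applies to the org domain itself, sp to its subdomains.
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    policy = tags["sp"] if is_subdomain else tags["p"]
    if bucket >= int(tags["pct"]):
        policy = NEXT_LESS_STRICT[policy]
    details["policy_applied"] = policy
    return "fail", policy, details


if __name__ == "__main__":
    # A bounce subdomain in MAIL FROM passes under relaxed SPF alignment...
    print(evaluate_dmarc(DMARC_STRICT, "example.com", "pass", "bounce.example.com", "fail", None))
    # ...but a signature from a subdomain fails under strict DKIM alignment.
    print(evaluate_dmarc(DMARC_STRICT, "example.com", "fail", None, "pass", "mail.example.com"))
```

Either aligned pass is enough; that is why a forwarded message that loses SPF can still pass DMARC on its DKIM signature, and why the article ranks DKIM as required rather than optional.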
4. BIMI (Brand Indicators for Message Identification)
BIMI is the newest addition to the email authentication family. It allows organizations to display their brand logo next to authenticated emails in supported inbox providers like Gmail, Apple Mail, and Yahoo. BIMI requires DMARC with a policy of p=quarantine or p=reject. For Gmail, you also need a Verified Mark Certificate (VMC) from a certificate authority, which requires a registered trademark.
Difficulty: Medium-Hard | Required: No (recommended for brands)
5. MTA-STS (Mail Transfer Agent Strict Transport Security)
MTA-STS tells sending servers that support it to deliver to your domain only over TLS with a valid certificate. Without MTA-STS, SMTP encryption is opportunistic: even if your mail server supports TLS, an attacker positioned on the network can strip the STARTTLS offer (a downgrade attack) and cause the sender to fall back to plaintext. MTA-STS works by publishing a policy file at a well-known HTTPS URL and a corresponding DNS TXT record whose id changes whenever the policy does. It is similar to HSTS for websites but applied to email.
Difficulty: Medium | Required: No (recommended)
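The two artifacts MTA-STS publishes and the decision a sending MTA makes from them, as an added example that is not part of the original article. The policy text and DNS record are constructed for example hosts; the parser validates the `version`, `mode`, `mx` and `max_age` fields, the MX matcher implements the one-label wildcard, and `delivery_decision` shows the point of the protocol: in `enforce` mode a failed TLS handshake or an MX outside the list means defer, never plaintext, while `testing` mode delivers and reports.

```python
# Constructed policy as it would be served at
# https://mta-sts.example.com/.well-known/mta-sts.txt (example host, not real).
POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.backup.example.net
max_age: 604800
"""

# Constructed companion TXT record at _mta-sts.example.com; a changed id tells
# senders to refetch the policy before its cached max_age expires.
DNS_TXT = "v=STSv1; id=20240101T000000;"

VALID_MODES = ("enforce", "testing", "none")


def parse_sts_dns(record):
    """Parse the _mta-sts TXT record and return the policy id."""
    fields = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            fields[key.strip().lower()] = value.strip()
    if fields.get("v") != "STSv1" or not fields.get("id"):
        raise ValueError("invalid MTA-STS DNS record")
    return fields["id"]


def parse_policy(text):
    """Parse the mta-sts.txt policy file (RFC 8461 key: value lines)."""
    policy = {"mx": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed policy line {line!r}")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        else:
            policy[key] = value
    if policy.get("version") != "STSv1":
        raise ValueError("unsupported policy version")
    if policy.get("mode") not in VALID_MODES:
        raise ValueError("mode must be enforce, testing or none")
    policy["max_age"] = int(policy.get("max_age", "0"))
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies need at least one mx line")
    return policy


def mx_matches(mx_host, patterns):
    """True if the MX hostname matches a policy mx entry; '*.' covers exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".backup.example.net"
            if host.endswith(suffix) and "." not in host[:-len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy, mx_host, tls_negotiated, cert_valid_for_mx):
    """What a sending MTA honoring the policy should do for one MX connection."""
    if policy["mode"] == "none":
        return "deliver"  # policy withdrawn; back to opportunistic TLS
    ok = mx_matches(mx_host, policy["mx"]) and tls_negotiated and cert_valid_for_mx
    if ok:
        return "deliver"
    if policy["mode"] == "enforce":
        return "defer"  # never fall back to plaintext; retry or try another MX
    return "deliver-and-report"  # testing: deliver anyway, emit a TLSRPT failure


if __name__ == "__main__":
    policy = parse_policy(POLICY_TEXT)
    print("policy id:", parse_sts_dns(DNS_TXT), "mode:", policy["mode"])
    print("good MX, TLS ok:", delivery_decision(policy, "mail.example.com", True, True))
    print("STARTTLS stripped:", delivery_decision(policy, "mail.example.com", False, False))
```

Start in `testing` mode with TLSRPT reporting before switching to `enforce`, since a certificate that does not match an MX name or an MX left off the list turns into deferred mail the moment enforcement is on.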
6. DANE (DNS-based Authentication of Named Entities)
DANE uses DNSSEC to bind TLS certificates directly to DNS records (TLSA records). This eliminates the need to trust external Certificate Authorities. DANE is more secure than MTA-STS but requires DNSSEC support, which many domains do not have. It is most commonly used in European countries where DNSSEC adoption is higher.
Difficulty: Hard | Required: No (recommended if DNSSEC is available)
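What a TLSA record contains and how a sender checks a certificate against it, as an added example that is not part of the original article. The certificate and SubjectPublicKeyInfo bytes are constructed placeholders (real ones come from the MX's X.509 certificate), and only the DANE-EE usage (`3 1 1`, the form most SMTP deployments publish) is implemented. The `dnssec_validated` flag makes the dependency the article describes explicit: an unsigned TLSA answer proves nothing, which is why DANE is gated on DNSSEC.

```python
import hashlib
import hmac

# Constructed stand-ins for the DER-encoded SubjectPublicKeyInfo and the full
# certificate of the MX; real values would be extracted from the X.509 cert.
SPKI_DER = bytes.fromhex("301006072a8648ce3d020106052b8104000a")  # constructed
CERT_DER = b"\x30\x82\x01\x00" + SPKI_DER + b"constructed-cert-tail"  # constructed

# TLSA field meanings (RFC 6698; RFC 7672 applies them to SMTP).
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}
MATCHING = {0: "exact", 1: "sha256", 2: "sha512"}


def tlsa_name(mx_host, port=25):
    """Owner name of the TLSA record for an SMTP MX, e.g. _25._tcp.mail.example.com."""
    return f"_{port}._tcp.{mx_host.lower().rstrip('.')}"


def build_tlsa(der, usage=3, selector=1, mtype=1):
    """Presentation form of a record: '3 1 1 <sha256 of SPKI>' by default."""
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](der).hexdigest()
    return f"{usage} {selector} {mtype} {digest}"


def parse_tlsa(text):
    """Split 'usage selector mtype hexdata' and validate each field."""
    usage, selector, mtype, data = text.split(None, 3)
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage not in USAGES or selector not in SELECTORS or mtype not in MATCHING:
        raise ValueError("unknown TLSA field value")
    return usage, selector, mtype, bytes.fromhex(data.replace(" ", ""))


def tlsa_matches(record, cert_der, spki_der, dnssec_validated):
    """Check a presented certificate against one TLSA record.

    Only DANE-EE (usage 3) is handled: the end-entity certificate or its key
    must match the record directly, with no certificate authority involved.
    The result is meaningless unless the TLSA lookup was DNSSEC-validated.
    """
    if not dnssec_validated:
        return False
    usage, selector, mtype, data = parse_tlsa(record)
    if usage != 3:
        raise NotImplementedError("usages 0-2 need chain building; out of scope here")
    target = spki_der if selector == 1 else cert_der
    if mtype == 0:
        digest = target
    elif mtype == 1:
        digest = hashlib.sha256(target).digest()
    else:
        digest = hashlib.sha512(target).digest()
    # Constant-time compare; avoids leaking how many bytes matched.
    return hmac.compare_digest(digest, data)


if __name__ == "__main__":
    record = build_tlsa(SPKI_DER)
    print(tlsa_name("mail.example.com"), "IN TLSA", record)
    print("matches:", tlsa_matches(record, CERT_DER, SPKI_DER, dnssec_validated=True))
```

Pinning the SPKI rather than the whole certificate (selector 1) is what lets a certificate be renewed without touching DNS, as long as the key stays the same; rotating the key means publishing the new record before the new certificate goes live.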
Comparison Overview
| Protocol | Purpose | Difficulty | Status |
|---|---|---|---|
| SPF | Authorize sending servers | Easy | Required |
| DKIM | Verify message integrity | Medium | Required |
| DMARC | Enforce policy & reporting | Medium | Required |
| BIMI | Brand logo in inbox | Medium-Hard | Optional |
| MTA-STS | Encrypt email in transit | Medium | Recommended |
| DANE | TLS cert pinning via DNSSEC | Hard | Optional |
Implementation Roadmap
For most organizations, the recommended implementation order is:
- SPF — Start here. Add a DNS TXT record listing your authorized senders.
- DKIM — Configure key signing with your email provider and publish the public key in DNS.
- DMARC — Deploy with p=none, monitor reports, then escalate to quarantine and reject.
- MTA-STS — Once the big three are in place, add transport encryption enforcement.
- BIMI — After DMARC reaches p=quarantine or stronger, set up BIMI for brand visibility.
- DANE — Only if your domain supports DNSSEC.
Frequently Asked Questions
What are the main email authentication methods?
The main email authentication methods are SPF, DKIM, DMARC, BIMI, MTA-STS, and DANE. SPF, DKIM, and DMARC are the core trio and are required for reliable email delivery. BIMI, MTA-STS, and DANE are newer additions that enhance security and brand visibility.
What is BIMI and do I need it?
BIMI displays your brand logo next to authenticated emails in supported inboxes like Gmail and Apple Mail. It requires DMARC with p=quarantine or p=reject. BIMI is optional but improves brand recognition and user trust.
What is MTA-STS and how does it differ from DANE?
Both MTA-STS and DANE enforce TLS encryption for email in transit between mail servers. MTA-STS uses HTTPS to publish a policy file and works with certificates from standard Certificate Authorities. DANE uses DNSSEC and TLSA records to pin certificates or public keys directly in DNS. MTA-STS is easier to deploy, while DANE is more secure but requires DNSSEC.
Which email authentication methods are required vs optional?
SPF, DKIM, and DMARC are effectively required — Google and Yahoo mandate them for bulk senders. BIMI, MTA-STS, and DANE are optional but recommended for organizations that want maximum security and brand visibility.
In what order should I implement email authentication?
Start with SPF, then DKIM, then DMARC (beginning with p=none). Once DMARC is at quarantine or reject, consider adding BIMI for brand visibility and MTA-STS or DANE for transport encryption.