SPF • DKIM • DMARC • BIMI • MTA-STS/TLS-RPT • DANE — With Evidence
Email Authentication stops spoofing and brand abuse by proving who can send for your domains and how receivers should treat failures.
SolveForce builds email-auth as a system: SPF & DKIM alignment → DMARC enforcement → BIMI trust marks → MTA-STS/TLS-RPT (and DANE where viable) — wired to SIEM/SOAR so you can measure and prove protection.
Related pages:
🔐 Email Security → /email-security • 👤 IAM → /iam • 📊 Evidence/Automation → /siem-soar
🎯 Outcomes (Why this matters)
- Spoofing blocked — receivers can quarantine/reject unauth mail for your domains.
- Brand trust up — BIMI/DMARC alignment improves inbox presence and reduces phishing.
- Deliverability stable — clear auth + TLS reduces false positives and transport failures.
- Audit-grade proof — DMARC, TLS-RPT, and SIEM dashboards show alignment, failures, and enforcement.
🧭 Scope (What we build & operate)
- SPF — curated
include:chains, flattening where needed, parked domains with-all. - DKIM — per-sender selectors, 2048-bit keys (where supported), rotation cadence.
- DMARC — enforcement roadmap (monitor → quarantine → reject), strict alignment (as policy allows), aggregate/forensic reporting.
- BIMI — SVG logo + VMC issuance, DNS records, and alignment checks.
- Transport auth — MTA-STS policy & TLS-RPT mailbox; optional DANE (TLSA) where DNSSEC is deployed.
- ARC/Forwarding — ARC handling for forwarders/lists to retain DMARC benefits.
- Evidence & alerts — DMARC XML pipeline → human-readable analytics → SIEM/SOAR alerts. → /siem-soar
🧱 Building Blocks (Spelled Out)
SPF (Sender Policy Framework)
- Keep < 10 DNS lookups (RFC limit); collapse vendors via managed includes or flattening.
- Use per-subdomain SPF when vendors send only for specific subs (e.g.,
news.example.com). - Parked domains: publish
v=spf1 -all,A/MXremoved or locked down.
DKIM (DomainKeys Identified Mail)
- Sign from each sending platform with distinct selectors (e.g.,
mktg2025,svc2025). - Prefer rsa2048 keys; rotate 90–180 days; never reuse selectors across vendors.
- Ensure aligned From: domain (or subdomain as policy).
DMARC
- Start:
p=none; rua=mailto:dmarc@…; ruf=…; fo=1(monitor). - Enforce: phase to
p=quarantine→p=rejectwithpct=ramp and per-subdomain records. - Tighten alignment:
adkim=s; aspf=s(strict) where feasible. - Subdomain policy:
sp=rejectto cover all child domains. - Evidence: DMARC XML → analytics → SIEM (failures by source, alignment score). → /siem-soar
BIMI (Brand Indicators for Message Identification)
- Publish BIMI TXT with SVG Tiny PS logo + Verified Mark Certificate (VMC) (per mailbox provider rules).
- Requires DMARC enforcement (
quarantine/reject) and high alignment.
MTA-STS / TLS-RPT (and DANE)
- Enforce TLS for SMTP with MTA-STS policy (
mta-sts.example.com+_mta-sts TXT). - Collect TLS-RPT at
tlsrpt@…to spot downgrade attacks/misconfig. - If DNSSEC is deployed, consider DANE (TLSA) for SMTP servers.
ARC (Authenticated Received Chain)
- Sign ARC headers on outbound (if you operate relays) and validate on inbound to preserve DMARC through forwarding lists.
🧰 Deployment Patterns (Choose Your Fit)
A) Core corporate domain + parked domains
- SPF curated + DKIM per sender → DMARC monitor → reject; parked domains
-all,sp=reject, wildcard MX null.
B) Multi-vendor marketing & billing
- Dedicated subdomains (
news.,billing.) each with own SPF/DKIM; parent DMARCsp=reject; BIMI on primary only.
C) SaaS-first org
- Inventory senders via DMARC reports; enable DKIM for each SaaS; collapse SPF includes; MTA-STS on core; TLS-RPT to SIEM.
D) High-trust brand (BIMI + VMC)
- DMARC p=reject + strict alignment; SVG/VMC issuance; logo governance; TLS enforcement; ARC-friendly relays.
E) Government/regulated
- DNSSEC + DANE (where accepted), MTA-STS required, strict DMARC, forensic reporting, SIEM/SOAR alerts into IR playbooks. → /incident-response
📐 SLO Guardrails (Targets You Can Measure)
| KPI / SLO | Target (Recommended) |
|---|---|
| DMARC enforcement | p=reject within 60–90 days |
| Alignment rate (SPF or DKIM aligned) | ≥ 98–99% of outbound volume |
| SPF DNS lookups | ≤ 8 (hard limit 10) |
| DKIM key length / rotation | 2048-bit, rotate 90–180 days |
| Subdomain policy | sp=reject for parent domain |
| TLS coverage (in/out) | = 100% (MTA-STS enforced) |
| DMARC failure reduction (30d) | ≥ 90% vs baseline monitoring phase |
| BIMI readiness | DMARC enforced + VMC issued |
| Evidence delivery to SIEM | ≤ 120 s (DMARC/TLS-RPT parsed) |
SLO breaches auto-open tickets and trigger SOAR (disable sender, update SPF/DKIM, tighten DMARC pct/sp, fix TLS). → /siem-soar
📊 Observability & Evidence
- DMARC analytics — aligned vs unaligned sources, top failing IPs/vendors, forwarder/ARC paths.
- TLS-RPT — per-destination TLS success/failure, downgrade attempts, cipher posture.
- Change logs — DNS record diffs (SPF/DKIM/DMARC/MTA-STS/BIMI); DKIM rotation history.
- SIEM dashboards — alignment score, spoof attempts blocked, BIMI coverage, TLS health; exportable for audits. → /siem-soar
🛠️ Implementation Blueprint (No-Surprise Rollout)
1) Inventory senders — parse 30–45 days of DMARC reports to list all platforms; map to subdomains.
2) Harden SPF — prune/flatten; vendor-specific subdomain SPF; parked domains -all.
3) Enable DKIM everywhere — unique selectors per platform; publish keys; test signing & alignment.
4) Roll DMARC — p=none → quarantine → reject with pct= ramp; set sp=reject; tighten adkim/aspf as feasible.
5) Transport auth — publish MTA-STS; set TLS-RPT mailbox; (optional) DNSSEC + DANE.
6) BIMI — prepare SVG + VMC; publish BIMI TXT after DMARC enforcement.
7) ARC & forwarding — validate ARC; tune policies for list servers/forwarders.
8) Automate evidence — DMARC/TLS-RPT → parser → data store → SIEM; alerts & monthly reports.
9) Operate — quarterly DKIM rotation; SPF cleanup on vendor changes; review DMARC failures weekly; renew VMC annually.
✅ Pre-Engagement Checklist
- 🔤 Domains & subdomains list; DNS host (with API).
- 📨 Current senders (SaaS, marketing, billing, ticketing, CRM, relays).
- 🧾 DMARC report mailbox & parser target; TLS-RPT mailbox.
- 🔐 DNSSEC status; willingness to deploy DANE.
- 🖼️ Brand assets (SVG) and VMC CA preference for BIMI.
- 📊 SIEM endpoint & alerting channels; reporting cadence.
- 🗓️ Rotation cadences (DKIM, VMC), change window policy.
🔄 Where Email-Auth Fits (Recursive View)
1) Grammar — email flows traverse /connectivity and clients’ device posture from /mdm//mdr-xdr.
2) Syntax — identity & policy via /iam; domain trust via SPF/DKIM/DMARC/BIMI; transport via MTA-STS/TLS/DANE.
3) Semantics — /cybersecurity preserves truth; /siem-soar proves it.