FAQ

  • What is SPF?

    SPF (Sender Policy Framework) is an email authentication method that allows a domain owner to specify which mail servers are permitted to send emails on behalf of their domain.  It's a DNS record that lists authorized sending IP addresses or hostnames.  Receiving mail servers can then check this record to verify if an email claiming to be from that domain is actually coming from an authorized source.

  • What is DKIM?

    DKIM (DomainKeys Identified Mail) adds a digital signature to email messages. This signature is verified by the receiving mail server using a public key published in the DNS.  DKIM ensures that the email content hasn't been tampered with during transit and confirms the message originated from the claimed sender.

  • What is DMARC?

    DMARC (Domain-based Message Authentication, Reporting & Conformance) builds upon SPF and DKIM.  It allows a domain owner to specify what should happen to emails that fail SPF and/or DKIM checks (e.g., quarantine or reject).  DMARC also provides reporting, so domain owners can see how their email authentication is performing and identify potential issues.

  • What is BIMI?

    BIMI (Brand Indicators for Message Identification) is a specification that enables email clients to display a brand's logo next to their emails in the inbox.  It's a visual cue that helps recipients quickly and confidently identify legitimate emails from a specific organization, increasing trust and reducing the risk of phishing attacks.  BIMI relies on DMARC authentication; the sending domain must have a DMARC policy in place (at least "p=quarantine") before their logo can be displayed.  Essentially, BIMI provides a standardized way for brands to showcase their logo, enhancing brand recognition and improving the email experience.

  • What is MTA-STS?

    MTA-STS (Mail Transfer Agent Strict Transport Security) is a mechanism that enforces encrypted connections between mail servers. It prevents attackers from downgrading the connection to plain text and eavesdropping on email communication.  It requires a policy to be published by the sending domain that the receiving server checks.

  • Why do I need DMARC records?

    DMARC is crucial for protecting your domain's reputation and preventing email spoofing.  Without DMARC, attackers can more easily impersonate your domain, sending phishing emails or other malicious messages that appear to come from you. DMARC helps ensure that only legitimate emails from your domain reach recipients' inboxes.

  • What is DNS abuse?

    DNS abuse refers to malicious activities that exploit the DNS (Domain Name System). This can include things like DNS spoofing (redirecting users to fake websites), DNS hijacking (taking control of a domain's DNS records), and using DNS for malware distribution or DDoS attacks.

  • How to protect from DNS abuse?

    Several strategies can help protect against DNS abuse:

    • Use a reputable DNS provider: Choose a provider with robust security measures.
    • Enable DNSSEC (DNS Security Extensions): DNSSEC adds authentication to DNS responses, making it harder for attackers to tamper with them.
    • Monitor your DNS records: Regularly check your DNS records for any unauthorized changes.
    • Implement rate limiting: Limit the number of DNS queries to prevent abuse.
    • Use a firewall: Protect your DNS servers with a firewall.

  • My company uses yahoo.com, I'm protected right?

    No. If your company uses free email services like yahoo.com, you are not in control of the domain.  You are subject to Yahoo's security policies. While they likely have strong security, you don't manage the SPF, DKIM, or DMARC records for yahoo.com.  You should use a domain that you control.

  • My company uses gmail.com, I'm protected right?

    Similar to Yahoo, you are not in control of the gmail.com domain. You inherit Google's security, which is generally very good. However, you should use a domain that you control to manage your email authentication.

  • My company uses outlook.com, I'm protected right?

    Again, you don't control the outlook.com domain and are subject to Microsoft's security measures.  While they are likely strong, you should use a domain that you control to manage your email authentication.  It is best practice to use a custom domain for business emails.
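
For a domain you do control, the DMARC record described in the DMARC and BIMI answers above can be checked mechanically. The following is an added example, not code from this site: it parses DMARC TXT record strings, reports weak settings, and tests the BIMI prerequisite exactly as this FAQ states it (at least "p=quarantine"). The function names, the `.example` domains and the sample records are constructed for illustration.

```python
# Added example: parse DMARC TXT records and report weak settings (sample data is constructed).
ENFORCEMENT = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict; raise ValueError if malformed."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[name.strip().lower()] = value.strip()
    tags["p"] = tags.get("p", "").lower()
    if tags["p"] not in ENFORCEMENT:
        raise ValueError("missing or invalid p= tag")
    return tags

def assess(txt):
    """Return (policy, findings) for one DMARC record."""
    tags = parse_dmarc(txt)
    policy, findings = tags["p"], []
    if policy == "none":
        findings.append("p=none requests no action on failing mail")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if pct < 100 and policy != "none":
        findings.append(f"pct={pct}: policy applies to only part of failing mail")
    sp = tags.get("sp", policy).lower()  # subdomains inherit p= when sp= is absent
    if ENFORCEMENT.get(sp, 0) < ENFORCEMENT[policy]:
        findings.append(f"sp={sp}: subdomains get a weaker policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return policy, findings

def bimi_ready(txt):
    """Prerequisite as stated in this FAQ: DMARC policy of at least p=quarantine."""
    return ENFORCEMENT[parse_dmarc(txt)["p"]] >= ENFORCEMENT["quarantine"]

SAMPLES = {  # constructed records, not real DNS data
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
}

if __name__ == "__main__":
    for domain, record in SAMPLES.items():
        print(domain, assess(record), "BIMI prerequisite met:", bimi_ready(record))
```

To check a live domain, pass in the TXT value published at `_dmarc.` followed by your domain name.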
