DMARC, DANE, MTA-STS, TLS, and DKIM Explained in 3 Minutes

By Rui Serra • July 14, 2022

Confused by the different email security mechanisms? Here’s a 3-minute breakdown of the methods commonly used to secure emails from abuse and malicious attacks.

Our Email Security Service, like other systems, relies on these authentication and authorization protocols as a very important layer of security. Many attacks cannot satisfy these standards, but some legitimate (and poorly configured) email senders do not use them either. The secret to proper filtering is understanding how each mechanism is used and what its absence really means, and then adjusting the filtering and control options accordingly.

DMARC stands for Domain-based Message Authentication, Reporting & Conformance and is a technical standard that helps protect against phishing, spoofing, and spam. It is an email authentication protocol that uses SPF and DKIM to determine the authenticity of an email message. With a DMARC policy in place, you can check whether the SPF and DKIM results align with the domain in the “Header From” address and specify what the receiving server should do when SPF and DKIM fail.
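To make the alignment and policy logic concrete, here is an added example (not code from the original post or from the author's service) that parses a DMARC TXT record and evaluates a message's SPF and DKIM results against the Header From domain. The record, the domain names and the `AuthResult` structure are constructed for illustration; the organizational-domain helper is a simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample record, as it would be published at _dmarc.example.com (hypothetical domain).
SAMPLE_DMARC = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com; pct=100"


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record into tag -> value, applying the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC1 record")
    tags.setdefault("adkim", "r")   # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")    # SPF alignment mode
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy falls back to p
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: Optional[str], header_from: str, mode: str) -> bool:
    """Does the domain that passed SPF or DKIM align with the Header From domain?"""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    h = header_from.lower().rstrip(".")
    if mode == "s":
        return a == h                      # strict: exact match
    return org_domain(a) == org_domain(h)  # relaxed: same organizational domain


@dataclass
class AuthResult:
    header_from: str                   # domain of the RFC5322.From address
    spf_pass_domain: Optional[str]     # MAIL FROM domain that passed SPF, or None
    dkim_pass_domain: Optional[str]    # d= of a DKIM signature that verified, or None


def evaluate(record_txt: str, result: AuthResult) -> Tuple[bool, str]:
    """Return (dmarc_pass, requested_disposition) for one message."""
    rec = parse_dmarc(record_txt)
    spf_ok = aligned(result.spf_pass_domain, result.header_from, rec["aspf"])
    dkim_ok = aligned(result.dkim_pass_domain, result.header_from, rec["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"            # either aligned pass satisfies DMARC
    is_subdomain = org_domain(result.header_from) != result.header_from.lower().rstrip(".")
    return False, rec["sp"] if is_subdomain else rec["p"]


if __name__ == "__main__":
    print(evaluate(SAMPLE_DMARC, AuthResult("example.com", "bounce.example.com", None)))
    print(evaluate(SAMPLE_DMARC, AuthResult("example.com", "attacker.invalid", "attacker.invalid")))
```

Note how the same record treats the two identifiers differently: `aspf=r` lets a bounce subdomain satisfy SPF alignment, while `adkim=s` requires the DKIM `d=` to equal the Header From domain exactly, and a spoofed message whose SPF and DKIM pass only for the attacker's own domain fails alignment and inherits the `p=reject` disposition.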


DNS-based Authentication of Named Entities (DANE) for SMTP provides a secure method for mail transport: the domain owner publishes in DNS, as TLSA records, which certificates or keys its mail servers use, so a sending server can verify the receiving server's certificate against them. The TLSA records are published under the name of the MX host. A mail server in a different domain can still be covered by DANE if its administrator publishes TLSA records for it. Domain Name System Security Extensions (DNSSEC) is a requirement for DANE: for the security model to work, the DNS records must be signed with DNSSEC.
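The following added example (not from the original post) shows what a sending server checks once it has a DNSSEC-validated TLSA record for the MX host: it derives the TLSA owner name, computes the certificate association data for the record's selector and matching type, and compares it with the presented certificate. The MX host name and the DER byte strings are constructed placeholders; a real client would take the certificate and its SubjectPublicKeyInfo from the TLS handshake.

```python
import hashlib
from typing import Tuple

# Constructed placeholder bytes standing in for a DER certificate and its SubjectPublicKeyInfo.
FAKE_CERT_DER = b"\x30\x82\x01\x00" + b"cert-body-placeholder"
FAKE_SPKI_DER = b"\x30\x59\x30\x13" + b"spki-placeholder"


def tlsa_name(mx_host: str, port: int = 25) -> str:
    """TLSA owner name for an SMTP listener, e.g. _25._tcp.mx1.example.com."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."


def assoc_data(cert_der: bytes, spki_der: bytes, selector: int, matching_type: int) -> str:
    """Certificate association data (hex) for the given selector and matching type (RFC 6698)."""
    data = cert_der if selector == 0 else spki_der   # 0 = full cert, 1 = SubjectPublicKeyInfo
    if matching_type == 0:
        return data.hex()                            # exact match
    if matching_type == 1:
        return hashlib.sha256(data).hexdigest()      # SHA-256
    if matching_type == 2:
        return hashlib.sha512(data).hexdigest()      # SHA-512
    raise ValueError(f"unknown matching type {matching_type}")


def make_tlsa_rdata(spki_der: bytes) -> str:
    """Build the common SMTP DANE record: usage 3 (DANE-EE), selector 1 (SPKI), matching type 1."""
    return f"3 1 1 {hashlib.sha256(spki_der).hexdigest()}"


def parse_tlsa(rdata: str) -> Tuple[int, int, int, str]:
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return int(usage), int(selector), int(mtype), hexdata.replace(" ", "").lower()


def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Does the presented certificate satisfy this TLSA record?"""
    usage, selector, mtype, hexdata = parse_tlsa(rdata)
    # RFC 7672 restricts SMTP DANE to DANE-TA (2) and DANE-EE (3); PKIX usages are not used.
    if usage not in (2, 3):
        return False
    return assoc_data(cert_der, spki_der, selector, mtype) == hexdata


if __name__ == "__main__":
    record = make_tlsa_rdata(FAKE_SPKI_DER)
    print(tlsa_name("mx1.example.com"), record)
    print("match:", tlsa_matches(record, FAKE_CERT_DER, FAKE_SPKI_DER))
```

With usage 3 the record pins the server's own key, so the check succeeds regardless of which CA issued the certificate and the name on the certificate is not consulted; the trust comes entirely from the DNSSEC signature over the TLSA record, which is why DNSSEC is a hard requirement.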


Google aims to make Gmail more secure with Mail Transfer Agent Strict Transport Security (MTA-STS). The mechanism tells sending SMTP servers that connections to your SMTP servers must be encrypted and that the domain name on the certificate must match the MX host. When MTA-STS is turned on for your domain, you request that external mail servers only deliver messages to your domain when the SMTP connection is both encrypted with TLS 1.2 or higher and authenticated with a valid public certificate. MTA-STS protects against Man-in-the-Middle (MITM) attacks and downgrade attacks and addresses SMTP security problems such as expired TLS certificates.


TLS stands for Transport Layer Security. This cryptographic protocol secures data in transit between two endpoints and is typically used to encrypt Application Layer protocols such as SMTP, HTTP, FTP, and IMAP. For email, its use is enforced by MTA-STS and DANE. A companion reporting mechanism lets a domain receive reports about delivery problems when mail to it could not be sent with TLS. With MTA-STS support, emails sent to the domain are guaranteed TLS encryption and secure delivery.
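This added example (not code from the original post) serves both the MTA-STS and the TLS paragraphs above: it parses the `_mta-sts` TXT record and the policy file a sending server fetches over HTTPS, matches the MX host it is about to connect to against the policy's `mx` patterns, and then decides whether delivery may proceed given the outcome of the TLS handshake, producing a report entry when the policy is violated. The domain names, policy contents and handshake outcomes are constructed for illustration.

```python
from typing import Dict, List, Optional

# Constructed TXT record at _mta-sts.example.com and the policy served from
# https://mta-sts.example.com/.well-known/mta-sts.txt (hypothetical domain).
SAMPLE_TXT = "v=STSv1; id=20220714T000000"
SAMPLE_POLICY = """version: STSv1
mode: enforce
mx: mx1.example.com
mx: *.example.net
max_age: 604800
"""


def parse_sts_txt(txt: str) -> Optional[str]:
    """Return the policy id from the DNS TXT record, or None if it is not an STSv1 record."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags.get("id") if tags.get("v") == "STSv1" else None


def parse_policy(text: str) -> dict:
    """Parse the key: value policy file; 'mx' may repeat, so it is collected as a list."""
    policy: dict = {"mx": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key == "max_age":
            policy[key] = int(value)
        else:
            policy[key] = value.lower()
    if policy.get("version") != "stsv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("invalid MTA-STS policy")
    return policy


def mx_allowed(policy: dict, mx_host: str) -> bool:
    """An mx pattern is either an exact host or '*.' plus a domain matching exactly one label."""
    host = mx_host.lower().rstrip(".")
    for pattern in policy["mx"]:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # ".example.net"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif host == pattern:
            return True
    return False


def delivery_decision(policy: dict, mx_host: str, tls_ok: bool, cert_name_ok: bool) -> dict:
    """Decide whether to deliver to mx_host and whether a policy violation must be reported."""
    violation: Optional[str] = None
    if not mx_allowed(policy, mx_host):
        violation = "mx-mismatch"
    elif not tls_ok:
        violation = "starttls-not-supported"
    elif not cert_name_ok:
        violation = "certificate-host-mismatch"
    mode = policy["mode"]
    if violation is None or mode == "none":
        return {"deliver": True, "report": violation}
    # testing: deliver anyway but report; enforce: refuse and report.
    return {"deliver": mode == "testing", "report": violation}


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    print(parse_sts_txt(SAMPLE_TXT), pol)
    print(delivery_decision(pol, "mx1.example.com", tls_ok=False, cert_name_ok=False))
```

The sending side caches the policy for `max_age` seconds and only refetches it when the TXT record's `id` changes, which is what lets MTA-STS resist a downgrade: an attacker who can strip STARTTLS or tamper with DNS cannot make a sender forget a policy it already holds.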


The technical standard DomainKeys Identified Mail (DKIM) is a form of email authentication. It allows an organization to add a digital signature to its email messages, so recipients have a way to validate the email by fetching the organization's public cryptographic key from DNS and checking the signature against it. The DKIM signing process has three main steps, starting with the sender identifying which header fields to include in the DKIM signature. The sender's email platform then creates a hash of those fields and of the message body and signs it, producing the DKIM-Signature header. In the final step, the receiving email gateway validates the DKIM signature with the public key published in DNS, which corresponds to the private key the sender used.
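To show the hashing step the paragraph describes, here is an added example (not code from the original post) that implements the relaxed body canonicalization of RFC 6376, computes the body hash carried in the `bh=` tag, and parses a DKIM-Signature header into its tags so the body hash can be checked. The message, selector and domain are constructed; the `b=` value is a placeholder because verifying it needs the RSA public key from `<selector>._domainkey.<domain>`, which this offline example does not fetch.

```python
import base64
import hashlib
import re
from typing import Dict


def canon_body_relaxed(body: str) -> str:
    """Relaxed body canonicalization: collapse runs of WSP to one space, strip trailing WSP
    on each line, drop trailing empty lines, and terminate every line with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    out = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while out and out[-1] == "":
        out.pop()
    return "".join(line + "\r\n" for line in out)


def body_hash(body: str, algo: str = "sha256") -> str:
    """The bh= tag: base64 of the digest over the canonicalized body."""
    digest = hashlib.new(algo, canon_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> Dict[str, str]:
    """Split a DKIM-Signature value into tag -> value; folding whitespace inside values is ignored."""
    tags: Dict[str, str] = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_body_hash(dkim_header_value: str, body: str) -> bool:
    """Step one of verification: does the message body still match the signed bh= value?"""
    tags = parse_dkim_tags(dkim_header_value)
    algo = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    return tags.get("bh") == body_hash(body, algo)


def build_signature_header(domain: str, selector: str, signed_headers: str, body: str) -> str:
    """Construct the DKIM-Signature value for a message; b= is a placeholder for the RSA signature."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={signed_headers}; bh={body_hash(body)}; b=SIGNATURE-PLACEHOLDER")


# Constructed message body and signature header for the hypothetical domain example.com.
SAMPLE_BODY = "Hello   world \r\n\r\n\r\n"
SAMPLE_SIG = build_signature_header("example.com", "sel2022", "from:to:subject:date", SAMPLE_BODY)

if __name__ == "__main__":
    print(repr(canon_body_relaxed(SAMPLE_BODY)))
    print(SAMPLE_SIG)
    print("body hash ok:", check_body_hash(SAMPLE_SIG, SAMPLE_BODY))
```

Relaxed canonicalization is why a message survives the small whitespace changes mail systems make in transit, while any change to the actual content breaks the body hash; a gateway that sees `bh=` mismatch can stop before the more expensive signature check.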
