A comprehensive, cross-referenced glossary of the terminology used across SPF, DKIM, DMARC, MTA-STS, DANE, ARC, BIMI, DNSSEC and the wider email security landscape. Bookmark this page — most other articles on the UK help centre link back to the definitions here.
adkim / aspf (DMARC tags). Control the alignment mode DMARC uses. r (relaxed, the default) accepts matches on the organisational domain; s (strict) requires an exact match. Strict alignment is the stronger posture and is published by domains, including epost.plus, that have fully controlled sender landscapes.
ARC (Authenticated Received Chain). RFC 8617. An extension that lets intermediate forwarders — mailing lists, corporate gateways — record the authentication results they observed before they modified the message, so that the final receiver can trust the original DMARC result even after forwarding breaks SPF or DKIM. Adds three headers: ARC-Authentication-Results, ARC-Message-Signature, ARC-Seal.
Alignment. The DMARC check that the domain authenticated by SPF or DKIM matches the From: header that the user actually sees. Without alignment, SPF and DKIM can pass while the message still spoofs a totally different visible sender.
Authentication-Results header. RFC 8601. A header added to received messages by the receiving server listing the outcome of every authentication check (SPF, DKIM, DMARC, ARC, DNSSEC, TLS). Reading this header is the quickest way to diagnose why a message passed or failed.
Aggregate report (RUA). Daily XML report sent by DMARC-aware receivers summarising every message they saw claiming to come from a given domain — source IPs, message counts, SPF and DKIM results, DMARC disposition. Delivered to the address in the rua= tag.
BEC (Business Email Compromise). A category of fraud in which the attacker impersonates an executive or a trusted supplier to request a wire transfer, invoice payment change, or release of sensitive data. Action Fraud records BEC as the most financially damaging category of cybercrime reported by UK businesses. SPF, DKIM and DMARC close the commonest technical route for BEC.
BIMI (Brand Indicators for Message Identification). A standard that lets a domain with passing DMARC publish an SVG logo that supporting mail clients display next to authenticated messages. Requires DMARC at p=quarantine or p=reject. Gmail and Yahoo additionally require a VMC (Verified Mark Certificate).
Blocklist (DNSBL, RBL). A DNS-based list of IP addresses or domains associated with spam or abuse. Spamhaus, Barracuda and SpamCop operate the most widely consulted UK blocklists. A listing on a major RBL can cause large-scale delivery failures until remediated.
Bounce. A message returned by a receiving mail server indicating that delivery could not be completed. A hard bounce is permanent (non-existent mailbox, refused domain, authentication rejection); a soft bounce is temporary (mailbox full, server unavailable).
Body hash (bh= in DKIM). The SHA-256 (or other) hash of the canonicalised message body, computed at signing time and carried inside the DKIM signature. Verification recomputes the hash and compares; if the body was modified, verification fails.
Canonicalisation (DKIM). The process of normalising headers and body before hashing and signing. Two modes exist: simple (preserve the content as-is) and relaxed (normalise whitespace, lower-case header names, allow header re-folding). The c= tag of DKIM-Signature specifies the header and body canonicalisation algorithms.
Certificate Transparency (CT). Public append-only logs of every TLS certificate issued by participating certificate authorities. Useful for detecting unauthorised certificates for your domain, which is a common precursor to lookalike-domain attacks. CT logs can be searched through crt.sh and similar services.
CNAME. A DNS record type that aliases one name to another. DKIM selectors are commonly deployed as CNAMEs pointing at a hosted provider's key, which lets the provider rotate keys without the customer touching DNS.
Co-signing. Publishing multiple DKIM signatures on a single message (for example one by the mail platform, one by a mailing list, one by an email service provider). Only one needs to align with the From: header for DMARC to pass.
DANE (DNS-based Authentication of Named Entities). RFC 6698. Uses DNSSEC-signed TLSA records to publish a cryptographic fingerprint of the recipient mail server's certificate, public key or issuing CA. Prevents TLS downgrade attacks and certificate substitution by network-positioned attackers.
DKIM (DomainKeys Identified Mail). RFC 6376. The protocol that cryptographically signs outbound messages. The signing domain is declared in the d= tag of the DKIM-Signature header and the public key is published as a DNS TXT record under the selector name.
DKIM-Signature header. The per-message header added by the signing server. Contains the algorithm, canonicalisation, signing domain, selector, signed header list, body hash and actual signature bytes.
DMARC. RFC 7489. The policy, alignment and reporting layer that ties SPF and DKIM together and instructs receivers what to do with messages that fail alignment. Policies are p=none, p=quarantine and p=reject.
DNSSEC (DNS Security Extensions). RFC 4033-4035. Adds cryptographic signatures to DNS responses so that a resolver can verify the records have not been tampered with in transit. The foundation of DANE and a hardening layer for SPF, DKIM, DMARC, MTA-STS and BIMI records.
DS (Delegation Signer) record. The DNSSEC record published at the parent zone linking the child domain's DNSSEC keys to the signed chain. For UK domains, DS records are published at the registry level through your registrar.
Ed25519. A modern elliptic-curve signing algorithm specified in RFC 8032. Used for DKIM via RFC 8463. Produces shorter keys and signatures than RSA while delivering equivalent cryptographic strength.
Envelope sender / Return-Path. The address used in the SMTP MAIL FROM command. Distinct from the From: header the user sees. SPF validates the envelope sender; DMARC alignment checks whether the envelope sender's organisational domain matches the From: domain.
epost.plus. The UK email platform operated by Smartx Technologies Ltd. Used throughout this glossary as a reference example of a fully configured authentication stack, because its live DNS publishes every record discussed here.
Error codes (SMTP). Three-digit response codes returned during SMTP. 2xx indicates success, 4xx a temporary failure (retry), 5xx a permanent failure (do not retry). Authentication-related rejections are typically 550 5.7.1 (SPF hard fail), 550 5.7.9 (DMARC fail) or 554 5.7.23 (DMARC policy reject), where the three-digit reply code is followed by the enhanced status code.
FCrDNS (Forward-Confirmed Reverse DNS). A consistency check in which the receiver queries the PTR record for the sending IP and then queries the A record for the resulting hostname; both must point at the original IP. UK-based mail servers that do not pass FCrDNS are treated with heavy suspicion by receivers.
Feedback loop (FBL). A mechanism by which receivers report abuse complaints back to senders, so the sender can suppress the complaining recipient from future mailings. Major receivers (Yahoo via JMRP, Microsoft via SNDS, Google via spamreport.google.com) operate their own feedback programmes.
Forensic report (RUF). Per-message DMARC failure report containing message headers and sometimes body excerpts. Most large providers no longer send RUF reports due to privacy concerns; aggregate (RUA) reports are sufficient for most deployments.
Forwarding. The process by which a receiver relays a message onwards — to another mailbox, a mailing list, or an archive. Forwarding breaks SPF (the IP changes) and may break DKIM (if the content is modified). ARC was developed to preserve the original authentication results across forwarding hops.
Gateway / relay. A mail server that processes messages on behalf of another — for example a UK organisation's on-premise Exchange gateway that relays through an outbound filter before reaching the public internet. Gateways must be included in SPF, must sign with DKIM where feasible, and must support ARC if they modify messages.
Google / Yahoo sender requirements (February 2024). Joint bulk-sender rules requiring SPF, DKIM and a DMARC record for any domain sending more than 5,000 messages per day to Gmail or Yahoo users. The landmark change that moved DMARC from a best practice to a business requirement.
GOV.UK mail policy. The Cabinet Office policy requiring central-government domains to publish DMARC p=reject and to use TLS in transit. Implemented and monitored through the NCSC Mail Check service.
h= (DKIM header list). The list of headers included in the DKIM signature. At minimum the From: header must be signed (RFC 6376 Section 5.4). Typical modern configurations sign ten or more headers.
Hard fail vs soft fail. The distinction between SPF -all (explicit not authorised, receivers should reject) and ~all (probably not authorised, receivers may mark as suspicious). In 2026, -all combined with DMARC enforcement is the expected posture for production domains.
Header From. The From: header in the message's header section — the address displayed to the recipient. The whole point of DMARC is that SPF or DKIM aligns with this header, not with the envelope sender.
HMRC (His Majesty's Revenue & Customs). Cited here because HMRC is one of the most-impersonated senders in UK phishing campaigns. Their own domains publish DMARC p=reject, and HMRC requires its suppliers to do the same.
ICO (Information Commissioner's Office). The UK regulator for data protection and UK GDPR. Phishing attacks that result in personal-data breaches are reportable to the ICO, and lack of email authentication may be considered a failure of appropriate technical measures.
Include (include:). An SPF mechanism that instructs the evaluator to consult another domain's SPF record. Each include: counts as a DNS lookup against the 10-lookup limit.
Inspection tools. Services used to diagnose authentication problems: MXToolbox, Hardenize, Port25 check-auth verifier, the NCSC Mail Check service (for UK accredited domains) and parsedmarc for processing RUA reports.
JMRP (Junk Mail Reporting Programme). The Yahoo / Verizon feedback loop that notifies senders when a recipient flagged one of their messages as spam. Enrolment is free and requires proof of ownership of the sending IPs.
JSON (in TLS-RPT). The format used for TLS-RPT reports. Reports list TLS connection failures with counts, policy types and failure reasons.
Key rotation. The practice of periodically replacing a DKIM key pair while retaining the old public key briefly so any in-flight messages still verify. Quarterly rotation is a modern norm.
KSK / ZSK (Key Signing Key / Zone Signing Key). The two DNSSEC key types. The KSK signs the DNSKEY RRset; the ZSK signs everything else. ZSKs rotate frequently; KSKs rotate infrequently because the DS record at the registry must be updated each time.
Lookalike domain. A domain registered with visual similarity to a legitimate target, such as firm-co-uk.com for firm.co.uk, or rnicrosoft.com for microsoft.com. Authentication does not help against lookalike-domain attacks; separate defences (registry monitoring, CT-log monitoring, DMARC on defensively registered variants) are needed.
Lookup (DNS). A single query to DNS. The SPF 10-lookup limit counts include:, a, mx, exists:, redirect= and ptr mechanisms.
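To make the 10-lookup rule from the Include and Lookup entries concrete, here is an added example (not code from the page or from epost.plus) that counts lookup-bearing terms in an SPF record, recursing through include: and redirect= the way an evaluator does. The SPF records and domain names in the in-memory table are constructed for illustration and are resolved from that table rather than live DNS.

```python
"""Count the DNS-lookup-bearing terms in an SPF record (RFC 7208 section 4.6.4).

Added example, not code from the page or from epost.plus. The records below
are constructed and hypothetical; include:/redirect= targets are resolved from
the FAKE_DNS table so the script runs offline.
"""

# Mechanisms and modifiers that each cost one DNS lookup against the limit.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")
LIMIT = 10

# Constructed stand-in for DNS: domain -> SPF TXT record.
FAKE_DNS = {
    "example.co.uk": "v=spf1 mx a include:_spf.example-provider.invalid "
                     "include:_spf.crm.invalid ip4:203.0.113.0/24 -all",
    "_spf.example-provider.invalid": "v=spf1 include:a.invalid include:b.invalid ~all",
    "a.invalid": "v=spf1 ip4:198.51.100.0/24 -all",
    "b.invalid": "v=spf1 a mx -all",
    "_spf.crm.invalid": "v=spf1 a ptr exists:%{i}.chk.invalid -all",
}


def _terms(record):
    """Split a record into terms, dropping the version token and any leading qualifier."""
    out = []
    for term in record.split()[1:]:
        if term[0] in "+-~?":
            term = term[1:]
        out.append(term)
    return out


def count_lookups(domain, dns=FAKE_DNS, _path=()):
    """Return the total lookup count for `domain`, recursing through include:/redirect=.

    `_path` holds the ancestors of the current record so an include loop stops
    instead of recursing forever; the same domain reached by two different
    branches is still counted twice, because the limit counts DNS queries.
    """
    if domain in _path:
        return 0
    record = dns.get(domain)
    if record is None:
        return 0
    total = 0
    for term in _terms(record):
        name, sep, arg = term.partition(":")
        if not sep:
            name, sep, arg = term.partition("=")   # redirect=domain modifier
        name = name.split("/")[0]                   # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(arg, dns, _path + (domain,))
    return total


def over_limit(domain, dns=FAKE_DNS):
    """True when evaluating the record would exceed the 10-lookup limit (SPF permerror)."""
    return count_lookups(domain, dns) > LIMIT


if __name__ == "__main__":
    for name in FAKE_DNS:
        print(f"{name}: {count_lookups(name)} lookups, over limit: {over_limit(name)}")
```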
Mail Hardener. A UK-accessible DMARC and TLS-RPT processing platform used across smartxhosting.uk infrastructure, including epost.plus. Ingests RUA and TLS-RPT reports, produces dashboards and alerting.
Mail Check. The NCSC service that lets UK public-sector domains monitor their SPF, DKIM, DMARC, TLS and MTA-STS posture against the required baselines. Private-sector domains can subscribe separately through commercial tools.
MTA (Mail Transfer Agent). The SMTP server software responsible for routing and delivering mail between servers. Common UK deployments include Postfix, Exim, Microsoft Exchange, and the Axigen platform that powers smartxhosting.uk email.
MTA-STS (Mail Transfer Agent Strict Transport Security). RFC 8461. A policy discovered through DNS and fetched over HTTPS that requires senders to use TLS, validate certificates and refuse to deliver if either check fails.
MX record. The DNS record type that lists mail servers responsible for receiving email for a domain. Multiple MX records with different priorities provide failover.
NCSC (National Cyber Security Centre). Part of GCHQ, the UK cybersecurity authority. Publishes the Email Security guidance that underpins the GOV.UK mail policy and the Cyber Essentials certification requirements.
NHS.net. The centrally operated email service for NHS England. Strict authentication requirements apply to any email flowing to or from NHS.net, including DMARC enforcement and TLS in transit.
Non-sending domain. A domain that does not send any email. Best-practice hardening publishes a null SPF (v=spf1 -all), a null DKIM, and DMARC p=reject so the domain cannot be spoofed.
Organisational domain. The registrable part of a domain (typically the second-level below a public suffix — for example firm.co.uk, where co.uk is the public suffix). DMARC relaxed alignment compares organisational domains rather than exact hostnames.
Opportunistic TLS. TLS negotiated via STARTTLS where the sender falls back to plaintext if negotiation fails. The underlying weakness that MTA-STS and DANE were built to remove.
p= tag. The DMARC policy. p=none (monitor), p=quarantine (send failures to junk), p=reject (reject at SMTP level). Applies to the domain itself; subdomain policy is set by the sp= tag.
pct= tag. The DMARC policy percentage. Allows a gradual rollout — p=reject; pct=25 means a quarter of failing messages are rejected and three-quarters fall through to the sp= or parent policy.
PCI DSS 4.0. The current version of the Payment Card Industry Data Security Standard, which references email authentication as part of Requirement 5 for UK card-accepting businesses.
PTR record. Reverse DNS record mapping an IP back to a hostname. Used by FCrDNS and by most receivers as an input to sender reputation.
Private key. The secret half of a DKIM key pair, held on the signing server. Must never be committed to source control or published to DNS — only the public key belongs in DNS.
Quarantine (p=quarantine). The DMARC policy that sends failing mail to the recipient's spam folder. An intermediate step between none and reject.
Query (DNS). See Lookup.
Receiver / Receiving server. The server that accepts an inbound SMTP connection and runs authentication checks before accepting, quarantining or rejecting the message.
Reject (p=reject). The strongest DMARC policy. Messages that fail alignment are rejected at SMTP level.
Relaxed alignment. DMARC alignment that compares organisational domains (bounce.firm.co.uk aligns with firm.co.uk). The default when adkim= or aspf= is not specified.
Reputation. A receiver's composite assessment of a sender based on authentication, complaint rates, blocklist status, engagement signals and history. Domains with strong reputation are delivered to inboxes; domains with weak reputation are filtered.
RFC. Requests for Comments — the Internet Engineering Task Force's specification documents. Key RFCs for this glossary: 7208 (SPF), 6376 (DKIM), 7489 (DMARC), 8461 (MTA-STS), 6698 (DANE), 8617 (ARC), 8460 (TLS-RPT).
RSA-2048. The recommended DKIM key size for new deployments (alongside Ed25519). RSA-1024 is considered weak and must not be used for new keys in 2026.
rua= (DMARC). The tag that lists addresses for aggregate reports. Usually points at a DMARC processing service.
ruf= (DMARC). The tag that lists addresses for forensic reports. Rarely used in practice.
s= (DKIM selector). The selector portion of a DKIM key's DNS name. A domain may publish multiple selectors simultaneously — typical UK practice is one selector per sending platform, rotated quarterly.
Selector. A label chosen by the domain owner to distinguish multiple DKIM keys — for example 2026q2, marketing, transactional. Published at selector._domainkey.domain.
Sender Policy Framework. See SPF.
Sender reputation. See Reputation.
Shared IP. An IP address from which multiple domains send. Reputation on shared IPs is averaged; one bad neighbour can affect everyone. Dedicated IPs give more control but require more volume to establish reputation.
Signing algorithm (DKIM). The a= tag in a DKIM signature. Valid values include rsa-sha256 (RFC 6376) and ed25519-sha256 (RFC 8463).
SMTP (Simple Mail Transfer Protocol). RFC 5321 (successor to RFC 821). The protocol used to transfer mail between servers. Designed in 1982 without authentication; SPF, DKIM and DMARC retrofit that missing layer.
SMTP AUTH. The protocol extension that authenticates a client to a submission server (port 587 or 465). Unrelated to SPF/DKIM/DMARC, which authenticate the message rather than the user.
sp= (DMARC). The subdomain policy tag. Controls what DMARC policy applies to subdomains if no more specific record exists.
Spam folder. Where a receiver places messages it suspects but does not reject. Messages quarantined by DMARC typically end up here.
Spoofing. Forging the sender address of a message. The primary threat that email authentication addresses.
SPF (Sender Policy Framework). RFC 7208. The DNS-based protocol that publishes which IPs may send for a domain. Validates the envelope sender, not the visible From:.
SPKI (Subject Public Key Info). The selector used by the common 3 1 1 DANE-EE TLSA profile — the hash is taken of the server's public key bytes, which survives certificate renewals without breaking TLSA provided the server keeps the same key pair when it renews.
STARTTLS. The SMTP command that upgrades a plaintext connection to TLS. RFC 3207.
Strict alignment. DMARC alignment that requires an exact domain match. aspf=s and adkim=s.
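The alignment entries (adkim / aspf, Alignment, Envelope sender, Organisational domain, Relaxed alignment, Strict alignment) describe one check; here is an added example (not code from the page or from epost.plus) that performs it for both modes. It assumes a constructed, deliberately tiny public-suffix table in place of the real Public Suffix List, and the domains and header values it evaluates are constructed.

```python
"""DMARC identifier alignment (RFC 7489 section 3.1), relaxed and strict.

Added example, not code from the page or from epost.plus. PUBLIC_SUFFIXES is a
constructed stand-in for the real Public Suffix List; a receiver uses the full
list. All domain names below are constructed.
"""

PUBLIC_SUFFIXES = {"uk", "co.uk", "org.uk", "gov.uk", "ac.uk", "com", "plus"}


def organisational_domain(fqdn):
    """Return the registrable domain: the label just above the longest matching public suffix."""
    labels = fqdn.lower().rstrip(".").split(".")
    for i in range(len(labels)):           # longest suffix is tried first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else ".".join(labels)
    return ".".join(labels[-2:])           # fallback: assume a two-label registrable domain


def aligned(auth_domain, from_domain, mode="r"):
    """True when auth_domain aligns with the header From domain under mode 'r' or 's'."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f                      # strict: exact match only
    return organisational_domain(a) == organisational_domain(f)


def dmarc_alignment(from_domain, spf_pass_domain=None, dkim_pass_domains=(),
                    adkim="r", aspf="r"):
    """Evaluate DMARC for one message: pass if the SPF-authenticated MAIL FROM
    domain aligns or any verified DKIM d= domain aligns with the header From.

    spf_pass_domain: envelope-sender domain, given only when SPF itself passed.
    dkim_pass_domains: d= values of signatures that verified.
    """
    spf_ok = spf_pass_domain is not None and aligned(spf_pass_domain, from_domain, aspf)
    dkim_ok = any(aligned(d, from_domain, adkim) for d in dkim_pass_domains)
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}


if __name__ == "__main__":
    # Bounce subdomain as envelope sender: passes relaxed, fails strict.
    print(dmarc_alignment("firm.co.uk", spf_pass_domain="bounce.firm.co.uk", aspf="r"))
    print(dmarc_alignment("firm.co.uk", spf_pass_domain="bounce.firm.co.uk", aspf="s"))
    # SPF passes for an unrelated domain, no aligned DKIM: the From: is not covered.
    print(dmarc_alignment("firm.co.uk", spf_pass_domain="unrelated-sender.invalid"))
    # Forwarded message: SPF now belongs to the forwarder, but the original DKIM d= still aligns.
    print(dmarc_alignment("firm.co.uk", spf_pass_domain="lists.forwarder.invalid",
                          dkim_pass_domains=("firm.co.uk",)))
```

The third case is the misunderstanding discussed in the FAQ below: an SPF pass on its own says nothing about the visible From: domain until alignment is checked.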
TLS. Transport Layer Security. The encryption protocol used to protect SMTP connections. Current standard is TLS 1.3; TLS 1.2 remains widely supported; TLS 1.0 and 1.1 must be disabled.
TLS-RPT. RFC 8460. The reporting protocol for TLS connection failures. Published as a DNS TXT record at _smtp._tls.domain.
TLSA. The DNS record type used by DANE. Contains a certificate usage, selector, matching type and the hash or public key bytes.
TLD (Top-Level Domain). The rightmost label of a domain name. For UK domains the TLD is .uk; the familiar suffixes .co.uk, .org.uk, .gov.uk and .ac.uk are second-level domains beneath it, all managed by Nominet.
Transport Layer Security. See TLS.
TXT record. The DNS record type used to publish SPF, DKIM, DMARC, MTA-STS identification and TLS-RPT records. Size limit per string is 255 characters; records longer than that must be split into multiple strings.
UK GDPR. The UK-specific successor to EU GDPR, enforced by the ICO. Email authentication is considered part of the appropriate technical measures an organisation must take to protect personal data.
URI (in DMARC rua=). The scheme-qualified address that reports should be sent to — typically mailto: followed by the report address. Multiple URIs may be listed separated by commas.
VMC (Verified Mark Certificate). A special-purpose X.509 certificate that attests a BIMI SVG logo has been trademark-verified. Required by Gmail and Yahoo for BIMI logo display. Issued by DigiCert and Entrust at roughly USD 1,500 per year.
Version tag. Every authentication DNS record begins with a version token (v=spf1, v=DKIM1, v=DMARC1, v=STSv1, v=TLSRPTv1, v=BIMI1). Always the first tag, always required.
Webmail. A browser-based email client. Axigen (used by smartxhosting.uk) provides its own webmail with full support for modern authentication headers — users can inspect Authentication-Results directly.
Weak algorithms. DKIM with SHA-1 or RSA-1024, TLS 1.0/1.1, DES-based ciphers. All should be disabled in 2026.
X.509. The certificate format used by TLS, DANE (via certificate usage 0 and 1) and VMC. Issued by certificate authorities and verified through a chain of trust.
Zone. A delegated portion of DNS for which a given set of name servers is authoritative. DNSSEC signing operates at the zone level.
Zone Signing Key (ZSK). See KSK / ZSK.
Q: Do I need to understand every term here to run an authenticated UK domain?
A: No. For a typical small business, the essential terms are SPF, DKIM, DMARC, envelope sender, header From, alignment, aggregate report and selector. The rest are important for deep deployment, reporting analysis and advanced hardening.
Q: What should I read next after this glossary?
A: Read How Email Authentication Works for the conceptual overview, then The Email Authentication Stack for how all the protocols layer together.
Q: Are the RFC numbers in this glossary current?
A: Yes as of 2026 — RFC 7208 for SPF, RFC 6376 for DKIM, RFC 7489 for DMARC (a successor is in preparation through DMARCbis), RFC 8461 for MTA-STS, RFC 6698 and 7671 for DANE, RFC 8617 for ARC, RFC 8460 for TLS-RPT. Always check the RFC Editor for the latest status.
Q: Why is "epost.plus" in the glossary as an example?
A: Because its DNS publishes a complete, verifiable, live implementation of every record discussed here — SPF, DKIM, DMARC p=reject with strict alignment, MTA-STS enforce, DANE-EE/SPKI/SHA-256, DNSSEC (Algorithm 13), BIMI, TLS-RPT. Looking at a working example accelerates learning far more than any abstract description.
Q: Where do the UK-specific terms — NCSC, ICO, NHS.net — fit in this glossary?
A: They are cited because UK regulatory guidance shapes the baseline every UK domain is expected to meet. The technical protocols are international standards; the enforcement and audit expectations vary by jurisdiction.
Q: Do I need a VMC to display my logo in UK inboxes?
A: For Gmail and Yahoo, yes. For Fastmail and a growing number of European receivers, a BIMI record without a VMC is now accepted. Many UK SMEs publish BIMI without a VMC and see their logo in half their recipients' inboxes — a pragmatic halfway house.
Q: What is the single biggest misunderstanding in this topic?
A: That SPF alone protects the visible From: header. It does not — and that single misunderstanding is responsible for most "we thought we were protected" conversations after a successful BEC attack.
Q: Is DMARC going to be replaced?
A: DMARCbis is the IETF's draft revision clarifying edge cases and deprecating a few rarely used tags. The core protocol is not being replaced. Domains deployed today will continue to work unchanged.