Most Organisations Pass Their SPF Check and Assume They’re Covered. They’re Not

RFC 7208

SPF – Sender Policy Framework

Authorises which mail servers may send email on behalf of a domain, enabling receivers to reject unauthorised senders at the envelope level.

RFC 7489

DMARC

Domain-based Message Authentication, Reporting and Conformance – policy framework instructing receivers how to handle mail that fails SPF or DKIM alignment.

RFC 6376 & RFC 8301

DKIM – DomainKeys Identified Mail

Cryptographic email signing that lets receivers verify message integrity and origin. RFC 8301 mandates RSA-SHA256 minimum and deprecates SHA-1 and weak key sizes.

RFC 8461

MTA-STS – Mail Transfer Agent Strict Transport Security

Enforces TLS encryption on inbound SMTP connections via a published policy record, preventing downgrade attacks and opportunistic plaintext delivery.

RFC 7672

DANE – DNS-based Authentication of Named Entities

Binds TLS certificates to domain names via TLSA records in DNSSEC-signed zones, enabling certificate pinning without reliance on Certificate Authorities.

RFC 8460

SMTP TLS Reporting

Defines a structured reporting mechanism for TLS negotiation failures on SMTP connections, supporting operational visibility into transport security gaps.

RFC 5321

SMTP – Simple Mail Transfer Protocol

The foundational specification governing email submission and relay between mail servers, defining command sequences, error codes, and transfer behaviour.

RFC 7505

Null MX

Signals that a domain intentionally does not send or receive email, preventing misdelivery and reducing attack surface for non-mail domains.

RFC 8996

TLS Protocol Versions

Formally deprecates TLS 1.0 and 1.1 for all uses; mandates TLS 1.2 as the minimum acceptable version for encrypted transport connections.

RFC 8659

CAA – Certification Authority Authorization

DNS records that restrict which Certificate Authorities are permitted to issue TLS certificates for a domain, reducing the risk of misissued certificates.