Email Authentication & Security: A 101 Guide (And How We Manage It For You)

Email is still the backbone of business communication, but it was never designed with modern security in mind. The result? A mess of spoofing, phishing, and deliverability headaches that most organisations only notice when something breaks.

The good news: there’s now a mature stack of standards that, when implemented properly, dramatically improve both security and deliverability.

In this guide, I’ll walk through the core pieces:

  • SPF

  • DKIM

  • DMARC

  • MTA-STS

  • BIMI

…and then show you how we manage all of this for clients so they don’t have to live in DNS records and XML reports.

Want to check your domain straight away? Then try our domain scanner.

SPF: The Guest List For Your Mail Servers

SPF (Sender Policy Framework) is where email authentication starts.

Think of SPF as the guest list for your domain’s mail servers. In your DNS, you publish an SPF record that says:

“These are the servers that are allowed to send email for my domain.”

When a receiving mail server gets an email claiming to be from you, it checks:

  • What IP/server sent this email?

  • Is that IP on the SPF record for this domain?

If yes, SPF passes. If not, it fails, and the receiving server can:

  • Reject the email outright

  • Quarantine it (often “spam”)

  • Or deliver it but mark it as suspicious

Why it matters:

  • It’s your first line of defence against basic spoofing

  • Without SPF, anyone can trivially send email “from” your domain

  • It protects your brand reputation and reduces successful phishing

But SPF has two big limitations:

  1. It only checks the “envelope from” (MAIL FROM), not the visible From address users see.

  2. It breaks when emails are forwarded, because the sending IP changes.

So SPF is necessary, but not sufficient.
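To make the guest-list check concrete, here is an added example (not code from the original post) of how a receiving server evaluates an SPF record against the connecting IP, including the limit of ten DNS-querying mechanisms that nested includes can quietly blow through. The domains and records are constructed for the example, and the a, mx, exists and redirect mechanisms are left out.

```python
import ipaddress

# Constructed DNS zone for this example (domain -> SPF TXT record); none of these are real.
FAKE_DNS = {
    "yourbrand.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.crm.example "
                         "include:mail.helpdesk.example -all",
    "_spf.crm.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "mail.helpdesk.example": "v=spf1 include:_spf.crm.example ?all",
}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than ten DNS-querying mechanisms is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain: str, ip: str, dns: dict = FAKE_DNS, lookups: list = None) -> str:
    """Evaluate the SPF record of `domain` for the connecting IP `ip` and return
    pass / fail / softfail / neutral / none / permerror. Only ip4, ip6, include and
    all are implemented; a, mx, exists and redirect are left out (they count towards
    the lookup limit too). `lookups` collects every DNS-querying mechanism so the
    limit is enforced across nested includes, not per record."""
    lookups = [] if lookups is None else lookups
    record = dns.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("include:"):
            lookups.append(mech)
            if len(lookups) > MAX_LOOKUPS:
                return "permerror"
            inner = check_spf(mech[8:], ip, dns, lookups)
            if inner in ("permerror", "none"):  # a broken include breaks the whole record
                return "permerror"
            if inner == "pass":                 # include matches only on an inner pass
                return QUALIFIERS[qualifier]
        elif mech.startswith(("ip4:", "ip6:")):
            if addr in ipaddress.ip_network(mech[4:], strict=False):  # v4/v6 mismatch -> False
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term
```

Pass your own list as `lookups` to see how many DNS-querying mechanisms a record actually consumes; that is the number SPF flattening is meant to keep at or below ten.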

DKIM: Proving The Message Hasn’t Been Tampered With

DKIM (DomainKeys Identified Mail) takes a cryptographic approach.

When your mail server sends an email, it:

  • Creates a digital signature of selected headers and content using a private key

  • Adds that signature to the email headers

  • Publishes the corresponding public key in your DNS

The receiving server then:

  • Fetches your public key from DNS

  • Verifies the signature against the email it received

If it matches, DKIM passes. If the content has been altered or the signature is invalid, DKIM fails.

Why DKIM is important:

  • It proves the email really came from a server authorised by your domain

  • It proves the message hasn’t been tampered with in transit

  • It survives forwarding, unlike SPF

  • It contributes to your domain’s long-term reputation with mailbox providers

This is especially critical for:

  • Transactional emails

  • Receipts and invoices

  • Anything where tampering could cause real-world damage

Again, necessary, but still not the full story.
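As an added example (not from the original post), here is the body-hash half of DKIM verification using only Python's standard library: canonicalize the body, hash it, and compare the result with the bh= tag the signer put in the header. The message, domain and selector are constructed; the RSA signature over the headers (the b= tag) is not verified here.

```python
import base64
import hashlib
import re

def canon_body(body: bytes, mode: str = "simple") -> bytes:
    """Canonicalize a body per RFC 6376 3.4.3 (simple) or 3.4.4 (relaxed)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":  # collapse runs of WSP to one space, drop trailing WSP
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    if not lines:  # empty body hashes as a lone CRLF (simple) or nothing (relaxed)
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body: bytes, mode: str = "simple") -> str:
    """Base64 SHA-256 of the canonicalized body: the value carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(canon_body(body, mode)).digest()).decode()

def dkim_tags(value: str) -> dict:
    """Split a (possibly folded) DKIM-Signature header value into its tag=value pairs."""
    flat = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    pairs = (p.split("=", 1) for p in flat.split(";") if "=" in p)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}

def body_hash_matches(raw: bytes) -> bool:
    """Recompute bh= over the body as delivered and compare it with the signature's
    claim. This is the body tamper check only; verifying b= (the RSA signature over
    the listed headers, with the public key fetched from DNS) is not shown here."""
    head, _, body = raw.partition(b"\r\n\r\n")
    m = re.search(rb"^DKIM-Signature:(.*?)(?=\r\n\S|\Z)", head, re.S | re.M | re.I)
    if not m:
        return False
    tags = dkim_tags(m.group(1).decode())
    canon = tags.get("c", "simple/simple").split("/")  # header/body; body defaults to simple
    return tags.get("bh") == body_hash(body, canon[1] if len(canon) > 1 else "simple")

def constructed_message(body: bytes, mode: str = "relaxed") -> bytes:
    """A sample message (constructed for this example) whose DKIM-Signature carries the
    correct bh= for `body`; d=, s= and b= are placeholders, not a real signature."""
    sig = (f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/{mode}; d=example.com; s=sel1;\r\n"
           f"\th=from:to:subject; bh={body_hash(body, mode)};\r\n\tb=PLACEHOLDER")
    return (f"From: billing@example.com\r\nTo: customer@example.net\r\n"
            f"Subject: Invoice 1042\r\n{sig}\r\n\r\n").encode() + body

if __name__ == "__main__":
    msg = constructed_message(b"Amount due: 100.00 GBP\r\n")
    print(body_hash_matches(msg), body_hash_matches(msg.replace(b"100.00", b"900.00")))
```

Changing the invoice amount in transit makes the check fail, while in relaxed mode a forwarder that adds trailing whitespace does not, which is why relaxed canonicalization is the usual choice.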

DMARC: Policy, Alignment, And Real Control

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is where SPF and DKIM come together.

DMARC does two key things:

  1. Alignment
    It checks whether the domain in the visible From header matches the domain authenticated by SPF or DKIM.
    In other words:

    “Is this email really from the domain it claims to be from, as far as the user can see?”

  2. Policy & Reporting
    You publish a DMARC policy in DNS that tells receivers what to do when checks fail:

    • p=none – monitor only

    • p=quarantine – treat failures as suspicious

    • p=reject – block failures entirely

    DMARC also gets you daily XML reports, sent by the receiving servers, showing:

    • Who is sending email using your domain

    • Whether they’re passing or failing SPF/DKIM

    • What actions receiving servers are taking

Why DMARC is essential:

  • It closes the gap that SPF and DKIM leave open

  • It stops attackers passing SPF with their own domain while spoofing yours in the visible From

  • It gives you visibility into your entire email ecosystem

  • It provides a clear path to enforcement (quarantine/reject)

Major mailbox providers (Google, Microsoft, Yahoo, etc.) now effectively expect DMARC for bulk senders, and many organisations simply won’t trust domains without it.
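An added example, not code from the original post, of the alignment and policy logic a receiver applies once it has the SPF and DKIM results in hand; it reproduces the case above where an attacker passes SPF with their own domain but fails DMARC. The organizational-domain rule is simplified to the last two labels (real receivers use the Public Suffix List), and every domain name is constructed.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a _dmarc.<domain> TXT record such as 'v=DMARC1; p=reject; adkim=s'."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain. Real receivers consult the Public Suffix List; this
    example assumes the last two labels, which is wrong for e.g. .co.uk domains."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) needs the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(record: str, from_domain: str, spf_pass: bool, mail_from_domain: str,
             dkim_pass: bool, dkim_d: str) -> tuple:
    """Return (dmarc_pass, disposition). DMARC passes when at least one of SPF or
    DKIM passes AND that passing identifier aligns with the visible From domain;
    otherwise the record's p= (or sp= for subdomains) decides what receivers do.
    Assumes `record` was published at the organizational domain of `from_domain`."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        return False, tags["sp"]
    return False, tags["p"]
```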

MTA-STS: Encrypting Email In Transit, Properly

Email was invented in a world where encryption wasn’t a priority. TLS for email is now common, but usually opportunistic:

  • “We’ll use TLS if we can. If not, we’ll just send it unencrypted.”

That’s a gift to anyone attempting downgrade or man-in-the-middle attacks.

MTA-STS (Mail Transfer Agent Strict Transport Security) fixes this by letting you publish a policy that says:

“If you’re sending email to my domain, you must use TLS, and here’s what a valid certificate looks like.”

You:

  • Host an MTA-STS policy file on your web server

  • Publish a DNS record pointing to it

  • Set an enforcement mode

Compliant senders then:

  • Fetch and cache your policy

  • Refuse to deliver email to your domain over an unencrypted or invalid TLS connection

Why this matters:

  • It prevents attackers silently downgrading or intercepting email in transit

  • It’s particularly important for sectors like healthcare, finance, and legal

  • It demonstrates a serious commitment to security

Adoption is still growing, but it’s becoming a best practice for any organisation handling sensitive information.
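An added example (not the original post's code) of the sending side of MTA-STS: parse a fetched policy file, match the MX host against the policy's mx patterns, and decide whether delivery may proceed. The policy text and hostnames are constructed; the HTTPS fetch and the STARTTLS handshake are assumed to have already happened, with the handshake's certificate outcome passed in as a flag.

```python
# Constructed policy text for this example, as it would be served at
# https://mta-sts.yourbrand.example/.well-known/mta-sts.txt (not a real domain).
POLICY_TEXT = """\
version: STSv1
mode: enforce
mx: mx1.yourbrand.example
mx: *.backup.yourbrand.example
max_age: 604800
"""

def parse_mta_sts_policy(text: str) -> dict:
    """Parse the key: value policy file (RFC 8461 section 3.2). Every mx line is kept;
    the mode must be enforce, testing or none, and enforce/testing need at least one mx."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key:
            policy[key] = value
    if policy.get("version") != "STSv1" or policy.get("mode") not in ("enforce", "testing", "none"):
        raise ValueError("malformed MTA-STS policy")
    if policy["mode"] != "none" and not policy["mx"]:
        raise ValueError("enforce/testing policies must list at least one mx")
    return policy

def mx_matches(pattern: str, host: str) -> bool:
    """RFC 8461 section 4.1: a leading '*.' matches exactly one leftmost label, so
    '*.backup.yourbrand.example' accepts mx2.backup.yourbrand.example but not a.b.backup..."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # ".backup.yourbrand.example"
        return host.endswith(suffix) and "." not in host[: -len(suffix)]
    return host == pattern

def delivery_allowed(policy: dict, mx_host: str, tls_cert_valid: bool) -> bool:
    """Sending-side decision for one MX host. In enforce mode the message is held back
    (queued, never downgraded to plaintext) unless the MX is listed in the policy and
    STARTTLS produced a certificate valid for that MX name. In testing/none modes the
    sender delivers anyway and only reports the failure (via TLS-RPT, if configured)."""
    if policy["mode"] != "enforce":
        return True
    return tls_cert_valid and any(mx_matches(p, mx_host) for p in policy["mx"])
```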

BIMI: Security With A Branding Bonus

BIMI (Brand Indicators for Message Identification) is the visible reward for doing all of the above properly.

Once you have DMARC at enforcement (quarantine or reject), BIMI lets you display your brand logo next to your emails in supported inboxes.

You:

  • Publish a BIMI record in DNS pointing to your logo (in a very specific SVG format)

  • Optionally obtain a Verified Mark Certificate (VMC) from an authorised certificate authority

Mailbox providers that support BIMI then:

  • Check your DMARC policy and authentication

  • Retrieve your logo

  • Display it in the inbox, sometimes with additional verification indicators if you have a VMC

Why BIMI is useful:

  • Users can visually confirm that an email is genuinely from your brand

  • It makes phishing harder, even for attackers who manage to pass basic checks

  • It improves recognition, trust, and engagement

  • From a defensive standpoint, it forces you to have strong DMARC in place

In other words: BIMI is the carrot that encourages good security hygiene.

Putting It Together: A Modern Email Security Stack

When you combine these technologies, you get a robust framework:

  • SPF & DKIM – Authenticate that emails are from authorised sources and haven’t been tampered with

  • DMARC – Enforce policy, require alignment, and gain visibility

  • MTA-STS – Encrypt email in transit and prevent downgrade attacks

  • BIMI – Reward proper implementation with brand visibility and user trust

For senders, this protects your brand, improves deliverability, and reduces successful impersonation.
For receivers, it’s a powerful filter against phishing and spoofing.

In practice, this is now the baseline expectation for any serious organisation. And major mailbox providers have moved from “nice to have” to “mandatory” for many use cases.

The Problem: Doing This Properly Is Hard

All of this sounds great in theory. In reality, most organisations run into the same issues:

  • Technical complexity

    • SPF syntax is unforgiving

    • DKIM needs key management and DNS changes

    • DMARC reports arrive as machine-readable XML by the thousand

  • Discovery

    • You often don’t know all the services sending email on your behalf

    • Marketing platforms, CRMs, support desks, HR tools, billing systems… they all send email

  • Risk of breaking email

    • Move too fast to enforcement and you can block legitimate email

    • Move too slowly and you stay exposed

  • Ongoing change

    • Your email ecosystem isn’t static; vendors and tools change constantly

  • Lack of visibility

    • Without the right tooling, you’re effectively blind

That’s why we run this as a managed service, using EasyDMARC as the platform and layering our consultancy and IT expertise on top.

How We Help: Managed Email Authentication With EasyDMARC

We partner with EasyDMARC to deliver enterprise-grade email authentication without you having to live in DNS and XML.

1. Discovery & Assessment

We start by:

  • Implementing DMARC in monitoring mode (p=none) via EasyDMARC

  • Letting the data flow for a few weeks

This gives us a clear view of:

  • Every service sending email on your behalf

  • SPF/DKIM pass and fail rates

  • Potential spoofing or phishing attempts

  • Geographic distribution of senders

  • Volume patterns and anomalies

EasyDMARC turns those raw XML reports into dashboards and charts we can actually work with. We then sit down with you to:

  • Identify all legitimate sources

  • Flag unauthorised senders

  • Prioritise what needs fixing first
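As an added example rather than EasyDMARC's own code, here is a minimal version of what such a dashboard computes from one aggregate report: per source IP, the messages seen, how many the receiver counted as DMARC-pass, and which domains actually authenticated. The report, IPs and domains are all constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (rua) report in the RFC 7489 Appendix C schema; not a real report.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>mailbox-provider.example</org_name>
    <report_id>12345</report_id></report_metadata>
  <policy_published><domain>yourbrand.example</domain><p>none</p></policy_published>
  <record><row><source_ip>203.0.113.7</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated></row>
    <identifiers><header_from>yourbrand.example</header_from></identifiers>
    <auth_results><dkim><domain>yourbrand.example</domain><result>pass</result></dkim>
      <spf><domain>yourbrand.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record><row><source_ip>198.51.100.10</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated></row>
    <identifiers><header_from>yourbrand.example</header_from></identifiers>
    <auth_results><spf><domain>crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record><row><source_ip>192.0.2.66</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated></row>
    <identifiers><header_from>yourbrand.example</header_from></identifiers>
    <auth_results><spf><domain>yourbrand.example</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""

def summarize(report_xml: str) -> dict:
    """Aggregate a report per source IP: messages seen, how many the receiver counted
    as DMARC-pass (aligned SPF or DKIM), and which domains authenticated. In the
    sample, 198.51.100.10 is a vendor passing SPF for its own domain but not aligned
    with the From domain (fix: have it DKIM-sign as yourbrand.example), while
    192.0.2.66 authenticates nothing and is a candidate unauthorised sender."""
    root = ET.fromstring(report_xml)
    out = {"domain": root.findtext("policy_published/domain"),
           "policy": root.findtext("policy_published/p"), "sources": {}}
    for rec in root.iter("record"):
        ip, n = rec.findtext("row/source_ip"), int(rec.findtext("row/count"))
        ev = rec.find("row/policy_evaluated")
        passed = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        src = out["sources"].setdefault(ip, {"messages": 0, "dmarc_pass": 0, "auth_domains": set()})
        src["messages"] += n
        src["dmarc_pass"] += n if passed else 0
        for auth in rec.findall("auth_results/*"):
            src["auth_domains"].add(f"{auth.tag}:{auth.findtext('domain')}")
    return out
```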

2. Implementation & Configuration

Once we understand your landscape, we handle the heavy lifting:

  • SPF optimisation

    • Build and maintain your SPF records

    • Manage the 10-DNS-lookup limit

    • Implement SPF flattening where needed

    • Handle include statements for all your services

  • DKIM setup

    • Generate key pairs

    • Configure your mail servers and third-party tools

    • Publish DKIM records in DNS

    • Verify signatures and fix failures

  • DMARC policy management

    • Start in monitoring mode

    • Gradually move to quarantine

    • Then to reject, with testing at each stage

  • MTA-STS deployment

    • Create and host your MTA-STS policy file

    • Configure DNS records

    • Monitor for enforcement issues

  • BIMI preparation (where appropriate)

    • Prepare logo files to spec

    • Coordinate VMC acquisition if needed

    • Publish BIMI records and test

EasyDMARC’s workflows reduce the risk of human error and give us a structured way to move you safely to full enforcement.

3. Ongoing Monitoring & Management

Email authentication is not a “set and forget” project.

We provide:

  • Daily monitoring via EasyDMARC

  • Threat detection for spoofing and unauthorised senders

  • Policy updates as you add or change email services

  • Compliance tracking against Google, Microsoft, Yahoo and others

  • Performance optimisation to improve inbox placement and domain reputation

EasyDMARC alerts us in real time when something changes—new senders, spikes in failures, misconfigurations—and we act before it becomes a business problem.

4. Reporting & Insights

You don’t need to read XML or stare at DNS records.

We translate the technical detail into:

  • Monthly security and deliverability summaries

  • Clear metrics on how your emails are performing

  • Compliance status versus current requirements

  • Trend analysis on domain health and threat activity

You get executive-friendly reporting; we handle the technical noise underneath.

Why This Combination Works

EasyDMARC provides the platform:

  • Aggregation and analysis of DMARC reports

  • Intuitive dashboards and visualisations

  • Automated SPF flattening and management tools

  • Multi-domain support for groups and multi-brand organisations

  • Integrations with major email providers

  • Compliance and audit-friendly reporting

We provide the expertise and management:

  • Deep understanding of your specific infrastructure and business context

  • Strategic guidance on when and how to enforce policies

  • Rapid response when something breaks or changes

  • Integration with your wider IT and security strategy

  • A single accountable partner instead of juggling multiple vendors

You get the benefits of a specialist email security team, without having to build one internally.

The Business Case

Done properly, managed email authentication delivers:

  • Security

    • Protection against phishing and spoofing using your domain

    • Reduced risk of brand damage and legal exposure

  • Deliverability

    • Better inbox placement

    • Fewer legitimate emails disappearing into spam

  • Compliance

    • Alignment with mailbox provider requirements (now mandatory for bulk senders)

    • A solid foundation for sector-specific regulations

  • Visibility

    • Clarity on who is sending email on your behalf

    • Early detection of abuse or misconfiguration

  • Efficiency

    • Your internal IT team isn’t stuck debugging SPF and DMARC

    • You still get expert oversight and continuous improvement

  • Brand protection

    • BIMI implementation where appropriate

    • Stronger recognition and trust in the inbox

The cost of not doing this properly—lost emails, successful phishing, reputational damage—is almost always higher than the investment in getting it right.

Typical Engagement Timeline

A typical engagement looks like this:

Month 1 – Discovery & Assessment

  • DMARC monitoring implemented

  • 2–4 weeks of data collection

  • Full ecosystem analysis

  • Recommendations and roadmap

Months 2–3 – Implementation

  • SPF and DKIM configuration and optimisation

  • Third-party service authentication

  • Gradual DMARC enforcement (none → quarantine → reject)

  • MTA-STS and BIMI (where appropriate)

  • Testing and validation

Month 4 onwards – Managed Operations

  • Continuous monitoring and maintenance

  • Quarterly strategy reviews

  • Policy adjustments as your environment evolves

  • Threat response and mitigation

Pricing & Next Steps

We offer this as a managed service with clear, transparent pricing:

  • Setup & Implementation – One-off project fee based on domain complexity and number of sending systems

  • Ongoing Management – Monthly retainer for monitoring, maintenance, and support

  • EasyDMARC Platform – We handle the subscription; it’s wrapped into your managed service

For organisations with multiple domains or more complex environments, we tailor the engagement to fit.

If you’re:

  • Worried about email security

  • Struggling with deliverability

  • Or simply aware that Google, Microsoft, and others are tightening requirements

…it’s worth having a conversation.

We’ll:

  1. Review your current email authentication status

  2. Assess your risk and exposure

  3. Map out a clear implementation plan

  4. Outline timeline and investment

Check your domain(s) with our domain scanner.

You can get in touch here:
https://www.wickedsick.com/contact

As your IT consultancy partner, our job is to translate all of this technical complexity into predictable, reliable business outcomes—and to make sure your email does what it’s supposed to do: quietly work in the background, securely and reliably.
