Valimail Master Glossary

Use this glossary to get clear, plain definitions of email authentication, deliverability, and brand protection terms. It is written for IT managers, email infrastructure teams, and CISOs.

This resource covers SPF, DKIM, DMARC, BIMI, ARC, MTA STS, TLS reporting, and related practices. Scan for quick answers and share with colleagues who want a practical reference.

5321.MailFrom: The SMTP envelope sender used for SPF checks. Often not visible to end users. Also called the return path or bounce address. Align it with your 5322.From domain for DMARC.

5322.From: The human visible From domain used for DMARC alignment. DMARC evaluates whether SPF or DKIM align with this domain.

Account Takeover Email Tactic: Messages sent from compromised accounts that appear legitimate. DMARC helps limit spoofing of your domains. Continuous enforcement combined with identity controls reduces risk.

Address Alignment: See Authentication Alignment.

Adkim: DMARC tag that sets DKIM alignment mode, either relaxed or strict.

Aspf: DMARC tag that sets SPF alignment mode, either relaxed or strict.

ARC, Authenticated Received Chain: Protocol that preserves authentication results when email is forwarded through intermediaries such as mailing lists or gateways. ARC helps deliver legitimate forwarded mail that would otherwise fail DMARC.

ARC Chain: The linked set of ARC signatures added by each hop. Includes ARC Seals and ARC Authentication Results.

ARC Authentication Results: An ARC header that records the authentication status seen by an intermediate system.

ARC Message Signature: An ARC header that signs the message content and headers as seen by an intermediate system.

ARC Seal: An ARC header that signs the ARC set itself, creating the chain of custody.

Authentication Alignment: A DMARC requirement where the 5322.From domain matches or aligns with the domains evaluated by SPF and DKIM. Valimail automation maintains alignment for every authorized sender so you can reach and sustain enforcement.

Authentication Failure, fail softfail neutral: Outcomes of SPF or DKIM checks. Fail means the sender is not authorized, softfail indicates probable unauthorized use, neutral indicates no explicit policy.

Authentication Lifecycle Management: Continuous monitoring, validation, and updates to DNS and sender authorizations to keep domains at enforcement over time. Central to Valimail’s approach.

BIMI, Brand Indicators for Message Identification: Standard that allows verified brand logos to display in inboxes when DMARC is at enforcement and other requirements are met. Valimail Amplify streamlines the entire BIMI process including certificates and logo configuration.

BIMI Common Mark Certificate, CMC: Optional certificate that attests logo ownership for providers that support CMC. Managed by Amplify where applicable.

BIMI Selector: Label that allows multiple BIMI logos per domain, useful for different brands or campaigns.

BIMI Verified Mark Certificate, VMC: Certificate required by many mailbox providers to display logos under BIMI. Amplify helps procure and manage VMCs at scale.

Blocklist: List of IPs or domains associated with abuse. Poor authentication or compromised services can land senders on blocklists and harm deliverability.

Bounce Code: SMTP status code returned on delivery failure. Common examples include 550 for rejection and 421 for temporary issues.

Brand Abuse: Use of your brand in fraudulent email, including exact domain spoofing and cousin domain lookalikes. Achieving DMARC enforcement with Valimail Enforce stops exact domain spoofing and reduces downstream abuse.

Brand Protection, Domain Protection: Preventing unauthorized use of domains in phishing or spoofing. Valimail Enforce automates discovery, authorization, and policy to protect brand reputation and inbox placement.

Certificate Authority, CA: Organization that issues VMC or CMC for BIMI. Amplify coordinates with CAs and validates logo ownership.

CNAME: DNS record that points a name to another domain. Often used to delegate DKIM selectors or host BIMI and MTA STS policy files.

Compliance, Google and Yahoo Sender Requirements: Modern mailbox provider rules that require authentication, low complaint rates, and consistent alignment. Valimail Align accelerates compliance readiness and validates settings continuously.

Cousin Domain Spoofing: Attacks that use lookalike domains, for example substituting characters or adding words. Monitoring related domains and registering high risk lookalikes reduces exposure.

Deliverability: The rate at which legitimate email reaches inboxes. Proper SPF, DKIM, and DMARC, plus stable enforcement, are major drivers of deliverability.

Deliverability Health Score: Composite indicator of authentication success, spam complaints, and inbox placement. Use it to track the impact of DMARC work over time.

Disposition, DMARC: The action a receiver applies to non authenticating messages, for example none, quarantine, or reject.

Display Name Spoofing: Fraud tactic that sets a familiar display name with a fraudulent address. DMARC and user awareness together reduce risk.

DKIM, DomainKeys Identified Mail: Uses cryptographic signatures in email headers to verify that an authorized system sent the message and that it was not altered. Valimail helps configure and rotate DKIM keys safely.

DKIM Canonicalization: The method that defines how message headers and body are normalized before signing, for example relaxed or simple.

DKIM Key Rotation: Regularly replacing DKIM keys to maintain security. Valimail helps schedule and automate safe rotation.

DKIM Selector: A label in DNS that allows multiple DKIM keys per domain. Often formatted as selector._domainkey.example.com.

DMARC, Domain based Message Authentication Reporting and Conformance: Policy layer that builds on SPF and DKIM. Domain owners publish a DMARC record that tells receivers how to handle non authenticating messages and where to send reports. Valimail Enforce gets organizations to enforcement quickly and keeps them there with automation.

DMARC Aggregate Report, RUA: Machine readable XML reports that summarize authentication results by source. Valimail analyzes these reports to identify legitimate and unauthorized senders automatically.

DMARC Forensic Report, RUF: Message specific failure reports sent by some providers when authentication fails. Useful for investigation and triage.

DMARC Policy: The p tag in a DMARC record that instructs receivers to take none, quarantine, or reject action for messages that fail alignment.

DMARC Policy Alignment Mode: Relaxed or strict alignment settings for SPF and DKIM. Relaxed allows subdomain matches, strict requires exact matches. Valimail helps tune alignment to balance protection and flexibility.

DMARC Reporting Tags: RUA and RUF addresses, report format and interval tags such as rf and ri, failure options with fo, and subdomain policy sp.

DMARC Tags, adkim aspf pct p sp rua ruf fo ri rf: Key tags used to configure a DMARC record. Valimail surfaces and validates these settings in product so changes are safe and auditable.

DNS, Domain Name System: The system that stores authentication records such as SPF, DKIM, DMARC, BIMI, and MTA STS. Valimail’s platform publishes and validates required records without error prone manual edits.

DNS Propagation: The time it takes for DNS changes to spread globally. Valimail verifies propagation and guards against configuration drift.

DNS TXT Record: Record type used to publish SPF, DMARC, DKIM selectors, BIMI, and other policy information.

DANE for SMTP: DNS based Authentication of Named Entities that can protect TLS for SMTP using DNSSEC. Complements MTA STS.

Domain Checker: Valimail free tool that reports current DMARC status and authentication posture for a domain. Useful for initial assessments.

Domain Visibility: The ability to see all domains and subdomains sending as your brand, including third party SaaS and cloud services. Valimail provides a global view of all senders and their authentication status.

EFOS, Exact From Domain Spoofing: Attacks that forge your exact 5322.From domain. DMARC at reject blocks this tactic for participating receivers.

Email Authentication: The process of verifying that an email message genuinely comes from the domain it claims. Authentication relies on SPF, DKIM, and DMARC. Valimail automates these controls at scale.

Email Ecosystem: The network of sending platforms, DNS records, and policies that make up your outbound email infrastructure. Visibility and control across this ecosystem are essential for enforcement.

Email Fraud, Phishing, Brand Abuse: Attempts to impersonate trusted senders in order to steal data or money. Valimail Enforce eliminates exact domain spoofing and reduces account compromise fallout by raising trust in your domain.

Email Service Provider, ESP: Third party platforms that send email on your behalf, for example marketing automation, CRM, ticketing, or HR systems. ESPs must be authorized under SPF and DKIM.

Enforce, Valimail Enforce: Valimail flagship automation platform that discovers senders, authorizes them, publishes DNS records safely, and brings domains to continuous DMARC enforcement without risky manual DNS changes.

Enforcement Policy, p tag: The setting in a DMARC record that tells receivers what to do with messages that fail authentication. Reject blocks delivery, quarantine places messages in spam folders.

Exact Domain Spoofing: See EFOS.

Feedback Loop, FBL: Reports from mailbox providers when users mark messages as spam. Use FBLs to diagnose reputation issues.

Flattening, SPF Flattening: Practice of expanding includes into literal IPs in SPF to reduce lookups. Risky, brittle, and unnecessary when using Valimail Instant SPF which removes lookup limits and stays current automatically.

Forwarding: Mail that is resent to another address after initial receipt. Forwarding often breaks SPF. DKIM or ARC help preserve authentication.

HELO or EHLO Identity: The SMTP client identity presented during connection. See also SPF HELO checks.

Hosted DKIM: Publishing and managing DKIM keys through a provider rather than directly in your DNS. Valimail hosts selector keys and automates rotation.

Hosted DMARC: Managing the DMARC record through a provider that validates syntax and safely updates policy and reporting. Valimail hosts and manages DMARC to reduce risk.

Hosted SPF: Managing SPF records through a provider that returns dynamic responses to stay under protocol limits. Valimail Instant SPF provides targeted SPF responses per sender in real time.

ISP or Mailbox Provider Requirements: Rules from providers like Google and Yahoo that require authentication, low complaint rates, and valid list management behaviors. Valimail Align ensures your settings are correct and monitored.

Instant SPF: Valimail patented SPF technology that removes the 10 lookup limit and serves per sender responses in real time, without manual flattening or risky edits.

Listserv or Mailing List: A system that redistributes messages to subscribers. Mailing lists often modify messages in ways that break DKIM or SPF, which ARC helps address.

Managed Service vs Automation: Manual DMARC services rely on analysis and hand edited DNS. Valimail replaces these steps with automation that is faster and less error prone.

MTA, Mail Transfer Agent: Software that transports email between servers, for example Postfix or Exchange Online Protection.

MTA STS: SMTP MTA Strict Transport Security. A policy that requires TLS encryption for SMTP and provides a way to publish policy via DNS and HTTPS. Complements DMARC by protecting mail in transit.

Neutral, DMARC: A non authoritative authentication result indicating no policy was applied.

Percent Tag, pct: DMARC tag that applies policy to a percentage of messages. Useful for phased rollouts.

Precision Sender Intelligence: Valimail capability that identifies sending services by name and maps millions of IPs to known platforms. One click authorization simplifies onboarding and lifecycle changes.

PTR or rDNS: Reverse DNS pointer records. Some receivers check for valid PTR as a signal of legitimacy.

Quarantine: DMARC disposition that delivers non authenticating messages to spam or junk folders.

Reject: DMARC disposition that rejects non authenticating messages at SMTP time.

Reporting and Analytics Dashboard: Valimail real time interface that visualizes DMARC report data, authentication rates, failures, and newly discovered services so teams can make quick decisions.

Return Path: See 5321.MailFrom.

RUA: See DMARC Aggregate Report.

RUF: See DMARC Forensic Report.

Sender Rewriting Scheme, SRS: Method used by forwarders to rewrite 5321.MailFrom so SPF can pass after forwarding.

Sender Score or Reputation: Aggregate measurement used by mailbox providers and filtering systems. Authentication success and low complaints improve reputation.

Sender Verification: See Email Authentication.

Service Library, Sender Intelligence: Valimail database that maps known sending services and IP ranges, enabling fast classification of legitimate and suspicious sources.

Service Wide Authentication Policy: A unified policy governing all domains, subdomains, and senders in an organization. Valimail centralizes visibility and control to enforce policy consistently.

Shadow IT Email Streams: Unauthorized or unmanaged services that send using a company domain. Valimail detects and classifies these automatically so they can be removed or authorized.

Side channel Spoofing: Use of display name or reply to tricks that do not rely on domain spoofing. Security education and vigilant review help mitigate this.

SMTP: Simple Mail Transfer Protocol, the standard for sending email. SPF and DKIM operate in the SMTP ecosystem.

SPF, Sender Policy Framework: DNS based protocol that lets domain owners publish authorized sending hosts. Receivers check the client IP against the domain’s SPF policy. Valimail Instant SPF removes protocol limits and automates maintenance.

SPF 10 Lookup Limit: SPF evaluation stops after 10 DNS mechanisms or modifiers that require lookups. Instant SPF eliminates this constraint by serving targeted responses.

SPF Include Mechanism: A directive in SPF that imports another domain’s SPF policy. Overuse can hit lookup limits.

SPF Macros: Advanced SPF feature used by Valimail to return per sender responses that stay within protocol limits while hiding internal details.

SPF Mechanisms and Qualifiers: Common mechanisms include ip4, ip6, a, mx, ptr, include, exists. Qualifiers include plus for pass, minus for fail, tilde for softfail, question for neutral.

Spoof Detection Alerts: Notifications generated when unauthorized sources attempt to use a domain. Valimail visualizes these threats for rapid response.

TLS Reporting, TLS RPT: A reporting standard that provides feedback on email transport security, often deployed with MTA STS.

Trust Center: Central location for Valimail certifications and security posture including SOC 2 and FedRAMP.

Unlimited SPF Lookups: See Instant SPF. Describes Valimail ability to support any number of authorized senders without hitting SPF limits.

Valimail Align: Product that prepares and maintains compliance with mailbox provider authentication requirements and accelerates readiness for enforcement.

Valimail Amplify: Product that delivers end to end BIMI, including certificate management and single click logo configuration across domains.

Valimail Enforce: Product that automates discovery, authorization, DNS updates, and policy application to achieve and maintain DMARC enforcement.

Valimail Monitor: Free visibility product that uncovers all email sources, unauthorized senders, and authentication failures across domains.

VMC, Verified Mark Certificate: See BIMI Verified Mark Certificate.

Zero Trust Email Security: Security model that assumes no message is inherently trustworthy. Authentication and alignment gates are applied to every message, inbound and outbound. Valimail operationalizes a zero trust approach for email authentication.

Auto Discovery of Senders: Automated detection of all services sending for a domain, including unknown or shadow IT sources. Valimail identifies these platforms and classifies them so you can authorize or block them quickly.

Continuous DMARC Enforcement: Sustaining p=reject or p=quarantine without slipping back to monitoring only. Valimail automation keeps domains at enforcement as senders change over time.

DMARC Reports: The collective term for RUA aggregate and RUF forensic reports that provide authentication telemetry. Valimail ingests and analyzes both to drive safe authorization and rapid triage.

DNS Record Management: Creating and updating SPF, DKIM, DMARC, BIMI, and related DNS records with correct syntax and hosting. Valimail validates and publishes records safely to avoid outages.

Email Deliverability: The measure of how many legitimate messages reach recipients’ inboxes. Strong authentication and stable enforcement improve deliverability and reputation. See also Deliverability.

FedRAMP Authorization: The U.S. Federal Risk and Authorization Management Program standard for cloud security. Valimail’s compliance reflects audited controls suitable for government environments.

Onboarding and Migration: The process of moving from manual management or another vendor to Valimail’s automated platform. Typical steps include data import, sender authorization, and policy automation with minimal disruption.

Subdomain Policy, sp: A DMARC tag that sets enforcement for subdomains separately from the organizational domain. Useful during phased rollouts.

Third Party Sending Services: External platforms such as Salesforce, Zendesk, Mailchimp, or HubSpot that send using your domain. These services must be authorized via SPF and DKIM to maintain alignment and compliance.

Appendix, Common DMARC Tags and Examples

Example tags you will see in a DMARC record:

p=reject, sp=quarantine, pct=100, adkim=s, aspf=r, rua=mailto:dmarc@example.com, ruf=mailto:forensic@example.com, fo=1, ri=86400, rf=afrf.

Use Valimail to publish, validate, and roll out changes safely while maintaining alignment and sender continuity.