Red Sift’s email protocol configuration guide

In a pre-DMARC era, SPF records commonly used the "-all" mechanism to strictly enforce sender policies. However, current industry guidance in 2026 favours "~all" to balance security and deliverability, avoiding unnecessary rejection of valid emails that might fail SPF but pass DKIM and DMARC.

This is because "~all" when implemented in combination with DMARC (at p=reject) will still reject unauthenticated mail if SPF and DKIM fail, but does not block legitimate mail, thus enhancing overall email deliverability.

The DMARC specification (RFC 7489) states that a "-" prefix on a sender's SPF mechanism, such as "-all", could cause rejection to go into effect early in handling, causing message rejection before any DMARC processing takes place. Use "-all" for inactive, non-email sending domains only (domains that send no emails at all). DMARC ignores the nuances of soft fail and hard fail in SPF configuration, treating them as SPF failures.

DMARC does not only require SPF or DKIM to PASS but it also requires at least one of the domains used by SPF or DKIM to align with the domain found in the From header. Proper alignment is critical for email deliverability in 2026, as major inbox providers enforce these requirements.

In the case of SPF, identifier alignment means that the MAIL FROM/Return-PATH check has to PASS and also the domain portion of the MAIL FROM/Return-PATH has to align with the domain found in the From address. In strict alignment, the domains have to match exactly, whereas in relaxed alignment subdomains are also allowed as long as they come from the same organisational domain.

For example, if MAIL-FROM/RETURN-PATH is @ondmarc.com and From header is @knowledge.ondmarc.com, in strict alignment they are not aligned. However, in relaxed alignment mode, DMARC would pass.

A DMARC aggregate report contains information about the authentication status of messages sent on behalf of a domain. It is an XML feedback report designed to provide visibility into emails that passed or failed SPF and DKIM. The report provides domain owners with precise insight into which sources are sending on your behalf and the disposition of those emails (the policy that was applied by the receiver).

Recipients will look at the 'rua' tag of your DMARC record and send reports there. You can specify the aggregate reporting interval by using the ri tag in your DMARC record (by default, this is set to 86400 seconds which equates to 24 hours). Forensic reports contain more detailed information about individual authentication failures. Any personally identifiable information (PII) is removed, but information that will help in troubleshooting the DMARC failure is included, such as SPF and DKIM header failure information, the entire From address, and the Subject of the email.

The address to receive Forensic DMARC reports is specified by the 'ruf' tag in your DMARC record. Not all receiving systems support sending forensic reports. Red Sift OnDMARC is one of the only DMARC applications on the market that receives forensic reports thanks to its partnership with Yahoo.

An SPF macro refers to a mechanism used in SPF records to define reusable sets of IP addresses. SPF macros enhance the flexibility and maintainability of SPF records by allowing you to define complex sets of IP addresses in a single mechanism, which can then be referenced within multiple SPF records. For example, instead of listing individual IP addresses for each authorised email server, you can define a macro like "%{i}" which calls the sender IP of the email. Managing SPF this way allows you to control a large list of IPs without hitting the SPF lookup limit, and also obscures which IPs you approve for public querying.

However, depending on how the SPF record with macros is structured, the lack of macro expansion could result in SPF failures or 'Neutral' results (denoted by the ?all mechanism). If SPF macros play a critical role in authorising legitimate sending servers, emails might be more likely to fail SPF checks or be marked as suspicious by email receivers that rely on SPF for authentication.

Mail Transfer Agent Strict Transport Security (MTA-STS) is a standard that enables the encryption of messages being sent between two mail servers. It specifies to sending servers that emails can only be sent over a Transport Layer Security (TLS) encrypted connection which prevents emails from being intercepted by cybercriminals.

MTA-STS adoption has grown significantly, with organisations in 2026 recognising transport layer security as essential for protecting email in transit. For receiving domains to enable MTA-STS, they must announce that they support MTA-STS in their DNS and publish a policy configuration file on their website.

Activating MTA-STS must be done carefully to mitigate blocking emails from being delivered. MTA-STS should first be deployed in testing mode, allowing time for TLS reports to provide insight into any errors that need fixing before progressing to the final enforce stage. This phased approach will likely become standard practice in 2026 for organisations implementing transport security.

SMTP TLS Reporting (or TLS-RPT for short) enables reporting of TLS connectivity problems experienced by the sending MTAs and is defined in RFC8460. Much like DMARC, TLS-RPT relies on emailed reports to notify domain owners when delivery fails due to TLS issues. These reports include detected MTA-STS policies, traffic statistics, unsuccessful connections, and failure reasons.

With Red Sift OnDMARC's MTA-STS feature, you don't need to worry about complex deployment. Simply add the MTA-STS Smart Records OnDMARC provides to your DNS and Red Sift does all the hard work such as hosting the MTA-STS policy file, maintaining the SSL certificate, and flagging any policy violation through the TLS report. Modern DMARC platforms in 2026 increasingly include hosted MTA-STS as a standard feature, simplifying transport security deployment.

Published under RFC 7671, DANE (DNS-based Authentication of Named Entities) introduces a new Internet standard for setting up TLS communication between a client and a server, without having to rely on trusted Certificate Authorities (CAs).

The traditional CA model TLS has depended on allows any CA to issue a certificate for any domain. DANE does things differently by relying on the DNSSEC infrastructure (Domain Name System Security Extensions) to bind a domain name to a certificate. DANE makes use of the already existing DNSSEC protocol to make sure the data it receives is authentic and has not been tampered with.

DANE also introduces a new DNS RR type called TLSA which helps to signal to the client that a server supports TLS. The recommendation is to implement both MTA-STS and DANE. DANE is a requirement from many governments, so public agencies in the EU are often required to implement it.

DANE and MTA-STS help only if the sender supports it, however, many senders only support one or the other so implementing both improves security overall. Organisations in 2026 often deploy MTA-STS first for broader compatibility, then add DANE for enhanced security where required.

The subdomain policy allows domain administrators to protect different domains and subdomains based on how far they are along the DMARC journey. For example, if all your email-sending services sending emails on behalf of your top-level domain are fully configured with SPF and DKIM, that means that you can protect your top-level domain with a DMARC policy of p=reject whilst keeping the subdomains in p=none, and vice versa.

Also, if you have an email-sending service that is non-DMARC compliant (does not support SPF or DKIM), you may decide to assign a subdomain to it and have that subdomain in a different DMARC policy, without preventing you from protecting your other domains. This allows you to split the traffic across different subdomains and protect each one separately.