Glossary

A reference guide to email authentication terminology used throughout Sentura and the wider industry.

A

Aggregate report (RUA)
A daily XML report sent by receiving mail providers to your rua= mailbox. Contains a summary of all messages received claiming to be from your domain — who sent them, from which IP addresses, and whether they passed or failed authentication. Sentura automatically parses these reports.

Alignment
The requirement that the domain authenticated by SPF or DKIM matches the domain in the visible From: header. DMARC requires alignment — passing SPF or DKIM alone isn't enough if the authenticated domain doesn't match. There are two alignment modes: relaxed (subdomains are allowed) and strict (exact match required).

~all vs -all
The mechanism at the end of an SPF record that handles senders not listed in the record. ~all is a softfail — mark as suspicious but deliver. -all is a hardfail — reject. In practice, DMARC policy overrides this for DMARC-enabled domains, so ~all is generally recommended.

B

BIMI (Brand Indicators for Message Identification)
An emerging standard that allows organisations to display their logo in supporting email clients (Gmail, Apple Mail, Yahoo) once they've reached p=quarantine or p=reject. Requires a Verified Mark Certificate (VMC) from a CA.

Blacklist / DNSBL
A list of IP addresses or domains known to send spam. Mail from blacklisted IPs is often blocked or filtered. Sentura checks your sending IPs against major blacklists including Spamhaus ZEN and SpamCop.

C

CNAME record
A DNS record type that points one hostname to another. Many email services use CNAME records for DKIM setup — you create a CNAME at selector._domainkey.yourdomain.com pointing to a record the service manages.

D

DKIM (DomainKeys Identified Mail)
A method of cryptographically signing outgoing email using a private key held by the sending service. The matching public key is published in DNS. Receiving servers verify the signature to confirm the message genuinely came from the domain and wasn't modified in transit. See What is DKIM?

DMARC (Domain-based Message Authentication, Reporting, and Conformance)
The overarching framework that uses SPF and DKIM results to make a policy decision about incoming messages. Published as a TXT record at _dmarc.yourdomain.com. See What is DMARC?

DNS (Domain Name System)
The system that translates domain names into IP addresses and stores records like SPF, DKIM, DMARC, and MX. Changes to DNS records propagate across the internet over minutes to hours.

DNSBL
See Blacklist.

E

Enforcement
The state where your DMARC policy is set to p=quarantine or p=reject, meaning failing messages are actively filtered or blocked rather than just monitored.

Envelope sender
The technical MAIL FROM address used in the SMTP handshake — distinct from the visible From: address in the email client. SPF checks the envelope sender domain. DMARC alignment requires the envelope sender domain (or the DKIM signing domain) to match the From: domain.

F

Flattened SPF
An SPF record where all include: directives have been replaced with the actual IP ranges they resolve to. Uses only one DNS lookup regardless of how many services are covered. Necessary when the standard SPF record exceeds the 10-lookup limit.

Forensic report (RUF)
A per-message failure report sent to the ruf= address when an individual message fails DMARC. Less commonly supported by receivers than aggregate reports, and raises privacy considerations. Sentura uses aggregate (RUA) reports.

H

Header from
The From: address visible to the email recipient in their mail client. DMARC alignment checks whether the authenticated domain matches the header from domain.

M

MTA-STS (Mail Transfer Agent Strict Transport Security)
A standard that tells sending mail servers to always use TLS (encryption) when delivering to your domain, and to reject delivery if TLS isn't available. Prevents downgrade attacks. Published as a TXT record at _mta-sts.yourdomain.com and a policy file at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt.

MX record
A DNS record that specifies which mail server accepts email for your domain. Without MX records, no one can send email to your domain.

P

pct tag
An optional DMARC tag that applies your policy to only a percentage of failing messages. pct=10 means 10% of failing messages receive the policy treatment. Used for gradual rollout when moving to quarantine or reject.

permerror
An SPF evaluation result meaning the SPF record is malformed or the 10-lookup limit was exceeded. Receivers typically treat permerror as a fail for DMARC purposes.

Policy
The DMARC p= tag. Options: none (monitor only), quarantine (send to spam), reject (block entirely).

Provider catalog
Sentura's database of known email service providers, their sending IP ranges, DKIM selectors, and SPF includes. Used for automatic sender classification.

R

Readiness score
Sentura's per-domain metric indicating how prepared a domain is to move to DMARC enforcement. Calculated from pass rate, number of unclassified senders, and presence of unauthorised senders.

Relay
A mail server that forwards messages from one server to another. Internal relays (printers, scanners, on-premises applications) often cause SPF failures because their IP addresses aren't in the SPF record.

rua= tag
The DMARC tag specifying where aggregate reports should be sent. Format: rua=mailto:[email protected]. Sentura polls this mailbox via Microsoft Graph API.

S

Selector
The identifier used to locate a DKIM public key in DNS. Published at selector._domainkey.yourdomain.com. Different services use different selectors — Microsoft 365 uses selector1 and selector2, Mailchimp uses k1.

Source IP
The IP address of the server that sent a message. Each unique source IP in your DMARC reports represents a potential sender that needs to be identified and classified.

SPF (Sender Policy Framework)
A DNS record that lists which IP addresses and mail servers are authorised to send email on behalf of your domain. See What is SPF?

SPF lookup limit
SPF evaluations are limited to 10 DNS lookups. Each include: directive counts as one lookup, and many includes chain further. Exceeding the limit causes permerror.

T

TLS-RPT
A standard for receiving reports about TLS delivery failures. Published as a TXT record at _smtp._tls.yourdomain.com. Complements MTA-STS.

TXT record
The DNS record type used to publish SPF, DMARC, DKIM (sometimes), MTA-STS, and many other text-based records.

U

Unauthorised sender
A source IP appearing in your DMARC reports that you have not identified as a legitimate business service. May indicate a misconfigured relay, a shadow IT tool, or active spoofing/phishing.

Unclassified sender
A source IP in your DMARC reports that Sentura has not automatically matched to a known provider. Needs manual review and classification.

Sentura — Email authentication posture for Microsoft 365