schedule 4-min read

DMARC, BIMI, MTA-STS, and TLS-RPT: The Modern Email Security Stack

The 2026 email security stack is DMARC, BIMI, MTA-STS, and TLS-RPT. Here’s how each fits and why the combination is the new baseline.

01

Introduction

Email security in 2026 isn't one control — it's a stack. DMARC addresses identity. BIMI makes the authentication visible. MTA-STS protects the transport. TLS-RPT provides the transport feedback. Together they cover sender authentication, brand trust, in-transit confidentiality, and observability.

This article maps the stack and the order of deployment.

02

Why this topic matters

A complete email security posture isn't a single record published. It's four layered controls that interlock. Understanding what each contributes — and what's missing if you skip one — is what guides the deployment.

03

The four layers

Layer 1: DMARC

Purpose: Stops exact-domain spoofing. Publishes the authentication policy. Mechanism: TXT record at _dmarc.<domain>. Builds on SPF and DKIM. Outcome at full deployment: Mail failing alignment is rejected at SMTP. Brand can't be exactly impersonated.

The foundation. Without DMARC, nothing else is meaningful.

Layer 2: BIMI

Purpose: Visible brand-trust signal in supported inboxes. Mechanism: TXT record at default._bimi.<domain>, SVG logo at HTTPS, VMC. Outcome at full deployment: Brand logo renders next to your messages in Gmail, Yahoo, Apple Mail, others.

Depends on DMARC at enforcement. The marketing-facing payoff of authentication work.

Layer 3: MTA-STS

Purpose: Enforces TLS on inbound SMTP. Prevents downgrade attacks. Mechanism: HTTPS-hosted policy + DNS record. Outcome at full deployment: Senders that support MTA-STS won't deliver mail to you without TLS.

Addresses transport security — distinct from DMARC's identity focus.

Layer 4: TLS-RPT

Purpose: Visibility into TLS failures. Mechanism: TXT record at _smtp._tls.<domain> with rua= destination. Outcome at full deployment: Daily JSON reports of TLS issues from supporting senders.

Pairs with MTA-STS. Without it, MTA-STS enforcement is opaque.

04

Why each layer matters

Removing any one creates a gap:

  • No DMARC: spoofing remains trivial.
  • No BIMI: authentication is invisible to users.
  • No MTA-STS: mail can be intercepted in transit.
  • No TLS-RPT: transport issues go undetected.

Each closes a specific gap the others can't address.

05

Step-by-step approach to deploying the stack

A sensible order:

  1. DMARC at p=none — start the rollout. Months 1-3.
  2. DMARC to p=quarantine then p=reject — completing the rollout. Months 3-4.
  3. MTA-STS in testing then enforce, with TLS-RPT — transport hardening. Month 5.
  4. BIMI — visible payoff. Months 5-7 (long lead on VMC).

Total greenfield deployment: 6-8 months at a comfortable pace.

06

Best practices

  • Build the stack in order. Each layer depends on the ones below it.
  • Use a single platform for monitoring. DMARC reports, TLS-RPT reports, BIMI status all consolidate.
  • Document the deployment. Future engineers need the map.
  • Audit quarterly. Sender estate changes; configurations drift.
  • Treat the stack as steady-state infrastructure. Not a one-time project.
07

What's NOT in the stack

A few things deliberately excluded:

  • DANE — niche, overlapping with MTA-STS, requires DNSSEC.
  • PGP/S/MIME — end-to-end encryption layer; separate problem.
  • Inbound spam filtering — separate operational concern.
  • DLP — outbound content control; different category.

The four-layer stack covers the standard internet-side authentication and transport. Internal controls (DLP, content filtering) are additional.

08

Check your current state for each of the four layers. For each missing layer, identify the deployment owner and the timeline. The whole stack should be reachable in two quarters for a focused team.

09

FAQ

Can I deploy in a different order?

You can, but DMARC enables BIMI, and MTA-STS pairs with TLS-RPT. The natural order respects those dependencies.

Is this stack mandatory?

Increasingly, yes. Provider sender requirements, cyber-insurance underwriting, and compliance frameworks all reference parts of the stack. The trend is toward all four being baseline.

What's the minimum subset?

DMARC at p=reject, SPF, DKIM. That's the minimum defensible posture. The other layers add specific value but aren't strictly required.

How does this stack pair with secure email gateways?

Gateways operate at a different layer — they're inbound filtering. The four-layer stack covers outbound authentication and transport. Both can coexist.

Will the stack change in the next few years?

Likely additions: better DNSSEC adoption, possibly new visibility standards. The core four are stable.

10

Final thoughts

The modern email security stack is four layers that interlock to produce a coherent posture. Each addresses a distinct problem; none replaces the others.

Deploy all four and your domain has the strongest defensible email security posture currently available. Deploy fewer and you have known gaps.

Ready to Implement?

Get authenticated mail moving in minutes — start free, book a guided demo, or talk to the team about your stack.

Start free arrow_forward event Book demo mail Contact us