Reference
Related records: BIMI, MTA-STS and TLSRPT
A brief tour of the email records that sit alongside DMARC — BIMI for your brand logo, and MTA-STS plus TLSRPT for enforcing and reporting on TLS encryption.
DMARC, SPF and DKIM are the core of email authentication, but a few related DNS records sit alongside them and build on the foundation you've laid. Blankitt DMARC surfaces all of these on the Domain detail page under live DNS records, so you can see them at a glance.
BIMI — your brand logo in the inbox
BIMI (Brand Indicators for Message Identification) lets your verified logo appear next to your messages in supporting mail clients. It's published as a DNS TXT record at default._bimi.yourdomain.com and points to a specially-formatted SVG of your logo (and, for some providers, a Verified Mark Certificate).
default._bimi.yourdomain.com. TXT "v=BIMI1; l=https://yourdomain.com/logo.svg;"
The key dependency: BIMI requires an enforced DMARC policy. Receivers will only display your logo if your DMARC record is at p=quarantine or p=reject — p=none is not enough. So BIMI is best thought of as a reward for completing your DMARC journey: get to enforcement first, then add BIMI for the brand benefit.
MTA-STS — enforcing TLS for inbound mail
MTA-STS (SMTP MTA Strict Transport Security) lets you require that other mail servers use TLS encryption when delivering mail to your domain, and that they verify your certificate. It protects against downgrade and interception attacks on mail in transit.
It has two parts:
- A DNS TXT record at _mta-sts.yourdomain.com advertising that a policy exists and its current version (id).
- A policy file served over HTTPS at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt, listing your mail servers and the enforcement mode (testing or enforce).
_mta-sts.yourdomain.com. TXT "v=STSv1; id=20260101000000Z;"
Unlike DMARC, MTA-STS protects mail coming in to you. Start in testing mode and move to enforce once you're confident your servers and certificates are correctly configured.
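The following added example (not part of the original page and not Blankitt's code) parses the TXT record and a policy file in the RFC 8461 `key: value` format, then lists what to fix before moving from testing to enforce. The sample policy, the MX host list and all function names are constructed for illustration.

```python
# Constructed sample data for illustration; not taken from a real domain.
SAMPLE_TXT = "v=STSv1; id=20260101000000Z;"
SAMPLE_POLICY = """version: STSv1
mode: testing
mx: mail.yourdomain.com
mx: *.mx.yourdomain.com
max_age: 604800
"""
SAMPLE_MX_HOSTS = ["mail.yourdomain.com", "a.mx.yourdomain.com", "backup.othermail.example"]

def parse_txt(record):
    """Split the _mta-sts TXT value into a tag -> value dict."""
    parts = (p.strip() for p in record.split(";"))
    return dict(p.partition("=")[::2] for p in parts if p)

def parse_policy(text):
    """Parse RFC 8461 'key: value' lines; mx may repeat, so it is a list."""
    policy = {"mx": []}
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "mx":
            policy["mx"].append(value.lower())
        elif key:
            policy[key] = value
    return policy

def mx_allowed(host, patterns):
    """A '*.' pattern matches exactly one left-most label (RFC 8461)."""
    host = host.lower().rstrip(".")
    parent = host.partition(".")[2]  # host minus its left-most label
    return any(parent == p[2:] if p.startswith("*.") else host == p
               for p in patterns)

def readiness_issues(txt, policy_text, mx_hosts):
    """List what to fix before switching mode from testing to enforce."""
    tags, policy = parse_txt(txt), parse_policy(policy_text)
    checks = [
        (tags.get("v") == "STSv1" and bool(tags.get("id")), "TXT record needs v=STSv1 and an id"),
        (policy.get("version") == "STSv1", "policy file needs version: STSv1"),
        # RFC 8461 also defines mode "none", used to withdraw a policy.
        (policy.get("mode") in ("testing", "enforce", "none"), "mode must be testing, enforce or none"),
        (policy.get("max_age", "").isdigit(), "max_age must be a number of seconds"),
    ]
    checks += [(mx_allowed(h, policy["mx"]), f"MX {h} is not covered by any mx: line")
               for h in mx_hosts]
    return [msg for ok, msg in checks if not ok]
```

Senders cache the policy for `max_age` seconds and refetch it when the TXT `id` changes, so update the `id` whenever the policy file changes.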
TLSRPT — reporting on TLS delivery
TLSRPT (SMTP TLS Reporting) is the reporting companion to MTA-STS. It's a DNS TXT record at _smtp._tls.yourdomain.com that asks sending servers to report back on whether they were able to establish a secure TLS connection to you.
_smtp._tls.yourdomain.com. TXT "v=TLSRPTv1; rua=mailto:tls-reports@yourdomain.com;"
These reports tell you if mail is failing to be delivered securely — for example because of an expired certificate or a misconfigured server — giving you the visibility to fix TLS problems before they cause delivery issues. TLSRPT is to MTA-STS what rua= reporting is to DMARC: the feedback loop that turns a policy into something you can actually monitor.
How they fit together
| Record | Protects | Direction | Depends on |
|---|---|---|---|
| DMARC | Against spoofing of your From: domain | Outbound (your sent mail) | SPF + DKIM |
| BIMI | Brand display (logo) | Outbound | Enforced DMARC (quarantine/reject) |
| MTA-STS | TLS encryption of mail sent to you | Inbound | Valid TLS certificate + HTTPS policy host |
| TLSRPT | Visibility into TLS delivery | Inbound (reporting) | Pairs with MTA-STS |
Where to find them in the app
The Domain detail page shows the live status of your DMARC, SPF, DKIM, BIMI, MTA-STS and TLSRPT records together. The natural order is to get DMARC to enforcement first, then layer on BIMI for branding and MTA-STS + TLSRPT for transport security — each one builds on the trust the previous records establish.