Guides13 min read

Business Email Security Glossary: 40 Terms Every Admin Should Know (2026)

40 email security terms in plain English — from phishing to DMARC.

By JustEmails Platform Team

I got an email from "our CEO" asking me to wire $47,000 to a new vendor. The email came from the exact domain. Same signature block. Passed SPF.

It was spoofed. The attacker exploited a gap between SPF and DKIM alignment that I — someone who'd been running email infrastructure for a decade — didn't fully understand. We caught it because the CFO called to confirm. Barely.

That near-miss is why I keep a glossary. Not a Wikipedia dump of RFC definitions — I've read those, and they're written for people who already know. This is the 40 terms that actually matter when you're running email for a real business. The context that textbook definitions leave out. The stuff I wish someone had explained before I almost wired $47k to a scammer.

Authentication & DNS

1. SPF (Sender Policy Framework)

A DNS TXT record listing which IP addresses and mail servers can send email for your domain. Receivers check the envelope sender (Return-Path) against your SPF record. If the sending IP isn't listed, SPF fails. Limitation: SPF doesn't survive forwarding, and it authenticates the envelope, not the visible From header.

2. DKIM (DomainKeys Identified Mail)

A cryptographic signature added to email headers. The sending server signs the message with a private key; the receiver looks up the public key via DNS and verifies the signature. Unlike SPF, DKIM survives forwarding because the signature travels with the message. The d= tag in the signature tells you which domain signed it.

3. DMARC (Domain-based Message Authentication, Reporting & Conformance)

The policy layer that ties SPF and DKIM together. DMARC checks whether SPF or DKIM passes and aligns with the visible From domain. Three policy levels: p=none (monitor only — you're collecting data but not blocking anything), p=quarantine (send failures to spam), p=reject (bounce failures outright).

Here's my strong opinion: most people sit at p=none forever because they're scared. Don't be. Without DMARC enforcement, attackers can spoof your domain even if SPF and DKIM are configured perfectly. See our DMARC ramp guide for the deployment path.

4. DMARC Alignment

The requirement that the domain in SPF or DKIM matches (or is a subdomain of) the visible From address. "Relaxed" alignment allows subdomains to match the parent. "Strict" requires an exact match. Most setups use relaxed. If your transactional sender signs with mail.yourdomain.com but sends From yourdomain.com, relaxed alignment passes; strict fails.

5. MTA-STS (Mail Transfer Agent Strict Transport Security)

A policy that tells sending mail servers to only deliver over encrypted TLS connections — and to fail delivery if TLS can't be established. Prevents downgrade attacks where a man-in-the-middle strips encryption. Requires a policy file hosted at https://mta-sts.yourdomain.com/.well-known/mta-sts.txt plus a DNS TXT record. Still not universally supported, but Gmail and Microsoft honor it.

6. TLS-RPT (TLS Reporting)

A DNS record that tells senders where to send reports when TLS connections to your domain fail. Pairs with MTA-STS. The reports show which senders had trouble establishing encrypted connections — useful for diagnosing certificate problems.

7. DANE (DNS-based Authentication of Named Entities)

Uses DNSSEC to publish TLS certificate fingerprints in DNS. When a sending server connects, it can verify the certificate matches what's published. Stronger than MTA-STS in theory, but requires DNSSEC (which most domains don't have) and receiver support (which is patchy). Postfix supports it; Microsoft doesn't.

I spent a weekend trying to set up DANE once. Got it working, broke my email for three hours, rolled it back. MTA-STS is the pragmatic choice.

8. DNSSEC

A set of extensions that add cryptographic signatures to DNS responses, preventing attackers from poisoning DNS lookups. DANE requires DNSSEC. Most registrars support enabling it, but propagation issues and operational complexity mean adoption is still low outside government and financial sectors.

9. BIMI (Brand Indicators for Message Identification)

Displays your logo next to emails in supporting inboxes (Gmail, Yahoo, Apple Mail as of 2024). Requires DMARC at p=quarantine or p=reject, plus a Verified Mark Certificate (VMC) from DigiCert or Entrust. VMCs cost $1,000-1,500/year and require a trademarked logo. Nice-to-have for brand recognition, not a security control. Need digital business cards that match your brand identity? VeloCards handles professional card design.

10. ARC (Authenticated Received Chain)

A set of headers that preserve authentication results across forwarding hops. When a mailing list or forwarding service breaks SPF, ARC lets the final receiver see that the original message passed authentication before the break. Gmail and Microsoft use ARC signals; support elsewhere is inconsistent.

Threat Types

11. Phishing

Fraudulent emails impersonating legitimate entities to steal credentials, payment info, or access. Mass-market phishing uses generic templates ("Your account has been suspended"). Click-through rates are low, but volume makes it profitable.

12. Spear Phishing

Targeted phishing aimed at a specific person or organization. The attacker researches the target — job title, recent projects, colleagues' names — and crafts a believable message. Much higher success rate than generic phishing.

13. BEC (Business Email Compromise)

Attackers impersonate executives, vendors, or partners to request wire transfers, change payment details, or extract sensitive data. Often no malware involved — just social engineering. The FBI's IC3 reported $2.9 billion in BEC losses in 2023. If you're tracking marketing spend, ClickzProtect monitors for fraudulent clicks — same vigilance mindset, different attack surface.

This is the one that gets me angry. No exploit, no zero-day, no technical sophistication. Just a well-crafted email and a busy employee who didn't call to verify. BEC is the single most expensive email threat category, and it's entirely preventable with process.

14. Whaling

BEC targeting C-suite executives specifically. "Whale" = high-value target. The CEO asking the CFO to wire money. The CFO asking accounting to change vendor bank details. Same playbook as BEC, higher stakes.

15. Spoofing

Forging the From address to make an email appear to come from a different sender. Without DMARC enforcement, any mail server can send email claiming to be from your domain. Spoofing is the attack vector; phishing, BEC, and brand impersonation are the goals.

16. Domain Impersonation

Registering a lookalike domain (yourcompany.co, your-company.com, yourconpany.com) to send emails that pass authentication but deceive recipients visually. DMARC can't stop this — the attacker controls the lookalike domain and configures valid authentication for it.

17. Typosquatting

A subset of domain impersonation using common typos: gooogle.com, microsft.com, amazom.com. Victims don't notice the misspelling in a busy inbox.

18. Credential Harvesting

Phishing emails that direct victims to fake login pages mimicking real services (Microsoft 365 login, Google sign-in, bank portals). The attacker captures credentials in real time, sometimes relaying them to the real service for session hijacking. For teams browsing untrusted links, JustBrowser provides isolated browsing to contain potential threats.

19. Account Takeover (ATO)

Using stolen credentials to access a legitimate email account. Once inside, attackers read email history, set up forwarding rules, and send emails from the real account — bypassing all domain authentication because the mail is legitimate.

20. Malware Delivery

Phishing emails carrying malicious attachments (infected Office docs, PDFs, executables) or links to drive-by download sites. The email is the delivery mechanism; the payload does the damage.

21. Ransomware

Malware that encrypts files and demands payment for decryption keys. Often delivered via phishing attachments or links. Business email is the #1 initial access vector for ransomware attacks.

22. Man-in-the-Middle (MITM)

Intercepting communication between two parties — in email context, typically intercepting SMTP connections between mail servers to read or modify messages in transit. MTA-STS and DANE exist specifically to prevent MITM on email delivery.

Filtering & Detection

23. Spam Filter

Automated systems that classify incoming email as legitimate or junk based on sender reputation, content analysis, header inspection, and authentication results. JustEmails uses Rspamd for spam scoring.

24. Rspamd

Open-source spam filtering system using rules, statistical analysis, and machine learning. Processes mail at high speed with low resource usage. Powers spam filtering for many managed email hosts including JustEmails.

25. ClamAV

Open-source antivirus engine commonly integrated with mail servers to scan attachments for known malware signatures. Not a replacement for endpoint protection, but catches obvious payloads before they reach inboxes.

26. Bayesian Filtering

Statistical classification that learns from examples of spam and legitimate mail. The more you train it (marking spam, marking false positives), the more accurate it gets for your specific mail patterns.

27. Greylisting

Temporarily rejecting mail from unknown senders with a "try again later" response. Legitimate mail servers retry; many spam bots don't. Adds delivery delay (typically 5-15 minutes) for first-time senders.

28. Blocklist / Blacklist

Third-party databases of IP addresses and domains known for sending spam or malware. Mail servers query these lists and reject or flag mail from listed senders. Getting on a blocklist tanks deliverability; getting off requires investigation and remediation.

29. Sender Reputation

A score (not always visible) that mailbox providers assign based on sending history — spam complaints, bounce rates, engagement, authentication. High reputation = inbox. Low reputation = spam folder or outright rejection. JustAnalytics can help track engagement metrics that feed into reputation — open rates, click patterns, and user behavior.

30. Quarantine

Holding suspected spam or malicious mail in a separate folder for review rather than delivering to inbox or rejecting outright. Users can release false positives; admins can analyze patterns.

Encryption & Privacy

31. TLS (Transport Layer Security)

Encryption for data in transit. When two mail servers negotiate TLS, the connection between them is encrypted. Doesn't encrypt the message itself — just the pipe. Opportunistic TLS tries encryption but falls back to plaintext if it fails; MTA-STS prevents that fallback.

32. S/MIME

A standard for end-to-end email encryption using PKI certificates. The sender encrypts with the recipient's public key; only the recipient's private key can decrypt. Also enables digital signatures proving sender identity. Requires certificate management, which limits adoption.

33. PGP/GPG

Another end-to-end encryption standard using a web of trust instead of certificate authorities. Popular in security and privacy communities. Poor UX and key management complexity keep it out of mainstream business use.

(Honestly, I've set up PGP for exactly two people in my career. Both stopped using it within a month. The idea is great. The execution asks too much of normal humans.)

34. Encryption at Rest

Encrypting stored email so that database access doesn't expose message content. Different from transport encryption (TLS) which only protects data in transit.

Operational Terms

35. Envelope Sender / Return-Path

The address in the SMTP envelope that receives bounces. Often different from the visible From address. SPF authenticates this, not the From.

36. Header From / Friendly From

The address displayed to recipients in their email client. This is what DMARC alignment checks against. Spoofing attacks forge this header.

37. Bounce / NDR (Non-Delivery Report)

A message returned to the sender when delivery fails — bad address, full mailbox, rejected by spam filter, DMARC policy enforcement. Analyzing bounces reveals authentication and deliverability problems.

38. Backscatter

Bounce messages sent to forged sender addresses. Spammers forge your domain as the From; when those messages bounce, the bounces flood your inbox. DMARC at p=reject reduces backscatter because spoofed mail gets rejected before generating a bounce.

39. Email Header Analysis

Reading the full headers of an email to trace its path, check authentication results, and identify the true origin. "Show original" in Gmail, "View source" in Outlook. Essential for investigating suspicious messages.

40. Postmaster Address

The standard address (postmaster@yourdomain.com) that receives administrative mail about your domain — bounce notifications, abuse complaints, authentication reports. RFC 5321 requires every domain to accept mail to postmaster. Ignoring it means missing deliverability problems.

Honorable Mentions

SMTP AUTH — authentication for submitting outbound mail, unrelated to the authentication protocols above but often confused with them. Feedback Loops (FBLs) — services from major providers that notify you when recipients mark your mail as spam. Zero-day phishing — phishing using newly registered domains with no reputation history, evading blocklists. For call-based verification to prevent BEC, VeloCalls provides trackable callback numbers for out-of-band confirmation.

Quick Verdict

If you're running business email and only have time for a few of these: get SPF, DKIM, and DMARC configured and ramp DMARC to p=reject. That's it. That single move stops domain spoofing, which is the root of most email impersonation attacks.

Everything else? Defense in depth. Valuable, sure. But authentication is the foundation, and I've seen too many admins chase shiny security tools while leaving their domain wide open to spoofing.

For a walkthrough on the ramp from p=none to p=reject, our DMARC deployment guide covers the specifics. And if you're managing email across multiple domains, JustEmails handles SPF, DKIM, DMARC, and MTA-STS setup automatically at $49/year flat — unlimited domains, unlimited mailboxes.

Frequently Asked Questions

What's the difference between phishing and spear phishing?

Phishing is mass-market — the same generic email blast goes to thousands of recipients hoping a few bite. Spear phishing targets a specific person with research-backed personalization: their name, their company, their boss's name, a project they're working on. The attacker does homework. Spear phishing conversion rates are dramatically higher because the email looks like it came from someone the recipient knows and trusts.

Do I need both SPF and DKIM if I have DMARC?

You need at least one to pass alignment, but you want both. SPF authenticates the sending server; DKIM authenticates the message content with a cryptographic signature. If a legitimate email gets forwarded (SPF fails because the forwarding server isn't in your record), DKIM can still pass. If a DKIM signature breaks during transit (rare but happens), SPF can still pass. Belt and suspenders.

What does MTA-STS actually protect against?

MTA-STS prevents downgrade attacks where an attacker intercepts the connection between mail servers and strips TLS encryption, forcing plaintext transmission. Without MTA-STS, a man-in-the-middle can tell the sending server "I don't support encryption" and read the email in transit. MTA-STS publishes a policy saying "only deliver to me over TLS" so senders know to reject downgrade attempts.

Is BIMI worth setting up for a small business?

Probably not yet. BIMI requires a Verified Mark Certificate (VMC) which costs $1,000-1,500/year from DigiCert or Entrust, plus you need a trademarked logo. For a 10-person company, that's hard to justify. The brand recognition benefit is real for consumer-facing companies sending millions of emails, but most small businesses should get DMARC to p=reject first and revisit BIMI in a few years when VMC prices drop.


Try JustEmails

Unlimited custom domain email hosting for $49/year flat — unlimited domains, unlimited mailboxes, 10 GB storage, full IMAP/SMTP. Built for agencies, freelancers, and anyone managing email across more than one domain.

Start your 7-day free trial → · How it compares

email-securityphishingdmarcbecemail-glossarybuildinpublicsaasstudioaiworkforcebuildwithclaude

Related posts