Comprehensive collection of Messaging Security RFCs with search and categorization
40 RFCs found
Replaces RFC 4880 as the current OpenPGP specification. Defines modern signing and encryption profiles, including the v6 packet format and AEAD modes used for end-to-end encrypted email and file protection.
Updates and consolidates DNS terminology used across the protocol suite. Replaces RFC 8499 and is the current normative reference for terms like authoritative server, resolver, zone, lame delegation, and stub resolver.
Defines the SVCB and HTTPS DNS records used to advertise transport parameters such as ALPN, ECH keys, and alternative ports. Increasingly relevant for mail-related auto-discovery and TLS-by-default.
Updates and clarifies how TLS clients verify the identity of a server against the names in the certificate. Replaces RFC 6125 and aligns with current CA/Browser Forum baseline requirements.
Defines MLS, a group key-establishment protocol that provides end-to-end confidentiality, authenticity, and forward secrecy for asynchronous messaging at scale.
Adds a relay layer to DoH that decouples client identity from the queried name, preventing the recursive resolver from linking queries to specific clients.
Updates the Certificate Transparency framework so domain owners can detect mis-issued TLS certificates by monitoring append-only logs. Used as input for TLS validation hardening.
Experimental extension that lets public-suffix operators publish DMARC policies that apply to all child domains, helping namespace owners enforce alignment without per-tenant records.
Defines the REQUIRETLS SMTP extension that allows senders to require TLS for the entire message delivery path, preventing downgrade attacks.
Defines ARC, a protocol that allows an intermediate mail handler to preserve email authentication results.
Specifies which DNSSEC algorithms must, should, or must not be implemented by DNS software, including RSASHA256, ECDSAP256SHA256, and ED25519.
Updates SPF, DKIM, DMARC, and ARC for use with internationalized email addresses and domains (SMTPUTF8/EAI). Clarifies normalization of i18n local-parts and U-labels.
Defines S/MIME version 4.0, providing encryption and digital signing capabilities for email messages.
Earlier version of the ARC protocol specification.
Documents conventions for underscore-prefixed DNS names used by various protocols including DMARC (_dmarc), DKIM (_domainkey), MTA-STS (_mta-sts), and TLSRPT (_smtp._tls).
Defines a protocol for sending DNS queries and receiving responses over HTTPS, encrypting DNS traffic and making it indistinguishable from other HTTPS traffic.
Defines a reporting mechanism for domains to publish policies on how sending MTAs can report on TLS connectivity failures. The reporting policy is published via a DNS TXT record at _smtp._tls.{domain}.
Defines MTA-STS, a mechanism enabling mail service providers to declare their ability to receive TLS-secured connections and to specify whether sending MTAs should refuse to deliver to MX hosts that do not offer TLS with a trusted certificate. Published as a TXT record at _mta-sts.{domain}.
Adds Ed25519 as a signing algorithm for DKIM (k=ed25519-sha256), providing a modern alternative to RSA with smaller keys and faster verification.
Deprecates the use of cleartext protocols for email submission and access, recommending TLS instead.
Defines how to use DANE with SMTP to authenticate mail servers and prevent man-in-the-middle attacks.
Defines DNS over TLS, providing confidentiality for DNS queries between stub resolvers and recursive resolvers on TCP port 853.
Provides updates and operational guidance for DANE, including best practices for TLSA record management and interaction with certificate authorities.
Defines DMARC, a mechanism for email authentication that builds on SPF and DKIM to provide domain-level authentication and reporting.
Defines the SPF protocol for email authentication, allowing domain owners to specify which mail servers are authorized to send email on their behalf.
Provides guidance on DNSSEC operational practices including key management, key rollover procedures, and algorithm selection.
Defines the TLSA DNS record type for storing TLS certificate information in DNS, enabling domain owners to specify which TLS certificates should be used for their services.
Defines DKIM, a method for associating a domain name with an email message, allowing verification of the message's origin.
Describes how to use STARTTLS with DANE (DNS-Based Authentication of Named Entities) for SMTP security.
Provides an overview of the Internet mail architecture, including components, protocols, and security considerations.
Defines the SMTP protocol for sending and receiving email messages over the Internet.
Defines the format of Internet messages, including headers, body, and MIME structure.
Defines the profile for X.509 certificates used in Internet applications, including email security.
Defines NSEC3, an alternative to NSEC for authenticated denial of existence in DNSSEC that prevents zone enumeration by hashing domain names.
Specifies the use of AES-GCM authenticated encryption algorithms in CMS for S/MIME, providing better security than traditional encryption methods.
Introduces DNSSEC and specifies requirements for DNS data origin authentication and data integrity verification using public key cryptography.
Defines DNS resource record types for DNSSEC: DNSKEY, RRSIG, NSEC, and DS records used for DNS data authentication.
Specifies protocol changes for DNS resolvers and servers to support DNSSEC, including chain-of-trust validation from root to leaf zone.
Defines the STARTTLS extension for SMTP, allowing clients to upgrade a plaintext connection to TLS.
Defines the syntax for certification requests used in certificate signing requests (CSR).