What Is ADSP? Understanding Author Domain Signing Practices in DKIM
Quick Answer
ADSP (Author Domain Signing Practices) is an extension of DKIM that lets domain owners publish whether their emails should always be DKIM-signed. Although largely replaced by DMARC, ADSP helped improve email authentication and reduce spoofing risks.
Email remains one of the most widely used communication channels for businesses and individuals alike. However, the popularity of email has also made it a prime target for spoofing, phishing, and impersonation attacks. To address these challenges, several authentication protocols have been developed over the years. One of the lesser-known mechanisms associated with email authentication is Author Domain Signing Practices (ADSP).
ADSP was created as an extension to DomainKeys Identified Mail (DKIM) and was designed to help receiving mail servers understand how a domain handles email signing. Although newer technologies such as DMARC have largely replaced it, ADSP played an important role in the evolution of email security and helped pave the way for more advanced authentication frameworks.
Understanding ADSP
Author Domain Signing Practices, commonly referred to as ADSP, is an optional extension built on top of DKIM. Its primary purpose is to allow a domain owner to publish information about whether outgoing emails from their domain should contain a valid DKIM signature.
The concept behind ADSP is straightforward. A receiving mail server may encounter an email claiming to originate from a specific domain. If the message lacks a DKIM signature, the recipient’s mail system can consult the domain’s ADSP policy to determine whether unsigned messages are expected or suspicious.
This additional layer of policy information helps mail servers make better decisions when evaluating email authenticity.
The Relationship Between ADSP and DKIM
To understand ADSP, it is important first to understand DKIM.
DKIM allows domain owners to digitally sign outgoing messages using cryptographic keys. When a recipient receives the email, their mail server can verify the signature against the public key published in DNS. Successful verification confirms that:
- The message was authorized by the sending domain.
- The message content has not been altered after being sent.
- The sender’s domain is associated with the signature.
While DKIM helps validate signed emails, it does not inherently explain how to handle messages that are not signed. ADSP was introduced to fill this gap by allowing domains to publish their signing expectations.
Key Components of ADSP
Author Address
The author address refers to the email address displayed in the “From” header of a message. This address is typically what recipients see when they receive an email.
For example:
From: support@example.com
In this case, the author domain is example.com.
ADSP focuses on the relationship between this visible sender domain and the DKIM signature associated with the message. If a domain publishes an ADSP policy, receiving servers can evaluate whether the message complies with the domain’s declared signing practices.
Author Domain Signature
An author domain signature is a DKIM signature that corresponds to the same domain appearing in the message’s From header.
When the signature aligns with the author domain, recipients gain greater confidence that the email genuinely originated from the claimed sender.
ADSP uses this information to determine whether a message adheres to the domain’s published policy.
ADSP Policy Types
ADSP allows domain owners to declare one of several signing practices. These policies communicate how email originating from the domain should be handled.
1. Unknown
The “unknown” policy indicates that the domain does not make any specific statement regarding its signing practices.
Under this setting:
- Some messages may be signed.
- Some messages may be unsigned.
- Receiving servers should not make assumptions about missing signatures.
This option provides flexibility for organizations with varied email infrastructures or multiple sending sources.
2. All
The “all” policy informs recipients that every legitimate email sent from the domain should include a valid DKIM signature.
If a message claiming to originate from the domain arrives without a valid signature, the receiving server may consider it suspicious.
This policy demonstrates a stronger commitment to email authentication and consistency.
3. Discardable
The “discardable” policy is the strictest ADSP option.
It states that:
- All legitimate emails should be DKIM-signed.
- Messages lacking a valid signature are likely unauthorized.
- Recipients may safely reject or discard such emails.
This policy offers stronger protection against spoofing attempts but requires confidence that every legitimate mail source consistently signs outgoing messages.
Publishing an ADSP Record
ADSP policies are published as DNS TXT records. By placing a policy in DNS, domain owners make their signing expectations available to receiving mail servers.
A typical ADSP record follows this structure:
_adsp._domainkey.example.com IN TXT "dkim=discardable"
In this example:
_adsp._domainkeyidentifies the ADSP policy location.example.comrepresents the sending domain.dkim=discardablespecifies the selected signing practice.
Receiving mail systems can query DNS to retrieve this information and apply the appropriate validation logic.
Benefits of ADSP
Although ADSP is no longer widely deployed, it introduced several valuable concepts to email authentication.
- Improved Sender Validation: By publishing signing expectations, domain owners could provide additional context about their email practices, helping recipients distinguish between legitimate and potentially fraudulent messages.
- Better Handling of Unsigned Emails: ADSP gave receiving servers guidance when evaluating messages that lacked DKIM signatures, reducing uncertainty during the authentication process.
- Enhanced Anti-Spoofing Protection: Strict policies such as “discardable” allowed domains to signal that unsigned messages should not be trusted, making domain impersonation more difficult.
- Greater Trust in Email Communications: Organizations that consistently signed their messages and published ADSP policies could demonstrate a stronger commitment to email security.
Challenges and Limitations of ADSP
Despite its innovative approach, ADSP faced several practical limitations that restricted widespread adoption.
Dependence on DKIM
ADSP only works when DKIM is implemented correctly. Organizations that lacked complete DKIM deployment could not fully benefit from ADSP policies.
Complexity in Multi-Source Environments
Many organizations send email through multiple services, including:
- Marketing platforms
- CRM systems
- Support tools
- Cloud email providers
Ensuring every source consistently applied DKIM signatures proved challenging.
Risk of Legitimate Email Rejection
Strict ADSP policies could cause legitimate emails to be rejected if a sending system failed to sign messages correctly.
Limited Flexibility
As email ecosystems evolved, organizations required more sophisticated policy controls than ADSP could provide.
These limitations ultimately contributed to the industry’s transition toward more advanced authentication standards.
Why DMARC Replaced ADSP
As email security requirements became more complex, DMARC emerged as a more comprehensive solution.
DMARC builds upon both SPF and DKIM while introducing additional capabilities such as:
- Domain alignment checks
- Reporting mechanisms
- Flexible policy enforcement
- Better visibility into authentication failures
Unlike ADSP, DMARC allows domain owners to receive detailed feedback about authentication results and provides clearer instructions to receiving mail servers on how to handle suspicious messages.
Because of these advantages, DMARC has become the preferred standard for modern email authentication, while ADSP has largely faded from practical use.
ADSP’s Legacy in Email Security
Although ADSP is no longer considered a mainstream authentication mechanism, it remains an important milestone in the development of email security technologies. The protocol introduced the idea of publishing domain-level signing expectations and highlighted the importance of policy-based email authentication.
Many of the lessons learned from ADSP influenced the design and adoption of DMARC, which now serves as the industry standard for protecting domains against spoofing and phishing attacks.
Final Thoughts
Author Domain Signing Practices (ADSP) was developed to complement DKIM by allowing domains to publish information about their email signing requirements. Through policies such as unknown, all, and discardable, ADSP helped receiving mail servers make informed decisions when evaluating unsigned messages.
While ADSP offered valuable improvements over standalone DKIM implementations, its limitations and lack of flexibility led to the rise of DMARC as a more robust and scalable solution. Today, organizations seeking strong email authentication and anti-spoofing protection typically focus on SPF, DKIM, and DMARC rather than ADSP. Nevertheless, understanding ADSP provides useful historical context for anyone interested in the evolution of email security and authentication standards.
General Manager
Founder and General Manager of DuoCircle. Product strategy and commercial lead for AutoSPF's 2,000+ customer base.
LinkedIn Profile →