Email Authentication: Decoding SPF, DKIM, and DMARC Records

Email Authentication - SPF, DKIM, DMARC

Are your emails being delivered to the recipients’ inboxes or do they end up in their SPAM folder?

Are you, like every other amateur marketer, concerned about your email authenticity and deliverability? 

If you are a new kid on the block and are facing these challenges, you need not worry because you have landed on the right spot and we’ve got you covered, buddy!

Email as a means of communication is extremely popular in both the business and personal communication landscapes.

But there are certain issues related to email authenticity and deliverability which can be a threat to the reputation of the legitimate senders. 

That one important B2B lead generation campaign that you thought would get you qualified replies, might just bounce back or rest in the spam folder of the recipient forever. Spammers can be a headache too.

They pretend to be you and phish your clients for their private information. There have been cases where hackers use your domain to send emails on your behalf and damage your reputation.

Does it hurt enough?

But, hey! We gotcha! You can prevent all this from happening to you.

Email Deliverability: Role Played by SPF, DKIM and DMARC

Yes, you heard it right!

Email Authentication Protocols, this is it!

They provide a security mechanism to email servers to verify email messages before they reach the intended recipient. It is a slightly daunting subject but we pledge to simplify things for you. Here, we talk about three biggies, namely, SPF, DKIM, and DMARC.

What is SPF?

Sender Policy Framework is an email validation protocol designed to detect and block email spoofing. It protects senders’ authenticity and enhances email deliverability. 

These definitions sound too cool but too complicated to understand. Let’s decode this difficult terminology.

Let’s say you are some XYZ company. You run your business and deal with clients online. Like every other business, you need to send certain emails to your existing and potential clients. Now, here comes the problem.

~ Let’s understand the problem from your perspective (sender). How do you know that the email you just sent has reached the receiver’s inbox and does not end up in the spam folder?

~ Problem at the receiver’s end. How does he/she know that the email has been sent by you (legitimate sender) and not by some fraud who might be using your domain?

SPF applies the first level of security here and helps fight these problems. 

Here’s how SPF works

SPF allows communication between the DNS servers of both the sender and receiver. It allows the owner of a domain to provide a list of mail servers that are allowed to send emails using his/her domain. 

Let’s say your domain is and you send all your emails using this domain. The mail server that you use to send emails to your clients is listed in your DNS records.

Whenever you send an email, the receiving mail server connects with your mail server and examines your SPF records published in your DNS. It looks at all the mail servers that have been listed by you in your DNS records.

If the receiving mail server is able to locate the exact IP address from which the receiver has received the email, the email is transferred to the inbox. If not, the receiving mail server considers it spam and treats it accordingly.

How SPF Works

How to create SPF records?

The motive behind maintaining SPF records is establishing the credibility of your emails. The trick is that all applications that send emails using your domain should be included in your SPF. So, the foremost thing is to identify the servers which you want to be authorized to send emails from your domain.

Now, it is time to understand the syntax.

Structure: “v=spf1 mx a:<additional mail servers> include:<3rd party domain> ip4:<IP address/range>~all”

Let’s breakdown each part of the syntax

  1. v=spf1 is the SPF version that you are using.
  2. mx is the mail server or mail exchanger for the domain to be allowed as an authorized sender
  3. a: allows you to list an additional mail server as an authorized sender
  4. include: allows you to authorize external domains mail servers as authorized senders 
  5. ip4 allows you to list an IP address as an authorized sender 
  6. -all: this means that all those servers which are listed in the record are authorized, others unauthorized
  7. ~all: this is called soft fail, all servers listed in the record are authorized, the receiving email server may accept the email but it is likely to be sent to the spam folder. 
  8. +all: This means any host can send the email for the domain. This is really harmful to your business, bud!

This was all about SPF.

What is DKIM?

DomainKeys Identified Mail is an additional security mechanism for the receiving mail server to know about the authenticity of the mail it has received.

It helps ensure that the message has not been altered from the moment it left the sender and reached the receiver. So, in a way, by setting a DKIM record you are vouching for the authenticity of your message. 

Now, how do you make something appear authentic? Probably by putting a stamp or a signature on it. 

This is exactly how DKIM works. It uses digital signatures to make your email appear authentic. DKIM uses a pair of keys called a private key and a public key. 

The private key is available exclusively to you and is used to sign outbound emails. The public key is the one which you list in your DNS record of your domain using DKIM. Whenever you send an email, the receiving mail server decrypts your hidden signature using this public key.

Here’s everything that happens behind the scenes while DKIM authenticates:

  1. While sending out the email, the sending server generates a hash of the message and encrypts that hash using the private key. Once encrypted, this hash is now converted into what we call as the ‘cryptographic signature’.
  2. This cryptographic signature is now put in the message header of the email and the email is sent out.
  3. On receiving the email, the receiving mail server uses the public key (found in the DNS records) to decrypt the cryptographic signature (found in the message header) into the hash again. If it’s successful in this, the public and private keys are a match. This still does not mean that the message has been authenticated.
  4. The receiving mail server now computes the hash of the incoming message (email content of the received message) and compares this newly created hash with hash generated by decrypting the signature in the previous step. If they both match, it means that the email has been unaltered and the message is authenticated. If they don’t match DKIM fails.
How DKIM Authenticates

This is how DKIM authenticates the incoming messages and helps ensure that the email is transferred unaltered from the sender to the recipient. 

What is DMARC?

Domain-based Message Authentication Reporting and Conformance is a protocol that prevents phishing attacks.

DMARC ensures that messages sent by spammers using your domain will not negatively impact your domain’s overall reputation. Such spam emails will be blocked and your brand will be protected.

DMARC combines the results of SPF and DKIM. It accurately identifies whether the emails are from the authorized sender or fraud and therefore block phishing attacks.

Using DMARC, you can instruct the receiving mail server on how to deal with emails that use your domain and have tried to impersonate you. 

You can set up your DMARC policy in your DNS record. So, when you send an email, the receiving mail server looks up your domain’s DNS entry for a DMARC policy and takes the action as specified in your domain’s DNS record. 

DMARC has an action policy specified in the record. This policy includes three modes:

  1. Report only mode: It is specified as p=none. It means that the email is accepted irrespective of whether or not the policy matches and a report is sent to the sender.
  2. Quarantine mode: It is specified as p=quarantine. It means that the email gets quarantined and is sent to the spam folder. 
  3. Reject mode: It is specified as p=reject. In this case, the connection will be aborted and the email will not reach the end-user. 

For all the three modes, if you have an email address published in the DMARC policy, a feedback email is sent back to you. The feedback will reach you on the email address provided by you.

What does a DMARC DNS record look like?

The syntax is quite similar to the SPF record. 

Structure: “v=DMARC1 p=reject rua=mailto:report

Again, v=DMARC1 specifies the DMARC version, 
p=reject specifies the DMARC policy, here, reject mode and rua specifies the email address to which the feedback is sent.

Final Remark

This was all about the three important security protocols. Marketers all over the world want their email marketing channels to achieve their full potential but issues with email deliverability are holding them back.

Or rather, there’s a multitude of things holding them back. SPF, DKIM, and DMARC are some of the useful security mechanisms which are helping them deal with these issues. I rest my case here. Hoping the blog did make some sense to all the newbies out there. 

Drop-in your valuable comments and keep the learning game on!

Share and Enjoy !

0 0

Leave a Reply

Your email address will not be published. Required fields are marked *