Email Authentication: SPF, DKIM, and DMARC

Alex Kachalov, 13 October 2022
For beginners

Email authentication technologies — what are they? Learn about SPF, DKIM, and DMARC settings for emails and find out how they work in our UniOne blog article.

How Email Authentication Works

Remember the three great whales that held the Earth on their backs? Well, SPF, DKIM and DMARC are kind of the same thing for email marketing. The basic settings of your domain for all three of them must be in place before launching any email campaign, regardless of which mailing service you choose. Without them, your email will most probably not be delivered to the client's mailbox at all.

First off, it is easiest to think of DKIM as a kind of “digital signature”. When you send emails, email providers like Gmail, Outlook, Yahoo, etc. must determine whether the message was indeed sent by the owner of the domain name, or whether it is a malicious email sent by a spammer.

Unfortunately, you can't just knock on Gmail’s door and say, "Hi, I'm using UniOne to send emails, and by the way, the domain does actually belong to me". Instead, to notify email providers of your identity you have to add the necessary lines for SPF and DKIM to the DNS entries of your domain name. And the DMARC entry serves as an additional layer of protection.

DMARC is a policy that tells receiving servers how to handle your emails when they fail the SPF and DKIM checks. All three security elements are stored as TXT-type DNS records, a record type that lets you attach arbitrary text to a domain.

So, SPF, DMARC and DKIM require their own DNS records. The Domain Name System (DNS) is the Yellow Pages of the Internet, where the phone number is akin to the IP address and the contact name is the domain. All this information is securely stored on DNS servers. To implement email authentication, you need to configure SPF and DKIM — without them, mass emailing to your clients from the domain is impossible.

Sender Policy Framework (SPF)

So what is an SPF email record? It is a record listing the servers and IP addresses that are permitted to send emails on behalf of your domain. By setting up SPF records, you make it possible for mail services to verify that an email was sent either by you or by someone you have allowed to send on your behalf. If an email is sent from an IP or server that is not listed in the record, the receiving server will consider it spam.

To set up SPF, add a DNS TXT record listing the servers you use for emailing. Remember that if the values are not entered correctly, SPF will not work, which you would surely like to avoid. For example, if you use UniOne to send newsletters, you should specify the corresponding SPF values in your DNS. This is a simple TXT record, so don't panic. All the settings are made through the domain hosting management console, as described below.

Domain Keys Identified Mail (DKIM)

Domain Keys Identified Mail is yet another critical part of your email authentication. The email server that processes your email will look up your DKIM public key in DNS and use it to verify the signature on each message, confirming that the message has not been altered in transit. Properly configured, it will increase the provider’s trust in your mailings.

It’s all very similar to the way codebreakers operated during World War II. This is a two-way verification tool between a sending server and a receiving server, where the process is controlled by a private and a public key. The private key is a secret, unique value stored on the sending mail server (for example, at your email service provider). Using it, the sending server signs each email with a digital signature computed over selected headers, such as the recipient's name and address, the time of sending and certain information about the sender, together with the message body.

The public key is placed in the DNS database as a TXT record. Using it, the receiving server verifies that the signed sender information has not been altered. If anything in the signed content has changed, even slightly, the signature will not verify and the email is treated as forged.

Domain-based Message Authentication, Reporting and Conformance

Domain-based Message Authentication, Reporting and Conformance (DMARC) is a policy that tells receiving servers what to do with emails that fail the verification check. You may choose any of the following three options:

  • do nothing;
  • mark as spam;
  • reject.

In order for DMARC to work, you first need to configure SPF and DKIM. When receiving a message, the mail provider checks the sender’s IP against SPF and verifies the email’s DKIM signature. If both checks fail, your domain's DMARC policy takes effect. After verification, reports are sent to you.
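As an added example (not code from the UniOne article or its service), the following stdlib-only Python shows how a receiving server evaluates an SPF record for a sender IP, reads the domain's DMARC policy, and decides what to do with the message. The DNS records are constructed placeholders, DKIM signature verification itself is omitted (only its pass/fail result is fed in), and DMARC alignment is simplified to an exact match between the authenticated domain and the From: domain.

```python
"""SPF lookup, DMARC policy parsing and DMARC disposition over constructed DNS data."""
import ipaddress

# Constructed TXT records standing in for a real zone; example.com is a placeholder.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
}
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, ip, depth=0):
    """Evaluate the SPF record of `domain` for sending address `ip` (ip4/ip6/include/all only)."""
    record = DNS_TXT.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:  # no record, or too many include hops
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                     # an unqualified mechanism means "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):   # include matches only if the nested record passes
            matched = spf_check(term[8:], ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                        # a, mx, exists and modifiers are not handled here
        if matched:
            return RESULT[qualifier]
    return "neutral"                        # reached the end of the record without a match

def dmarc_policy(domain):
    """Return the p= tag of the domain's DMARC record, or None if there is no valid record."""
    record = DNS_TXT.get("_dmarc." + domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none") if tags.get("v") == "DMARC1" else None

def dmarc_disposition(from_domain, spf_domain, spf_result, dkim_domain, dkim_result):
    """DMARC passes when SPF or DKIM passed AND that identity matches the From: domain.
    Alignment is simplified here to an exact domain match (strict mode)."""
    spf_aligned = spf_result == "pass" and spf_domain == from_domain
    dkim_aligned = dkim_result == "pass" and dkim_domain == from_domain
    if spf_aligned or dkim_aligned:
        return "deliver"
    policy = dmarc_policy(from_domain)
    return {"none": "deliver", "quarantine": "mark as spam", "reject": "reject"}.get(policy, "deliver")
```

Note that a message can pass SPF for the envelope sender's domain and still be quarantined or rejected if that domain does not match the visible From: header, which is exactly the case DMARC was designed to catch.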

Deployment Guidelines

So, to register the necessary records, you’ll need access to DNS (Domain Name System). Usually, system administrators or programmers have access to DNS for the company’s domain. You must give them the exact records to add to DNS. Usually the necessary settings are provided by your ESP (email service provider); in UniOne, you just need to copy the necessary lines from your account’s domain setup page and add them using your DNS management form.

To verify your DNS records for SPF, DKIM and DMARC, you may use the following online tools:

Conclusion

DKIM and SPF email settings confirm that the mailings indeed come from you. DMARC prescribes what to do with emails that have not passed verification. The settings are made on the website of the company that provides your domain hosting. To do this, you need to create or modify your domain’s DNS TXT records. For everything to work smoothly, it is worth checking the settings: use a DNS lookup service and test via your email provider by sending an SPF test email. Proper configuration of SPF, DMARC and DKIM email records reduces the risk of ending up in spam.