TIME TO READ: 5 MINUTES
Email Campaigns Need Authentication for Maximum Deliverability.
Take a look at the “From” box for this newsletter. It says, “Robert Douglas, email@example.com.”
The email address, firstname.lastname@example.org, is one of ours. However, we used an email service provider (ESP) to send the newsletter out.
The ESP didn’t create that email address. We did. So how was the ESP able to use it?
The answer: We allowed it to.
We used an email authentication method between the ESP and our company domain (planetmagpie.com). If we didn’t do so, the odds of you receiving this newsletter would drop. You still cloud, but your email account might also think it’s spam
and reject it.
That’s why email authentication exists, and why it makes sense to use it.
Three elements go into email authentication: DMARC, SPF, and DKIM. In this WOOF you’ll learn what these are, how to choose & implement the best options for you, and how to make sure it helps your email deliverability.
What is DMARC? Is it the Same as SPF or DKIM?
DMARC, SPF, and SKIM are all what we call “protocols.” They run in the background, authenticating communications between your ESP and your domain.
(They also help keep spam & phishing attempts from propagating.)
DMARC stands for “Domain-based Message Authentication Reporting and Conformance.” It judges whether or not an email should go to its intended recipient.
SPF stands for “Sender Policy Framework.” It acts like a list of authorized guests for your company domain. “Are you on the list? Okay, you can use the domain for your emails.”
DKIM stands for “Domain Keys Identified Email.” It checks an email’s header for a certain numerical key. If the email’s key matches the key DKIM has stored, it provides a stamp of approval.
You can use these in a few combinations:
- DMARC alone
- DMARC and SPF
- SPF alone
- SPF and DKIM
- DKIM alone
- DMARC, SPF, and DKIM
Of these, we find D, the “SPF and DKIM” combination works best.
Together, they create a pair of DNS records that run behind your company domain. Once they’re in place, they don’t stop authenticating emails until you remove them. (More on that in the Tech Tip below.)
Here’s an example of SPF and DKIM records.
- (SPF) v=spf1 include:emailprovider.com -all
- (DKIM) emailserver._domainkey.emailprovider.com
Do you need both SPF and DKIM? You can get by with just one of them, but we recommend using both.
- SPF can stop phishing attacks, but doesn’t keep spam out very well
- DKIM can stop all sorts of spam, but it’s not great at stopping phishing attacks
SIDE NOTE: You can implement all three protocols, but most ESPs don’t require this.
How to Implement SPF/DKIM
In order to implement SPF and DKIM records, you’ll need access to two things:
- Your company domain’s DNS
- SPF & DKIM records (your ESP will have these)
If you’re not sure where to find SPF/DKIM records, check your ESP’s support center. Search for “SPF,” “DKIM,” or “email authentication.”
For reference, here are support pages from ESPs we manage for customers:
(Since this involves DNS changes, it’s best done by an IT professional.)
The process is pretty simple. Here’s how we do it for a customer:
- First, we log into the customer’s ESP. Within the account’s settings, we locate & obtain the SPF/DKIM records.
- Next, in a separate browser tab, we log into the customer’s DNS account. It could be their domain registrar (like Network Solutions or GoDaddy), their website host, or a private DNS registry.
- Next, add the SPF and DKIM records as separate DNS records. DKIM usually uses a CNAME record; SPF uses a TXT record.
- Note: These don’t interfere with any other DNS records.
- Save the update, and wait a few hours. The records need time to populate, but once they do, they’re up and running.
How to Confirm Your SPF/DKIM Records Are in Place
Okay, you’ve added the records to your domain. How do you know they’re doing their authentication job?
Run a check! Several options exist to check your domain’s DMARC and SPF/DKIM status.
MICROSOFT 365: M365 tenants will check DMARC, SPF, and DKIM for emails within their system. Ask your M365 administrator to check.
MXTOOLBOX: The MXToolbox website provides an SPF checker, a DKIM check, and a DMARC checker.
MAIL-TESTER: Mail-Tester.com examines emails for quality. It also checks SPF and DKIM records.
DMARCANALYZER: The DMARCAnalyzer website offers an
SPF checker and a DKIM checker.
Is That All? No—Keep Watch Over Your Email
No technology works 100% of the time. That includes DMARC and SPF/DKIM.
It’s possible for cybercriminals to bypass the authentication. It happened last year in fact. Someone impersonated LinkedIn to send out a phishing
attack. The attackers used a valid domain to send the email, enabling it to bypass email security, like DMARC and SPF/DKIM.
We’re ending on this note so you’re aware. DMARC and SPF/DKIM help you deliver more emails, and keep spam & phishing at bay...just make sure you have strong cybersecurity in place too.
Emails not reaching their targets? Contact PlanetMagpie's IT consultants at email@example.com.