Understanding Email SPF, DKIM & DMARC
Disclaimer: This post may contain affiliate links to products or services that I recommend. I may receive a commission should you sign up through my link (but at no additional cost to you). I only suggest products and services that I wholeheartedly support and believe in and have either used myself or have used on behalf of a private client.
Email SPF, DKIM and DMARC can be confusing at the best of times, so I want to start with a story to help you understand what these important pieces of the email delivery puzzle actually are, why they are critical to get right, and (in the following post) how to set up each one so that your emails get delivered properly and work their magic – aka engage and convert your reader.
A Simplified Guide to Understanding Email Authentication – The Story of the Courier, the Parcel, and the Gatekeeper
In a bustling city, overrun with mobsters and con-artists who prey on unsuspecting citizens with spammy messages and trickery, a busy courier named Charlie was on a mission to deliver a very important parcel.
Charlie represents an email sender (like ConvertKit), and the parcel is the email itself. His destination? A grand apartment building, known as The Steeple, with a vigilant concierge named Felicity Danvers, who symbolises the recipient’s email provider – she is the gatekeeper and the hero of this story. She protects the people of The Steeple from potential threats and unwanted deliveries.
SPF: The Approved Senders List
Felicity Danvers is meticulous and organised. She maintains a list of approved parcel senders—let’s call it the SPF list. This list is kept in a sleek black book on her desk. Every time a courier like Charlie arrives with a parcel, Felicity Danvers first checks her list to see if the courier is authorised to deliver to The Steeple.
As Charlie arrives at the building, he smiles and greets Felicity Danvers, holding out the parcel. Felicity Danvers opens her black book and searches for Charlie’s name.
“Ah, yes, Charlie. You’re on the list,” she says. Charlie has passed the first test. This step is akin to SPF (Sender Policy Framework) in email authentication, where the recipient’s email provider checks whether the IP address of the connecting mail server is authorised to send for the domain in the message’s envelope sender (the Return-Path). Note that SPF looks at that envelope address, not at the From address the reader sees in their inbox.
DKIM: Verifying the Courier's ID
Next, Felicity Danvers asks Charlie for his ID to verify he is who he claims to be. Charlie pulls out his identification badge, which contains a special holographic signature unique to his courier company. Felicity Danvers examines the badge carefully, matching it against the records provided by the courier company.
“Everything looks in order,” she nods approvingly. This process is similar to DKIM (DomainKeys Identified Mail), where the recipient’s email provider checks the digital signature attached to the email to confirm its authenticity and integrity.
DMARC: The Rules to Follow
Felicity Danvers has one more task before she accepts the parcel: consulting a set of protocols pinned on the wall behind her desk. These protocols, known as DMARC (Domain-based Message Authentication, Reporting & Conformance), were published by the courier company itself (in email terms, by the owner of the sending domain) and tell her what to do based on the outcomes of the previous checks, and on whether those checks vouched for the same sender whose name is on the parcel.
The protocols outline two scenarios:
If the courier is on the approved list, or his ID checks out, or both (SPF or DKIM passes, and the domain that passed matches the From address, which DMARC calls alignment): Accept the parcel and deliver it to the recipient’s apartment. One aligned pass is enough; a parcel whose courier is not on the list but who carries a valid ID is still accepted.
If the courier is neither on the list nor has a valid ID, or is only vouched for under some other company’s name (both SPF and DKIM fail, or pass without alignment): Apply whatever the courier company wrote on the wall. DMARC offers three policies: p=none (deliver anyway, but report it), p=quarantine (hold the parcel for inspection, typically the spam folder) and p=reject (send it back with a polite but firm refusal).
Charlie, being on the approved list and having a valid ID, is given the green light. Felicity Danvers thanks him and ensures the parcel is delivered promptly to the recipient’s apartment.
Making sense of Email SPF, DKIM and DMARC
Through this story, we can see how SPF, DKIM, and DMARC work together to ensure the security and authenticity of emails. Felicity Danvers, the diligent concierge, represents the recipient’s email provider, meticulously checking the approved senders list (SPF), verifying the courier’s ID (DKIM), and following the established protocols (DMARC) to handle the parcel appropriately.
In the world of email, these authentication protocols are crucial. They prevent unauthorised senders from delivering malicious emails, protect the integrity of communications, and ensure that only legitimate emails reach their intended recipients. Just like Felicity Danvers ensures that only authorised parcels make it into The Steeple, SPF, DKIM, and DMARC work together to keep our inboxes safe and secure.
That, in a nutshell, is how these email security protocols work.
So, let's recap each of these records/protocols (SPF, DKIM and DMARC) in more technical terms to see how they can affect your email deliverability.
Why are Email SPF, DKIM and DMARC Important?
Email is a crucial part of our daily communication, whether for personal or professional purposes. However, the convenience of email also makes it a target for various malicious activities such as phishing, spoofing, and spam. To protect our inboxes and ensure the authenticity of email messages, three key authentication protocols have been developed: SPF, DKIM, and DMARC.
What is SPF?
Sender Policy Framework (SPF) is a method that helps to detect and block email spoofing. It allows the owner of a domain to specify which mail servers are permitted to send emails on behalf of their domain. This is achieved by publishing a DNS (Domain Name System) TXT record for the domain.
How SPF Works:
DNS Record: The domain owner (you) publishes an SPF record as a TXT record in the DNS, beginning with v=spf1. This record lists the IP addresses (ip4:/ip6:), hostnames (a, mx) and other domains’ records (include:) that are authorised to send email on behalf of the domain, and ends with a catch-all such as -all (fail) or ~all (softfail) for everyone else.
Verification: When an email arrives, the recipient’s mail server takes the domain from the envelope sender (the MAIL FROM / Return-Path address, which is often a bounce address belonging to your email platform rather than your visible From address), looks up its SPF record and checks whether the connecting server’s IP address is listed.
Decision: If the sending server’s IP address matches a mechanism in the SPF record, the email passes the SPF check. If not, it fails (or softfails, depending on the qualifier you chose), and the recipient’s server can take appropriate action, such as flagging the email as suspicious or rejecting it outright. Two practical caveats: evaluation stops at the first match, and a record that requires more than ten DNS lookups (counting every include, a and mx, including those nested inside includes) yields a permanent error, which is the most common way a long list of third-party services silently breaks SPF.
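To make the evaluation order, the qualifiers and the ten-lookup limit concrete, here is a small SPF evaluator written for this post as an added example (it is not code from the original article or from any email provider). It runs against a constructed in-memory DNS table instead of real DNS, and the domains in that table (example.com, mail.example.com, _spf.mailer.example, _spf.loop.example) and their records are assumptions chosen for the illustration. It handles the ip4, ip6, a, mx, include and all mechanisms; macros, exists, redirect= and CIDR suffixes on a/mx are outside its scope.

```python
"""Minimal SPF (RFC 7208) evaluator against an in-memory DNS table.

Added illustration, not code from the original post. Only the ip4, ip6, a,
mx, include and all mechanisms are handled, with no macros, no 'exists', no
redirect= modifier and no real DNS; the table below stands in for TXT/A/MX
lookups.
"""
import ipaddress

# Constructed DNS data. example.com, mail.example.com, _spf.mailer.example and
# _spf.loop.example are hypothetical names chosen for this example.
FAKE_DNS = {
    "example.com": {
        "TXT": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example a mx -all",
        "A": ["198.51.100.10"],
        "MX": ["mail.example.com"],
    },
    "mail.example.com": {"A": ["198.51.100.20"]},
    "_spf.mailer.example": {"TXT": "v=spf1 ip4:203.0.113.0/24 ~all"},
    # A self-referencing include, to show the lookup limit stopping a loop.
    "_spf.loop.example": {"TXT": "v=spf1 include:_spf.loop.example -all"},
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than ten -> permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, lookups=None):
    """Evaluate the SPF record of `domain` for a connection from `client_ip`.

    `domain` is the domain of the envelope sender (MAIL FROM / Return-Path).
    Returns (result, lookups_used) where result is pass, fail, softfail,
    neutral, none or permerror.
    """
    if lookups is None:
        lookups = [0]  # shared counter across include: recursion
    ip = ipaddress.ip_address(client_ip)
    record = FAKE_DNS.get(domain.lower(), {}).get("TXT")
    if not record or not record.lower().startswith("v=spf1"):
        return "none", lookups[0]

    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name in ("include", "a", "mx"):  # mechanisms that cost a DNS lookup
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror", lookups[0]

        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # An IPv4 client never matches an ip6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in FAKE_DNS.get(arg or domain, {}).get("A", [])
        elif name == "mx":
            # Simplification: the per-MX address lookups are not counted here.
            hosts = FAKE_DNS.get(arg or domain, {}).get("MX", [])
            matched = any(str(ip) in FAKE_DNS.get(h, {}).get("A", []) for h in hosts)
        elif name == "include":
            sub, _ = check_spf(arg, client_ip, lookups)
            if sub in ("none", "permerror"):
                return "permerror", lookups[0]
            matched = sub == "pass"  # include: matches only on a sub-result of pass
        else:
            return "permerror", lookups[0]  # unsupported mechanism or modifier

        if matched:
            return QUALIFIERS[qualifier], lookups[0]
    return "neutral", lookups[0]  # nothing matched and no all term


if __name__ == "__main__":
    for ip in ("192.0.2.7", "203.0.113.9", "198.51.100.20", "10.0.0.1"):
        print(ip, check_spf("example.com", ip))
    print("loop", check_spf("_spf.loop.example", "10.0.0.1"))
```

Two things worth noticing when you run it: a softfail inside an included record does not make the include match (only a pass does), so the outer record keeps evaluating, and the self-including record never recurses forever because the eleventh lookup turns the whole result into permerror, which receivers treat as "no usable SPF" rather than as a pass.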
What is DKIM?
DomainKeys Identified Mail (DKIM) is an authentication protocol that allows the sender to attach a digital signature to an email. This signature is tied to a signing domain (the d= tag in the DKIM-Signature header) and lets the receiver verify that whoever holds that domain’s private key signed the message and that the signed headers and body have not been altered in transit.
How DKIM Works:
Signature Creation: When an email is sent, the sending server adds a DKIM-Signature header. It first canonicalises the body and computes its hash (the bh= tag), then hashes a chosen set of headers (listed in the h= tag, which should always include From) together with the signature header itself, and signs that hash with the domain’s private key (the b= tag). It is a signature over the hash, not the hash alone: anyone can compute a hash, but only the private-key holder can produce the signature.
DNS Record: The public key corresponding to the private key is published in the DNS as a TXT record under the selector and domain named in the signature, i.e. at selector._domainkey.example.com for s=selector and d=example.com. Selectors let you rotate keys, or give each email platform its own key, without touching the others.
Verification: The recipient’s mail server recomputes the body hash and compares it with bh=, retrieves the public key from the DNS, and uses it to verify the b= signature over the canonicalised headers. If both check out, the email was signed by the holder of that domain’s key and the signed parts have not been tampered with. Note that DKIM says nothing about headers outside the h= list, and that a valid signature only proves which domain signed, not that the content is trustworthy.
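The hashing half of that process is easy to show with the standard library, so here is an added example (written for this post, not code from the original article or from any mail software) that implements DKIM relaxed canonicalisation for body and headers, computes the bh= body hash, and builds the exact header block that the b= signature covers. The sample headers, body, selector s1 and domain example.com are constructed for the illustration, and the b= tag is left empty because producing or checking the RSA/Ed25519 signature over that block requires the key pair and a cryptography library, which is the one step this example does not perform.

```python
"""DKIM (RFC 6376) relaxed canonicalisation and body-hash check.

Added illustration, not code from the original post. It shows what a
verifier does before touching the public key: canonicalise, recompute bh=,
and assemble the header block that b= signs. The signature step itself is
not performed here. All sample data below is constructed.
"""
import base64
import hashlib
import re


def canonicalize_body_relaxed(body):
    """RFC 6376 s3.4.4: collapse WSP runs, strip trailing WSP, drop trailing empty lines."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines)  # empty body stays empty


def canonicalize_header_relaxed(name, value):
    """RFC 6376 s3.4.2: lowercase name, unfold, collapse WSP, trim around the colon."""
    value = re.sub(r"\r\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.strip().lower()}:{value}\r\n"


def body_hash(body):
    """The bh= tag: base64(sha256(canonical body))."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(sig_value):
    """Split a DKIM-Signature tag list into a dict, dropping folding whitespace."""
    tags = {}
    for item in sig_value.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def signed_header_block(headers, sig_value):
    """Return the string the private key signs (b=): the h= headers in order,
    each taken from the bottom of the message up, then the DKIM-Signature
    header itself with its b= value emptied and no trailing CRLF."""
    remaining = list(headers)
    out = []
    for want in parse_tags(sig_value)["h"].split(":"):
        for i in range(len(remaining) - 1, -1, -1):
            if remaining[i][0].lower() == want.lower():
                out.append(canonicalize_header_relaxed(*remaining.pop(i)))
                break
    stripped = re.sub(r"(^|;)(\s*)b=[^;]*", r"\1\2b=", sig_value)
    out.append(canonicalize_header_relaxed("DKIM-Signature", stripped).rstrip("\r\n"))
    return "".join(out)


def verify_body_hash(sig_value, body):
    """First verifier step: does the received body still hash to bh=?"""
    return parse_tags(sig_value).get("bh") == body_hash(body)


# Constructed sample message (hypothetical addresses and content).
SAMPLE_HEADERS = [
    ("From", "Alice <alice@example.com>"),
    ("To", "bob@example.net"),
    ("Subject", "Invoice  42"),
    ("Date", "Mon, 1 Jan 2024 10:00:00 +0000"),
]
SAMPLE_BODY = "Hi Bob,\r\n\r\nPlease pay $100 by Friday.  \r\n\r\n\r\n"
# What the signer would put in DKIM-Signature; b= is left empty because the
# RSA signature over signed_header_block() is not computed in this example.
SAMPLE_SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1; "
              "h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + "; b=")

if __name__ == "__main__":
    print("bh matches:", verify_body_hash(SAMPLE_SIG, SAMPLE_BODY))
    print("tampered:", verify_body_hash(SAMPLE_SIG, SAMPLE_BODY.replace("$100", "$900")))
    print(signed_header_block(SAMPLE_HEADERS, SAMPLE_SIG))
```

Running it shows why relaxed canonicalisation exists: trailing spaces and extra blank lines added by an intermediate server do not change bh=, but changing "$100" to "$900" does. It also shows that Date is not protected, because it is absent from h=; a signer that wants a header covered must list it, and listing a header that is not present (by naming it twice, for example) is the usual way to stop someone adding one later.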
What is DMARC?
Domain-based Message Authentication, Reporting & Conformance (DMARC) is a policy framework that builds on SPF and DKIM. It provides a way for domain owners to specify how unauthenticated emails should be handled and generates reports to monitor and improve email authentication.
How DMARC Works:
Policy Publication: The domain owner publishes a DMARC policy as a TXT record at _dmarc.example.com. Its p= tag specifies how emails that fail DMARC should be treated: p=none (deliver and only report, used while you monitor), p=quarantine (treat as suspicious, typically the spam folder) or p=reject (refuse the message). An sp= tag can set a different policy for subdomains, and pct= lets you apply the policy to only a percentage of failing mail while rolling it out.
Alignment Check: DMARC passes if at least one of SPF or DKIM passes and the domain it verified aligns with the domain in the visible From header. For SPF that verified domain is the envelope sender (Return-Path); for DKIM it is the d= tag of the signature. Alignment is relaxed by default (the same organisational domain is enough, so mail.example.com aligns with example.com) or strict (adkim=s / aspf=s, exact match required). This is why SPF passing for your email platform’s bounce domain does not help DMARC unless that domain is yours, and why a DKIM signature using the platform’s own d= domain does not align with your From address.
Reporting: DMARC provides mechanisms for receiving reports about email authentication activity. Aggregate reports (rua= tag, XML sent by receivers, usually daily) show which IP addresses sent mail using your domain and how SPF, DKIM and alignment fared; failure reports (ruf=) give per-message detail, though few receivers send them. These reports help domain owners understand who is sending emails on their behalf and identify any unauthorised use before tightening the policy from none to quarantine to reject.
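The alignment and policy steps above, and the corrected version of the concierge's three scenarios from the story (in particular, SPF failing while an aligned DKIM signature passes is a DMARC pass, not a quarantine), are spelled out in the following added example. It was written for this post and is not code from the original article or from any receiver's implementation. The DMARC records, domains and authentication results it uses are assumptions; its organisational-domain rule (last two labels) is a simplification, and a real evaluator consults the Public Suffix List so that names such as example.co.uk are handled correctly.

```python
"""DMARC (RFC 7489) evaluation over constructed SPF/DKIM outcomes.

Added illustration, not code from the original post. The DMARC records, the
domains and the authentication results are assumptions; the organisational
domain is approximated as the last two labels, whereas a real evaluator
consults the Public Suffix List (so this is wrong for names like co.uk).
The pct= sampling tag is ignored.
"""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dict, insisting on v= and p=."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: " + record)
    return tags


def org_domain(domain):
    # Approximation only; production code must use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    from_domain: domain of the From header the reader sees.
    spf_domain:  domain SPF was evaluated for (MAIL FROM / Return-Path).
    dkim_domain: d= tag of a DKIM signature that verified, or None.
    DMARC passes if EITHER SPF or DKIM passed AND that identifier aligns with
    from_domain; the published policy applies only when neither does.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    # sp= overrides p= for mail whose From is a subdomain of the policy domain.
    if "sp" in tags and from_domain.lower() != org_domain(from_domain):
        policy = tags["sp"]
    return "fail", policy


# Constructed record for the hypothetical domain example.com.
POLICY = "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    cases = [
        ("both aligned",        "example.com",      "pass", "example.com",           "pass", "example.com"),
        ("SPF fail, DKIM pass", "example.com",      "fail", "example.com",           "pass", "example.com"),
        ("SPF unaligned only",  "example.com",      "pass", "bounce.mailer.example", "fail", None),
        ("subdomain, all fail", "news.example.com", "fail", "news.example.com",      "fail", None),
    ]
    for label, *args in cases:
        print(f"{label:22} -> {evaluate_dmarc(POLICY, *args)}")
```

The third case is the one that trips up most small senders: the email platform's own SPF passes for its bounce domain, but that domain is not yours, so it does not align and the message falls through to your p= policy. The fix is either a custom Return-Path on your domain (aligned SPF) or, more commonly, a DKIM signature with d= set to your domain, which the test cases show is sufficient on its own.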
Why Email Authentication is Necessary
Preventing Phishing and Spoofing: Email authentication protocols like SPF, DKIM, and DMARC help prevent phishing and spoofing attacks. By verifying that the sender really controls the domain in the From address, recipients can trust that the emails they receive are from that domain. The guarantee is about the domain, not the content: an attacker who registers a lookalike domain and configures all three records correctly will pass every check, so authentication complements, rather than replaces, content filtering and user awareness.
Protecting Brand Reputation: Unauthorised use of a domain can damage a brand’s reputation. Email authentication helps ensure that only authorised parties can send emails using a particular domain, protecting the brand’s integrity.
Improving Email Deliverability: Emails that pass authentication checks are more likely to reach the recipient’s inbox rather than being flagged as spam. This improves overall email deliverability and ensures that important communications are not missed.
Enhancing Security: By reducing the risk of email-based attacks, authentication protocols contribute to the overall security of email communications. This is crucial for both individuals and organisations to protect sensitive information.
Now, if you’re ready to get your email SPF, DKIM & DMARC set up so that they get the greenlight on the receiving end, then make sure to check out the next post: