What are DMARC, DKIM, and SPF?
What Are DMARC, DKIM, and SPF?
Are you an email marketer struggling to understand the purpose and importance of authentication in email deliverability? You’re not alone.
In today’s world, all types of transactions require authentication. Whether you’re a patient needing treatment, a driver needing a license, a customer paying with a credit card, or a passenger boarding an airplane – in order to proceed, you must prove that you are who you say you are. You provide a passport, proof of health insurance, a Social Security card, or some other form of tangible identification to prove that the name on the appointment, credit card, or airline ticket, actually belongs to you.
The world of deliverability works just the same. In order to get through the tight gates of ISP filters, you must prove that you are a legitimate sender. You must prove that you are not sending on behalf of someone else and that your identity has not been compromised. How do you prove this? By utilizing SPF, DKIM, and DMARC.
SPF, DKIM, and DMARC are acronyms for text records that specifically prove and protect a sender’s authentication. Let’s break them down, shall we?
What is SPF?
SPF, or Sender Policy Framework, is an email validation protocol designed to detect and block email spoofing that allows mail exchangers to verify that incoming mail from a domain comes from an IP Address authorized by that domain’s administrators. An SPF record is a TXT record found in the DNS (Domain Name System) record that specifies which IP addresses and/or servers are allowed to send mail “from” that domain. It is akin to a return address on a postcard: most people are much more likely to open a letter if the letter has a reliable and recognizable return address from which it was sent.
After a message is sent, ISPs will check the message’s Return-Path domain. They will then compare the IP address that sent the email to the IP address listed in the Return-Path domain’s SPF record to see if it is aligned. If so, SPF authentication has been confirmed and the message will be delivered.
Why is SPF important?
SPF is a “proposed standard” that helps protect you from potential spammers. Email spam and phishing often use forged “from” addresses and domains, so publishing and checking SPF records can be considered one of the most reliable and simple-to-use anti-spam techniques. If you have a good sending reputation, a spammer might attempt to send emails from your domain to piggyback off your good standing with ISPs. But proper SPF authentication will reveal to the receiving ISP that though the domain may be yours, the sending server has not been authorized to send mail from your domain.
An SPF record in a top domain (ie: collegedata.com), will automatically authenticate any subdomains (mail.collegedata.com) under it that may not contain their own SPF record.
For more information on how to create an SPF record, click here.
What is DKIM?
DKIM, or DomainKeys Identified Mail, lets an organization (or handler of the message) take responsibility for a message that is in transit. According to DKIM.org, DKIM attaches a new domain name identifier to a message and uses cryptographic techniques to validate authorization for its presence. The identifier is independent of any other identifier in the message, such in the author’s From: field. DKIM is also a TXT record signature that builds trust between the sender and the receiver.
Why is DKIM important?
DKIM proves three things:
- That the contents of an email have not been tampered with.
- That the headers in the email have not changed since the original sender sent, that there is no new “from” domain.
- That the sender of the email owns the DKIM domain, or is authorized by the owner of that domain.
DKIM uses an encryption algorithm that creates a pair of electronic keys – a public key and a private key. Your ESP should create these keys for you.
The private key remains on the computer it was created on. The first key’s encryption can only be decrypted by the other key. A sender will post the “public” key in the DNS record and list its location in the DKIM signature with the “d=” domain and the “s=” selector. The private key is kept secret by the owner of the DNS and stored in the sending email server. If the information in the decrypted signature matches the information it received in the unencrypted header, it knows the header has not been tampered with during transmission and reception.
In other words, DKIM is a way to ‘sign’ an email with a digitally-encrypted signature. This signature is a header that is included in an email message. Here is an example of a DKIM signature:
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1476054397;
s=m1; d=e.rentpath.com; firstname.lastname@example.org;
bh=Rm+zVdTj9mQiUHxMpu+O9d9OuV3cOTuaNWHONtEXYo0=; b=oGVqGJKcS8KZ+YR8+AKzGKg2t1qpwKFXpg6jO3eU/MvQnl9hRpn9NYSR1vV20MSYvJP9ZBiG7hftTHxYUwrP/Ur4Gt4a6bzt6Q6KETOiUrksD1Jnvwt7YG/cwGqGfjfmuYU +/fk3oboohCsnvOI79hHrR8q/a0eCLnkL5BC7L1g=
To understand the inner workings of DKIM would require strong knowledge on modern cryptography. For our purposes, DKIM is a technical practice that builds trust between a sending and a receiving email server.
For more information on DKIM, click here.
What is DMARC?
DMARC, or Domain-Based Message Authentication Reporting and Conformance, is an added authentication method that uses both SPF and DKIM to verify whether or not an email was actually sent by the owner of the “Friendly-From” domain that the user sees. In order for DMARC to pass, both SPF and DKIM must pass, and at least one of them must be aligned.
- Both authentications passing indicates that the email is coming from an authorized server and that the header information has not been tampered with to falsify alignment.
- At least one authentication aligning proves that the sender owns the DNS space of the “Friendly-From” and is therefore who they say that they are.
For SPF to align, the message’s From domain and its Return-Path domain must match. For DKIM to align, the message’s From domain and its DKIM d= domain must match.
Why is DMARC important?
Any message that does not align is treated as phishing and is not delivered. Phishing is the fraudulent practice of sending malicious emails pretending to be someone else in an attempt to steal a user’s credit card information or other personal information. Therefore, with DMARC, you are protecting yourself. In March 2017, the Federal Trade Commission published a study on DMARC usage by businesses. The study found that about 10% of 569 businesses with a significant online presence publish strict DMARC policies.
When implementing a DMARC record, you have 3 policies to choose from. These policies inform the recipient server how to treat mail sent from you that is not DMARC compliant. (Please note: the recipient server is not required to treat mail as requested.)
Treat all mail sent from your domain as it would be without any DMARC validation
The recipient server may accept the mail, but should place it somewhere other than the recipient’s inbox (usually, the spam folder)
Completely reject the message.
A successful DMARC implementation would slowly ramp up from different percentages of quarantine to ultimately fully reject. A successful practice also requires the sender to regularly monitor DMARC reports. These reports would inform you of any phishing attempts to your domain, if your own mail is being rejected for failing DKIM or SPF.
Is DMARC necessary? Let’s just say that Google recommends the use of DMARC for bulk email senders and we highly suggest it as well. It proves to ISPs that you are a serious sender and are willing to take precautionary measures to protect your identity and reputation. Plus, Gmail and Microsoft are quickly adopting DMARC into their filtering methods.
As with every authentication method mentioned: better safe than sorry!
You can also download the DMARC presentation, “The Email is Coming from Outside the House” which was presented at the 2018 Future of Email event.