
Demystifying SPF, DKIM and DMARC authentication protocols

I am certainly not the only one who regularly gets suspicious emails in my inbox. People with bad intentions pretend to be a trusted company in order to scam people by using fraudulent links. This is what we call phishing. Of course, these practices are harmful to everyone who gets scammed. But we don’t realize enough that it also impacts legitimate businesses that try to communicate with their customers. Email service providers like Outlook, Gmail, Yahoo, etc. are becoming more and more suspicious of any email that comes through them. Unfortunately, without action on your part, you are at risk of your email being blocked before it even reaches the recipient. How to avoid this? It’s relatively simple. In this article, you will learn what the main email authentication protocols are, what they are used for and how to configure them with Dialog Insight.

 

 

What is the purpose of email authentication protocols?

In most cases, recipients rely on the sender’s name and address to know who the email is from. However, it is easy for a spammer, through basic manipulations, to alter the sender’s name and address. This reality allows these scammers to use a trusted sender address to get unsuspecting consumers to open their emails. This poses a great threat to businesses who see their trusted and reputable brand name hijacked for malicious purposes.

Authentication protocols are configurations that prove to email providers that your email is legitimate and that you are the owner of the domain you are sending from. They are therefore one of the most effective ways to prevent scammers from impersonating you by using your domain name. Authentication protocols are now considered a standard in email marketing, and messages sent without at least SPF authorization and/or a DKIM signature are immediately seen as suspicious by email analysis tools.

Another undeniable benefit of proper authentication is that it improves your deliverability. By being identified as a legitimate sender, you are much more likely to have your email reach the inbox rather than the junk folder. Beware though, email authentication is not the silver bullet that will solve your deliverability problems. It is ONE of many actions to take.

 

 

The main authentication protocols

SPF (Sender Policy Framework)

An SPF record is a DNS entry that authorizes certain servers to send emails using a specified domain name. Email providers are then able to verify that an incoming email comes from an authorized server. The result of the verification is then recorded in the email header and is used to determine if the email is accepted in the recipient’s inbox.

However, the SPF protocol has some limitations. For example, forwarded emails may fail an authorization check even when the original email is legitimate because the forwarded emails originate from the IP address used by the forwarder, not the IP address of the original sender.
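The check described above, and the forwarding failure, as an added example (not code from Dialog Insight or the original article). The domains, the SPF records and the IP addresses are constructed documentation values, and `check_spf` is a hypothetical helper that handles only the `ip4`, `ip6`, `include` and `all` mechanisms from an in-memory table instead of live DNS.

```python
import ipaddress

# Constructed sample records standing in for DNS TXT lookups.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all",
    "_spf.esp.example": "v=spf1 ip4:198.51.100.16/28 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Return the SPF result for a connection from client_ip claiming `domain`."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # crude loop guard; RFC 7208 limits a check to 10 DNS-querying terms
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # An include matches only when the referenced record itself yields "pass".
            matched = check_spf(value, client_ip, records, depth + 1) == "pass"
        else:
            continue  # a, mx, exists, redirect need live DNS; skipped in this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    print(check_spf("example.com", "192.0.2.25"))     # the sender's own server
    print(check_spf("example.com", "198.51.100.20"))  # the authorized email provider
    print(check_spf("example.com", "203.0.113.9"))    # a forwarder relaying the same mail
```

The third call is the forwarding case: the message is legitimate, but the forwarder's address is not listed, so the `-all` term produces a fail.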

 

[Figure: SPF authentication protocol]

 

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature, created with a private key, to the header of all outgoing messages. This signature is hidden and does not appear in the final visual of your email. Email servers that receive signed messages use the matching public key, published in your domain’s DNS, to verify the authenticity of the signature.

By using DKIM signing in addition to SPF, you take the security and protection of your identity to a much higher level.

 

[Figure: DKIM authentication protocol]

 

Note that as a sender, configuring a DKIM signature will not prevent you from being considered a spammer by email providers if you do not apply good emailing practices. You should therefore make sure to respect these good practices when designing the content of your emails.

 

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC is a complementary authentication layer to SPF and DKIM that ensures that the sender identity presented to the recipient of an email is the same sender identity displayed to the receiving server. It allows the sender to certify that they are protected by SPF and DKIM. Although SPF and DKIM signatures help prove that an email is legitimate, their absence or failure does not prove the opposite. This technology, therefore, also allows the domain owner to specify how suspicious emails that fail SPF and DKIM checks are handled. They can either be placed in the spam folder or rejected.

DMARC also provides the ability to receive reports detailing which messages have passed or failed the verifications and, if applicable, where in the authentication protocol these failures occurred. This information is extremely valuable as it can help identify attacks and infrastructure vulnerabilities.

 

[Figure: DMARC authentication protocol]

 

 

Configuring SPF, DKIM and DMARC authentication protocols with Dialog Insight

Unfortunately, just because you’re dealing with a trusted email provider doesn’t mean you’re automatically exempt from doing your own configurations. Some actions can only be done by you. To configure your domain’s SPF, DKIM, and DMARC authentication settings, you will need to access your server’s DNS records.

 

SPF

Note that if you are a Dialog Insight customer, configuring SPF is optional since Dialog Insight supports SPF by default if your mailings are sent from our shared addresses. If you are using a dedicated IP address for your emails, you will need to configure it and a procedure will then be provided.

 

DKIM

Here are the steps to set up DKIM signatures for your domains:

  1. List all domains that will be used as the sender address in your emails (for example: “yourcompany.com” and “service.yourcompany.com”) as well as your subdomains used for link tracking or landing pages.
  2. Go to Account Management under Domain Management/Validated Domains to add your domain and validate it. You will then need to create the DNS entries on your server that were provided at validation.

     [Figure: DKIM configuration in Dialog Insight, step 2]

  3. Once the domain is validated, you will have two options:

     A) If it’s a domain for sending email, add your domain to the list under Sender Domains.

     B) If it’s a custom domain (subdomain) that will be used for link tracking or landing pages, go to Custom Domains and add the domain that was validated in the previous step and then click on DNS Entry. You will then need to create the DNS entries provided on your server.

 

[Figure: DKIM configuration in Dialog Insight, step 3B]

 

When step 3B is complete, specify the domains to be used for tracking links and landing pages in the Dialog Insight platform under Custom trackers.

 

[Figure: DKIM configuration in Dialog Insight, step 3B-2]

 

If you are not comfortable with the above steps, you can also send a DKIM signature request to our support team, indicating the list of domains that you need.

You will then only have to create the DNS entries that will be provided by our team in the domains and notify technical support when they are done.

We will then validate the entries and activate the DKIM signatures for these domains in your account.

 

DMARC

There is no action that has to be taken by Dialog Insight to set up a DMARC policy. This is handled entirely on the client side. The https://dmarc.org website contains all the resources necessary for your team to fully understand DMARC, prepare an appropriate policy and test it.

 

 

Key takeaway

There are several email authentication protocols. It’s important to get the configurations right to protect your brand from spammers, who are unfortunately becoming more numerous and smarter. By combining SPF, DKIM and DMARC, your protection will be greatly enhanced. Don’t hesitate to call your email service provider for assistance if necessary.

And if you want to improve your email communications in general, take the opportunity to review best practices and optimize your templates for anti-spam filters.
