As an email marketer, you’ve probably come across these terms on many occasions. DKIM, SPF and DMARC, and you wonder what they mean or what they actually do. The main function of these three technologies is email security (i.e., they help prevent spoofing, phishing, and spam). You might also wonder what spoofing, phishing, and spam mean. In this post you’ll learn everything you need to know about DKIM, SPF, and DMARC .
To better understand these technologies, you should know what spoofing, phishing, and spam are…
Note: These technologies(DKIM, SPF & DMARC) are only for domain owners (i.e., business emails like email@example.com). Not for free email addresses like firstname.lastname@example.org. So if you want to use them, then you have to buy a domain. You can get a cheap domain on namecheap, bluehost, godaddy and many more.
Email spoofing is when the content of an email is altered so that the message appear from someone or somewhere other than the actual source. A third party can change your email, deceive the recipients by sending them to different sites. Because of the common fraudulent use of spoofed emails, some email servers require DKIM to prevent email spoofing.
Email phishing is a form of fraud in which an attacker disguises himself as a trusted entity or person in an email or other form of communication. Also phishing is a form of social engineering in which attackers send fraudulent messages designed to trick human victims into disclosing confidential information to attackers or distributing malicious software, such as ransomware, to the victim’s infrastructure.
Email sent through phishing or spoofing is a email spam. Although spam might also be other apart from these two. In summary,email spam is an unsolicited email message.
Now that you understand what spoofing, phishing, and spam are, you can now understand the technologies put in place to curb them next.
Domain Keys Identified Mail (DKIM)
DKIM is a technology that can guarantee the messages that your organization sends by email. Using DKIM, email servers prevent email spoofing. A technical way to verify the sender’s domain using an encrypted signature. You generate DKIM domain key from your email service provider like gmail, getresponse, etc. Then you go to your domain provider dashboard and find the page for updating the domain’s DNS records. It also can be called DNS Management, Record Server Management or Advanced Settings, etc. I’ll show you how to add DKIM to your DNS record on namecheap . It is almost the same with other domain providers.
How Does DKIM Work
DKIM works by adding a digital signature to the header of your email message. The following three steps outline how DKIM works:
- The email service provider generates a public (DKIM) key. The public key is given to you to be added to your domain’s full DNS record and it is formatted as a TXT record.
- After the message is sent by the outgoing mail server or the email service provider. The server generates a unique DKIM signature and attaches it to the header of the message.
- The recipients email server key detects DKIM signature in the header and decrypts the signature using the public key in your domain DNS records. The result of the decryption is compared it with the email message.
- If the values match, the message is not falsified or tampered with because it does not change during transmission.
Will DKIM increase the deliverability of emails?
It depends on the receiving server that validate the email. When you sign your emails with DKIM, the recipient will look at the credentials of the company that signed the message, validate the message, and will then decide what to do with the email. Messages from companies with a good reputation will undergo a less thorough filtering on the recipient’s end. If receiving server can’t validate your message, it might be sent to spam folder. So it helps deliverability.
How to setup DKIM
To show how to setup DKIM, you’ll need an email service provider and a domain provider. I’ll use SendPulse as the email sender to show you how to setup DKIM. This might be different if you are using other email service provider
Step 1: Sign in to your SendPulse or your email sender platform and navigate to the service settings under the email tab.
Step 2: On the “Domain authentication (SPF and DKIM records)”. Click on activate to enter your business domain and generate DKIM domain keys. Copy the keys.
Step 3: After copying the DKIM keys, login to your domain provider dashboard. Find the page for updating the DNS records of your domain. It also can be called Advanced DNS, DNS Management, Record Server Management or Advanced Settings, etc.
When you located the DNS management. Click on “Add” to another TXT record ,you can then copy the key you generated from your email service provide to the TXT Value, the email service provider will also give you what to enter in the Host. Note that this process can take up to 3 days to propagate.
Sender Policy Framework (SPF)
(Sender Policy Framework SPF) is an email authentication method that helps verify that the sending IP allows sending on behalf of the sender domain. SPF technology is one means of identifying the sender of an email and provides an additional means of filtering email to determine whether spam exists. To illustrate, let’s say you are a domain(business) owner and you’re using Getresponse or SendPulse to send emails to your customer or subscribers. SPF tells your subscribers (recipients) email server that Getresponse or SendPulse is allowed to send emails on behalf of your domain.
How to setup SPF
To setup SPF for your domain. It is the same as shown above for DKIM. Just follow the steps for DKIM setup to step 3. The host and TXT value is different for SPF configuration. You get the values from email service provider and paste in. That’s all.
How Does SPF Work
SPF establishes a way to receive mail servers to ensure that mail received from a domain is sent from a host authorized by the administrator of that domain. In three simple steps you can understand how SPF works.
- Domain administrators publish policies that define which mail servers are allowed to send email for that domain as i had shown in the previous section. This policy is called an SPF record and appears as part of your domain’s overall DNS records.
- When the incoming(recipients) mail server receives your emails. It looks up the “Return-Path” header of the email, ensuring the sender domain’s public DNS lists this specific sending IP. The receiving server then compares the IP address of the sender of the mail with the allowed IP address defined in the SPF record.
- The incoming mail server then decides whether to approve, reject, or flag the email message using the rules specified in the SPF record for the sending domain.
Will SPF increase email deliverability?
SPF helps to prevent spam communications from being sent from your domain.If your domain doesn’t employ SPF, receiving mail servers can’t verify that messages that appear to be from your domain are actually from you. Receiving servers may send valid messages to spam folders or reject valid messages if you don’t use SPF. Although it still depends on receiving server but overall SPF increases deliverability.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
DMARC is an email authentication, policy, and reporting protocol. It is based on SPF and DKIM protocols. DMARC is used to improve and monitor the domain’s protection of fraudulent emails, and publish policies for handling failed email recipients. It also allows domain owners to request reports from recipient email servers about messages that appear to be sent from their domain but are not properly verified.
These reports contain data that can assist you in identifying potential authentication issues and malicious behavior for messages received from your domain. DMARC is not an email authentication mechanism in and of itself, rather it is based on the key authentication standards SPF and DKIM. Because SMTP does not offer any means for creating or specifying policies for email authentication, it supplements SMTP, the core protocol used to deliver email, with them.
How Does DMARC Work
For email authentication, DMARC uses SPF and DKIM standards. It also makes use of the Domain Name System (DNS). In general, the DMARC validation procedure goes like this:
- Domain administrator publishes a policy. The policy defines the domain email authentication practices and how receiving mail servers should handle mail that violates this policy. This DMARC policy is listed as part of the domain’s overall DNS records.
- When a receiving mail server receives an incoming email, it uses DNS to look up the DMARC policy for the domain contained in the message’s header. The receiving server then checks the message for DKIM and SPF authentication.
- After evaluation of the message. The server is ready to apply the sending DMARC policy to decide whether to accept, reject, or otherwise flag the email message.
- The receiving mail server will report the result to the sending domain owner after using DMARC policy to determine the message disposition.
To sum of everything in this post. DKIM and SPF are essential to prevent spoofing, phishing, and spam. They also play an important role in determining the deliverability of emails. Businesses that send emails every time must put these technologies in place to protect and build good reputation to avoid spam folders. Both SPF and DKIM must be configured properly before DMARC is to be configured. Implementing DMARC without SPF and DKIM working properly will result in messages landing in spam or being rejected. For brand or domain protection, DMARC is a fantastic addition.