Email Authentication

Essential Email Authentication Protocols

Safeguard your domain from email spoofing and phishing.

Introduction

SPF, DKIM and DMARC - they may just sound like complicated acronyms, but they are vital to protecting your domain, as well as ensuring optimal email deliverability.

What are the essential email authentication protocols?


SPF (Sender Policy Framework)

Technical definition: SPF is a TXT record in your domain's DNS that lists which mail servers (by IP address, or by reference to another domain's record) are authorised to send email using your domain as the envelope sender (the Return-Path). A receiving server looks up the record and checks the IP address of the server that connected to it against that list.

Explanation for humans: SPF is like a security guard who checks where an email came from. Imagine a friend sends you an email. SPF lets your mail server confirm that the message arrived from a server your friend has approved, rather than from someone pretending to be them. One caveat: on its own, SPF checks only the hidden envelope sender, not the From address you see in your inbox; closing that gap is DMARC's job.
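To make the "list of approved servers" concrete, here is an added example (not EcoSend's code, and not part of the original article) of how a receiving server evaluates SPF. DNS is replaced by a constructed in-memory table of TXT records using documentation-only addresses, so it runs offline; only the ip4, ip6, include and all mechanisms are modelled, and the domain names are assumptions for illustration.

```python
"""Offline SPF evaluator: given a sending IP and a domain's SPF record, decide
whether that server is authorised. DNS is replaced by a constructed in-memory
table so the example runs without network access."""
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (example addresses only).
DNS_TXT = {
    "exampledomain.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.sender.example -all",
    "_spf.sender.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying mechanisms such as include


def check_spf(ip, domain, dns=DNS_TXT, _lookups=None):
    """Return the SPF result for `ip` sending as `domain`:
    pass, fail, softfail, neutral, none (no record) or permerror."""
    if _lookups is None:
        _lookups = [0]
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                       # a mechanism with no prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"            # malformed address in the record
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            # include matches only when the referenced domain's record yields pass
            if check_spf(ip, arg, dns, _lookups) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]      # catch-all, normally the last term
        else:
            # a, mx, exists, ptr and redirect= are not modelled in this example;
            # treat them as permerror rather than guess
            return "permerror"
    return "neutral"  # RFC 7208: nothing matched and no "all" term present


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "2001:db8::1", "192.0.2.5"):
        print(ip, "->", check_spf(ip, "exampledomain.com"))
```

The include mechanism is how an email service provider's servers end up authorised for your domain: your record points at theirs, and a sender passes only if it appears in the included record. The -all at the end is what turns "not listed" into a hard fail; with ~all (softfail) receivers are merely advised to be suspicious.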


DKIM (DomainKeys Identified Mail)

Technical definition: DKIM attaches a digital signature to each outgoing message, computed over the body and selected headers with a private key held by the sending system. The matching public key is published as a DNS TXT record under a selector on your domain (selector._domainkey.yourdomain), so any recipient's server can verify that the message was signed on behalf of your domain and that the signed parts were not modified in transit.

Explanation for humans: When you receive an email from a known sender (your 'friend'), you want to know the email they sent you hasn't been altered in any way after it was sent.

So your friend publishes a lock that everyone can see (the public key in DNS) and attaches a digital signature to the email, which works like a key made for that lock.

When your mail system receives the email, it checks whether the signature fits the lock. If the email has been altered after it was signed, the signature no longer fits. If it does fit, the email was signed by your friend's domain and its signed content has not been altered.


DMARC (Domain-based Message Authentication, Reporting & Conformance)

Technical definition: DMARC builds on the two protocols above. It tells recipients' servers that a message must pass SPF or DKIM with a domain that aligns with the visible From: address (so a spoofed From: cannot ride on somebody else's SPF or DKIM pass), and it states what to do with messages that fail: deliver, quarantine or reject. It also asks receivers to send you reports about the mail they see using your domain.

Explanation for humans: DMARC is like your friend giving you a set of rules for how they want their emails to be handled. It's as if your friend is saying, "If you get an email from me, it should have a valid signature (DKIM) or come from an approved location (SPF)."

DMARC provides instructions on what to do if an email doesn't meet these rules. It's like your friend saying, "If you get an email claiming to be from me that doesn't have my signature (DKIM) and wasn't sent from an approved place (SPF), it might be suspicious. Here's what you should do with it, and please send me a report so I can see who is sending in my name."

Who configures what?

SPF is automatically created and managed by EcoSend.
DKIM is automatically created and managed by EcoSend.
⚠️ DMARC is not automatically created for you by EcoSend.

With the changes Gmail and Yahoo introduced in early 2024, if you send from a custom domain or send a high volume of email per day, you will need to publish a DMARC record for your domain.

How do I set up DMARC authentication?

  1. Define your DMARC policy

Your chosen policy level defines how your recipients' server should manage emails which fail SPF and/or DKIM. The policy options are:
- None
- Quarantine
- Reject

Selecting 'None' means receivers take no action on failing mail and simply include it in the reports they send you; this is the monitoring mode. 'Quarantine' asks receivers to treat unauthenticated emails as suspicious, which in practice means diverting them to your recipients' Spam/Junk folders. 'Reject' asks receivers to refuse them outright.

  2. Define your policy's percentage

Your DMARC policy's percentage (pct) defines what proportion of the messages that fail DMARC should have the policy above applied to them. It only has an effect with 'Quarantine' or 'Reject'; with 'None' there is nothing to apply. Note that messages not selected under a 'Reject' policy are quarantined rather than delivered normally, so pct is a way to ramp up gradually, not to exempt traffic.

As general best practice, we recommend starting with a low percentage, monitoring your DMARC reports, and raising it over time.

  3. Create your DMARC record as a TXT record at the host _dmarc of your domain in your DNS settings

Use a record like the one below, replacing the placeholder values. This example applies a Quarantine policy to 25% of failing messages and sends reports to dmarc-report@exampledomain.com:

v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-report@exampledomain.com; ruf=mailto:dmarc-report@exampledomain.com

The v tag must come first. p is your chosen DMARC policy and pct is your percentage. rua is the address that receives aggregate reports: a daily XML summary from each receiver showing which sources sent mail as your domain and whether it passed SPF, DKIM and alignment. ruf requests per-message failure reports; many large receivers do not send these, so it is optional. The mailbox named in rua must exist, and if it is on a different domain from the one the record protects, that other domain must publish a DMARC record authorising it to receive your reports.

Once you've entered your chosen values into the TXT record at _dmarc.yourdomain (for example _dmarc.exampledomain.com), click save, and congratulations, you've created your DMARC record! 🎉 You can confirm it is live with a TXT lookup of that name, for example: dig TXT _dmarc.exampledomain.com
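The following is an added example, not EcoSend's code or part of the original article, that ties the DMARC explanation above to the record you just created: it parses a record of the same shape as the one shown, applies the alignment check between the From: domain and the domain that SPF or DKIM authenticated, and then applies the policy the way a receiving server does, including the pct sampling. The domain names and the simplified organisational-domain rule are assumptions for illustration.

```python
"""Offline DMARC evaluation: parse a DMARC TXT record, check identifier alignment
between the visible From: domain and what SPF or DKIM authenticated, and apply
the policy the way a receiving server does, honouring pct."""
import random

# Constructed record, the same shape as the one shown above (example domain only).
RECORD = ("v=DMARC1; p=quarantine; pct=25; "
          "rua=mailto:dmarc-report@exampledomain.com; ruf=mailto:dmarc-report@exampledomain.com")


def parse_dmarc(record):
    """Parse a DMARC record into a dict of tags with defaults applied.
    Returns None for anything a receiver would treat as 'no valid DMARC record'."""
    items = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None
        items.append((key.strip().lower(), value.strip()))
    # v=DMARC1 must be the first tag and p= is mandatory (RFC 7489 section 6.3)
    if not items or items[0] != ("v", "DMARC1"):
        return None
    tags = dict(items)
    if tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        return None
    tags["pct"] = int(pct)
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    if tags["adkim"] not in ("r", "s") or tags["aspf"] not in ("r", "s"):
        return None
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (an assumption).
    Real receivers consult the Public Suffix List, so a name like example.co.uk
    is handled correctly there but not here."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed accepts the same organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(policy, from_domain, spf=None, dkim=None, pick=random.random):
    """Evaluate one message.
    spf  : (result, envelope MAIL FROM domain) or None
    dkim : (result, d= domain of the signature) or None
    pick : source of a number in [0, 1) used for pct sampling (injectable for tests)
    Returns (dmarc_result, disposition) where disposition is none, quarantine or reject."""
    spf_ok = spf is not None and spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_ok = dkim is not None and dkim[0] == "pass" and aligned(from_domain, dkim[1], policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")        # one aligned pass is enough
    p = policy["p"]
    if p == "none":
        return ("fail", "none")        # monitoring only: delivered, but it shows up in reports
    if pick() * 100 < policy["pct"]:
        return ("fail", p)             # selected for the full policy
    # Not selected (RFC 7489 section 6.6.4): reject steps down to quarantine and
    # quarantine steps down to none, so pct<100 under reject never means "deliver normally"
    return ("fail", "quarantine" if p == "reject" else "none")


if __name__ == "__main__":
    pol = parse_dmarc(RECORD)
    # Provider sends with its own bounce domain and signs with its own domain: nothing aligns
    print(dmarc_disposition(pol, "exampledomain.com",
                            spf=("pass", "bounces.esp.example"), dkim=("pass", "esp.example")))
    # Provider signs with a DKIM key on your own domain: the DKIM pass aligns, so DMARC passes
    print(dmarc_disposition(pol, "exampledomain.com",
                            spf=("pass", "bounces.esp.example"), dkim=("pass", "mail.exampledomain.com")))
```

The two calls at the bottom show why "SPF and DKIM are managed for you" still needs DMARC configured on your side: a message can pass SPF and DKIM for the sending provider's domains yet fail DMARC for yours, because neither authenticated domain aligns with the From: address. It is the DKIM signature under your own domain (or SPF on a Return-Path under your domain) that makes the pass count.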

Continue to monitor your reports over time, and adjust your policy accordingly, to optimise your email deliverability and security.

For further information, see Yahoo's and Google's announcements of the changes.