DMARC, DKIM and SPF: A Breakdown of Email Authentication Protocols in Layman’s Terms
Anyone else have ‘email authentication protocols’ listed as a turn-on in their Tinder profile? No? Cool, neither do we.
Email authentication protocols run deep, but for this blog’s purpose, we’ll be focusing on three biggies: DKIM, SPF and DMARC. While each differs from the next, their overall purpose is to protect users’ inboxes from spam or malicious content. You can find more granular breakdowns of each on our blog, which are also linked below.
SPF and DKIM can work individually, however they do complement and reinforce one another, ensuring inboxes aren’t there for a phisher’s taking.
DMARC works with both SPF and DKIM, and it’s recommended to have both protocols in place alongside DMARC. The benefit here is that DMARC gives one final pass of both protocols before adding in its own protective layer. That said, you can use DMARC with just SPF, but only if emails aren’t forwarded.
What is DomainKeys Identified Mail (DKIM)?
DKIM, otherwise known as DomainKeys Identified Mail, is an email authentication protocol that essentially allows a sender to apply a digital “signature” to outgoing emails that can be verified by the recipient’s mailbox provider through Domain Name System (DNS). Signing offers a guarantee of authenticity and some protection from tampering.
How DKIM works
The journey begins with the press of the send button.
The sender’s Mail Transfer Agent (MTA) creates a DKIM-Signature based on the email’s content, inserts the signature and sends the email. Once it’s received by the recipient’s mailbox provider, that MTA uses DNS to verify the signature against the sender’s public key. If the email has not been tampered with, it should pass verification with flying colors.
In a nutshell, DKIM vouches for an email’s authenticity so long as the “signature” matches the sender’s public key at the listed domain.
How to Verify DKIM
Very few things in life are binary, but DKIM largely is. Your email will likely pass or fail a DKIM test.
In the event your DKIM does not pass verification, consult this article for a breakdown of your DKIM signature and how to alleviate possible errors.
Here’s the rub: because DKIM is one of the most complex protocols to enact in email marketing, its limited use means that just because an email doesn’t pass a DKIM test doesn’t necessarily mean the message will get flagged as spam or blocked.
What is Sender Policy Framework (SPF)?
In an email, there are two from addresses: the “envelope from” (ex: emailonacid.com) and “header from” (ex: Email on Acid). It’s not hard for an email spammer to fake either, which is where Sender Policy Framework (SPF) comes in.
SPF is an email authentication protocol whose sole purpose in life is to prevent email spammers from using a sender’s domain for their own greasy, fraudulent purposes.
Take the below message, for instance. The email claims to be coming from Wells Fargo, however their organization is not known for reaching out to customers via LinkedIn. This phisher spoofed the sender name and sent this email unaware of LinkedIn’s automatic incorporation of follow-up buttons, such as “View Well’s LinkedIn Profile.” Not today, scammer.
SPF allows a domain owner to specify IP addresses and servers that may send an email from their domain. With that, it’s also a pinky promise to email providers that the domain owner will never try to send an email from any other IP address or server other than those it has listed.
How SPF Works
First, the owner of a domain builds an SPF record which lets mailbox providers know which origins (IP addresses and servers) they will only contact the recipient from. If an email comes from any other origin not listed in the SPF record, the recipient’s mailbox provider can potentially read it as spam and block the message.
When a mailbox provider receives an email, the SPF must be validated before the message is available in the inbox. To do this, mailbox providers check the DNS for the domain used in the “envelope from” field. If the DNS turns up an IP address or server that matches one of the pre-approved origins the domain owner listed, the SPF is authenticated and is that much more likely to reach the inbox.
What SPF Means for You
Again, SPF is one of many email authentication protocols and it’s not without its drawbacks.
For instance, SPF breaks when an email is forwarded. If your brand is one that relies heavily on email word-of-mouth (getting your audience to forward your message to friends), there’s a decent chance of the SPF failing validation, and it never reaching anyone beyond your original list.
Just because your message passes or fails an SPF check isn’t a guarantee of whether or not it lands in the inbox—this is merely one authentication protocol of several that mailbox providers use to keep inboxes safe.
What is Domain-based Message Authentication, Reporting and Conformance (DMARC)?
DMARC, aka Domain-based Message Authentication, Reporting and Conformance, (no wonder it warranted an acronym) is the best of both SPF and DKIM worlds. It verifies incoming emails against both SPF and DKIM policies, and then fires off a report of its findings to the sender’s domain.
Like SPF and DKIM, domain owners publish a DMARC policy in their DNS, which mailbox providers reference and follow when authenticating emails. Within that DMARC policy, the sender specifies how its email is authenticated and what the receiving mail server should do if any email violates that policy.
How DMARC works
Have you ever received an email from someone claiming to be your bank urgently asking for personal information? Cue the eyeroll-chuckle combo at the identity fraud amateur hour that has befallen your inbox.
DMARC is the lie detector of inboxes that can tell which emails coming from registered domains are authentic and which are fraudulent, regardless if the domain it came from is active, non-sending or defensively registered.
First, DMARC does an SPF check on the “header from” and “envelope from” domain names to ensure no funny business there.
Next, it checks the DKIM signature by comparing the domain in the “header from” field against the domain listed in the signature.
For an email to pass DMARC, it must pass both DKIM and SPF individually, and at least one of the two (DKIM and SPF) must align.
SPF aligns when the “envelope from” address and “from” domain match.
DKIM aligns when the domain listed in the signature and the “from” domain match.
Ready to Spam-Proof Your Emails?
Email on Acid’s Spam Testing feature offers SPF and DKIM testing. Toward the end of your workflow when you’re ready to run a preview test of your email, you can find them in the “Feedback Filters” column.
Spam Testing will also check four major blacklist sites for your brand’s domain so that your email will land in as many inboxes as possible. If your domain does turn up on a blacklist, each site usually has detailed instructions on how to remove yourself from it.
Author: Melissa Berdine
Venturing from her DC and NYC roots, Melissa made the trek to Denver. With just her dog and a background of copywriting and editing, she joined Email on Acid as content manager. Melissa is known to friends as an avid cook and music festival enthusiast.