
Email Authentication Protocols: Your Guide to SPF, DKIM, DMARC, and BIMI


Email fraud is a big problem for brands, businesses, and consumers alike. Spammers, spoofers, and scammers who sneak their way into an inbox can cause a lot of damage. But smart, responsible email marketers can take steps to prevent disasters.

That’s where email authentication protocols come to the rescue and provide a sense of security for both senders and recipients.

If someone gives you permission to reach them via email, you’re entering a relationship that should be built on trust and respect. When a subscriber sees an email from you, they shouldn’t be afraid to open it. But there are plenty of unsavory characters out there who may try to impersonate your brand using phishing emails.

Access to someone’s email inbox is power and as Spider-Man knows very well:

“With great power comes great responsibility.”

~ Uncle Ben Parker

And even Spider-Man deals with imposters who try to impersonate his web-slinging ways.



Email authentication protocols are unsung heroes working behind the scenes to verify that senders are who they claim to be before emails reach inboxes. Implementing these verification methods not only shows responsibility but also improves email deliverability.

The protocols can get pretty technical, and all the acronyms might remind you of a bowl of Alpha-Bits cereal. But let’s start by exploring the basics.

What is email authentication?

Email authentication is the process of using several independent checks to confirm that a message was not faked or forged before it is delivered. Mail servers on the receiving end use these protocols to verify the domains a message claims to come from: the envelope sender (the Return-Path or bounce address), the domain that signed the message, and, through DMARC, the address shown in the “From” field.

These protocols also let receivers detect whether an email was altered in transit (the DKIM signature covers selected headers and the body), and they tell mail servers what to do with messages that fail authentication (the DMARC policy).

Email authentication protocols protect us from spam and phishing attempts, especially a type of phishing known as email spoofing.

What is email spoofing?

Email spoofing involves messages that appear to be from a known or reliable sender but are actually an attempt to acquire credentials or other sensitive data, such as access to a person’s finances or online accounts. Spoofed emails typically lead to a fake website with a bogus login page where targets are asked to enter their credentials or other information.

These email phishing attempts often try to forge the sender name as well as imitate the look of emails from recognizable brands including financial institutions, social media sites, or online retailers like Amazon.com.

Amazon spoofing is so common the company has its own email address for reporting potential scams and suspicious communications.

Example of an Amazon email spoof

Even savvy internet users can be tricked with email spoofing. Clever scammers often prey on the fear of getting hacked to trick people. That’s why email authentication protocols are so helpful. They keep malicious messages from ever reaching the inbox.

How does email authentication work?

Email authentication involves several methods of validating where an email originated and which domains are responsible for the message transfer agents (MTAs) that sent, relayed, or signed it.

Put simply, emails are sent on behalf of a certain domain or subdomain. Email authentication protocols are rules the domain owner publishes in DNS (domain name system) records for those sending domains. To authenticate an email, the receiving mail server looks up the DNS records for the domains the message claims and checks the message against them: the connecting IP address against the SPF record, the DKIM signature against the published public key, and both results against the DMARC policy.

While each protocol is unique, it generally works like this:

  1. The sender/domain owner establishes rules for authenticating emails sent from or on behalf of its domains.
  2. The sender configures sending email servers and publishes the rules in the DNS records.
  3. Mail servers that receive emails authenticate messages from the sender using the published rules.
  4. Receiving email servers then follow the published rules and either deliver, quarantine, or reject the message.

In addition to verifying legit senders, email authentication protocols also help establish IP address and domain reputation so that malicious senders can be more easily identified.

The four email authentication protocols

Simple Mail Transfer Protocol (SMTP) is the standard foundation upon which email is built. It’s what mail servers use to hand messages to one another. However, SMTP doesn’t include a way to validate a sender’s identity; any server can put any address in the “From” field. That is what makes it susceptible to spammers and phishing.

Email authentication protocols emerged in the early 2000s as a way to enhance the security of SMTP and thwart the rise of email spam. SPF and DKIM were the first widely adopted methods. DMARC followed in 2012 as a policy layer that ties SPF and DKIM results to the visible sender address and extends both.

BIMI is the new kid on the block.

BIMI isn’t an authentication check itself. It gives recipients a way to visually recognize an authenticated email through a logo displayed in the inbox, and a mailbox provider will only show that logo when the sending domain’s DMARC policy is enforced. It also supports better branding and serves as the payoff for having a solid email authentication policy.

These four specifications provide a standardized way for mailbox providers such as Gmail, Outlook.com, and Yahoo Mail to verify the identity of senders, as opposed to each provider using its own proprietary methods to authenticate email.

So, while email authentication might seem complicated, technical, and even a bit messy … these protocols do provide some standardization. Email marketers should be glad we don’t have to follow different protocols for every mailbox provider.

Let’s take a closer look at SPF, DKIM, DMARC, and BIMI.

1. SPF (Sender Policy Framework)

The Sender Policy Framework, or SPF, is an email authentication protocol that provides a DNS record specifying which IP addresses or hostnames are authorized to send email on behalf of a domain.

SPF is a DNS TXT record (it starts with v=spf1) that enables the receiving mail server to check that an email claiming to come from a certain domain arrived from an authorized IP address. The receiving server takes the domain from the message’s bounce address (the SMTP MAIL FROM, also called the return-path), fetches that domain’s SPF record, and checks whether the IP address that connected to it matches one of the listed mechanisms. The record ends with an “all” mechanism whose qualifier (“-all” for fail, “~all” for softfail) says how to treat everything that didn’t match.

Without SPF (and DKIM), mailbox providers have no published way to tell your mail from forgeries, and they are more likely to mark your messages as spam.

SPF email authentication diagram

In some cases, email service providers (ESPs) handle SPF implementation automatically. That’s because the ESP may provide both the sending IP addresses and the return-path domain, so SPF is checked against the ESP’s own record rather than yours. The catch is that such an SPF pass does not help DMARC, which also requires the return-path domain to align with your “From” domain; for that you need a custom return-path (a bounce subdomain of your own domain) whose SPF record includes the ESP. If you send a high volume of email, you likely want to avoid using a shared IP address, since a dedicated IP helps you control sender reputation. Either way, your SPF record will need to be updated when you switch ESPs or add a sending service, and every “include:” counts toward SPF’s limit of ten DNS lookups per evaluation, beyond which receivers treat the record as a permanent error.

One of the downsides of SPF is that it breaks when emails are forwarded. A forwarding server resends the message from its own IP address, usually keeping the original return-path, so the receiving server compares the forwarder’s IP against your SPF record and gets a fail. If your brand relies heavily on email word-of-mouth (getting your audience to forward your message), expect SPF to fail for those copies; DKIM, which survives forwarding, is what keeps them authenticated.
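To make the SPF check concrete, here is an added example (not code from the original article) that evaluates a connecting IP against an SPF record the way a receiving server does, including the “include:” walk, the ten-lookup limit, and the forwarding failure described above. All domains, IP addresses and records in it are constructed; a real implementation would query DNS instead of the in-memory table.

```python
"""Minimal SPF evaluator (RFC 7208 check_host) over a constructed DNS table.

Added example, not code from the original article. It resolves the
MAIL FROM domain's SPF record, walks the mechanisms left to right, and
returns the qualifier of the first one matching the connecting IP.
Only ip4, ip6, include and all are implemented (a, mx, ptr, exists and
the redirect= modifier are reported as unsupported). Every domain, IP
address and record below is constructed for illustration.
"""
import ipaddress

# Constructed stand-in for DNS: domain -> SPF TXT record. A real
# implementation queries TXT records and picks the one starting "v=spf1".
FAKE_DNS = {
    # Brand's own servers plus its ESP, hard fail for everything else.
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.esp-example.net -all",
    # ESP's record: a single IPv4 host and an IPv6 block, soft fail otherwise.
    "mail.esp-example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    # Misconfigured record that includes itself (hits the lookup limit).
    "loop.example": "v=spf1 include:loop.example -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4


def check_host(ip, domain, dns=FAKE_DNS, _lookups=None):
    """Return (result, reason) for a connecting IP and MAIL FROM domain."""
    if _lookups is None:
        _lookups = [0]  # shared counter across nested include: evaluations
    record = dns.get(domain)
    if record is None:
        return "none", f"no SPF record for {domain}"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none", f"{domain} TXT is not an spf1 record"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], f"matched '{qualifier}all' in {domain}"
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier], f"matched {name}:{arg} in {domain}"
            continue
        if name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror", "more than 10 DNS lookups"
            sub_result, _ = check_host(ip, arg, dns, _lookups)
            # RFC 7208 section 5.2: an include matches only if the included
            # record yields "pass"; fail/softfail/neutral mean "no match".
            if sub_result == "pass":
                return QUALIFIERS[qualifier], f"matched include:{arg}"
            if sub_result in ("permerror", "none"):
                return "permerror", f"include:{arg} returned {sub_result}"
            continue
        return "permerror", f"unsupported term '{term}' in {domain}"
    # Record without an "all" mechanism: RFC 7208 section 4.7 default.
    return "neutral", f"no mechanism matched in {domain}"


if __name__ == "__main__":
    # The brand's own server, its ESP, and a third-party forwarder that
    # kept example.com as the return-path (the forwarding failure).
    for ip in ("203.0.113.5", "198.51.100.10", "192.0.2.77"):
        print(ip, check_host(ip, "example.com"))
```

The third address in the demo is the forwarder case: nothing in the record covers 192.0.2.77, so the “-all” at the end produces a hard fail even though the message is legitimate. The self-including record shows why the ten-lookup limit matters: an over-long chain of includes turns your record into a permanent error rather than a pass.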

2. DKIM (DomainKeys Identified Mail)

The next email authentication protocol is the result of two methods developed to prevent email forgery. Yahoo released “DomainKeys” in 2004, and it was later merged with Cisco’s “Identified Internet Mail”; the combined specification, DKIM, was standardized in 2007 (RFC 4871, since replaced by RFC 6376).

DomainKeys Identified Mail, or DKIM, uses public-key cryptography to add a digital signature to an email. The signature, carried in a DKIM-Signature header, covers selected headers and a hash of the body, which lets a receiver verify that the message came from a server holding the signing domain’s private key and wasn’t altered afterwards. DKIM also requires a DNS record: the public key is published under the sender’s domain.

You can think of DKIM like a tamper-evident seal that is tied to a specific domain. Unlike SPF, DKIM signatures continue working when an email is forwarded, as long as the forwarder doesn’t modify the signed headers or the body.

There are actually two keys that make DKIM work. Administrators generate a key pair: the private key stays on the sending mail server (or at the ESP) and is used to create the signature, while the public key is published in DNS as a TXT record at <selector>._domainkey.<domain>. The DKIM-Signature header in the email is the output of signing with the private key; the private key itself never leaves the signer.

The DKIM-Signature header tells the receiving MTA where to fetch the public key: the d= tag names the signing domain and the s= tag names the selector. The receiver recomputes the body hash (bh=) and checks it against the header, then uses the public key to verify the signature value (b=) over the headers listed in h=. A valid signature shows the message was signed by the domain where that public key is published.
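The following added example (not code from the original article) shows the parts of DKIM verification that the Python standard library can demonstrate: parsing the DKIM-Signature tags, deriving the DNS name of the public key, canonicalizing the body and checking the bh= body hash. The RSA check of the b= tag over the h= headers needs an RSA library and is left out; the body hash is the step that fails when a forwarder or mailing list appends a footer, which is the forwarding caveat above. The message, domain and selector are constructed.

```python
"""DKIM verification pieces that need only the standard library: tag
parsing, body canonicalization, the bh= body hash, and the DNS name of
the public key.

Added example, not code from the original article. The RSA check of the
b= tag over the h= headers needs an RSA library and is omitted here; the
body hash is the part that breaks when a forwarder or mailing list
appends a footer. The message, domain and selector are constructed.
"""
import base64
import hashlib
import re

# Constructed message body, CRLF line endings as on the wire.
BODY = b"Your order has shipped.\r\nTrack it at https://www.example.com/track\r\n"


def parse_dkim_tags(header_value):
    """Split a 'tag=value; tag=value' header into a dict (RFC 6376 3.2).
    Folding whitespace inside values is removed, which is what a verifier
    does before decoding bh= and b=."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body_simple(body):
    """RFC 6376 3.4.3: remove empty lines at the end of the body and make
    sure it ends with CRLF; an empty body becomes a single CRLF."""
    body = body.replace(b"\r\n", b"\n").rstrip(b"\n")
    return body.replace(b"\n", b"\r\n") + b"\r\n"


def canonicalize_body_relaxed(body):
    """RFC 6376 3.4.4: strip trailing whitespace on every line, collapse
    runs of spaces/tabs to one space, drop trailing empty lines, and end
    with CRLF (an empty body stays empty)."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body, canon="simple"):
    """Base64 SHA-256 of the canonicalized body, i.e. the value of bh=."""
    canonical = (canonicalize_body_relaxed if canon == "relaxed"
                 else canonicalize_body_simple)(body)
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()


def make_signature_header(domain, selector, body, canon="relaxed/relaxed"):
    """The tags a signer emits before computing b=. b= is left empty because
    no RSA key is involved in this example."""
    body_canon = canon.split("/")[1]
    return (f"v=1; a=rsa-sha256; c={canon}; d={domain}; s={selector}; "
            f"h=from:to:subject:date:message-id; bh={body_hash(body, body_canon)}; b=")


def public_key_dns_name(tags):
    """Where the verifier fetches the public key: <selector>._domainkey.<d>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(dkim_signature, body):
    """First step of verification: does bh= match the body we received?
    c= defaults to simple/simple; a lone value sets only the header canon."""
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"
    return body_hash(body, body_canon) == tags.get("bh")


if __name__ == "__main__":
    sig = make_signature_header("example.com", "s2024", BODY)
    print("public key at    ", public_key_dns_name(parse_dkim_tags(sig)))
    print("as sent          ", verify_body_hash(sig, BODY))
    print("extra blank lines", verify_body_hash(sig, BODY + b"\r\n\r\n"))
    print("footer appended  ", verify_body_hash(sig, BODY + b"-- \r\nSent via list\r\n"))
```

Relaxed canonicalization is why DKIM tolerates the whitespace and trailing-blank-line changes that mail relays routinely make, while anything that adds content (a mailing-list footer, a “forwarded message” banner inside the body) changes the hash and invalidates the signature.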

DKIM email authentication protocol diagram

As secure as all of this sounds, a DKIM private key is still a secret that can be stolen or leaked, and anyone holding it can sign mail as your domain. For that reason, it’s recommended that DKIM keys are rotated a few times per year: publish a new selector, switch signing to it, then revoke the old one (an empty “p=” value in the old selector’s record marks that key as revoked). Use 2048-bit RSA keys; 1024 bits is the minimum receivers still accept.

According to a 2015 article on CircleID.com, some ESPs may sign all of their customers’ mail with a shared DKIM key under the ESP’s own domain. That’s no good for two reasons: a compromised key would impact a bunch of companies at once, and a signature whose d= domain is the ESP’s rather than yours does not align with your “From” domain and therefore doesn’t count toward your DMARC. Hopefully, this issue is no longer as widespread as the article states. But, if your ESP is providing your DKIM signature, ask whether it signs with a key and selector dedicated to your domain.

If you need to produce your own digital signature, there are DKIM generators that help create these email authentication records for you. You can also learn more about DKIM signatures and see an example record here on our blog.

3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)

It was actually PayPal that led a group in developing DMARC technology to improve upon existing email authentication methods. PayPal was (and is) commonly impersonated by cybercriminals using fake emails. Several other big brands as well as major mailbox providers immediately adopted the method.

Technically, DMARC isn’t an authentication mechanism so much as a policy that mail servers on the receiving end consult before delivering an email. DMARC adds the piece SPF and DKIM lack on their own: it requires the domain they authenticated to match (“align” with) the domain in the visible “From” address, and it tells receivers how to handle a message when neither check passes for an aligned domain.

This policy, also known as Domain-based Message Authentication, Reporting, and Conformance, is yet another TXT record published in the DNS, at _dmarc.<domain>. It states the requested policy (p=), optionally a separate policy for subdomains (sp=), whether SPF and DKIM alignment is relaxed or strict (aspf=, adkim=), and where to send reports (rua=). A message passes DMARC if either SPF or DKIM passes with an aligned domain. DMARC is often described as a way to get the best out of SPF and DKIM because it creates a common framework using both protocols.

For many people, missing an important, legitimate email is even worse than letting spam get through to their inbox. Real emails can sometimes fail DKIM and SPF authentication for various reasons. So, mailbox providers may let emails through if they don’t pass the test but appear to come from a legit sending domain. DMARC makes it more clear what to do.

A DMARC policy lets a domain owner state which authentication results count for their domain and dictate how to handle messages that fail. There are three options domain owners can choose to specify the treatment of emails that fail DMARC validation:

The three DMARC p= policies:

  1. p=none: Take no action. Treat the email as if there were no DMARC validation. This policy also helps gain an understanding of the email stream without impacting flow.
  2. p=quarantine: Accept the email but send it to a junk or spam folder instead of the main inbox. Or, isolate the suspicious message for further inspection.
  3. p=reject: Refuse the email during the SMTP transaction so it is never delivered to any folder. The sending server (which, for spoofed mail, is the attacker’s, not yours) receives the rejection; you learn about it through the aggregate reports.

A DMARC policy that rejects unvalidated emails is the strongest, but it can mean email from a domain stops flowing if for some reason SPF and DKIM are failing. The usual path is to start at p=none, fix every legitimate source the reports reveal, move to p=quarantine, and only then to p=reject; the pct= tag lets you apply the stricter policy to a percentage of failing messages while you ramp up.
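Here is an added example (not code from the original article) of the DMARC decision a receiving server makes once it has the SPF and DKIM results in hand: alignment of each result with the “From” domain, the p=/sp= policy, and the pct= sampling. It walks through the cases discussed in this guide: an ESP using its own return-path, a forwarded message, a spoof, and a subdomain. The record and domains are constructed, and the organizational domain is approximated as the last two labels (real verifiers use the Public Suffix List).

```python
"""DMARC evaluation for one message, following RFC 7489.

Added example, not code from the original article. The inputs are what a
receiving MTA already has after SPF and DKIM: the domain in the visible
From header, the SPF result and the MAIL FROM domain it was computed for,
and the DKIM result and the d= domain of the signature. The
organizational domain is approximated as the last two labels; real
verifiers consult the Public Suffix List. Records and domains are
constructed.
"""

# Constructed policy for example.com: reject failures, quarantine failures
# from subdomains, relaxed alignment, aggregate reports requested.
EXAMPLE_RECORD = ("v=DMARC1; p=reject; sp=quarantine; pct=100; "
                  "rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r")


def parse_dmarc(record):
    """'tag=value; tag=value' into a dict with lowercased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Simplification: organizational domain = last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment. 's' (strict) needs an exact match; 'r'
    (relaxed, the default) accepts any subdomain of the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, is_subdomain=False, pct_roll=0):
    """Return (dmarc_result, disposition).

    pct_roll is the receiver's 0-99 sampling draw for the pct= tag; it is
    a parameter here so the outcome is deterministic.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "none", "none"
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags.get("p", "none")
    if is_subdomain and "sp" in tags:
        policy = tags["sp"]
    if pct_roll >= int(tags.get("pct", "100")):
        # RFC 7489 6.6.4: messages outside the sampled percentage get the
        # next less strict policy.
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


if __name__ == "__main__":
    cases = {
        "own server, both aligned": ("example.com", "pass", "example.com", "pass", "example.com"),
        "ESP return-path, own DKIM": ("example.com", "pass", "bounce.esp-example.net", "pass", "example.com"),
        "ESP return-path, ESP DKIM": ("example.com", "pass", "bounce.esp-example.net", "pass", "esp-example.net"),
        "forwarded, DKIM intact": ("example.com", "fail", "example.com", "pass", "example.com"),
        "spoof from unknown server": ("example.com", "fail", "example.com", "none", ""),
    }
    for label, args in cases.items():
        print(f"{label:28} -> {evaluate_dmarc(EXAMPLE_RECORD, *args)}")
```

The third case is the one that catches many senders: SPF and DKIM both “pass” in isolation, yet DMARC fails and the mail is rejected, because neither passing domain is yours. The fourth case shows why DKIM matters for forwarded mail: SPF fails at the forwarder, but an intact, aligned DKIM signature carries the message through.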

Diagram illustrating a DMARC policy for email

A benefit of implementing a DMARC policy is that, if your record includes a rua= address, mailbox providers send you daily aggregate reports (XML files) with the following information:

  • Which servers and third parties are sending mail for your specified domain.
  • The percentage of emails that pass DMARC.
  • What servers or third parties are sending emails that failed DMARC.
  • What actions receiving mail servers take on unauthenticated emails.
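Aggregate reports are XML and are meant to be processed by software, not read by hand. The added example below (not code from the original article) summarizes a constructed report into the four items listed above: who sent mail for the domain, how much of it passed, which sources failed, and what the receiver did with them. The report shows a brand’s own server, an ESP whose return-path is its own domain (SPF passes on the wrong domain, so the evaluated SPF is “fail” while DKIM carries the pass), and a third IP spoofing the domain. Because reports arrive from third parties, production code should parse them with defusedxml rather than the stdlib parser used here.

```python
"""Summarizing a DMARC aggregate (rua) report.

Added example, not code from the original article. Aggregate reports are
XML, one <record> per (source IP, result) combination for the day. The
report below is constructed. Reports come from third parties, so in
production parse them with defusedxml rather than xml.etree.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s2024</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.10</source_ip><count>450</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>esp1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp-example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.200</source_ip><count>37</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def _org(domain):
    """Last-two-labels approximation of the organizational domain."""
    return ".".join(domain.lower().split(".")[-2:])


def summarize_report(xml_text):
    """Roll a report up into totals, pass rate and a per-source table."""
    root = ET.fromstring(xml_text)
    summary = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": 0, "passed": 0, "sources": [],
    }
    for rec in root.findall("record"):
        count = int(rec.findtext("row/count"))
        # policy_evaluated already folds alignment in: a raw SPF pass on an
        # unaligned domain shows up here as "fail".
        dkim_aligned = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_aligned = rec.findtext("row/policy_evaluated/spf") == "pass"
        passed = dkim_aligned or spf_aligned
        summary["total"] += count
        summary["passed"] += count if passed else 0
        summary["sources"].append({
            "ip": rec.findtext("row/source_ip"),
            "count": count,
            "dmarc_pass": passed,
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "spf_domain": rec.findtext("auth_results/spf/domain"),
            "dkim_domain": rec.findtext("auth_results/dkim/domain"),
        })
    summary["pass_rate"] = summary["passed"] / summary["total"] if summary["total"] else 0.0
    return summary


def failing_sources(summary):
    """IPs that sent mail claiming the domain without passing DMARC: either
    a source you forgot to authorize or somebody spoofing you."""
    return [s["ip"] for s in summary["sources"] if not s["dmarc_pass"]]


def unaligned_spf_sources(summary):
    """Sources whose SPF was checked against another organization's domain:
    that ESP is sending without a custom return-path on your domain."""
    return [s["ip"] for s in summary["sources"]
            if s["spf_domain"] and _org(s["spf_domain"]) != _org(summary["domain"])]


if __name__ == "__main__":
    report = summarize_report(SAMPLE_REPORT)
    print(f"{report['reporter']} reports on {report['domain']} (p={report['policy']})")
    print(f"{report['passed']}/{report['total']} passed ({report['pass_rate']:.1%})")
    print("failing sources:", failing_sources(report))
    print("SPF not aligned:", unaligned_spf_sources(report))
```

When you read real reports, the “failing sources” list is the one to work through before tightening the policy: each IP is either a legitimate sender you still need to authorize (add it to SPF, have it sign with your DKIM key) or an abuser your stricter policy will block.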

DMARC still isn’t perfect. Forwarding can break it when both underlying checks fail: SPF fails because the forwarder’s IP isn’t yours, and mailing lists that add a subject tag or footer break the DKIM signature too (the ARC protocol was created to help receivers see through this). DMARC may also be difficult for senders to set up, and concerns over stopping the flow of legitimate emails discourage stringent policies.

However, if your organization manages to set up and implement a successful DMARC policy, you’ll have an effective way to stop most phishing emails that attempt to spoof your sending domain.

4. BIMI (Brand Indicators for Message Identification)

BIMI is the newest of the four specifications. Unlike the others, BIMI results in something your subscribers can see in their inbox: when implemented correctly, a mailbox provider displays your brand-designated logo next to your messages.

The BIMI logo is a signal that an email is authentic: a provider displays it only for mail that passed your domain’s enforced DMARC policy, so seeing it means the other authentication methods are in place and held up. This adds an additional level of assurance because, even if scammers manage to get a message spoofing your exact domain delivered, it won’t display your logo. The caveat is that BIMI covers only domains you control; a lookalike domain registered by an attacker can publish its own DMARC and BIMI records, and the trademark check behind a Verified Mark Certificate is what keeps it from showing your logo at providers that require one.

Before and after BIMI email inbox on a mobile device

In order to get mailbox providers to display a BIMI logo, you must have SPF and DKIM records set up and a DMARC policy at enforcement: p=quarantine or p=reject, with pct=100 and no weaker sp= policy for subdomains. In some ways, BIMI is the payoff for pursuing the other email authentication methods.

Like the other protocols, BIMI is a TXT record in the domain’s DNS, published at default._bimi.<domain> and pointing at the logo’s URL. But, before you put a BIMI record in place, you need to have a properly formatted logo.

Compatible BIMI logos are SVG files in the SVG Tiny Portable/Secure (Tiny PS) profile: a perfect square, which providers may crop into a circle, with a solid background, no scripts or external references, and served over HTTPS. BIMI logo files need to be small and shouldn’t exceed 32 KB. Finally, some providers, Gmail among them, also require a Verified Mark Certificate (VMC), which a certificate authority will only issue for a registered trademark.
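Before publishing, it is worth checking the record and the logo file against the rules above. The added example below (not code from the original article) validates a BIMI TXT record and a subset of the SVG Tiny PS requirements: the svg root declares baseProfile="tiny-ps", a <title> is present, there is no <script> and no external reference, the viewBox is square, and the file is at most 32 KB. The record and the two SVG files are constructed; the full profile has further rules (no x/y on the root, no animation) that are not checked here.

```python
"""Pre-publication checks for a BIMI record and its SVG Tiny PS logo.

Added example, not code from the original article. check_bimi_record
validates the DNS record syntax; check_bimi_logo covers a subset of the
SVG Tiny PS profile (baseProfile, <title>, no <script>, no external
references, square viewBox, 32 KB limit). The record and SVGs are
constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MAX_LOGO_BYTES = 32 * 1024
SVG_NS = "{http://www.w3.org/2000/svg}"

# Constructed logo that satisfies the checks below.
GOOD_LOGO = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" version="1.2" baseProfile="tiny-ps" viewBox="0 0 400 400">
  <title>Example Brand</title>
  <rect width="400" height="400" fill="#1a3d7c"/>
  <circle cx="200" cy="200" r="120" fill="#ffffff"/>
</svg>"""

# Constructed logo that breaks several rules at once.
BAD_LOGO = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 400 300">
  <script>alert(1)</script>
  <image xlink:href="https://cdn.example.com/logo.png" width="400" height="300"/>
</svg>"""


def bimi_dns_name(domain, selector="default"):
    """Where the record lives: <selector>._bimi.<domain>."""
    return f"{selector}._bimi.{domain}"


def check_bimi_record(record):
    """Return a list of problems with a 'v=BIMI1; l=...; a=...' record.
    An empty l= is valid and means the domain declines to show a logo."""
    problems = []
    tags = dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)
    if tags.get("v") != "BIMI1":
        problems.append("record must start with v=BIMI1")
    for key in ("l", "a"):  # logo URL and optional VMC URL
        url = tags.get(key)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{key}= must be an https URL")
    if "l" not in tags:
        problems.append("missing l= logo URL")
    return problems


def check_bimi_logo(svg_bytes):
    """Return a list of SVG Tiny PS problems found in the logo file."""
    problems = []
    if len(svg_bytes) > MAX_LOGO_BYTES:
        problems.append(f"logo is {len(svg_bytes)} bytes, limit is {MAX_LOGO_BYTES}")
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    if root.tag != SVG_NS + "svg":
        problems.append("root element is not <svg>")
    if root.get("baseProfile") != "tiny-ps":
        problems.append('root must declare baseProfile="tiny-ps"')
    if root.find(SVG_NS + "title") is None:
        problems.append("missing <title> element")
    for el in root.iter():
        local = el.tag.split("}")[-1]
        if local == "script":
            problems.append("<script> is not allowed")
        for attr, value in el.attrib.items():
            # href / xlink:href pointing outside the file = external reference
            if attr.endswith("href") and not value.startswith("#"):
                problems.append(f"external reference {value!r} is not allowed")
    viewbox = root.get("viewBox", "").split()
    if len(viewbox) != 4 or float(viewbox[2]) != float(viewbox[3]):
        problems.append("viewBox must be square")
    return problems


if __name__ == "__main__":
    print(bimi_dns_name("example.com"))
    print(check_bimi_record("v=BIMI1; l=https://www.example.com/bimi/logo.svg; "
                            "a=https://www.example.com/bimi/vmc.pem"))
    print(check_bimi_logo(GOOD_LOGO))
    print(check_bimi_logo(BAD_LOGO))
```

The checks are the ones a mailbox provider is known to enforce before rendering anything; a logo that fails them is silently not shown, with no error returned to the sender, so validating locally is the only feedback loop you get.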

Adoption of BIMI for email authentication is ongoing. So far, a limited number of mailbox providers support the display of BIMI logos. That includes Yahoo, the Australian email client Fastmail, and Verizon services such as AOL and Netscape.

Google launched a Gmail pilot program for BIMI in 2020. In July of 2021, Gmail officially rolled out full support for BIMI, with the added requirement that the logo be backed by a Verified Mark Certificate. That’s big news because it’s likely that a sizeable portion of your list is using Gmail. It certainly makes the time and effort of setting up email authentication protocols seem even more worthwhile.

Implementing BIMI should ultimately increase subscriber confidence in the source of your emails. Get more advice, resources, and tools at BIMIGroup.org. You can also hear from two BIMI Group experts in our AMA on Brand Indicators for Message Identification.

Should you use all four email authentication protocols?

You know how they say, “two heads are better than one”? That’s like using both SPF and DKIM. You know how School House Rock and Blind Melon say, “three is the magic number”? That’s like adding BIMI to the email authentication mix.

And as mentioned, you’ll need DMARC to get the most out of both those protocols and to get a BIMI logo to display.

While it could certainly take time and effort, setting up strong email authentication methods is worth it, especially if you have the resources.

The good news is — marketers shouldn’t have to handle email authentication alone. You’ll most likely need to get your IT team or cybersecurity experts to help you set things up in DNS records. Your ESP may also need to get involved. Colleagues, vendors, or security consultants should be able to help you troubleshoot issues as you work to confirm that email authentication protocols are working correctly.

Who should take email spoofing seriously?

Whether or not you prioritize email authentication depends on how important security is to your brand — and more importantly — your customers.

For major online retailers, financial institutions, consumer tech companies, and others dealing with sensitive personal and business information, email spoofing can be a big problem.

Microsoft regularly tops a quarterly report from Check Point, a cybersecurity firm that lists the brands most often spoofed in phishing attempts. Other regulars on the phishing brands list include major banks like Wells Fargo and Chase. PayPal and Dropbox often make the list as do social sites like LinkedIn, Instagram, and Facebook. Email spoofing even targets kids using the online game Roblox.

However, you don’t have to be a gigantic company to get spoofed by scammers. An article from Kelly Sheridan on Dark Reading says criminals are now using smaller brands for email spoofing. In fact, that includes Check Point, the cybersecurity company that publishes the brand spoofing list. Sheridan writes:

“Many [smaller companies] don’t have resources to detect fraudulent websites; as a result, a spoofed site could be up for days or weeks before the brand owner takes it down … It’s incentive for attackers to avoid big brands with more sophisticated defenses.”

The Federal Trade Commission (FTC) has more info on what to do if your business is spoofed.

The benefits of email authentication

If you’re on the fence about email authentication protocols, or you need a way to convince others in your organization that it’s worth implementing, here are the key advantages:

1. Protect your customers and subscribers

It may not be your direct responsibility to stop email spoofing from fooling people, and it’s unlikely you’d be held liable for a customer who gets scammed. However, the fact that email marketers can do something means we should.

Even though a phishing scam isn’t your fault, that may not be how your customers perceive it. Certainly, customers who are scammed by email spoofing of your brand could become very hesitant to open and engage with legitimate emails from you. Which leads to the next benefit …

2. Protect your brand reputation

In a world where everyone faces cybersecurity threats daily, brands that have a reputation for being safe and secure are trusted.

Phishing emails exploit trust in your brand. If you can stop these malicious messages from reaching inboxes, you’re also stopping the erosion of trust. Email authentication protocols are tools you can use to stop phishing and protect your brand’s reputation.

Speaking of reputation, email authentication also helps you establish a strong sender reputation. That leads us to benefit number three …

3. Support email deliverability

Email authentication can have a direct impact on email deliverability rates. When mailbox providers can confirm the source of an email and the identity of the sender, it can be confidently delivered to inboxes.

On the other hand, failure to implement email authentication protocols increases the likelihood of legitimate communications landing in spam or getting rejected by mailbox providers. Email authentication is one of the most effective ways marketers can control email deliverability.


Concerned about email deliverability?

Check out our email deliverability guide! Learn the ins and outs of how to stay out of spam folders and make sure your campaigns make it into your subscribers’ inboxes.

More ways to manage deliverability

There are a variety of factors that impact email deliverability. The best email marketers manage the aspects that are within their control, and they monitor deliverability consistently.

Email on Acid’s deliverability features let you double-check and validate campaigns before hitting send. Check to see if your domain is on a blocklist and find out if your messages pass or fail tests for more than 20 different spam filters.

Email deliverability apps and services from Pathwire ensure you’re only accepting valid email addresses and help predict potential issues. Plus, Pathwire’s email deliverability experts assist brands in creating tailored solutions and a detailed strategy for inbox placement.

Prioritizing and investing in email deliverability is critical if you want to maximize your brand’s investment in email marketing.

Improve Deliverability to Hit More Inboxes!

Nothing ruins a polished email’s ROI potential like a trip to the spam folder. Run a Spam Test right within your Campaign Precheck workflow so you can land in more inboxes and increase email ROI. With Email on Acid, you can check your email against 23 of the most popular spam filters and your domain against the most popular blocklists before you hit “send”. Sign up for a free trial and try it out today.


Author: Betsy Grondy

With a decade of email marketing experience, Betsy has done email strategy and execution for more than 36 countries (for local brands as well as Fortune 500 companies) all from the comfort of her North Carolina home. As Email on Acid’s Senior Email Marketing Manager, she’s enjoying being meta in email marketing and striving for email perfection in every send. When she’s not pushing the boundaries as an #emailgeek, you’ll find her scouring flea markets with her husband for cool vintage toys and mid-century modern furniture to restore.

