DMARC, DKIM and SPF

DMARC, DKIM and SPF

Using email authentication has been best practice to reduce spam and phishing attacks but now Google and Yahoo are making this a mandatory requirement. Senders who fail to comply with these authentication methods will face challenges in getting their emails delivered. To begin with, this will affect bulk email senders however it is likely to be rolled out for everyday email users too.

If you want to make sure your emails keep getting through to inboxes with Google, Yahoo and other email providers, you will need to:

  • Authenticate all messages with SPF and/or DKIM
  • Send from a domain with a DMARC policy of at least p=none
  • For bulk senders:
    • Use a one-click unsubscribe header and an unsubscribe link in the footer
    • Maintain a low spam rate of < 0.3%

So what do all these acronyms mean?

DomainKeys Identified Mail (DKIM)

DKIM is an email authentication method designed to verify the authenticity of the sender’s domain and detect email spoofing. DKIM works by adding a digital signature to the header of an outgoing email message. This signature is generated using cryptographic techniques and is based on the content of the email, including the body and selected header fields.

When an email is received, the recipient’s email server can use the public key published in the sender’s DNS records to verify the DKIM signature. If the signature is valid, it confirms that the email originated from the claimed domain and has not been tampered with during transit. Conversely, if the signature is invalid or missing, the recipient’s server may treat the email with suspicion or even reject it outright.

HostAway is working on DKIM implementation for their mail cluster, however if you already send bulk emails via HostAway’s Email Marketing tool, MailChimp, Mandrill, Send Grid or any other bulk email utilities then you should already be able to generate a DKIM record to add to your DNS.

Sender Policy Framework (SPF)

SPF is another email authentication protocol aimed at preventing email spoofing and forging sender addresses. SPF works by allowing domain owners to publish a list of authorized sending mail servers in their DNS records. When an email is received, the recipient’s email server can check the SPF record of the sender’s domain to verify whether the sending mail server is authorized to send emails on behalf of that domain.

If the sending mail server is listed as authorized in the SPF record, the email is considered legitimate. However, if the sending server is not included in the SPF record or if the SPF check fails, the recipient’s server may treat the email as suspicious or reject it altogether.

SPF helps to combat email forgery by providing a mechanism for verifying the legitimacy of the sender’s domain, thus reducing the likelihood of spam, phishing, and other malicious activities.

v=spf1 include:spf.protection.outlook.com include:spf.hostaway.net.au include:sendgrid.net include:spf.mandrillapp.com -all

The above line is an example TXT record for a domain that sends emails via HostAway, Microsoft, Send Grid and Mandrill.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC is a comprehensive email authentication protocol that builds upon the foundation of DKIM and SPF. DMARC enables domain owners to specify how their email should be authenticated and what actions should be taken if authentication fails.

With DMARC, domain owners can:

  1. Specify Authentication Policies: Domain owners can specify which authentication methods (DKIM, SPF, or both) their email messages should pass.
  2. Define Action Policies: Domain owners can instruct recipient email servers on how to handle messages that fail authentication. Actions may include delivering the message, quarantining it for review, or outright rejecting it.
  3. Receive Reports: DMARC provides domain owners with detailed reports on email authentication activity, including information on authentication pass/fail rates, sources of email traffic, and actions taken by recipient servers.

By implementing DMARC, domain owners can gain better visibility and control over their email ecosystem, improve email deliverability, and protect their domains from being used for fraudulent activities.

Don’t forget, you have to set this up for any domain or service you have that sends emails! Please don’t hesitate to contact the team at HostAway for help setting up your records.

Call Now Button