Email Authentication Decoded: What it is and why you need it


TLDR:

  • DMARC, SPF, DKIM and BIMI are four interdependent methods that together form a robust defense against email impersonation.

  • Beginning in February 2024, Gmail and Yahoo will require that senders use security protocols like DKIM, SPF, and DMARC.

  • Without email authentication, emails could appear dubious to recipients and email services, potentially leading to them being classified as spam.

  • By implementing SPF, DKIM, and DMARC, domain owners can enhance their email security, protect their brand, and provide a safer email environment for their users.

  • BIMI is an added layer of security: an added bonus if you can cover the cost, but not essential.

Understanding Email Authentication

Beginning February 2024, Yahoo and Gmail will no longer accept messages from senders lacking a DMARC policy on their domain.

But that’s not all! Proper SPF and DKIM authentication will also be a requirement. This means email authentication is no longer a choice, but a necessity when it comes to email delivery. Before we delve into the ways you can implement it, let’s first understand what email authentication is.

Email authentication is a technical solution designed to verify the identity of the sender and ensure the integrity of the message. It’s the digital equivalent of checking a sender’s ID before letting them into your house.

It helps email providers determine whether a message comes from a trustworthy source or if it’s a wolf in sheep’s clothing - a spammer, scammer, or spoofer pretending to be someone they’re not.

Implementing email authentication protocols can protect your brand from cyberattacks and your subscribers from impersonators. NPR recently reported “according to new research from the cybersecurity firm Proofpoint, 52% of the top 50 U.S. retailers ranked by the National Retail Federation are not fully compliant with [email security] protocol.” That is a surprisingly high number.

Email Authentication Methods

The three most commonly used email authentication methods to protect domain owners from impersonation are SPF, DKIM, and DMARC. Don’t worry, we’ll get into what these mean shortly! If a message can be authenticated with at least one of these methods, it’s like having a VIP pass to the inbox. However, if authentication is missing or improperly set up, it’s like setting off a security alarm, which can lead to the message being banished to the spam folder—or not being delivered at all.

A fourth newer authentication method is BIMI, which we will also get into in this blog post.

1. SPF (Sender Policy Framework)

SPF is a method that helps protect email senders and recipients from spam, spoofing, and phishing. An SPF record allows domain owners to specify which mail servers are permitted to send email on their behalf. This is done by publishing an SPF record in the domain’s DNS (Domain Name System) settings. When an SPF-enabled receiving server gets an email, it looks up the SPF record of the sending domain and checks whether the server that delivered the message is listed there. If the server is not listed in the SPF record, the email could be marked as spam or rejected.

2. DKIM (DomainKeys Identified Mail)

DKIM is a method of email authentication that employs a digital signature to assure the recipient that the email was indeed sent and authorized by the domain owner.

Once the receiving server verifies that an email carries a valid DKIM signature, it can be confident that the signed parts of the email have not been altered in transit. DKIM signatures are typically not visible to end users, because validation happens at the server level. When used in conjunction with DMARC or SPF, DKIM can safeguard your domain against harmful emails sent from domains masquerading as your brand.

3. DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds upon SPF and DKIM. It allows domain owners to instruct email providers on how to handle emails that fail SPF or DKIM checks. These instructions are published in the domain’s DNS records. Essentially, DMARC uses SPF and DKIM to help administrators catch emails sent by cyber attackers that impersonate their organization. These attackers use a From address that may appear identical to the legitimate organization’s domain. DMARC also provides a way for email receivers to report back to the domain owner about emails that pass and/or fail DMARC evaluation, providing visibility into the email ecosystem.

4. BIMI (Brand Indicators for Message Identification)

BIMI is a newer standard that allows organizations to display their logo or sender ID image in the recipient’s email client, provided the email passes DMARC authentication. The logo’s URL is published in the domain’s DNS records. BIMI helps increase brand recognition and trust among email recipients.

You’ve definitely seen a sender ID image used before in your inbox. Here is an example below from New Balance:

Technically, you only need DMARC to implement BIMI. However, since DMARC depends on SPF and DKIM, it is essential to have all three in place before implementing BIMI.

We highly recommend having the first three methods, SPF, DKIM, and DMARC, to deter scammers and maintain your email sending reputation. While BIMI is nice to have, it comes with a cost, which isn’t ideal for many small businesses. Fortunately, there are free workarounds that allow you to add a Sender ID image (which we will get into in a later blog post).

How to check if DMARC, SPF, and DKIM are set up correctly

You can use an analysis tool or service to verify this, or if you’re savvy, you can send a test email and check the email header to see if these methods pass. The authentication results you find in the header of a message that passed might look like this:

arc=pass (i=1 spf=pass spfdomain=example.com dkim=pass dkdomain=example.com dmarc=pass fromdomain=example.com);

(source: https://www.cloudflare.com/learning/email-security/dmarc-dkim-spf/)
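As an added example (not The Email Co’s own tooling, and not from the Cloudflare page cited above), the following Python script performs the checks this section and the method descriptions above describe: it inspects an SPF record and a DMARC record for common misconfigurations and reads the SPF/DKIM/DMARC verdicts out of an Authentication-Results line like the one quoted. The SPF and DMARC record values are constructed samples for example.com; the header line is the one shown above.

```python
import re

# Constructed sample records for example.com (not real DNS data).
SPF_RECORD = "v=spf1 include:_spf.example.net ip4:192.0.2.10 -all"
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=r; aspf=r"
AUTH_RESULTS = ("arc=pass (i=1 spf=pass spfdomain=example.com dkim=pass "
                "dkdomain=example.com dmarc=pass fromdomain=example.com);")
# Terms that each consume one of the 10 DNS lookups SPF allows per evaluation.
LOOKUP_TERMS = ("a:", "a/", "mx", "include:", "ptr", "exists:", "redirect=")

def spf_issues(record):
    """Return a list of problems with an SPF TXT record (empty means it looks fine)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues, last = [], terms[-1].lower()
    if last in ("+all", "all"):
        issues.append("'+all' lets any server pass SPF")
    elif last not in ("-all", "~all", "?all"):
        issues.append("no terminal 'all' mechanism")
    bare = [t.lstrip("+-~?").lower() for t in terms[1:]]  # drop qualifiers
    if sum(t == "a" or t.startswith(LOOKUP_TERMS) for t in bare) > 10:
        issues.append("more than 10 DNS-lookup terms; receivers return permerror")
    return issues

def parse_dmarc(record):
    """Return DMARC tag=value pairs, or {} if this is not a DMARC1 record."""
    tags = dict(part.strip().split("=", 1) for part in record.split(";") if "=" in part)
    return tags if tags.get("v") == "DMARC1" else {}

def dmarc_issues(tags):
    """Flag a missing or monitor-only policy and missing aggregate reporting."""
    if not tags:
        return ["no valid DMARC record"]
    issues, policy = [], tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid 'p' policy tag")
    elif policy == "none":
        issues.append("p=none only monitors; BIMI needs quarantine or reject")
    if "rua" not in tags:
        issues.append("no 'rua' address, so aggregate reports are never received")
    return issues

def parse_auth_results(header):
    """Pull the arc/spf/dkim/dmarc verdicts out of an Authentication-Results line."""
    return dict(re.findall(r"\b(arc|spf|dkim|dmarc)=(\w+)", header))

def all_pass(verdicts):
    """True when SPF, DKIM and DMARC all passed, as in the header shown above."""
    return all(verdicts.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
```

Run `spf_issues(SPF_RECORD)`, `dmarc_issues(parse_dmarc(DMARC_RECORD))` and `all_pass(parse_auth_results(AUTH_RESULTS))` against your own records and a test message's header to see where a setup falls short.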


We know that all of these acronyms around authentication might seem overwhelming, which is why we at The Email Co are here to support your business and help you with your setup. In summary, with impersonators and spammers on the rise, we can’t stress enough how important it is to have several layers of email authentication. The good news is, once these are set up, you can feel confident that your message will arrive in your subscribers’ inboxes without a hitch. Happy sending!
