Email authentication: SPF, DKIM & DMARC (and TLS)
SPF and DKIM are authentication protocols that should be treated as a must-have requirement in any modern email marketing infrastructure.
- Lacking SPF and DKIM authentication damages deliverability and affects reputation and inbox placement. DMARC builds on both SPF and DKIM, and DMARC is growing rapidly in importance, particularly for financial institutions.
Sender Policy Framework (SPF) allows the authoritative owner of a domain to tell receivers which networks, IPs or hosts are authorized to send mail using that domain as the envelope sender (the MAIL FROM / Return-Path address, which is checked by SPF, not the visible From header).
- The Sender Policy Framework is defined in RFC 7208.
- Single IPs, IP ranges, or hostnames can be used.
- An SPF record should be as restrictive as possible: list only the senders actually in use, end with -all (or ~all while testing), and never +all, which authorizes every host on the internet. A record may also use at most 10 DNS-lookup mechanisms (include, a, mx, ptr, exists, redirect), counted across the records it includes; exceeding that limit gives receivers a permanent error rather than a pass.
- This TXT record lives in the DNS zone of the domain used as the envelope sender, and there must be exactly one SPF record per domain; two records are another permanent error.
- Email should not be sent without verified SPF authentication.
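As an added example (not code from the original page), the following Python linter applies the checks above to an SPF record string: it reads the qualifier on the final all term and counts the terms that cost a DNS lookup against the RFC 7208 limit of 10. It works on one record's text without resolving anything, so lookups inside included records (which also count toward the limit) are not seen; the sample records are constructed.

```python
"""Lint an SPF TXT record offline: the qualifier on 'all' and the RFC 7208 lookup limit.

Added example. It inspects a single record string; lookups caused by records pulled
in via include:/redirect= also count toward the limit but are not visible here."""
from dataclasses import dataclass, field
from typing import List, Optional

# Terms that trigger a DNS lookup and count toward the limit of 10 (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


@dataclass
class SpfLint:
    record: str
    all_qualifier: Optional[str] = None   # '+', '-', '~' or '?'; None if there is no 'all' term
    has_redirect: bool = False            # redirect= replaces 'all' when nothing else matched
    lookup_terms: int = 0                 # lookup-costing terms seen in this record only
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def lint_spf(record: str) -> SpfLint:
    lint = SpfLint(record=record)
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        lint.problems.append("record must start with 'v=spf1'")
        return lint

    for term in terms[1:]:
        if "=" in term:                                   # modifier: redirect=, exp=, ...
            name = term.partition("=")[0].lower()
            if name == "redirect":
                lint.has_redirect = True
            if name in LOOKUP_TERMS:
                lint.lookup_terms += 1
            continue

        qualifier = "+"                                   # mechanisms default to 'pass'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name = term.split(":", 1)[0].split("/", 1)[0].lower()

        if name == "all":
            lint.all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lint.lookup_terms += 1
            if name == "ptr":
                lint.problems.append("ptr is slow and unreliable; RFC 7208 says it SHOULD NOT be used")
        elif name in ("ip4", "ip6"):
            if ":" not in term:
                lint.problems.append(f"{name} needs an address: {term!r}")
        else:
            lint.problems.append(f"unknown mechanism {term!r}")

    if lint.all_qualifier is None and not lint.has_redirect:
        lint.problems.append("no 'all' term: unlisted hosts get a neutral result instead of failing")
    elif lint.all_qualifier == "+":
        lint.problems.append("'+all' authorizes every host on the internet; use -all (or ~all)")
    elif lint.all_qualifier == "?":
        lint.problems.append("'?all' is neutral and gives receivers nothing to enforce; use -all (or ~all)")
    if lint.lookup_terms > MAX_LOOKUPS:
        lint.problems.append(
            f"{lint.lookup_terms} lookup terms exceed the limit of {MAX_LOOKUPS}: receivers return permerror")
    return lint


if __name__ == "__main__":
    # Constructed records for demonstration, not any real domain's published SPF.
    for rec in ("v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
                "v=spf1 a mx ptr +all"):
        result = lint_spf(rec)
        print(rec, "->", "ok" if result.ok else result.problems)
```

Run it against your own record (dig TXT yourdomain) before publishing; the `ok` property is false whenever the record would either authorize the world or fail with permerror at receivers.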
DomainKeys Identified Mail (DKIM) lets the sender cryptographically sign selected headers and a hash of the message body, so the receiver can verify that the signing domain (the signature's d= tag) took responsibility for the message and that the signed content was not altered in transit.
- It uses a public/private key pair: the private key signs outgoing mail, and the public key is published in DNS as a TXT record under the _domainkey subdomain, named by the selector in the signature's s= tag. Rotate keys periodically and retire selectors that are no longer in use.
- It has become a crucial part of deliverability, and email should never be sent without it.
- Failure to include a valid DKIM signature will affect deliverability and inbox placement at many ISPs.
Domain-based Message Authentication, Reporting and Conformance (DMARC, RFC 7489) is an authentication policy that lets a domain owner tell receivers how to handle mail that fails DMARC, that is, mail for which neither SPF nor DKIM passes with a domain aligned to the visible From header.
- It is published as a short TXT record in DNS at the _dmarc subdomain of the sending domain, requesting a policy of none (monitor only), quarantine or reject.
- It allows domain owners to request aggregate reports from receivers about mail claiming to be from their domains. These reports contain per-source counts and authentication results, not message content; separate failure reports with message details can also be requested, though many receivers do not send them.
- It creates a way for ISPs to supply that data in a standardized format.
- These reports allow domain owners to monitor possible spoofing of their domains. This is especially useful for frequently impersonated businesses such as banks, online payment systems and social media services.
- DMARC does not allow senders to bypass spam filters.
Some ISPs take DMARC alignment into consideration in their filtering decisions.
- For a message to pass DMARC, at least one of the two identifiers must both authenticate and align: SPF passes and the SPF domain aligns with the From header, or DKIM verifies and the DKIM domain aligns with the From header.
- DKIM alignment: the signature's d= domain must match the domain of the visible From header (the 'friendly from'). In relaxed mode (the default) the organizational domains must match, so mail.example.com aligns with example.com; in strict mode (adkim=s) the two must be identical.
- SPF alignment: the Return-Path (envelope sender) domain must match the From header domain, again exactly or at the organizational level depending on the aspf tag. Alignment is what stops an attacker from passing SPF or DKIM for a domain they control while displaying yours in the From header.
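The DMARC record described in the section above and the alignment rules just listed, in one added Python example (not code from the original page): it parses a constructed _dmarc TXT record, extracts the From, Return-Path and DKIM d= domains from a constructed message, applies relaxed or strict alignment, and returns the DMARC result and the disposition the policy requests. The raw SPF and DKIM outcomes are passed in as booleans because producing them needs DNS lookups and signature verification; the organizational-domain function is a deliberate simplification of the Public Suffix List and is labelled as such in the code.

```python
"""DMARC evaluation for one message (added example, not from the original page).
SPF/DKIM pass results are inputs; this shows the DMARC layer on top of them:
record parsing, identifier alignment (relaxed/strict) and the requested disposition."""
import email
import email.message
import email.utils
from typing import Dict, Optional

# Stand-in for the Public Suffix List; real implementations consult the full list.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a tag dict with RFC 7489 defaults."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: needs v=DMARC1 and a p= tag")
    tags.setdefault("adkim", "r")     # DKIM alignment mode: r(elaxed) or s(trict)
    tags.setdefault("aspf", "r")      # SPF alignment mode
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain (approximation using MULTI_LABEL_SUFFIXES, not the real PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def address_domain(header_value: Optional[str]) -> Optional[str]:
    """Domain part of a 'Name <user@host>' style header value."""
    if not header_value:
        return None
    _, addr = email.utils.parseaddr(header_value)
    return addr.rpartition("@")[2].lower() or None


def dkim_signing_domain(msg: email.message.Message) -> Optional[str]:
    """The d= tag of the DKIM-Signature header, if present (folding is tolerated)."""
    sig = msg.get("DKIM-Signature")
    if not sig:
        return None
    for tag in sig.split(";"):
        key, _, value = tag.strip().partition("=")
        if key.strip() == "d":
            return value.strip()
    return None


def evaluate_dmarc(raw_message: bytes, dmarc_record: str, record_domain: str,
                   spf_pass: bool, dkim_pass: bool) -> Dict[str, object]:
    """Combine SPF/DKIM outcomes with alignment; return the DMARC result and disposition."""
    msg = email.message_from_bytes(raw_message)
    tags = parse_dmarc(dmarc_record)
    from_domain = address_domain(msg.get("From"))
    if not from_domain:
        raise ValueError("no usable RFC5322.From domain")
    spf_aligned = spf_pass and aligned(address_domain(msg.get("Return-Path")), from_domain, tags["aspf"])
    dkim_aligned = dkim_pass and aligned(dkim_signing_domain(msg), from_domain, tags["adkim"])
    passed = spf_aligned or dkim_aligned
    # p= applies to the domain the record was published at; sp= to its subdomains.
    policy = tags["p"] if from_domain == record_domain.lower() else tags["sp"]
    # pct= would sample the policy; sampling is omitted so the result stays deterministic.
    return {"from_domain": from_domain, "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned,
            "result": "pass" if passed else "fail", "disposition": "none" if passed else policy}


# Constructed sample message and record (not captured traffic; signature values are dummies).
SAMPLE_MESSAGE = b"""Return-Path: <bounces@mail.example.com>
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel1; c=relaxed/relaxed;
 h=from:to:subject; bh=cHJldGVuZA==; b=c2lnbmF0dXJl
From: Example Bank <alerts@example.com>
To: customer@example.net
Subject: Statement ready

Body text.
"""
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=r; aspf=r"

if __name__ == "__main__":
    print(evaluate_dmarc(SAMPLE_MESSAGE, SAMPLE_RECORD, "example.com", True, True))
```

Try the spoofing case yourself: keep From as example.com but change Return-Path and d= to a domain you control and pass True for both SPF and DKIM; the message still fails DMARC and gets the p=reject disposition, which is exactly the protection alignment adds over SPF and DKIM alone.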
Transport Layer Security (TLS) is a protocol that encrypts and authenticates the communication channel between two computers.
- It is the successor to SSL, and the two terms are often used interchangeably.
- SSL/TLS are widely used to encrypt connections over the internet. For example, whenever a lock appears in the browser's address bar, the browser has an encrypted connection to the website it is talking to.
TLS can encrypt email in transit between mail servers, negotiated with the SMTP STARTTLS command. Some recipients require it and will refuse mail that is not TLS encrypted, but that is not yet common. Many MTAs can request TLS when it is available and fall back to an unencrypted connection when it is not (opportunistic TLS). Opportunistic TLS only protects against passive eavesdropping: an attacker on the path can strip the STARTTLS offer and force the plaintext fallback, which is what MTA-STS (RFC 8461) and DANE for SMTP (RFC 7672) exist to prevent. It also protects only the hop between two servers, not the message end to end.