How SPF, DKIM and DMARC Separate the Wannabes from the Real Stuff

Discussion in 'Mail Chat' started by roundabout, Jun 4, 2013.

  roundabout, Well-Known Member, joined Feb 17, 2011
    Email Authentication: How SPF, DKIM and DMARC Separate the Wannabes from the Real Stuff

    The world of email marketing has evolved drastically in the last few years. Some deliverability practices that were considered very important no longer hold the same lofty status, while others that were nonexistent have become musts.

    In all paths of life, you’ll find “wannabes” stirring up trouble and trying to make the good things look bad — and that includes the world of email marketing. Have you ever received an email, purportedly from a bank or other financial institution, which requests that you update your information and provide account details?

    Authentication — confirming the real sender of an email — is an important email deliverability best practice and enables ISPs (and therefore the consumer) to detect and avoid phishing, spoofing and spam emails.

    In the past, this was mainly achieved by the presence of SPF and/or DKIM records on the DNS server for your sending domains.

    Recently, a new record called DMARC has also been created and requires both the SPF and DKIM to be present in order to work.

    This shift reflects the fact that many ISPs, especially the larger ones (Yahoo, AOL, Gmail and …), have recently become more demanding and stringent, looking out for the welfare of their users and raising standards to only accept what they deem are VIP communications. In other words, no wannabes allowed, only the real thing.

    Here’s a quick explanation of SPF, DKIM and DMARC:

    1) SPF (Sender Policy Framework)
    SPF allows administrators to specify which hosts are allowed to send email from a given domain by creating a specific DNS SPF record in the public DNS.

    Mail exchangers (MX records) then use the DNS to check that mail from a given domain is being sent by a host sanctioned by that domain's administrators.

    2) DomainKeys/DKIM (DomainKeys Identified Mail)
    DKIM uses a key pair, consisting of a public key and a private key: the signing Mail Transfer Agent (MTA) generates a public key, which is published in DNS, and a private key, used to digitally sign all the sent email messages.

    The verifying MTA retrieves the public key and compares it to the digital signature of the received email. If the key pair is a match, then the email is legitimate and is accepted by the ISP.
    DKIM also plays a role when it comes to the feedback loop (FBL) at Yahoo, for instance, as it’s based on the domain and not the IP. So, if an unauthenticated domain is used to send mailings to Yahoo users, the abuse complaints will not be reported back, as DKIM will not be in place.

    Gmail recently upgraded the type of domain key it was using from 512 bits to 1,024 bits and is applying more scrutiny to those senders who haven’t similarly upgraded, with resulting deliverability issues for those senders still using 512-bit domain keys.

    3) DMARC (Domain-based Message Authentication, Reporting and Conformance)
    DMARC standardizes how email receivers perform email authentication using SPF and DKIM mechanisms. This means that senders will experience consistent authentication results for their messages at email receivers implementing DMARC.

    A DMARC policy allows a sender to indicate that its emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes — such as junk or reject the message.

    By doing so, it removes guesswork from the receiver's handling of these failed messages, limiting or eliminating the user's exposure to potentially fraudulent and harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

    Best Practices: Don’t Be a Wannabe

    Depending on the industry in which you’re involved, you can either have all three authentication methods in place or opt for at least the SPF and DKIM together. While it’s beneficial for any marketer to use the DMARC record, financial institutions and similar businesses would benefit the most from adding it, as these companies are most frequently targeted by phishing scams, and implementing DMARC will show how many phishing attempts are made on your domains.

    Note that authentication itself will not compensate for weak email practices around content, permission standards, bounce handling, complaints or filter triggers.

    Today, the digital marketing world belongs to VIPs and not wannabes. In order for you to be accepted by ISPs as a responsible sender, it’s important that your authentication is in place for all sending domains, whether these are used for newsletters, transactional messages or standard marketing emails.

    If your domains are not yet authenticated, I would urge you to remedy that situation soon. SPF and DKIM are easy to set up and greatly help the delivery of your mailings globally. It’s never too late to be recognized as the real article.
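The SPF section above describes a receiving mail exchanger checking the connecting host against the domain's published record. The following is an added example, not code from the original post or from any mail product, of a simplified RFC 7208 check_host() evaluator: it handles the ip4, ip6, include and all mechanisms with their +/-/~/? qualifiers and enforces the ten-lookup limit. The DNS table, domains and addresses are constructed for the example (documentation ranges from RFC 5737 and RFC 3849); a real receiver would resolve TXT records over DNS and would also implement a, mx, exists, ptr and redirect=.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: invented domains and
# addresses, not real records).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for a domain from the constructed table, or None."""
    txt = FAKE_DNS_TXT.get(domain.lower().rstrip("."))
    if txt and txt.lower().startswith("v=spf1"):
        return txt
    return None


def check_spf(client_ip, domain, _lookups=None):
    """Simplified check_host(): evaluate the sending IP against the domain's record.

    Returns one of pass, fail, softfail, neutral, none or permerror.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across recursive include: evaluations
    ip = ipaddress.ip_address(client_ip)
    record = lookup_spf(domain)
    if record is None:
        return "none"

    # Mechanisms are evaluated left to right; the first match decides.
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed record
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many lookups, record is unusable
            inner = check_spf(client_ip, arg, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("permerror", "none"):
                return "permerror"  # included domain has no usable record
            # softfail/fail/neutral inside an include simply does not match
        else:
            # a, mx, exists, ptr and redirect= are out of scope for this example
            continue
    # No mechanism matched and no explicit "all": default result is neutral.
    return "neutral"


if __name__ == "__main__":
    for ip_str in ("192.0.2.55", "198.51.100.10", "2001:db8::1", "203.0.113.5"):
        print(ip_str, "->", check_spf(ip_str, "example.com"))
```

Note how the ~all inside the included record does not cause a softfail for example.com: an include: mechanism only matches when the inner evaluation passes, so the outer record's own -all is what finally rejects the unlisted host.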
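The DMARC section above says the policy tells a receiver what to do when authentication does not pass, and the DKIM section notes that DKIM ties results to a domain rather than an IP. As an added example, not code from the original post, here is a small RFC 7489 policy evaluator: it parses a DMARC TXT record (p=, adkim=, aspf=), checks identifier alignment between the RFC5322.From domain and the SPF (MAIL FROM) and DKIM (d=) domains, and returns the disposition the policy requests. A message passes DMARC when at least one of the two identifiers both passes and aligns. The record and domains are constructed; the organizational-domain helper assumes a two-label suffix, where a real implementation would consult the Public Suffix List.

```python
VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Parse a DMARC TXT record into tag -> value, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed alignment unless overridden
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or tags.get("p") not in VALID_POLICIES:
        raise ValueError("not a valid DMARC record: %r" % record)
    if tags["adkim"] not in ("r", "s") or tags["aspf"] not in ("r", "s"):
        raise ValueError("alignment mode must be r or s")
    return tags


def organizational_domain(domain):
    """Simplification (assumption): the last two labels form the org domain."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain the SPF check was run against and
    dkim_domain is the d= tag of a DKIM signature that verified.
    """
    tags = parse_dmarc(record)
    spf_aligned_pass = (spf_result == "pass" and spf_domain is not None
                        and aligned(from_domain, spf_domain, tags["aspf"]))
    dkim_aligned_pass = (dkim_result == "pass" and dkim_domain is not None
                         and aligned(from_domain, dkim_domain, tags["adkim"]))
    if spf_aligned_pass or dkim_aligned_pass:
        return "pass", "none"
    # Neither identifier passed and aligned: apply the published policy.
    return "fail", tags["p"]


# Constructed policy record for the examples below (assumption: not a real domain).
EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r"

if __name__ == "__main__":
    # Bounce subdomain passes SPF; relaxed aspf alignment lets it count.
    print(evaluate_dmarc(EXAMPLE_RECORD, "example.com",
                         "pass", "bounce.example.com", "fail", None))
    # DKIM verified but signed by a subdomain while adkim=s demands an exact match.
    print(evaluate_dmarc(EXAMPLE_RECORD, "example.com",
                         "fail", "bounce.example.com", "pass", "mail.example.com"))
    # Third-party sender passes both checks, but for its own domain only.
    print(evaluate_dmarc(EXAMPLE_RECORD, "example.com",
                         "pass", "mailer.example", "pass", "mailer.example"))
```

The third case is the one that trips up marketers using a sending platform: SPF and DKIM both pass for the platform's domain, yet DMARC fails because neither identifier aligns with the From domain, and a p=reject policy then asks the receiver to reject the mail. Signing with the brand's own d= (or aligning the bounce domain) is what fixes it.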
