Email Authentication

Domain and Email Security - Using DKIM, DMARC and SPF for email authentication is a necessity today in order to protect a domain used for email and to assure deliverability.

Understanding DMARC and SPF to Improve Email Deliverability

With 3.8 billion global users, the impact of email marketing remains unmatched. However, 78% of companies reported that they had faced email deliverability issues in the last 12 months. It has also been reported that 21% of all opt-in emails never make it to the inbox.

Email deliverability, which refers to the email placement in the inbox, is deeply interconnected with DMARC and SPF. DMARC and SPF are fundamental components of email authentication that help protect email senders and recipients from spam, phishing, and spoofing.

But what do these terms mean, and how do they influence email deliverability? Let’s get into the details.

What is SPF?

SPF (Sender Policy Framework) is a form of email authentication that allows an organization to claim responsibility for an email so that the recipient can validate it. With SPF, a domain owner specifies which mail servers are authorized to send email on behalf of the domain.

To briefly describe the operation of SPF, the receiving server compares the sender’s IP address to the list of authorized IP addresses published in the sending domain’s DNS records. If the sending IP is on the list, the check passes and the email goes into the inbox. If not, the spam filter blocks it. SPF on its own does not provide any reporting functionality.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an additional layer of authentication built on SPF and DKIM to block fraudulent emails. DMARC adds further authentication parameters such as reporting, policy definition, and identity alignment.

The sending email server or servers use DMARC records to communicate with the receiving email servers. This allows the receiving email server to confidently reject or quarantine unauthenticated emails without impacting the efficacy of the legitimate email program.

Benefits of DMARC and SPF

The DMARC record and SPF record work together to improve email security. Some of the major benefits of DMARC and SPF are –

  • They stop spoofing and phishing emails sent from your domain
  • They provide information about the emails that you send, which can be helpful to get all legitimate emails properly authenticated
  • They improve sender reputation and email deliverability

How do DMARC and SPF Influence Email Deliverability?

When a domain publishes DMARC and SPF records, it reduces spam email because spam filters are more likely to catch spoofed messages. It is a way to improve your brand reputation. A clean, improved reputation means your messages are more likely to reach your target inbox. Additionally, it demonstrates to the ISPs and receiving mail servers that you contribute to a positive email environment. So, in addition to preventing damage to your reputation, it improves brand reputation and email deliverability.

As mentioned before, DMARC is an added layer of authentication that comes into play after an email fails SPF and DKIM authentication. With a DMARC policy in place, the sender gives instructions to the recipient on what to do when a message does not pass either of the authentication methods. It automates the spam detection process on the receiving end. It increases the receiver’s trust in the sending domain and increases the ISP’s willingness to place its emails in the inbox. As a consequence, it improves email deliverability.

DMARC reports also improve the authentication results by confirming the sources and IPs that send messages on behalf of the domain. They provide additional detail on the outcome of SPF and DKIM verification. Based on these results, the domain owner can improve the SPF and DKIM configuration to improve email deliverability.

Do You Need Both DMARC and SPF?

Major email providers such as Google and Microsoft require DMARC authentication on top of SPF and DKIM for all emails. This means you will need to add both DMARC records and SPF records to your domain to improve email deliverability to the major email hosting providers.

Another reason you need to add DMARC to your domain is that it ignores the nuances of soft fail and hard fail in your SPF configuration. Additionally, as DMARC provides reporting functionality, it alerts the sending domain if the domain is being misused. The DMARC policy that defines the handling of unauthorized emails allows the receiver to enforce policies decided by the sender. SPF alone does not provide these functionalities. So, you need both DMARC and SPF to improve email deliverability substantially.
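To make the two checks above concrete, here is an added example (not code from the original page or from Click IT) that evaluates an SPF record for a sending IP and then applies DMARC identifier alignment and policy selection. The DNS TXT records are a constructed in-memory table standing in for real lookups, and the organizational-domain helper simply takes the last two labels, which is an assumption that a production verifier would replace with the Public Suffix List.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed DNS TXT data standing in for real lookups (assumption: these
# records are illustrative and belong to no real domain).
DNS_TXT: Dict[str, List[str]] = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all"],
    "mail.example.net": ["v=spf1 ip4:198.51.100.25 ~all"],
    "_dmarc.example.com": [
        "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; adkim=r; aspf=r"
    ],
}


def lookup_txt(name: str) -> List[str]:
    """Stand-in for a DNS TXT query; returns [] for unknown names."""
    return DNS_TXT.get(name.lower(), [])


def spf_check(ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for the sending IP.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    Supports ip4/ip6, include, and the 'all' mechanism with qualifiers."""
    if depth > 10:  # RFC 7208 limits DNS-querying mechanisms to 10
        return "permerror"
    records = [r for r in lookup_txt(domain) if r.startswith("v=spf1")]
    if len(records) != 1:  # no record -> none; several records -> permerror
        return "none" if not records else "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        if term == "all":
            return result
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(value, strict=False):
                return result
        elif name == "include":
            # include: matches only when the included domain's record passes
            if spf_check(ip, value, depth + 1) == "pass":
                return result
    return "neutral"  # nothing matched and no 'all' term was present


def parse_dmarc(domain: str) -> Dict[str, str]:
    """Fetch and parse the _dmarc.<domain> TXT record into a tag dictionary."""
    for rec in lookup_txt(f"_dmarc.{domain}"):
        if rec.startswith("v=DMARC1"):
            tags: Dict[str, str] = {}
            for part in rec.split(";"):
                key, _, value = part.strip().partition("=")
                if key:
                    tags[key] = value
            return tags
    return {}


def org_domain(domain: str) -> str:
    """Organizational domain (assumption: last two labels; real code uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(a: str, b: str, mode: str) -> bool:
    """DMARC alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return a.lower() == b.lower()
    return org_domain(a) == org_domain(b)


def dmarc_evaluate(from_domain: str, sender_ip: str, mail_from_domain: str,
                   dkim_domain: Optional[str] = None,
                   dkim_pass: bool = False) -> Tuple[str, str]:
    """Combine SPF and DKIM outcomes with alignment; return (result, policy).

    DMARC passes when at least one of SPF or DKIM both passes and aligns
    with the RFC5322.From domain; the policy tag says what to do on failure."""
    tags = parse_dmarc(from_domain)
    if not tags:
        return ("none", "none")
    spf_ok = (spf_check(sender_ip, mail_from_domain) == "pass"
              and aligned(mail_from_domain, from_domain, tags.get("aspf", "r")))
    dkim_ok = (bool(dkim_pass and dkim_domain)
               and aligned(dkim_domain, from_domain, tags.get("adkim", "r")))
    result = "pass" if (spf_ok or dkim_ok) else "fail"
    return (result, tags.get("p", "none"))
```

Two cases worth noticing: a message whose SPF passes for a MAIL FROM domain that is not aligned with the visible From domain still fails DMARC, and a DKIM pass from an aligned subdomain rescues a message whose SPF failed, which is exactly why the page recommends deploying both mechanisms under a DMARC policy.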

Spam emails are a rising concern in email deliverability. Email addresses exposed on the web are a driving reason behind the increasing number of spam emails. To reduce the number of spam emails you receive and ensure every important message reaches your inbox, you need to check your email address visibility.

Business Email Compromise (BEC) phishing scams, which include wire fraud transfers, IRS W-2 scams and other forms of highly targeted impostor attacks, are on the rise at astounding rates. Estimated costs of BEC phishing scams are at $3.1B and rising according to recent FBI data.

With these scams, savvy cyber-criminals are taking the time to harvest personal information to target carefully selected employees with a spear phishing email designed to get access to confidential business information or transfer money into an unknown account.

Email is still the main conduit for these threats we all face daily. Simply because it's difficult to tell if an email is real or fake, thousands of computers and networks are infected every day, even with anti-virus software installed. Click IT pays special attention to the safety of our customers' IT, with constant monitoring and combat tools, where we work daily to thwart attacks and stop cyber-criminals in their tracks before they strike. One of the weapons in our arsenal incorporates the newest in email safety technology, called domain or email authentication, or DKIM/DMARC.

Email Authentication is a necessity today in order to help protect a domain used for delivering email, as well as to assure that email recipients and senders are protected from forged (spoofed) and phishing email that might be targeting your domain. Email Authentication also helps gain control over where the domain is being used, and from which servers email is being sent.

The short video below presents an overview of DMARC -- the technology of Domain-based Message Authentication, Reporting, and Conformance.

DMARC brings new features of safety to the world of email, and is aimed squarely at solving a problem that has plagued email from the very beginning:

There isn’t a reliable way to tell if an email is real or just a really good fake.

This problem gets email into all sorts of trouble: spam, phishing, the spread of viruses and malware. Email is used to perpetuate a lot of fraud simply because it's difficult to tell if a piece of email is real. On the flip side, legitimate senders have to navigate some pretty complicated anti-spam filters -- filters that are designed to block unwanted email -- just to get their emails delivered. Doing this is a big enough problem that an entire “email deliverability” industry exists to help organizations keep their email flowing into inboxes.

Internet mail hasn't changed much over the years simply because the basic question of “is it real?” hasn’t been easy to answer.

To solve this very real problem, DMARC's new features make email easy to identify. It does so by creating a link between a domain and a piece of email. All of DMARC's features are aimed at making this link possible for all email domains on the Internet, regardless of whether the domain belongs to a Fortune 500 company or an individual citizen.

The underlying technologies that associate a domain with a piece of email have been around for a long time, and people have tried their best in many different contexts to make the technologies useful. SPF -- which is a way of publishing a list of servers that are authorized to send email on behalf of a domain -- has been around since 2003. DKIM -- which is a method of adding a tamper-proof domain seal to a piece of email -- has roots going back to 2005.

Instead of relying on a single technology, DMARC brings consistency to how these existing technologies are configured so that when a piece of email is received, a simple check can be performed to see if the email really does come from the domain it says it comes from.

The goal is to make email easy to identify, but this isn't very useful unless all of a domain’s email can be identified. If it’s easy to identify only some of a domain’s email, then people still have to go to great lengths to figure out if the remaining parts are real or if they just look real but are in fact phishing emails that end up causing a lot of grief.

To make it so that all of a domain’s email can be made easily identifiable, DMARC gives domain owners visibility into how their domains are being used on the Internet. This visibility comes in the form of feedback reports that are generated by organizations that process incoming mail. The reports are sent to domain owners when they ask for them. By analyzing these reports, domain owners can identify all of their sources of email, which makes it possible to deploy the underlying technologies across all legitimate email streams. Without these reports, a domain owner would have to somehow audit their organization to figure out who is sending email -- a task that is time-consuming and almost guaranteed to be incomplete. With these reports, a domain owner can get the work done quickly and accurately.

To tie this all together, when a Domain owner is confident that they've made all of their legitimate email easy to identify, they can tell the world to block the fake stuff. Today, DMARC is used to block a lot of fake emails, which is a very good thing.

However, even though blocking fake email is great, the visibility that DMARC provides to Domain owners is useful in itself. People use DMARC to see if their domains are being abused on the Internet. Organizations use DMARC to understand how they and their partners are sending email using their domains, and also if everyone is sending email correctly. Doing this turns DMARC into a compliance tool that organizations use to make sure they're doing everything they can to reduce the risk of fraud to themselves and their customers and also to make sure that any liability in terms of adhering to best practices to protect users and assets is reduced.

Arguably the best thing that DMARC is doing for email is to change email from a "let's keep the bad stuff out" model to a "let's build on our ability to identify real email" model. Receivers of email are radically simplifying how they process email, even to the point of requiring DMARC compliant email if you're trying to deliver a lot of emails, and this is a pretty big deal to any organization that relies on email for its day to day business.

News, resources, additional reading can be found at https://clickitemail.com