SPF, DKIM and DMARC email verification

SPF, DKIM and DMARC email verification

Email has been around since the 1970s, and the fundamentals of it haven’t really changed since then. What has changed, however, is its ubiquity. Everyone has an email address, and as global email usage has increased, so has the amount of spam flying around. Ever-more strict guards against spam have been developed, so how do you make sure the email you send to clients, customers and suppliers isn’t incorrectly marked as spam?

Modern email systems check three particular values – SPF, DKIM and DMARC – to decide whether a message is being sent by an authorised sender, and from a verified domain. If the message fails one or all of these checks, then it becomes more likely the message will end up in the recipient’s junk folder, or not arrive at all.

How does SPF, DKIM and DMARC prevent my email from being marked as spam?

The records for your email system’s SPF, DKIM and DMARC reside in your domain’s DNS (this is a lot of capital letters, isn’t it? Don’t worry, I’ll spell it out in a bit). Your domain is the bit after the @ sign in your email address, and it may also be the address for your website – for example Plan IT Support’s domain is planits.co.uk.

DNS (domain name system) is a whole can of worms in itself, and should really only be accessed by someone that knows what they’re doing – you can bring your entire website and email system crashing down if you prod the wrong thing. For the sake of this article, we’ll assume your domain’s DNS is handled by your web or domain host, or an IT managed service provider like Plan IT Support. Don’t try this at home.

But what does SPF do? How does DKIM prevent spam? And what on Earth is DMARC? Let’s take a look.

What is SPF? Are we talking about sun cream?

SPF stands for Sender Policy Framework, and it is an email authentication method that helps prevent unauthorised senders from using your domain name (spoofing) to send emails.

Think of it as a publicly available employee directory. Just as an employee directory lists the names of all employees for an organisation, SPF records list all the servers that are allowed to send emails from your domain. This will usually be just your mail server or service (like Google or Microsoft 365), but you may use third-party CRM or sales tools that also send email using your domain. This list of authorised mail senders prevents spammers from impersonating the domain and sending fake emails from an unauthorised server.

When a recipient receives an email from you, their email server can check the SPF record for your domain and verify that the email came from an authorised source.

Decoding DKIM.

Domain-Keys Identified Mail enables the email sender to sign their email using a private, cryptographic key, adding a unique signature to the email’s header. This signature is not visible in the message itself, and as such is not read by the sender (you) or the receiver. However, the recipient’s email server can detect and verify this signature by looking up the sender’s domain key via their public DNS records (that again, yes).

Google and Yahoo recently announced that they will no longer process email sent from a server without DKIM enabled, and more email service providers are likely to follow suit.

The process of DKIM helps to ensure the email’s authenticity and integrity. The signature proves that the email has not been tampered with during transit, and that it originates from an IP address associated with the verified sender of the email.

It’s sort of like those wax seals that barons and kings used on their important scrolls in the olden days. The wax itself, if intact, proved that the scroll had not been tampered with, whereas the unique seal pressed into the wax proved the sender was indeed his Lordship or Royal Majesty. They had no idea about DKIM back then, but I bet they’d have used it if they could.

DMARC, as easy as ABC.

Domain-based Message Authentication, Reporting & Conformance (say it five times drunk, etc.) builds on top of SPF and DKIM, and is more of an instruction for what to do if an email fails these first two checks. It allows you, as a domain owner, to publish a policy that advises the recipient’s email server on how to handle email that falls foul of this verification. It can also request reports on email activity using your domain.

To go back to our lordly wax-sealed message from earlier, DMARC is like including instructions on the scroll about what to do if the seal is broken, or if the return address is not valid. It helps email providers to handle unauthenticated emails in a way that aligns with the your preferences, as a domain owner, for security.

To employ DMARC, you must have SPF and DKIM already configured for your domain. These are important prerequisites, as SPF and DKIM provide the basic authentication mechanisms for your emails.

What are the benefits of SPF, DKIM and DMARC?

Implementing SPF, DKIM, and DMARC on a business email system provides crucial benefits around enhancing email security, maintaining brand reputation, and improving overall communication reliability.

By using these email verification systems, an organisation can significantly reduce the risk of phishing attacks. These authentication methods help ensure that recipients can trust the authenticity of emails claiming to be from your business, reducing your and their likelihood of falling victim to phishing scams.

They’re also a safeguard for the business’s brand reputation. It prevents malicious actors from using your business domain to send fraudulent or spam emails. SPF, DKIM, and DMARC, together, build trust among recipients that emails bearing your business’s name are legitimate. They will also have a positive impact on email deliverability by increasing the chances of your emails reaching your customers’ and clients’ inboxes rather than being marked as spam.

If you’ve read this far, then it’s likely you’re concerned about your business email security – let’s face it; nobody reads about email verification for fun. You may already have one or all of these verification methods configured and enabled. If you’re not sure, we can check for you. And if you don’t, we can work with your business email systems to get them set up.