May 11, 2018

Understanding SPF and DKIM to Improve Email Deliverability


If you’re aware of how email can play a critical role in acquiring and retaining customers, then you’ve probably heard of SPF and DKIM. You might even know that SPF and DKIM are fundamental components of email authentication and help protect email senders and recipients from spam, spoofing, and phishing.

But what do these terms actually mean and how are they related to email deliverability? If you’re looking to better understand SPF and email DKIM, let’s start with some definitions.

Sender Policy Framework (SPF) Definition:

SPF is a form of email authentication that defines a process for validating that an email message was sent from an authorized mail server, in order to detect forgery and prevent spam. With SPF, the owner of a domain can identify exactly which mail servers are allowed to send mail from that domain.

DomainKeys Identified Mail (DKIM) Definition:

DKIM is a form of email authentication that allows an organization to claim responsibility for a message in a way that can be validated by the recipient. DKIM uses “public key cryptography” to verify that an email message was sent from an authorized mail server, in order to detect forgery and to prevent delivery of harmful email like spam.

SPF and DKIM Explained Simply

In the early days of ‘modern email’, there were limited mechanisms available to support sender verification. Nearly all spam, scams, and viruses that spread through email did so using falsified sender information – as some still do today. Verifying who email senders actually are was and still is a difficult process.

Take the example of visiting and submitting a search. You’re generally pretty confident that Google has control over what gets sent back to you for your search and the search results are secure. This is because the Domain Name System (DNS)—a distributed network of servers that act as a phonebook—connects the domain with a variety of records, including where to find the real

Email uses a later adaptation of this same system to verify senders, which is exactly what a Sender Policy Framework (SPF) record is.

Advantages and Potential Drawbacks of SPF

SPF is adept at preventing phishing. Without it, SMTP leaves your address open to anyone who wants to forge it for spamming purposes. With SPF in place, when a hacker attempts to initiate an email from your address, the receiving server’s SPF check detects it and identifies it as invalid. Using SPF shows your organization is committed to protecting against cyber threats, a sign that positively impacts your sender reputation.

When a user outside your domain forwards an email that originated from you, the delivery may not occur because of a mismatch between the sending IP address and the SPF record. Many mail exchange and transfer agents are now using the Sender Rewriting Scheme (SRS) to enhance the deliverability of email forwards. The SPF record must also be updated whenever you change third-party email service providers, so that the record and your actual sending servers continue to match.

How SPF Works

At the most basic level, SPF establishes a method for receiving servers to verify that incoming email from a domain was sent from a host authorized by that domain’s administrators. The following three steps outline how SPF works:

  1. A domain administrator publishes the policy defining mail servers that are authorized to send email from that domain. This policy is called an SPF record, and it is listed as part of the domain’s overall DNS records.

  2. When an inbound mail server receives an incoming email, it looks up the rules for the bounce (Return-Path) domain in DNS. The inbound server then compares the IP address of the mail sender with the authorized IP addresses defined in the SPF record.

  3. The receiving mail server then uses the rules specified in the sending domain’s SPF record to decide whether to accept, reject, or otherwise flag the email message.
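The three steps above, as an added example that is not from the original article: a small evaluator for the `ip4`, `ip6`, `include` and `all` mechanisms, run against constructed TXT records held in a dictionary instead of live DNS. The domains, addresses and the `ZONE` table are assumptions for illustration; `a`, `mx` and modifiers such as `redirect` are outside its scope.

```python
import ipaddress

# Constructed TXT records standing in for DNS (documentation address ranges
# and example domains, not real deployments).
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:esp.example.net ~all",
    "esp.example.net": "v=spf1 ip4:198.51.100.0/25 ip6:2001:db8::/32 -all",
    "strict.example.org": "v=spf1 ip4:203.0.113.7 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on mechanisms that trigger DNS queries


def check_host(ip, domain, zone=ZONE, _budget=None):
    """Evaluate the SPF record of `domain` (the Return-Path domain) for `ip`."""
    budget = _budget if _budget is not None else [MAX_LOOKUPS]
    record = zone.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # step 1 was never done: no policy published
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # mechanisms are evaluated left to right
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":  # e.g. a third-party ESP's own record
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many lookups, or an include loop
            inner = check_host(ip, arg, zone, budget)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # mechanism not handled by this example
    return "neutral"  # nothing matched and the record has no "all"
```

The returned result is what the receiving server feeds into step 3; whether `softfail` or `fail` leads to rejection or only flagging is the receiver's local policy.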

As a first step, you can inspect your own SPF record with SparkPost’s free tool, the SPF Inspector.

Once you’ve identified which servers are authorized to send on behalf of a domain, you can then create an SPF record for your domain through the SPF Builder.

Creating an SPF record will move you one step closer to ensuring that legitimate email that comes from your domain is successfully delivered to customer inboxes.

When it comes to verifying that an email message was sent from an authorized mail server, that’s where DKIM comes in.

Advantages and Potential Drawbacks of DKIM Authentication

DKIM’s primary advantage is its ability to protect against both spoofing and phishing attacks. The authentication appears within the message itself to prevent forgery and safeguard users from replying to illegitimate emails with sensitive personal data. Both spoofing and phishing have the potential to harm your sending reputation and future deliverability, so protection against the two is beneficial.

Creating an email with DKIM has the same potential disadvantage as SPF when it comes to forwarding messages. For example, an email that automatically routes from an office computer to a user’s mobile may appear illegitimate to the receiving server. Many popular email services have resolved this issue. One other challenge that may present itself is a DKIM key that is too short. With more support for longer keys, shorter ones may not pass authentication.

How DKIM Works

Simply put, DKIM works by adding a digital signature to the headers of an email message. This signature can then be validated against a public cryptographic key that is located in the organization’s DNS record.

  1. The domain owner publishes a public cryptographic key. This is specifically formatted as a TXT record in the domain’s overall DNS record.

  2. When a message is sent by an outbound mail server, the server generates and attaches the unique DKIM signature to the header of the message.

  3. The DKIM key is then used by inbound mail servers to detect and decrypt the message’s signature and compare it against a fresh version. If the values match, the message is proven authentic and unaltered in transit, and therefore not forged.
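The "compare it against a fresh version" check described above, shown for the body-hash (`bh=`) part of a DKIM-Signature header. This is an added example, not code from the original article: the message body, the selector `sel2018` and the domain `example.com` are constructed, and the RSA verification of the `b=` value is left out because Python's standard library has no RSA.

```python
import base64
import hashlib
import re


def canon_body(body: bytes, mode: str) -> bytes:
    """RFC 6376 body canonicalization ('simple' or 'relaxed')."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":  # collapse whitespace runs, drop trailing whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # empty lines at the end are ignored
        lines.pop()
    out = b"".join(ln + b"\r\n" for ln in lines)
    return out or (b"\r\n" if mode == "simple" else b"")


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    digest = hashlib.sha256(canon_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_body(sig_header: str, body: bytes) -> dict:
    """Recompute the body hash and compare it with the signed bh= value."""
    tags = parse_tags(sig_header)
    canon = tags.get("c", "simple/simple")
    mode = canon.split("/")[1] if "/" in canon else "simple"
    return {
        # DNS name of the TXT record that holds the public key
        "key_record": f"{tags['s']}._domainkey.{tags['d']}",
        "body_intact": tags["bh"] == body_hash(body, mode),
    }


# Constructed body and signature header; b= is a placeholder because the
# RSA step is not performed in this example.
BODY = b"Your order has shipped.\r\nTracking: 12345\r\n"
SIG = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2018; "
       f"h=from:to:subject; bh={body_hash(BODY)}; b=PLACEHOLDER")
```

With `c=relaxed/relaxed`, whitespace-only changes leave `body_intact` true, while any added or altered text in the body makes it false.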

You can validate your email with the DKIM Validator.

The Importance of Authentication Alignment

Using a third-party email service provider (ESP) is a wise investment, but it can still pose a challenge with domain alignment. In an aligned domain, your business appears as the sender even if your ESP is sending on your behalf. Your emails may still be delivered even if your domain is out of alignment. An aligned domain passes through spam filters more easily, further boosting your inbox placement opportunities.

The Value of SPF and DKIM

If you are a business that sends commercial or transactional emails, it’s critical to use both SPF and DKIM. Not only will these protocols protect your business from phishing and spoofing attacks, but SPF and DKIM ultimately help protect your customer relationships and brand reputation. Bear in mind that these are just a few of the many steps you can take to ensure business-critical emails reach your customers’ inboxes on time and don’t end up in spam folders.

Summing Up

In a nutshell, SPF allows email senders to define which IP addresses are allowed to send mail for a particular domain. DKIM, on the other hand, provides an encryption key and digital signature that verify that an email message was not forged or altered.

Authentication itself is not a testimonial on the value of your content. Use proper email etiquette and best practices for inbox placement — spammy content will still generate complaints and unsubscribes even if authenticated.

When these email authentication methods are properly implemented, you will be one step closer to improving your email deliverability and sending secure emails that drive revenue for your business.