How to Properly Authenticate Your Emails

What is email authentication?

Simply speaking, you confirm your identity as a sender when you authenticate your emails. Email authentication is a collection of techniques that provide verifiable information about the received email. It verifies the domain ownership of the message transfer agent which participated in the transfer of an email message.

Without authentication, spoofers and spammers have a far easier possibility to impersonate you and cause harm to your reputation. Your reputation? Yes, email authentication also benefits your email reputation. You improve email deliverability by authenticating your emails. With that, you reassure the email servers of your identity and get your emails delivered to primary inboxes without an issue. If you wish to improve email deliverability, we recommend reading that article for comprehensive guidance.

How does email authentication work?

While the entire email authentication process occurs behind the scenes, the authentication policies are set by the senders. Those authentication policies define the regulations by which an email can be authenticated. The sender configures the email server and technical infrastructure to conform to those policies.

Once an email server receives an email it conducts the email authentication process by investigating the details of the received email and comparing them to the defined rules of the domain owner. Afterwards, the email is either delivered to the primary inbox, sent to the spam section or sometimes even flagged or rejected.

Without any authentication, the delivered email messages are highly likely to be considered spam and get rejected. That directly affects the email reputation, which grants us more insight into the question mentioned in the section above - how does email authentication affect email reputation?

The set policies for email authentication are separated into standards, and there are three prominent email authentication standards. And once you have set all three email authentication protocols - you will be able to send emails freely and confidently.

What are email authentication standards?

In email authentication, there are three standards used prominently, also called email authentication protocols or methods. Those standards are SPF, DKIM, DMARC. These standards are supplementary to the basic email transfer protocol, SMTP, as it does not include any authentication mechanisms.

SPF and DKIM are used most commonly and they serve different purposes. SPF validates if the email was sent from an authorized IP address. DKIM verifies if the content was not changed by any interfering server during the transfer. 

And even though SPF and DKIM are the most common, DMARC is the most sophisticated one. DMARC conducts both SPF and DKIM verification processes and performs an additional procedure. We shall speak of that procedure further down the article.

We suggest reading this article for a more extensive guide on email authentication. For now, let us discuss some details on the available email authentication protocols, also called methods and standards. 

Sender Policy Framework (SPF)

SPF is a simple TXT file included in the DNS records of the domain. When creating an SPF record, domain owners specify the IP addresses authorized to send emails on behalf of that domain. 

The server receiving an email runs a DNS verification of the return-path address. After locating the SPF record within the DNS it scans the list of authorized addresses. The result of this process is positive if the address is present within the SPF record in the DNS of the server. In an opposite situation the email triggers a soft fail alert. The email is then marked with an authentication failure. A server still accepts the email but has a reason to discard it.

SPF is a widely adopted email verification method and is considered essential for any email sender SPF increases the chances of valid email delivery.

SPF record example

If you were to search the domain and locate the DNS records, an SPF record should look so: v=spf1 include:_spf.google.com include:mailtrap.io include:_spf.reply.io ~all

Let us analyze this SPF record and learn how to build one ourselves:

• v=spf1 is the beginning and is referring to the version of the SPF. SPF1 is the most widely adopted version and is also referred to as the SPF Classic
• include: is for specifying the domains used to send emails from.
• ~all concludes the record by specifying all other unauthorized domains.

Some records include IP addresses instead of server names, like so: v=spf1 ip0:000.00.00.0 ip6:000.00.00.00 include:_spf.google.com include:mailtrap.io include:_spf.reply.io ~all

How to properly authenticate with SPF?

If you are using a Mailtrap Email API/SMTP service, then you already have a prepared SPF server you can simply copy and paste in your DNS records.

Otherwise, when building an SPF record there are many details to consider. SPF comes with qualifiers, and the details of those qualifiers define the purpose of the SPF record:

• ~ is used to trigger a soft fail, accepting an email but marking it with SPF fail.
• – is used to reject emails.
• + is used to trigger a pass, allowing email messages.
• ? is a neutral qualifier, indicating an absence of policy.

The plus mark qualifier is also automatically assumed if there are no qualifiers indicated by the end of the DNS record. And all of the qualifiers above are simply suggestions and can be entirely ignored by the server if needed.

Domain Keys Identified Mail (DKIM)

DKIM is also considered an important email authentication method to possess. It is a digital signature attached to the transferred email and is validated by the receiving server upon arrival. Upon each DKIM validation, a public key is generated and added to the DNS records of the domain.

The DKIM signature is encrypted with an individual and a private key. The signature itself contains details of the email, such as the email header and body. The entire DKIM signature is created upon the creation — do forgive the tautology — and delivery of the email itself. Upon arrival, the server compares the public key from the DNS records to the private key. If everything matches - the test is passed. But if the email message went under any modification the DKIM test fails and the email message is discarded.

DKIM record example

DKIM record does look more complicated than an SPF record: DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=newyork;

     c=relaxed/simple; q=dns/txt; t=1117574938; x=1118006938;

     h=from:to:subject:date:keywords:keywords;

     bh=MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI=;

     b=dzdVyOfAKCdLXdJOc9G2q8LoXSlEniSbav+yuU4zGeeruD00lszZ

              VoG4ZHRNiYzR

As previously, let us dissect the entire record to understand it better to build ourselves:

• s= is a selector and labels the associated DNS.
• bh= hashed email message body
• b= the digital signature in a hashed format

These are the most important three. It is also important to understand, that a domain itself can have multiple selectors. Multiple sectors serve different purposes, such as an email for newsletters, promotions, sales, etc.

How to properly authenticate with DKIM?

DKIM is highly advised to be configurated with SPF. DKIM focuses on a singular aspect of phishing prevention and provides no mechanics for indicating to a server how to treat failed verification attempts. Authenticating emails with both of these email authentication methods, DKIM and SPF, provides a far more secure email exchange and information on where the email message originated from, and where it has been modified. For proper email authentication with DKIM, it is important to update your private and public keys once or twice a year.

Domain-based Message Authentication Reporting and Conformance (DMARC)

DMARC is not considered an authentication method, as it builds upon other email authentication methods, such as SPF and DKIM. DMARC adds domain alignment, which is an additional layer of security. The domain alignment procedure verifies SPF and DKIM. This procedure can either be “relaxed” or “strict”. Choosing the correct variant is particularly important. If you select “strict”, you need to make sure to include all transactional and marketing domains to avoid rejecting important emails. To clarify, DMARC does not require SPF or DKIM, but having all three is considered a best practice to properly authenticate your emails.

The trick would be to select a “relaxed” method, but use email suppression lists to control which emails you interact with and which you do not. With DMARC you are able to configure additional policies for failed verifications. That helps with the generation of email performance reports.

 DMARC record example

DMARC record example is as follows: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1; adkim=r; aspf=r

The tags in the record are more extensive than we have seen in other two email authentication methods:

• v is the version of DMARC.
• p is the policy of DMARC.
• rua email addresses receiving reports about emails failing DMARC check.
• ruf email addresses receiving individual and instantaneous reports about failed checks.
• adkim optional domain alignment for DKIM.
• aspf domain alignment for SPF.

How to properly authenticate with DMARC?

Even though I mentioned configuring SPF and DKIM with DMARC is the best practice, you might find it surprising that it is not the most popular one. And that is the precise reason spoofing is often a problem. 

If you have already configured SPF and DKIM, you must add DMARC to have the strongest email authentication method for your domain. However, it is worth taking time when configuring DMARC to ensure proper authentication. If the configuration was flawed the DMARC tests fail. 

Conclusion

And now you know the tips and tricks on how to properly authenticate your email. Many might consider email authentication a complicated procedure, yet proper guidance can help significantly. We understood how email authentication improves email deliverability.

And with improved email deliverability you have better control over soft and hard bounces. It is important to take time in understanding email authentication and patiently configure it within your business. It improves your email reputation and asserts healthier business communication.