Do you know how to prevent your emails from being spoofed, improve your email deliverability and ensure that people who signed up to your email lists continue to receive your marketing emails?
If you are using your domain name to send emails then email authentication is crucial to your email deliverability. It’s like the digital signature for your domain designed to protect your brand’s identity, content and reputation.
“If you spend more time on making your coffee than on securing your email communications, you’ll be hacked.” – EmailOut
Email authentication is an unnerving subject. More often than not, as an email marketer, you’ll come across an alphabet soup of different abbreviations and acronyms that will make your head spin. With the increasing number of spam and phishing emails, implementing email authentication has become essential. As daunting as the topic might be, the basic concepts are not as complex as one might think. Do you know which are the top email authentication methods that will help you ensure the security of your email marketing messages?
In this article, we’ll cover the following topics on email authentication:
- What is email authentication?
- How does it work?
- Email authentication methods
- How to set up your email authentication in EmailOut?
Ready to dive in?
The foundation of successful email marketing is for email campaigns to reach the subscribers’ inbox. You can devote hours upon hours to crafting the most highly-personalised, perfectly designed email campaign but… how will your subscribers see it if it ends up in the spam folder?
Most email providers (like Gmail, Yahoo!, Outlook, etc.) are always on the lookout for ways to make sure the emails they deliver to the users’ inbox are relevant and secure. However, with the increased distribution of unsolicited and harmful phishing emails, email servers have put numerous security protocols in place to help verify the authenticity of an email message, and its sender, before it reaches the intended recipient. If the email does not pass the required email authentication process, it’s highly likely your email campaign will experience deliverability issues like ending up in the spam folder or not being delivered at all.
To prevent your marketing emails from going to spam, you need to follow four essential email deliverability best practices –
1) only email people who’ve asked you to;
2) ensure your content is relevant, well-designed, engaging and avoid spam words/phrases (for example, free, best, download now, etc.);
3) never send emails with hard-to-read or unexpected content; and
4) don’t bombard your subscribers with tons of email campaigns or send so infrequently that they forget about you.
Five factors can have an impact on your email deliverability (aside from not having email authentication) –
a) spam complaints – when a recipient marks your email as ‘spam’;
b) bounces – when an email address is invalid or doesn’t even exist;
c) spam traps – email addresses created for the sole purpose of catching fraudulent emails;
d) IP address reputation – it measures the reputation of your IP address based on the quality and type of the emails you’re sending; and
e) domain reputation – it measures the reputation of your email address based on the quality and type of emails you’re sending.
With these factors and best practices covered, you need to shift your focus to improving your emails’ performance. Cue email authentication. But before I give you details on the four main email authentication methods, let’s first find out what email authentication is and how it works.
The Nature Of Email Authentication
In technical terms, email authentication is a process that helps identify the sending source (for example, sending domain or IP) of an email so that Internet Service Providers (ISPs) can route the email accordingly.
Simply put, email authentication is a process set to help you, the sender, prove you are who you say you are (not that J@ne D0e from M1cr0s0ft urgently requesting users to update credit card details) and that the email you’re sending is not forged/spoofed. In other words, email authentication allows email marketing tools to send emails on your behalf AND as your domain.
Every email you send is processed by the recipient’s incoming mail server. The server analyses it and, based on your email authentication method, the email either passes or fails the authentication process. Once the email server has this information, it will determine if your email should be delivered to the recipient’s inbox (pass), flagged as spam (fail) or completely disregarded by the server (fail-filtered). If you have no email authentication in place, the chances of your email being considered spam and rejected are very high, which will subsequently lead to decreased email deliverability.
The Way Email Authentication Works
Email marketers can approach email authentication in several different ways. However, as much as the implementation of each approach comes with its specific technicalities, this is how the general email authentication process works –
1) the sender establishes a policy defining the rules by which emails from their domain name can be authenticated;
2) the sender configures its email servers to implement and publish the rules;
3) the email server receiving the email authenticates the message by verifying the details of the incoming email against the rules defined by the domain owner;
4) the receiving email server takes action based on the results from the authentication process to either deliver, flag as spam or disregard the email.
When the receiving email server gets your message, it looks at specific information in your email and at the Domain Name System (DNS) records of your domain to determine whether the message is legitimate and secure, whether it is safe for the recipient to receive and, consequently, whether it came from an authorised source.
It is important to note that if you’ve set up one or more email authentication methods but your email fails their checks, it can still end up being flagged as spam or rejected by the mail servers. Hence, rather than quickly setting up only one email authentication method, ensure you have multiple email authentication methods in place and regularly monitor the effect they have on your emails and your deliverability.
Email Authentication Methods
To set up an email authentication method, you have to create a few DNS records (or upload a file) to your domain hosting provider using the information rendered by your email marketing platform.
Beyond just looking at the sender’s email address, there are four email authentication methods (or standards) ISPs use that email marketers can take advantage of to ensure their emails will not end up in the spam folder or be rejected by the mail servers.
Sender Policy Framework (SPF)
Sender Policy Framework or SPF is an email authentication method whose purpose is to detect falsification of the sender address (return-path header) during the delivery of the email. It’s a DNS record that specifies which IP addresses and/or servers are allowed to send email communications from that particular domain.
When implementing SPF, always keep in mind that each domain can have a maximum of only one SPF record.
When an SPF record is checked, there are five possible results –
a) None – no SPF record exists;
b) Neutral – an SPF record was found. Yet, neither a positive nor negative assertion was made about the sender;
c) Pass – the sender is authorised to send email communications on behalf of the domain;
d) Fail – the sender is not authorised and the mail server may disregard the email;
e) Soft fail – the sender is not authorised but the mail server may not disregard the email based on this alone.
The disadvantage of SPF email authentication is that this method alone cannot authenticate the original author of the email. Instead, it authenticates only the source of it (return-path). The best course of action to prevent email spoofing is to combine SPF with DMARC and DKIM.
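How a receiving server arrives at these results, as an added example (not EmailOut's code): it evaluates only the ip4, ip6 and all mechanisms against constructed sample records and skips mechanisms that need further DNS lookups. The permerror result for a domain with two SPF records comes from RFC 7208 and is outside the five results listed above.

```python
import ipaddress

# Qualifier in front of a mechanism -> result when that mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(txt_records, sender_ip):
    """Return the SPF result for sender_ip given a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "none"            # no SPF record published
    if len(spf) > 1:
        return "permerror"       # RFC 7208: more than one record is an error
    ip = ipaddress.ip_address(sender_ip)
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term[1:] if term[0] in QUALIFIERS else term
        name, _, value = mech.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # An IPv4 address is never "in" an IPv6 network, and vice versa.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        # include:, a, mx and redirect= need more DNS lookups; this
        # offline sketch skips them instead of resolving them.
    return "neutral"             # nothing matched and no "all" term

# Constructed sample data (documentation address ranges, not a real domain).
SAMPLE_TXT = [
    "site-verification=constructed-token",
    "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
]

if __name__ == "__main__":
    for ip in ("192.0.2.25", "2001:db8::1", "198.51.100.7"):
        print(ip, check_spf(SAMPLE_TXT, ip))
    # A second SPF record on the same domain breaks evaluation entirely.
    print(check_spf(SAMPLE_TXT + ["v=spf1 -all"], "192.0.2.25"))
```

Changing `~all` to `-all` in the sample record turns the result for an unlisted address from softfail into fail.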
DomainKeys Identified Mail (DKIM)
DomainKeys Identified Mail or DKIM is an email authentication method focused on detecting fake/fraudulent sender addresses in emails (email spoofing). Just like an SPF record, DKIM is a TXT record added to a domain’s DNS. It allows the email’s recipient to check if the email message has been indeed authorised by the owner of the domain.
This email authentication method works by adding a digital signature, linked to a specific domain name, to each outgoing email as a header. The receiver verifies the email by checking the signature against the sender’s public key published in the DNS.
Unlike SPF, DKIM uses an encryption algorithm to create a pair of electronic keys – public and private. The public key is placed in the DNS record, whilst the private key remains on the servers it was created on (i.e. your mail server).
To implement DKIM, you are required to update your DNS – just like with SPF. However, it’s a bit more involved than setting up SPF since you’ll need to –
1) choose a DKIM selector – it can be anything – a word, a number or a combination of both (in the example below, the selector is the value of the s= tag, brisbane);
    DKIM-Signature: v=1; a=rsa-sha256; d=example.net; s=brisbane;
      c=relaxed/simple; q=dns/txt; t=1117574938; x=1118006938;
2) generate both public and private keys;
3) publish your selector and public key; and
4) attach the token to each one of your outgoing emails.
This tool can be particularly useful for generating a DKIM public and private key.
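An added example (not from the original article) that takes the DKIM-Signature excerpt above and derives where the receiver looks for the public key in DNS, whether the signature has expired, and whether the published key record is usable. The key record and its p= value are constructed placeholders.

```python
import re

def parse_tags(text):
    """Parse a DKIM 'tag=value; tag=value' list into a dict."""
    text = re.sub(r"\r?\n[ \t]+", " ", text)       # unfold continuation lines
    tags = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")      # split on the first "=" only
        if sep:
            tags[key.strip()] = value.strip()
    return tags

def key_lookup_name(sig):
    """DNS TXT name a receiver queries: <selector>._domainkey.<domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def signature_expired(sig, now):
    """True when the x= expiry (Unix seconds) has passed at time 'now'."""
    return "x" in sig and now > int(sig["x"])

def key_record_status(txt):
    """Classify the TXT record published under the selector."""
    rec = parse_tags(txt)
    if rec.get("v", "DKIM1") != "DKIM1" or "p" not in rec:
        return "invalid"
    return "usable" if rec["p"] else "revoked"     # empty p= means revoked

# Header value as printed above (the excerpt has no bh= or b= tags).
SIGNATURE = ("v=1; a=rsa-sha256; d=example.net; s=brisbane;\r\n"
             " c=relaxed/simple; q=dns/txt; t=1117574938; x=1118006938;")
# Constructed key record; the p= value is a placeholder, not a real key.
KEY_RECORD = "v=DKIM1; k=rsa; p=PLACEHOLDER_BASE64_PUBLIC_KEY"

if __name__ == "__main__":
    sig = parse_tags(SIGNATURE)
    print(key_lookup_name(sig))
    print(signature_expired(sig, now=1117600000))
    print(key_record_status(KEY_RECORD))
```

When you rotate keys, publishing the old selector with an empty p= tells receivers that key has been revoked.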
Domain Message Authentication Reporting and Conformance (DMARC)
Domain Message Authentication Reporting and Conformance or DMARC is an email authentication method focused on handling the problem of email spoofing by protecting both the sender and the recipient. Your DMARC record instructs the receiving server not to accept an email if it fails DKIM and SPF checks.
Is DMARC enough for email authentication? On its own – no. DMARC needs SPF to work.
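The decision a receiving server makes once the SPF and DKIM results are in, as an added example (not EmailOut's code); it also shows why an SPF pass only counts when it is for a domain that matches the From address. The domain brand.example, the DMARC record and the relaxed-alignment shortcut are assumptions made for illustration; real receivers compare organizational domains using the Public Suffix List.

```python
# Policy tag p= -> what the receiver does with a message that fails DMARC.
ACTIONS = {"none": "deliver", "quarantine": "flag as spam", "reject": "reject"}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict; None if it is not one."""
    tags = {}
    for part in (txt or "").split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" and "p" in tags else None

def aligned(auth_domain, from_domain, mode):
    """Does the authenticated domain match the visible From domain?"""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":                       # strict: domains must be identical
        return a == f
    # Relaxed, simplified: same domain or a parent/child of it.
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_action(from_domain, spf, dkim, record):
    """spf and dkim are (result, authenticated_domain) pairs."""
    policy = parse_dmarc(record)
    if policy is None:
        return "no policy"                # receiver uses its own filtering
    spf_ok = spf[0] == "pass" and aligned(
        spf[1], from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(
        dkim[1], from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "deliver"
    # Unknown p= values are treated like p=none in this sketch.
    return ACTIONS.get(policy["p"].lower(), "deliver")

# Constructed record for a made-up domain.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@brand.example"

if __name__ == "__main__":
    # Genuine campaign: both checks pass for the brand's own domain.
    print(dmarc_action("brand.example", ("pass", "mail.brand.example"),
                       ("pass", "brand.example"), RECORD))
    # From address claims the brand, but SPF passed for an unrelated domain.
    print(dmarc_action("brand.example", ("pass", "other.example"),
                       ("none", ""), RECORD))
```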
Brand Indicators for Message Identification (BIMI)
Brand Indicators for Message Identification or BIMI is an open standard allowing businesses to verify their identity and be easily recognised in recipients’ inboxes. Similar to SPF, DKIM and DMARC, BIMI is a text record which lives on your servers. It works alongside all the other three authentication methods to show email clients you are you. Some even call this email authentication method DMARC 2.0.
What differentiates BIMI from the other three methods is that it allows businesses to display their logo in supported inboxes.
For more information about the BIMI standard click here.
Email Authentication Methods Review
1) SPF – to authenticate the sender’s identity this standard performs a check similar to verifying a return address. Simply put, the sender can define which IP addresses are allowed to send an email for a particular domain;
2) DKIM – this standard is also used to authenticate the sender’s identity. However, it looks beyond just the sender’s email address: it uses an encryption key and digital signature to ensure the content of the email has not been altered and to verify the email is authentic and not spoofed;
3) DMARC – think of this standard as a courier. It ensures emails meet SPF and DKIM requirements before they are even delivered; and
4) BIMI – this standard focuses on improving the sender’s credibility and legitimacy by displaying the sender’s logo in the inbox next to the email. If a brand has set up a BIMI record, once the receiving email server receives the email, it’ll run the usual DNS checks for the sender domain and, if a BIMI record is found, it’ll ‘fetch it’ and show it.
Setting Up Email Authentication In EmailOut
By updating your Domain Name System (DNS) settings, you will benefit from DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) and Domain Message Authentication Reporting and Conformance (DMARC) authentication.
Before you even begin with EmailOut’s DNS settings set up, make sure the email address you plan to send from is set up correctly. (N.B. EmailOut allows users to add as many ‘alternative email addresses’ as they’d like.)
Your next step is to access the dedicated DNS tool. There you will see three CNAME records that you’ll need to update your DNS settings –
With these CNAME records at hand, head to your hosting service provider and search for a feature called ‘Manage DNS’ (or something similar), select your domain, then ‘Add New’ record and set the ‘Type’ to CNAME and ‘TTL’ to the smallest value. Afterwards, enter one record at a time like the example below:
If the DNS set up is successful, EmailOut’s DNS tool will have three green status ticks –
How long will the DNS set up take? The TTL (Time-To-Live) determines the time the records will take to propagate. This will vary for each domain hosting provider and may display as ‘1 Hour’ or ‘3600 seconds’ for example. Most providers will tell you it can take up to 48 hours but it’s usually a lot faster than this. The average time is 2 hours.
Email authentication is like a digital ID. It protects your brand’s integrity, identity and reputation. Implementing the proper email authentication methods like SPF, DKIM, DMARC and BIMI will help you improve your email deliverability and email engagement, and reassure your subscribers that you are who you say you are, thus creating a trusting relationship between you and the recipient.
To ensure everything with your email authentication is going smoothly, I recommend keeping an eye on email security metrics such as bounce and deliverability rates. If you notice a spike in bounces and a decrease in email deliverability, there might be something wrong with your email authentication. Ah, and remember, it’s always better to have more than one email authentication method in place.
Highly recommended further reading –
Changing DNS settings in common Domain Hosting Providers
- GoDaddy: How to add a CNAME record
- AWS: Supported DNS record types
- 123Reg: Creating a CNAME record
- FreeParking: Managing DNS Resource Records
- NameCheap: Creating a CNAME record for your domain
- G Suite (Google): Add a CNAME record to your domains DNS records