Back to main menu

Deliverability

Email authentication: What you need to know about DMARC, SPF, DKIM, and BIMI

What to know more about email authentication but unsure where to start? In this blog we’ll explain the importance of each of the three protocols, how to configure them, and help you build trust with your audience.

Hermes delivering letter in front of screens

PUBLISHED ON

PUBLISHED ON

Sometimes the world of emails can seem like a digital Wild West; with scam bandits, fraudsters, and phishers lurking behind every whiskey-stained saloon. However, armed with the right tools and knowledge, you can don the proverbial sheriff's badge and safeguard your inbox frontier.

SPF, DKIM, and DMARC form a trusty alliance of email authentication protocols – think of them as Wyatt, Virgil, and James Earp – that show mailbox providers you are, indeed who you say you are, and keep malpractitioners far away from your brand.

And with the new Google and Yahoo requirements coming into effect in 2024, email authentication is something all senders should start taking seriously sooner, rather than later.

What is email authentication?

Email authentication is the process of verifying the legitimacy of an email sender and the integrity of their message(ing). The three standard email authentication protocols are:

  • Badge Check

    SPF (Sender Policy Framework)

  • Badge Check

    DKIM (DomainKeys Identified Mail)

  • Badge Check

    DMARC (Domain-based Message Authentication, Reporting, and Conformance).

They work in conjunction to validate a sender's identity, prevent email spoofing and phishing attacks, and improve overall security and email deliverability.

Why do I need to authenticate my email?

While most email senders send timely, relevant content to their subscribers unfortunately, as it is with many things in life, there’s a certain few that ruin it for the rest of us. Email marketing is no different.

Spammers and phishers are constantly looking to game the system, swindling unsuspecting recipients into handing over sensitive information such as account details passwords, or uploading malicious malware and viruses. To make matters worse, they often do so under your name, potentially damaging your reputation and eroding customer trust in your brand.

In addition to protecting your brand reputation, here’s a few more reasons why you should authenticate your email:

  • Badge Check

    Improve deliverability: Authenticated emails are more likely to bypass spam filters and reach recipients' inboxes, ensuring that your important communications and marketing messages are seen by your audience.

  • Badge Check

    Tighten security: By implementing authentication protocols like SPF, DKIM, and DMARC, you can strengthen the security of your email infrastructure, reducing the likelihood of email spoofing and unauthorized access to your domain.

  • Badge Check

    Compliance with industry standards: Many industries and regulatory bodies have guidelines and requirements for email authentication to protect consumer data and privacy. By authenticating your emails, you demonstrate compliance with these standards and avoid potential legal and regulatory issues.

  • Badge Check

    Optimizing email marketing performance: Authenticated emails provide recipients with confidence in the legitimacy of your messages, leading to higher engagement rates, improved click-through rates, and ultimately, better ROI on your email marketing efforts.

What are the email authentication protocols?

During the internet’s early years email quickly emerged as the primary means of communication. However, providers tended to be overly trusting at this point leading to the proliferation of spam, phishing, and email spoofing.

In response to these threats, the first email authentication protocols – SPF and DKIM – were developed in the early 2000s to verify the authenticity of email senders and prevent domain forgery. In 2012 DMARC was introduced to further strengthen these policies.

Let’s look at each one in a bit more detail.

SPF (Sender Policy Framework)

SPF acts as a sort of virtual email inbox bouncer. When an email arrives at its destination, the recipient's server asks, "Hey, are you on the guest list?" The SPF record, which acts as the guest list, contains a list of authorized IP addresses (mail servers) for a particular domain.

If the sender's email address matches one on the list, the bouncer lets it through. However, if the sender's address isn't on the IP address list, it's like trying to crash a private party without an invite—the email might get flagged as suspicious or even bounced back altogether.

In simple terms, SPF records help prevent unauthorized parties from impersonating your domain and sending potentially harmful emails, enhancing the security and reliability of your email communications.

For more information on how SPF records work and how to authenticate your email by creating an SPF record, read our in-depth article on how to handle SPF.

DKIM (DomainKeys Identified Mail)

Let’s use the postal service to help us explain what and how DKIM works. Imagine when sending a letter, you seal the envelope and write your name on the back to show it's really from you. But what if someone opens the envelope, changes its contents, and claims it's still from you? How would the recipient be any the wiser?

DKIM works a bit like a digital signature for your emails. When you send an email, your server adds a special DKIM signature to the message.

This signature is like a unique stamp (private key) that proves the email came from you (sending domain) and hasn't been tampered with along the way. When the recipient's email server receives the email, it checks the DKIM signature against a public key stored in your domain's DNS records.

If the signature matches and the key checks out, the email is considered authentic and trustworthy, like getting a letter with a verified sender's address and signature on the back. This helps prevent email spoofing and ensures that your emails are delivered safely to your recipients' inboxes.

We also put together a more detailed guide on how to create, configure, and set up DKIM in 3 easy steps

DMARC (Domain-based Message Authentication, Reporting and Conformance)

So, what happens when the bouncer either catches an email not on the guest list (SPF) or finds that its content has been meddled with (DKIM)? Well, this is where DMARC authentication comes in.

DMARC adds an extra layer of security to domain owners. It's a set of rules that tells the postal service (or, in this case, email servers) how to handle your letter. With DMARC, you're basically saying, "Hey, if this letter doesn't have my official stamp on it, or if it looks like someone's trying to tamper with it, don't deliver it—send it back to me instead."

You can set your DMARC policy to one of three settings, which will indicate what email providers do with those that have failed SPF or DKIM.

Here’s each setting and what they mean:

  • Badge Check

    p=none: Nothing happens, unauthenticated emails will still be delivered.

  • Badge Check

    p=reject: Unauthenticated emails are blocked, never seen by the recipient.

  • Badge Check

    p=quarantine: Unauthenticated emails are placed in the spam folder.

Every major mailbox provider performs a DMARC check, so having DMARC set up will offer additional protection with all the main email clients.

DMARC records help safeguard your brand image and protect your customers. Read on to learn more about them or read this article dedicated specifically to DMARC policies.

Google and Yahoo requirements 2024

In case you hadn’t heard, as of February 2024 both Google and Yahoo rolled out a new set of requirements for brands sending bulk email (5000+ emails a day). This will help reduce the risk of spam, phishing, and other malicious activities, improving the delivery of legitimate emails to subscribers' inboxes.

These three key deliverability requirements are:

  1. Badge Check

    Email authentication: Senders will be required to verify their identities with the standard protocols SPF authentication, DKIM authentication, and DMARC.

  2. Badge Check

    Add a one-click unsubscribe header: Senders will need to implement a valid List-Unsubscribe header within emails if they haven’t already, to allow recipients to easily opt out.

  3. Badge Check

    Only send emails users want: Gmail and Yahoo are getting serious about spam monitoring and senders will need to ensure they’re keeping below a set spam rate threshold.

Before you start to panic, these new requirements are actually just best practices that have existed for well over 10+ years now. In fact, many brands already abide by these authentication standards. The difference is they’re now being more strictly enforced by service providers.

“It’s an opportunity for the industry to finally come together and meaningfully upgrade the safety of the email ecosystem. We believe that all recipients should be able to trust the messages they are reading from verified senders, as well as have more control over this relationship.”

Anu Yamunan, Director of Product Anti-Abuse and Safety at Google

As it’s email authentication methods we are focusing on, both email service providers (ESP) Yahoo and Gmail mandate that bulk senders (Google set a guidepost figure of 5000 daily emails) to implement DMARC with a minimum policy of p=none. If you remember from the DMARC section above, this instructs receiving servers to log but not to take any action.

What­ you’­ll need­

How to get ther­e

What­ you’­ll need­

Gm­ail: Both­ SPF and DKIM­ are requ­ired by Gmai­l. Mess­ages that­ don’­t carr­y thes­e prot­ocols will­ be reje­cted from­ the inbo­x or mark­ed as spam­. DMAR­C is also­ requ­ired to prev­ent Gmai­l impe­rsonation in FROM­ head­ers.

If you’­re a Mail­jet user­, just­ foll­ow our deta­iled gui­de to get your­ doma­ins auth­enticated with­ SPF and DKIM­. If you’­re not,­ we’v­e outl­ined the proc­esses for obta­ining thes­e auth­entications in thes­e post­s: How­ to hand­le SP­F­ and DKI­M setu­p. For DMAR­C you will­ need­ to set up at mini­mum a p=no­ne poli­cy.

How to get ther­e

Ya­hoo: Will­ requ­ire stro­ng auth­entication and for user­s to “lev­erage indu­stry stan­dards such­ as SPF,­ DKIM­, and DMAR­C”.

Impl­ementing DMAR­C take­s a bit more­ time­, as DMAR­C allo­ws you to make­ choi­ces rega­rding your­ poli­cy base­d on your­ emai­l prog­ram. Get star­ted now by chec­king out our arti­cle Wha­t is DMAR­C and how it work­s.

If you’d like to know more about what both Yahoo and Google have to say about these changes and what they mean for email senders, we invited Yahoo’s Senior Director of Product, Marcel Becker, Google’s Director of Product Anti-Abuse and Safety, Anu Yamunan, to go through all your questions in our recent webinar.

BIMI (Brand Indicators for Message Identification)

BIMI is like the bonus track added on to a newly released EP. After you’ve done your due diligence and configured your authentication protocols (SPF, DKIM, and DMARC) you’re rewarded with this exclusive new content.

So, what is BIMI? Essentially, it allows senders to display their brand’s logo next to email messages within the inbox. You can see what that looks like in the example below:

Mobile devices with and without inbox logos

This is important for email senders for a couple reasons:

  1. Badge Check

    It shows recipients that the email is, indeed, authentic.

  2. Badge Check

    BIMI is a DNS TXT record that provides additional authentication.

Remember how we said this was a sort of reward for your good email authentication behavior? That’s because to implement BIMI your DMARC policy must be set to either p=quarantine or p=reject.

While Google and Yahoo have mandated your policy be set to p=none, this shouldn’t be your ongoing standard as it does little protect against phishing or spoofing. And, as Sinch Mailgun’s Kate Vice President of Deliverability, Kate Nowrouzi, suggests in her email predictions for 2024 this is likely to change to p=reject by the end of the year.

Moving towards implementing a stricter set of DMARC policies is definitely something to keep top of mind moving towards the end of the year.

If you want to find out more on how to implement BIMI to further strengthen your email authentication, our partners at Sinch Mailgun put together a detailed resource on why BIMI is more than just a funny name.

How Sinch Mailjet can help

Well, now that you know first-hand the importance authenticating your email program and protecting your brand image it’s time to get everything set up correctly.

We have detailed documentation to set up the SPF and DKIM email authentication protocols required by Gmail and Yahoo. If you’re looking for even more tailored support, check out our Deliverability Services! We have a dedicated team of experts ready to help your company navigate these evolving industry standards and implement the tailored strategy that best fits your email needs.

And remember, implementing these authentication protocols doesn’t just benefit your brand, but also your customers and subscribers who will be able to browse their inboxes safely and securely.

Sinch Mailjet

Need help publishing your DMARC policy?

Contact our support team to get assistance with your DMARC setup. Our team of email experts will be more than happy to answer any questions or concerns you may have.

Popular posts

Hermes rides a firework next to a Goddess in front of a night sky with more fireworks

Email best practices

6 min

Top email marketing trends for 2022

Read More

Hermes on a moped delivering mail to a mailbox

Email best practices

8 min

Reducing email’s carbon footprint

Read More

Mother's day gift for Hera

Marketing

14 min

Marketing calendar 2024: Dates you shouldn’t miss this year

Read More

It's never been easier to build connected experiences. Start sending with Mailjet today.Get started on your path
CTA icon