
6 Steps To Email Authentication With SPF, DKIM, And DMARC

Marketing campaigns often rely on marketing emails, but these emails are no good unless potential customers receive them. This post will describe a plan to help ensure your emails are getting to where you want them to go.
Steps To Authenticate

Marketing email campaigns bring in valuable traffic, engagement and leads for many organizations. But before you fret over open rates or unsubscribes, are you sure the emails you send are arriving? This post will describe a plan to help ensure your emails are getting to where you want them to go. In addition, we’ll cover how to stop others from sending emails that look like they’re from your domain when they’re not.

To get your emails delivered properly, here are the steps to take:

  1. Understand the meaning of email authentication by looking at Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC)
  2. Create a list of your email service providers and other sources of emails from your domain
  3. Make sure each of your email service providers and email sources has SPF and DKIM set up
  4. Implement DMARC aggregate and forensic reports for your domain
  5. Implement DMARC to request quarantining for unauthorized emails
  6. Implement DMARC to request rejection of unauthorized emails

1 Understanding email authentication

If your emails are properly authenticated, they’ll show up in your recipient’s inbox. Email authentication is the method of ensuring that an email is coming from who it claims to be coming from. The means of email authentication are based on three technical specifications: SPF, DKIM, and DMARC.

SPF lets a receiving server check that the server an email actually arrived from is one the sending domain has authorized (via a DNS TXT record) to send email on its behalf.

DKIM is a digital signature method that allows verification that the email was created by a server with access to the domain’s DKIM private key and the email was not modified after it was sent.

DMARC tells receiving servers what to do when SPF or DKIM checks fail, or pass but do not align with the domain in the From: header, and where to send reports about those failures.

The best way to ensure your emails are delivered and your domain is in good email standing is to implement SPF and DKIM for all your email services and other entities that send emails from your domain. Once this is done, DMARC can be used to cause email recipients to reject emails that do not pass the SPF and DKIM checks. The first step is to make a list of all the email services and entities you use, so you can start implementing SPF and DKIM for each.

2 List your email sources

Since our end goal is to have DMARC instruct email recipients to reject any emails that don’t pass SPF and DKIM checks, it’s important to implement SPF and DKIM for all sources of emails from your domain and every subdomain.

You need to implement SPF and DKIM for all subdomains you send emails from. So, if you have emails coming from yourdomain.com, you need SPF and DKIM for each service coming from the apex domain, yourdomain.com. If you are also sending emails from marketing.yourdomain.com, you’ll need to set up SPF and DKIM on that subdomain, marketing.yourdomain.com for each service coming from there.

I suggest using a spreadsheet to track the services and entities you have sending emails, with one row per source and sending domain or subdomain.

Examples might be the Sendgrid service or Sendmail sending emails from a server. Once you have your email sources listed, it’s now time to implement SPF and DKIM for each.

3 Set up SPF and DKIM for each email source

Use the table you created to make sure you’ve set up SPF and DKIM for each of your email sources. Most email services have instructions on how to set these up. Examples include Gmail DKIM, Gmail SPF and Sendgrid domain verification (which will implement SPF and DKIM). If you have a server you’re using to send emails, I suggest you don’t do that, but if you have to, then add the IP of your server to your SPF record with an ip4 mechanism, like: ip4:1.2.3.4 (include: is for pulling in another domain’s SPF record, not for IP addresses). To configure DKIM on a server, you essentially need to set up a private key on the server and add the public key to a TXT record on the relevant domain.

Each email service has slightly different instructions on how to set up DKIM and SPF. Some services require the addition of TXT records directly for SPF, and some services use CNAMEs that, when followed, resolve to the required SPF records.
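To make the ip4: versus include: distinction concrete, here is a small SPF evaluator I have added for this post (it is not the post’s own code and not a full RFC 7208 implementation). The SPF records in SPF_RECORDS are a constructed stand-in for DNS lookups, and broken.example repeats the include:<IP> mistake described above so you can see what a receiver would make of it.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (assumption: these
# networks are made up for illustration; real code would query DNS).
# "broken.example" uses include: with an IP address, the mistake discussed
# in the text, instead of ip4:.
SPF_RECORDS = {
    "yourdomain.com": "v=spf1 include:_spf.google.com include:sendgrid.example ip4:203.0.113.10 -all",
    "_spf.google.com": "v=spf1 ip4:209.85.128.0/17 ip6:2a00:1450:4000::/36 ~all",
    "sendgrid.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "broken.example": "v=spf1 include:1.2.3.4 -all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(domain, sender_ip, depth=0):
    """Evaluate the ip4/ip6/include/all mechanisms of a domain's SPF record
    for one sending IP. Returns pass, fail, softfail, neutral, none or
    permerror. (a, mx and exists are omitted to keep the example short.)"""
    record = SPF_RECORDS.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"        # the domain publishes no SPF record
    if depth >= 10:
        return "permerror"   # RFC 7208 caps DNS-querying terms at 10
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech == "all":
            return RESULTS[qual]
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qual]
        elif mech.startswith("include:"):
            # include: names another DOMAIN whose record is evaluated in
            # turn. An IP address here is just a domain name with no
            # record, which RFC 7208 treats as a permanent error, not a
            # match.
            sub = spf_check(mech[len("include:"):], sender_ip, depth + 1)
            if sub == "pass":
                return RESULTS[qual]
            if sub in ("none", "permerror"):
                return "permerror"
    return "neutral"         # nothing matched and no 'all' term was present
```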

Once you’re done adding the SPF and DKIM records, it’s time to check your work.

4 Verify your work with DMARC reports

DMARC lets you give instructions to email servers that receive your emails about what to do with emails that fail SPF or DKIM authentication checks. Dialing in your DMARC settings is a three-part process: initially just receiving reports about emails that fail SPF and DKIM checks, then quarantining those emails, and finally rejecting them.

While SPF records are required on each specific subdomain you send from, a single DMARC TXT record can be placed at _dmarc.yourdomain.com on your apex domain, and it applies to the apex domain and to every subdomain that does not publish its own DMARC record.

DMARC is implemented using a DNS TXT record that has many optional and a few required tags. Here is an example of how to send a summary and fail reports to an email address:

    v=DMARC1; p=none; fo=1; pct=100; rua=mailto:hosting@soliddigital.com; ruf=mailto:hosting@soliddigital.com

p=none means to take no action, and the addresses after rua= and ruf= are where aggregate and forensic reports are sent, respectively.

The fo tag defines which failures result in a forensic report. The default value is 0, which generates a report only if all mechanisms fail to align. It is a good idea to change this to 1, which creates a report if any mechanism fails to produce an aligned “pass.”

Once you start receiving reports, you can use MXToolbox’s free DMARC report analyzer to understand them, or you can use a paid service. Check whether the IP addresses in the reports belong to any of the email sources you use. https://ipinfo.io/ is a good tool to accomplish this. For example, if you see the IP 209.85.220.73 in your report, you can find out more about the IP here: https://ipinfo.io/209.85.220.73. You can see it’s associated with Gmail, so maybe your Gmail SPF or DKIM is not set up correctly.
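If you would rather look at the raw reports yourself, the aggregate reports (rua) are XML in the RFC 7489 feedback format. The following is an added example, not part of the post or any analyzer it mentions, that tallies messages per source IP and lists the sources that failed DMARC outright; SAMPLE_REPORT is a constructed, trimmed report whose IPs and counts are made up (209.85.220.73 is the Gmail address from the text, the others are documentation ranges).

```python
import xml.etree.ElementTree as ET

# Constructed DMARC aggregate report in the RFC 7489 feedback format
# (assumption: receiver name, IPs and counts are made up for illustration).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>r-1</report_id></report_metadata>
 <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
 <record><row><source_ip>209.85.220.73</source_ip><count>42</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
 </row><identifiers><header_from>yourdomain.com</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>10</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
 </row><identifiers><header_from>yourdomain.com</header_from></identifiers></record>
 <record><row><source_ip>192.0.2.9</source_ip><count>5</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
 </row><identifiers><header_from>yourdomain.com</header_from></identifiers></record>
</feedback>"""

def summarize_report(xml_text):
    """Aggregate a report per source IP: message count, the aligned SPF and
    DKIM results, and whether the mail passed DMARC. policy_evaluated holds
    the *aligned* results, and DMARC passes when either one is a pass, so a
    forwarded message that lost SPF but kept its DKIM signature still passes."""
    root = ET.fromstring(xml_text)
    summary = {}
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        entry = summary.setdefault(ip, {"count": 0, "dkim": dkim, "spf": spf})
        entry["count"] += int(row.findtext("count"))
        entry["dmarc_pass"] = dkim == "pass" or spf == "pass"
    return summary

def failing_sources(xml_text):
    """Source IPs whose mail failed both aligned checks. Look each one up
    (for example at ipinfo.io) to decide whether it is one of your own
    misconfigured senders or someone else using your domain."""
    return sorted(ip for ip, e in summarize_report(xml_text).items()
                  if not e["dmarc_pass"])
```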

You should also look at individual emails and make sure they are passing both SPF and DKIM. You can do this by using your email sources to send you emails directly, or by having someone forward an email to you. Checking the SPF and DKIM validity of an email with Gmail is simple: just click the three dots and select “Show original.”

Once you do this, you’ll see details about the email, including SPF, DKIM, and DMARC specifics.

You can try to fix any issues you see and resend the email. For example, if you are sending emails via Gmail that are not passing SPF, make sure you have include:_spf.google.com in your SPF record.

Once you are confident that the fails you see on your DMARC reports are not originating from you, you can request receiving email servers to quarantine them.

5 Quarantine emails with DMARC

To request quarantine for emails that fail DMARC, change p=none to p=quarantine. You don’t want to do this suddenly, since it might affect the delivery of legitimate emails. To help gently introduce the quarantine process, you can use the pct percentage tag. This tag allows you to only apply the rule to some of the emails while you analyze the aggregate reports and make sure your legitimate emails are getting through.

Start with 10 percent, then slowly move up to 100 with a waiting period of a few days or weeks between each increase.

Here is how you would quarantine 10 percent of failing emails:

    v=DMARC1; p=quarantine; fo=1; pct=10; rua=mailto:hosting@soliddigital.com; ruf=mailto:hosting@soliddigital.com

After you do this, you’ll want to keep a close eye on your emails and ask people to notify you if they notice emails from you or your company starting to go into their spam folder.

If there are any problems, go back to p=none; otherwise, you are ready to request rejections of emails failing DMARC.

6 Reject emails with DMARC

Finally, you can change p=quarantine to p=reject. Don’t forget to bump your pct percentage tag back down to 10 and slowly ratchet back up.

    v=DMARC1; p=reject; fo=1; pct=10; rua=mailto:hosting@soliddigital.com; ruf=mailto:hosting@soliddigital.com

A DMARC policy is only a request that receiving email servers may or may not honor, but reject is the most secure setting for DMARC. Your end goal should be to get to:

    v=DMARC1; p=reject; fo=1; pct=100; rua=mailto:hosting@soliddigital.com; ruf=mailto:hosting@soliddigital.com
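Before publishing each step of the rollout in sections 5 and 6, it helps to validate the record and confirm the change really is gradual. The following is an added example (not code from the post) that parses a DMARC TXT record, checks the tags used above, and checks that a proposed record raises p by at most one level and resets pct to 10 or less whenever p is raised; the exact step rules are my reading of the advice in the text.

```python
VALID_POLICIES = ("none", "quarantine", "reject")

def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict and validate the tags the post
    uses (v, p, pct, fo, rua, ruf). Raises ValueError on a bad record."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0] != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    tags = {}
    for part in parts:
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key] = value
    if tags.get("p") not in VALID_POLICIES:
        raise ValueError("p is required and must be none, quarantine or reject")
    tags["pct"] = int(tags.get("pct", "100"))        # pct defaults to 100
    if not 0 <= tags["pct"] <= 100:
        raise ValueError("pct must be between 0 and 100")
    if not set(tags.get("fo", "0").split(":")) <= {"0", "1", "d", "s"}:
        raise ValueError("fo values are 0, 1, d and s, colon separated")
    for key in ("rua", "ruf"):      # report destinations are mailto: URIs
        if key in tags and not all(u.strip().startswith("mailto:")
                                   for u in tags[key].split(",")):
            raise ValueError(f"{key} must be a comma-separated list of mailto: URIs")
    return tags

def is_gradual_step(current, proposed):
    """True when moving from `current` to `proposed` follows the rollout in
    the post (assumption: my reading of it): p rises by at most one level
    (none -> quarantine -> reject) and pct is reset to 10 or less whenever
    p rises. Changes at the same level and roll-backs to a weaker p pass."""
    cur, new = parse_dmarc(current), parse_dmarc(proposed)
    step = VALID_POLICIES.index(new["p"]) - VALID_POLICIES.index(cur["p"])
    if step <= 0:
        return True
    return step == 1 and new["pct"] <= 10
```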

Secure Emails Deliver

Making sure all the emails sent on behalf of your domain are properly authenticated with SPF and DKIM is a lot of work. It might take from days to weeks to dial in your email authentication. When communicating, trust is important. Email authentication via SPF, DKIM, and DMARC establishes trust between you and your email recipients so that your marketing campaigns can be more effective.
