
You can help prevent email fraud, improve your email deliverability, and help ensure continued delivery at receiving mailboxes. Email authentication is the key.

Email authentication isn’t just about security – it’s also about deliverability. By putting DKIM and SPF records in place and authenticating your emails, you can protect your brand and help your emails successfully reach the inbox.

In this post, we’ll help you understand how email authentication has become an integral part of the delivery process and take a closer look at what happens to an email once you press send.

What is an authenticated email?

As part of the email delivery process, receiving mail servers work to determine the authenticity and legitimacy of your email.

When a receiving mail server gets your email it asks, “Is this email from who it says it’s from? How do I verify that? What do I do if the email is not successfully authenticated?”

Receiving mail servers will also look at the sending reputations associated with the sending domain and sending IP. Content, previous engagement for your sends among their users, and other reputational factors will also factor into whether your email will successfully get delivered to inboxes.

We’ve talked before about how you can broadly improve the success of your email campaigns, and how list quality or content factor into your email deliverability.

So what do we mean when we say an email has been successfully authenticated? In short, that a receiving mail server has checked for the relevant SPF records, the DKIM key associated with your email and sending domain, and that your email has successfully passed those checks.

When sending via Campaign Monitor, SPF records are automatically set up for all clients in Campaign Monitor’s DNS records and it is these records that the receiving mail server will look for.

Your DKIM key is specific to you and is hosted in the DNS records of your domain. As such, putting it in place requires some setup from the domain owner.

Now let’s talk about how a mail server can choose to accept or reject your campaigns based on how it determines the legitimacy and authenticity of your campaigns.

Your email might adhere to anti-spam regulations, contain great content and have a send-from address at your registered business domain, but those items may not be enough for a receiving mail server to give it a pass.

What you need to do is authenticate your emails, so that the receiving mail server has verifiable records to check against and say, yes, this email is from Campaign Monitor and not a phisher or a spoofer pretending to be Campaign Monitor.

What does a receiving mail server look for?

The receiving mail server looks for specific items of information in your email and in the DNS records of your domain in order to determine whether the email is legitimate and safe for its users to receive, and whether it is being sent from an authorized source.

DNS stands for Domain Name System. This system is essentially the phone book of the Web that organizes and identifies domains. While a phone book translates a name like “Acme Pizza” into the correct phone number to call, the DNS translates a web address like “www.google.com” into the physical IP address (such as “74.125.19.147”) of the computer hosting that site.

SPF is a mechanism by which a receiving domain can check whether an email has originated from a sending IP that is authorized to send emails on behalf of the admins of a given domain.

When you create an SPF record, you put in place a list of IPs/sending hosts that are authorized to send mail on behalf of your domain.

So for example, someone attempts to spoof Campaign Monitor by sending an email with a forged send-from address. To a recipient, the email may look legitimate but the content may be harmful and not from a legitimate source.

With SPF records in place, a receiving mailbox can determine whether the email that appears to be from Campaign Monitor is being sent from an IP that has been authorized for sending by Campaign Monitor.

If the sending IP and sending host match those listed in the SPF record for the send-from domain, the email will have passed SPF-based authentication.

If the email is sent from a sending host or IP that is not in the SPF record for Campaign Monitor, the receiving mail server can determine that the email is not coming from an IP authorized and verified by Campaign Monitor and that the email could be illegitimate in nature.

SPF records are added automatically for all clients in Campaign Monitor’s own DNS records. If you already have your own SPF record, be sure to add our details to it.

DKIM is a method of authentication that is based on adding a cryptographic signature to your emails. DKIM is one of the most effective ways to combat abuse and it can also greatly improve the deliverability of your emails.

To implement DKIM authentication, you need to have access to the DNS records of the sending domain in order to add a DKIM key. This ensures legitimacy as only the domain holder can amend those records and this is one of the most integral parts of how DKIM functions. Thankfully, while the mechanics behind DKIM are fairly complicated, implementing it is relatively simple.

Once you have DKIM in place in the DNS records of your domain, your emails will be much better positioned to reach the inbox and you will also be helping protect yourself and your users against spam and phishing attempts.

Here’s a whistle-stop tour of how it works:

Once DKIM records are in place and verified, your emails will have a DKIM signature added to the email header upon sending.

This signature is generated using the private key that pairs with the public DKIM key you have added to the DNS records of your domain, and a hash string based on elements of the specific email being sent. This means that every one of your emails carries a unique DKIM signature.

When a receiving mail server gets your email, it will decrypt the DKIM signature using the public key that is hosted in your DNS records. It will also simultaneously generate a new hash string based on the same elements of the email that were used when the email was sent.

If the decrypted signature matches the newly generated hash string then the email successfully passes DKIM authentication.

DKIM authentication means that a receiving mail server can do two things:

  1. It can safely determine that the owner of the domain where the DKIM key is located did send the email.
  2. The receiving mail server can also see that the contents of the email were not changed or modified in transit between the sender and the recipient.
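
The sign-and-verify flow from the tour above, as an added example that is not Campaign Monitor's code. It is a simplified model rather than an RFC 6376 implementation: the toy RSA key, the selector "s1", the domain, the DNS_PUBLIC_KEYS table and the sample message are all constructed, and the canonicalization is reduced to stripping whitespace.

```python
import base64
import hashlib

# Toy RSA key built from two Mersenne primes so the example needs no third-party
# library. Illustrative only: real DKIM keys are randomly generated and real
# signatures use PKCS#1 v1.5 padding (RFC 6376).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                              # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent, stays with the sender

# Constructed stand-in for the DNS TXT record at <selector>._domainkey.<domain>.
DNS_PUBLIC_KEYS = {("s1", "example.com"): (N, E)}
SIGNED_HEADERS = ("from", "subject")   # headers covered by the signature

# Constructed sample message; "x-trace" is deliberately not a signed header.
HEADERS = {"from": "news@example.com", "subject": "March update", "x-trace": "hop1"}
BODY = "Hello subscribers\r\n"


def _digest(headers, body):
    """Hash the signed headers plus a body hash; both sides compute this identically."""
    body_hash = base64.b64encode(hashlib.sha256(body.strip().encode()).digest()).decode()
    data = "".join(f"{h}:{headers[h].strip()}\r\n" for h in SIGNED_HEADERS)
    data += f"bh={body_hash}"
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big")


def sign(headers, body, selector="s1", domain="example.com"):
    """Sender side: return a copy of the headers with a signature field added."""
    sig = pow(_digest(headers, body), D, N)
    return {**headers, "dkim-signature": f"d={domain}; s={selector}; b={sig:x}"}


def verify(headers, body):
    """Receiver side: look up the public key and compare hashes; True on a match."""
    tags = dict(t.strip().split("=", 1) for t in headers["dkim-signature"].split(";"))
    key = DNS_PUBLIC_KEYS.get((tags["s"], tags["d"]))
    if key is None:
        return False  # no key published for this selector and domain
    n, e = key
    return pow(int(tags["b"], 16), e, n) == _digest(headers, body)
```

Changing the body or a signed header after signing makes verify return False, while changing a header outside SIGNED_HEADERS does not, which is why the choice of signed headers matters.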

For those reasons, DKIM is the most robust authentication tool in your arsenal and by putting it in place you help ensure the long-term viability and success of email marketing for your brand.

Why you should care about email authentication

The increased importance of email authentication comes as a direct result of the continued use of email as a platform for fraud, spam and spoofing.

As a result, more robust measures are being taken by ISPs and receiving mailboxes to protect their users from spam and phishing emails. The implementation of more robust policies by ISPs and an increased necessity of authentication for successful delivery is one part of that combined effort.

As more and more ISPs adopt stricter policies, senders without authentication will see difficulties with inbox placement and may find themselves at risk.

Email authentication is as important to the long-term success of your email marketing as the quality of your list or the strength of your design and content.

Wrap up

By putting email authentication in place you are mitigating the potential for email fraud targeting your brand and also helping your emails reach your subscribers.

If your email campaigns are not already authenticated, now is the time to make it happen.

  • Mike

    I’ve read DMARC is the new must have that closes the loop on SPF and DKIM. What do you guys think – is it worth enabling?

  • Carissa

    Hi Mike,

    DMARC is a great tool which references both SPF and DKIM, but it’s helpful to understand that it wasn’t created to improve deliverability, it was created to destroy the deliverability of phishers and those who would try and spoof your domain. It’s about securing your brand identity.

    Implementing DMARC requires someone who really knows DNS and folks willing to do a lot of testing and reviewing. It’s a significant amount of work for senders, and might be more trouble than it’s worth for senders whose domains aren’t likely to be used by someone else to commit fraud.

    Having said that, if you’d like to start learning about DMARC, check out the training series on DMARC on the M³AAWG website.

  • Mike

    Thanks for the clarification and link, that’s really helpful.
