All About Email Authentication | Email Deliverability Unfiltered – Episode 4

Host: Lauren Meyer, VP of Industry Relations & Compliance at Kickbox
Guest: Matthew Vernhout, VP of Deliverability at Netcore Solutions

Meet Matthew

Matthew Vernhout is the VP of Deliverability North America for Netcore Solutions, the founder and editor-in-chief at EmailKarma.net and the founder of the Canadian Email Summit. Matt’s resume is extensive because he’s been working in email for 20 years. He’s a very active member within the email and digital marketing community, advocating on behalf of privacy, deliverability, and many other things.

He’s worked at several ESPs, sat on the board for or been chair of multiple organizations, including Auth-Indicators Working Group (focusing on BIMI) and the Email Experience Council. And to top it off, he was named the EEC’s Email Marketer Thought Leader of the Year in 2019.

Find Matthew on Twitter or Linkedin.

What is email authentication?

One of the most important aspects of email marketing is building trust. Whether it’s with mailbox providers (MBPs), subscribers, or email service providers (ESPs), your brand and your reputation as a sender are everything. And while it would be great for MBPs to be able to trust the mail based on your sending domain right off the bat, anyone who’s gotten a spoofed email that they thought was legitimate knows that isn’t always the case.

That’s where authentication comes into play. One of the more technical aspects of email, email authentication, is a series of technical solutions aimed at helping MBPs with the complicated task of delivering only legitimate emails from your domain to the inboxes of their users while refusing emails sent by anyone pretending to be you.

Why is Email Authentication Important?

While email authentication protocols can take some time to understand and implement, it’s an important part of deliverability and success with email for a few reasons.

It sets you apart from most senders on the internet.
According to Mimecast, 70% of all email sent worldwide is malicious. Yikes! That means it’s up to you to show MBPs like Gmail or Outlook that you are a legitimate sender who deserves consistent inbox placement. If your domain is authenticated, it signals to MBPs that your domain is less likely to generate bad email activity caused by others pretending to be you.

It improves sender reputation and deliverability.
Trusted mail is more likely to generate positive engagement by subscribers like opens and clicks. And that positive engagement shows MBPs that mail is trusted and wanted by subscribers and that email sent from your domain should be placed in the inbox more consistently.

It protects brand reputation.
When it comes to your long-term moneymaker, nothing tops your company’s brand. Authenticating your email reduces the likelihood of your subscribers receiving phishing messages from your domain, building trust and that warm, fuzzy feeling when they see emails from your brand.

But what does “authentication” actually mean from a sender’s perspective? Over the years, it has evolved into several protocols. We’ll walk through a couple of the more common authentication protocols you should be aware of and consider implementing in this post.

Authentication standards you need to know about

Each of the authentication standards below solves a slightly different problem, helping improve the overall legitimacy, trustworthiness and security of an email. We’ll dig deeper into each one individually, but here is a high-level summary:

  • SPF: helps MBPs verify that messages appearing to come from a particular domain, in the “Mail From:”, are sent from IPs or servers authorized by the domain owner.
  • DKIM: adds a digital signature to every message. This lets receiving servers (aka MBPs) verify that messages aren’t forged and weren’t changed during transit.
  • DMARC: enforces SPF and DKIM authentication, and lets domain owners and admins get reports about message authentication and delivery status.
  • BIMI: requires a DMARC policy at enforcement and enables senders to display brand-controlled logos in their customer’s inbox.

All of these are implemented by adding a TXT record to a domain’s DNS records. And the good news is that if you’re facing a deliverability issue that is driven by authentication, it’s something you can fix relatively quickly (unlike sender reputation).

Let’s start with SPF and DKIM, which have both been around since the early 2000s, when spoofing and phishing attempts began to rise. At a very basic level, note that SPF and DKIM should be the minimum setup for any email sent today because MBPs consider them standard practice.

SPF

Sender Policy Framework (SPF) is an email authentication protocol that allows the owner of a domain to inform MBPs which IPs and/or mail servers are authorized to send email on behalf of that domain.

It was designed to help protect a sending domain from sender address forgery (aka “spoofing”) and allow MBPs to have more trust in the legitimacy of an email. Spoofed messages are used for a variety of malicious purposes, for example, to spread false information, to send out malware, or to trick people into giving out sensitive information.

In order to implement SPF, a TXT record is added to the DNS (Domain Name System) zone file of a domain, specifying which IP addresses are allowed to send email on behalf of that domain. When an email is sent, MBPs check the SPF record of the “envelope from” domain (also called the return-path) to see if the IP / mail server which sent the email is included.

  • If the lookup is a match (aka “pass”), the email passes through to the next security check or spam filter and may eventually be delivered to the inbox.
  • If the SPF lookup fails, it’s indicative of spam, so it’s possible the mail will be delivered to the spam folder or rejected entirely because the MBPs do not have confidence that the mail is actually from you.

If you use an ESP, it’s possible that they default to authenticating emails with their own SPF and DKIM domains. If you want SPF to be evaluated against your own domain, you would need to add their sending servers to your SPF record to let MBPs know that it’s ok to accept mail from your domain if it comes from that ESP’s servers.

During our discussion, Matthew pointed out that “Like all things in life, you need to do a little bit of housekeeping from time to time.” If your SPF record becomes out of date, or if you keep adding services or suppliers (e.g., your ESP, ticketing support service, CRM platform, your own website, corporate mail servers, etc.), you can bloat the record beyond the specification (which limits you to 10 DNS lookups). This can cause delivery issues, so it’s recommended to use subdomains for each mail stream (i.e., welcome program, marketing newsletters, transactional emails, sales emails, etc.), so you can segment those streams and authenticate each one properly.
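To see how quickly include: chains eat into the 10-lookup limit, here is an added example (not code from the original post or from Kickbox) that walks an SPF record the way a receiver does and counts the lookups. DNS is replaced by a constructed in-memory zone with hypothetical domain names, so it runs offline; a real checker would issue TXT queries instead.

```python
import re

# Constructed zone (domain -> SPF TXT record); every name here is hypothetical.
# A real checker would fetch these with DNS TXT queries.
ZONE = {
    "example.com": ("v=spf1 include:_spf.esp.example include:crm.example "
                    "include:helpdesk.example a mx ip4:203.0.113.0/24 -all"),
    "_spf.esp.example": "v=spf1 include:_spf1.esp.example include:_spf2.esp.example ~all",
    "_spf1.esp.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "_spf2.esp.example": "v=spf1 ip4:198.51.100.0/23 a:relay.esp.example -all",
    "crm.example": "v=spf1 mx redirect=_spf.crm.example",
    "_spf.crm.example": "v=spf1 ip6:2001:db8::/32 -all",
    "helpdesk.example": "v=spf1 a mx -all",
}

# Terms that cost a DNS query toward the limit of 10 (RFC 7208, section 4.6.4).
# ip4, ip6 and all cost nothing, and exp= is not counted either.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM_RE = re.compile(r"^([a-z0-9]+)(?:[:=]([^/]*))?(?:/[\d/]+)?$", re.I)


def count_lookups(domain, zone=ZONE, path=()):
    """Return (lookups, warnings) for domain's SPF record, following include:
    and redirect= recursively the way a receiving server would."""
    if domain in path:
        return 0, [f"include/redirect loop at {domain}"]
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return 0, [f"no SPF record for {domain} (a receiver returns permerror)"]
    lookups, warnings = 0, []
    for term in record.split()[1:]:            # skip the v=spf1 version tag
        m = TERM_RE.match(term.lstrip("+-~?"))   # drop the qualifier
        if not m:
            warnings.append(f"{domain}: unparseable term {term!r}")
            continue
        name, arg = m.group(1).lower(), m.group(2)
        if name not in LOOKUP_TERMS:
            continue
        lookups += 1
        if name in ("include", "redirect"):
            sub, sub_warnings = count_lookups(arg, zone, path + (domain,))
            lookups += sub
            warnings.extend(sub_warnings)
    if not path and lookups > 10:              # only report the total at the top level
        warnings.append(f"{domain}: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    return lookups, warnings


if __name__ == "__main__":
    total, warns = count_lookups("example.com")
    print(f"example.com: {total} lookups")
    for w in warns:
        print("  warning:", w)
```

The constructed example.com record needs 12 lookups once its includes are expanded, which is exactly the kind of bloat that produces a permerror at the receiver.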

DKIM

While SPF is helpful in establishing some trust in the legitimacy of emails, it only tests where an email came from and whether it was approved to come from that location. It does not protect against the kinds of spam, spoofing and phishing where someone intercepts a message in transit and changes the content, or replays that content with different (malicious) URLs.

As a result, DomainKeys Identified Mail (DKIM) was introduced, allowing senders to authenticate the content of their messages, and receivers (MBPs) to trust that the message has not been modified during transmission. It’s common to have one key from the sender (brand) and one key from the network the message is sent from (the ESP).

The way this works is by using a pair of keys: one private and one public, to verify the validity of a message.

  • Your mail server uses a private key to add a digital signature header (DKIM-Signature) to all outgoing messages sent from your domain.
  • The matching public key is published in the Domain Name System (DNS) record for your sending domain. When an email server receives a message from your domain, it retrieves the public key and uses it to verify the signature, confirming that the signed headers and body haven’t been altered.

This process gives MBPs the ability to check the source, the content, and pair those together in order to build a reputation profile and find an answer to one question: is this mail likely coming from a legitimate source?

As Matthew mentioned during our chat, DKIM essentially allows the receiving side to prove that stamp A matches stamp B when it arrives.

We’ve just barely broken the surface on DKIM, so check out this great DKIM resource from Postmark to gain a deeper understanding of how it works and how you can implement it.
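The “stamp A matches stamp B” idea is easiest to see in the body hash: the signer puts base64(sha256(canonicalized body)) in the bh= tag, and the receiver recomputes it from the body as received. The following is an added example (not from the original post or from Postmark) of that recomputation using the “relaxed” body canonicalization from RFC 6376; the sample bodies and the DKIM-Signature tags are constructed, and the b= signature over the headers, which needs the public key from DNS, is left as a placeholder rather than verified.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 "relaxed" body canonicalization: collapse runs
    of whitespace to one space, strip trailing whitespace on each line, drop
    trailing empty lines, and end a non-empty body with exactly one CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" \t") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """The bh= value: base64(sha256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split 'tag=value; tag=value'; folding whitespace inside values is not significant."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def make_signature_header(body: bytes) -> str:
    """Signer side, reduced to the tags this example uses. b= (the RSA signature
    over the listed headers, made with the private key) is a placeholder here."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
            "h=from:to:subject:date; bh=" + body_hash(body) + "; b=PLACEHOLDER")


def verify_body_hash(dkim_signature: str, body: bytes) -> bool:
    """Receiver side: recompute bh= from the body as received and compare."""
    tags = parse_dkim_tags(dkim_signature)
    if tags.get("a") != "rsa-sha256" or tags.get("c") != "relaxed/relaxed" or "l" in tags:
        raise ValueError("example handles only a=rsa-sha256, c=relaxed/relaxed, no l= tag")
    return hmac.compare_digest(tags.get("bh", ""), body_hash(body))


# Constructed sample bodies (CRLF line endings, as on the wire).
ORIGINAL_BODY = b"Hello,\r\n\r\nYour order  has shipped.   \r\nThanks\r\n\r\n\r\n"
REFLOWED_BODY = b"Hello,\r\n\r\nYour  order has shipped.\r\nThanks\r\n"   # whitespace changes only
TAMPERED_BODY = b"Hello,\r\n\r\nYour order has shipped. See http://not-the-real-link.example/\r\nThanks\r\n"

SIGNATURE = make_signature_header(ORIGINAL_BODY)   # what the signer would have emitted


def check(body: bytes) -> bool:
    """True when the received body still matches the signed bh= value."""
    return verify_body_hash(SIGNATURE, body)


if __name__ == "__main__":
    for label, body in [("original", ORIGINAL_BODY), ("reflowed", REFLOWED_BODY),
                        ("tampered", TAMPERED_BODY)]:
        print(f"{label}: body hash {'matches' if check(body) else 'MISMATCH'}")
```

Relaxed canonicalization is why whitespace reflowing by an intermediate server does not break the signature, while a changed link does.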

It’s important to note that implementing SPF and DKIM is considered standard practice by Mailbox Providers (MBPs), so be sure to have them configured for all of your sending domains.

If you use an Email Service Provider (ESP) to send your emails, they will be the best resource for getting your sending domain properly set up. You can also refer to Google’s tips for SPF and DKIM, or plug your domain into Netcore’s grademyemail tool, which guides you through the process of creating these TXT records and adding them to your DNS.

DMARC

Introduced back in 2012, Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email authentication, policy, and reporting protocol designed to protect your company’s email domain from being used for email spoofing, phishing scams and other nefarious cyber activity.

When a domain owner publishes a DMARC record into their DNS record, it allows them to have more control over how MBPs handle emails from their domain in the event that they are not properly authenticated with SPF and/or DKIM. It’s your way of telling the MBPs that if it doesn’t pass authentication, it’s probably not actually you, and they shouldn’t deliver it to their users’ inboxes.

You can choose to set your policy to 3 different levels:

  • p=none (aka “monitor mode”) – tells MBPs to take no action if your authentication fails
  • p=quarantine – informs MBPs to place the mail in the quarantine / spam folder because you’re fairly certain it’s not from you, given that it fell outside your authentication records (but you’re not 100% sure, so you don’t want the MBP to reject it)
  • p=reject – informs MBPs to “reject the mail” if authentication fails because you’re really sure that everything you send is well authenticated, so if they get something from you that’s not passing, it’s probably not actually from you.

One major point of confusion with DMARC is that you don’t need both SPF and DKIM to be passing. If you get a pass condition on both or even just one of those, DMARC will pass, and you’re good to go. It’s only when you get a fail condition on both SPF & DKIM that MBPs will need to take action, as per the DMARC policy you selected (above).

As Matthew said during our interview, one of the biggest benefits of implementing DMARC is the reporting: having the ability to know when and where emails are being sent using your domain. If an authentication failure is detected, you have access to detailed reporting (including the IP that sent the mail, the pass/fail condition and the domains involved) to know if you’re improperly authenticating your own mail or if some bad actor is trying to send spoofing or phishing emails while pretending to be you.

It is recommended for all to begin their DMARC implementation with p=none, which is often referred to as “monitor mode”. This activates the DMARC reports that are sent by most of the major MBPs, allowing you to identify and resolve any issues with your SPF, DKIM or DMARC setup without impacting the deliverability of your own emails. It’s not uncommon for organizations to discover some long-forgotten mail server that needs to be updated during this time.
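The aggregate (rua) reports that monitor mode turns on arrive as XML, one <record> per sending IP, carrying the fields described above: source IP, message count, the aligned SPF/DKIM verdicts, and the domains involved. Here is an added example (not from the original post or from Kickbox) that parses such a report and separates your own misconfigured traffic from unknown sources; the report itself is constructed, with hypothetical IPs and domains.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report with three sending sources (hypothetical values).
SAMPLE_REPORT = """<feedback>
 <report_metadata>
  <org_name>mx.receiver.example</org_name>
  <report_id>constructed-0001</report_id>
  <date_range><begin>1600000000</begin><end>1600086400</end></date_range>
 </report_metadata>
 <policy_published>
  <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
 </policy_published>
 <record>
  <row><source_ip>203.0.113.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results>
   <dkim><domain>example.com</domain><selector>sel1</selector><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf>
  </auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.7</source_ip><count>45</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>bounce.esp.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.99</source_ip><count>800</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
 </record>
</feedback>
"""


def summarize_report(xml_text: str) -> list:
    """One dict per <record>. policy_evaluated holds the *aligned* verdicts that
    DMARC actually uses; auth_results holds the raw SPF/DKIM checks."""
    root = ET.fromstring(xml_text)
    published = root.findtext("policy_published/domain")
    rows = []
    for rec in root.iter("record"):
        ev = rec.find("row/policy_evaluated")
        dkim_aligned = ev.findtext("dkim") == "pass"
        spf_aligned = ev.findtext("spf") == "pass"
        raw_spf = rec.find("auth_results/spf")
        entry = {
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dkim": dkim_aligned,
            "spf": spf_aligned,
            "dmarc_pass": dkim_aligned or spf_aligned,   # one aligned pass is enough
            "note": "",
        }
        # Raw SPF pass for a different domain = usually your own ESP traffic
        # sending with its bounce domain and no aligned DKIM signature.
        if raw_spf is not None and raw_spf.findtext("result") == "pass" and not spf_aligned:
            entry["note"] = (f"SPF passed for {raw_spf.findtext('domain')} but is not aligned "
                             f"with {published}; check this source's DKIM/return-path setup")
        rows.append(entry)
    return rows


def failing_sources(xml_text: str) -> list:
    """Records where neither SPF nor DKIM gave an aligned pass."""
    return [r for r in summarize_report(xml_text) if not r["dmarc_pass"]]


if __name__ == "__main__":
    for r in failing_sources(SAMPLE_REPORT):
        print(f"{r['source_ip']:<14} {r['count']:>5} msgs  {r['note'] or 'no raw pass: unknown sender'}")
```

In the constructed report, 198.51.100.7 is the “forgot to align the ESP” case and 192.0.2.99 is an unknown source that fails everything, which is the distinction you want before moving past p=none.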

Want some help with your DMARC reports? The aggregated DMARC reporting and alerting features within the Kickbox Deliverability Suite allow you to proactively monitor for DMARC failures and be alerted of issues with your SPF, DKIM and DMARC authentication when they arise. Powerful data filters and a streamlined interface enable you to dive deep into your DMARC reports with just a few clicks when something seems amiss.

Get your free consultation today to see if the Deliverability Suite is right for you.

Some senders may never move past monitor mode, whereas banks and other financial companies like Paypal almost always have their DMARC policy set to the strictest enforcement level (p=reject). This is due to the sensitive nature of the emails they send, as well as the increased likelihood of their brand being spoofed.

Once you’ve confirmed that all of the mail you send is properly configured, you can move on to a p=quarantine enforcement policy and eventually to p=reject. This process needs to be handled with care, as moving to a strict enforcement too quickly can lead to authentication issues resulting in MBPs rejecting your legitimate emails.

The adoption of DMARC has been relatively low, considering how many domains are actively sending email within any given day or week. A Valimail study released over the summer indicates that while DMARC adoption has increased 48% over last year (2019), and almost 2.5x the number of 2 years ago (2018), most of the 1 million domains that have published DMARC records have only gone as far as monitor mode.

Why so low? “Too many organizations find it difficult to reach DMARC enforcement due to the complexity of their email ecosystems and the fear of accidentally blocking good senders when moving to a more restrictive policy,” the study states.

Some of the primary challenges with DMARC implementation include:

  • Time-consuming – particularly for larger, more complex organizations that have many moving parts — all must be accounted for, audited, and updated to ensure you don’t end up failing your own mail because you forgot it was being sent from that server left in someone’s basement.
  • Potentially expensive – some organizations choose to hire a 3rd party firm or consultant to guide them through the lengthy process.
  • Deliverability issues – Misalignment issues can cause ice cream headaches and more time spent with deliverability consultants. Our friends at ActiveCampaign have put together a nice summary if you are in need of assistance with an alignment issue. If that doesn’t solve your issue, head to the source: the FAQ at DMARC.org.

But if you can make it through all of that, you’ll come out the other side with a sending domain that is properly authenticated and well-protected by DMARC. Just a few more steps until your domain will be primed and ready to receive a well-earned reward: which brings us to BIMI!

BIMI: your reward for being a good email citizen

Brand Indicators for Message Identification or BIMI (pronounced: Bih-mee) is a bit different from SPF, DKIM and DMARC in that it’s not really an authentication protocol or standard. It’s more of a reward available to organizations that have built a strong sender reputation and put in the work to deploy DMARC protection, enabling them to display brand-controlled logos in their customer’s inbox.

In order for a brand’s logo to be displayed, their email must also pass DMARC authentication checks with either a p=quarantine or p=reject policy in place (which requires SPF/DKIM to pass as well). This ensures that the organization’s domain has not been impersonated. In advance of hitting ‘Send’, marketers also need to produce an SVG version of the desired brand logo and publish a BIMI record for their domain in DNS.

If you’re not seeing your BIMI record show up, there are a few likely reasons:

  • Your BIMI record is not published correctly.
  • BIMI only works when sending bulk mail or transactional mail. If you’re sending tests from your personal 1-to-1 email address, BIMI will likely not be enabled.

It’s important to note that each participating mailbox provider has its own criteria for determining when a domain’s BIMI logo may be displayed. If you’re sending tests from your personal 1-to-1 email address, your BIMI logo will likely not show up at Yahoo but could at Gmail. It’s also heavily dependent on having a good sender reputation, so be sure you’re following best practices when it comes to list collection and management.

While no significant studies have been released (yet) to draw a direct connection between an increase in revenue from email and BIMI, the ability to nurture brand recognition and trust, as well as provide an enhanced user experience for email subscribers, should not be overlooked. Not to mention the ability to control the logo displayed for your brand across all MBPs with one simple update.

Verizon Media Group (Yahoo/AOL) is currently the only MBP to publicly support BIMI; however, Gmail announced the start of a pilot program in July 2020, and other MBPs have announced intentions to adopt it in the near future as well.

As the Communications Chair for the AuthIndicators Working Group, Matthew shared a lot of great information on BIMI during our video chat. Interested in giving it a try? Head over to the official BIMI website, or check out Netcore’s grademyemail tool, which guides you through the process of implementing BIMI (plus offers a whole lot of other cool stuff related to authentication).

Common questions you might have about authentication

Before we dig into some questions folks might have about authentication, note that there are multiple addresses found within the emails you send, including:

  • Mail From (aka “friendly from”) – technically referred to as the RFC 5322 From address, this is the from address that humans see right next to the subject line in their email client.
  • Envelope From (aka the “display from”, “return-path” or “bounce address”) – technically referred to as the RFC 5321 from address, the purpose of this address is to tell receiving servers where bounced messages and other email feedback should be sent. This is the address that an email server uses to look up the SPF record. It’s not typically seen by most of your subscribers, because it’s only found within the email headers.
  • d= – the domain used to sign DKIM. This is also only found within the email headers.

Now onto the questions…

What domains matter within the email headers? How much of an impact does each of these have on deliverability?

The short answer is: ALL of the domains and email addresses you add to your email headers and within the body of your emails matter. They each have a reputation tied to them, and if even one of them has a very poor reputation, it could cause trouble for the destiny of your email.

You’ll also want to be aware of Message IDs and links within the body of your content. If you include a link that has a poor reputation or has been blocklisted (such as a 3rd party affiliate link that has been used by other senders), the source you’re pointing to carries that poor reputation even though your organizational domain might have a good one, and this can impact delivery of your message.

Align them as best you can across the same or a similar organizational domain (which may include subdomains).

Is domain alignment really a big deal?

It can be! Anti-abuse providers and MBPs often say to “align as much as you can across the entire content of the message.”

Not having every domain in your email fully aligned may not doom your mail to the spam folder if you have a strong sender reputation and are doing “everything else” right, but putting in the work to align as many domains as possible can help avoid unforeseen issues with authentication. The less variation you have, the fewer opportunities you have for a problem.

When it comes to alignment, the most important ones to consider are your Mail From and Envelope From. Aim to have them aligned with your DKIM key and SPF. As a reminder, this is also the key to your DMARC and BIMI records being properly set up, so do your best to align everything to your d= DKIM domain.

If you’re working to implement DMARC, the return-path is an important one to pay attention to because, to be considered DMARC Compliant, each message must pass either:

  • SPF Authentication and Alignment tests;
  • Or DKIM Authentication and Alignment tests

In simpler terms, that means that to pass DMARC via SPF, the domain in the Return-Path must match the domain in the From address (the one recipients see in their inbox); to pass via DKIM, the d= domain of the signature must match it.
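Putting the DMARC policy levels (p=none / quarantine / reject) and these alignment rules together, here is an added example (not from the original post or from DMARC.org) that evaluates a message the way a receiver does: it takes the raw SPF and DKIM results with the domains they were checked against, applies relaxed or strict alignment against the From domain, and returns the disposition the published policy calls for. The organizational-domain logic uses a small constructed stand-in for the Public Suffix List, and the DMARC records and domains are hypothetical.

```python
# Constructed stand-in for the Public Suffix List; real receivers use the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}


def organizational_domain(domain: str) -> str:
    """Reduce to the registrable domain: email.kickbox.com -> kickbox.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):           # first hit is the longest matching suffix
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """'s' (strict): exact match. 'r' (relaxed, the default): same organizational
    domain, so news.example.com aligns with example.com but kickbox-email.com
    never aligns with kickbox.com."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a tag dict with alignment defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: needs v=DMARC1 and a p= policy")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition, reasons). spf_domain is the return-path
    (RFC 5321 MAIL FROM) domain SPF was checked against; dkim_domain is the d= tag.
    pct= sampling is ignored in this example."""
    tags = parse_dmarc(record)
    reasons = []
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_result == "pass" and not spf_ok:
        reasons.append(f"SPF passed for {spf_domain} but it is not aligned with From {from_domain}")
    if dkim_result == "pass" and not dkim_ok:
        reasons.append(f"DKIM passed for d={dkim_domain} but it is not aligned with From {from_domain}")
    if spf_ok or dkim_ok:
        return True, "none", reasons           # one aligned pass is enough
    reasons.append("neither SPF nor DKIM produced an aligned pass")
    disposition = tags["p"]
    # sp= applies to mail whose From is a subdomain of the domain publishing the record.
    if "sp" in tags and organizational_domain(from_domain) != from_domain.lower():
        disposition = tags["sp"]
    return False, disposition, reasons


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"   # placeholder address
    # ESP sends with its own bounce domain but carries the brand's DKIM signature:
    print(evaluate(record, "example.com", "pass", "bounce.esp.example", "pass", "example.com"))
    # Same setup with the DKIM signature missing: SPF alone is unaligned, so p= applies.
    print(evaluate(record, "example.com", "pass", "bounce.esp.example", "none", ""))
```

The second call is the ESP scenario Matthew described: SPF “passes” for the ESP’s domain, but without an aligned DKIM signature the message fails DMARC and, at p=reject, is refused.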

One potential issue Matthew shared with us was that if you’re using an ESP, they may be using one of their own branded domains to sign authentication (for example, authenticating SPF using their domain, and relying on your DKIM key and Friendly From address for domain alignment under DKIM only). This can add complications and risks when it comes to alignment. Most ESPs do align or allow for customization so you can configure them to align, but if you’re worried about this, talk to your email vendor. Or, if you want to test it out, send yourself an email at Gmail (from your ESP) and review the email headers.

What advice do you have about setting up a new domain?

If you’re setting up a brand new domain that will be used for a new (or existing) mail stream, there are a few things you should take into account:

  1. Domain age can impact deliverability. “Day Old Bread” is a list looking at the age of a domain. Some ESPs won’t authorize a domain that’s younger than 2 weeks (except on special, vetted occasions).
  2. Avoid domains with hyphens in them. If your brand has a hyphen, then go for it! But if your website is hosted at kickbox.com, do not create a domain such as kickbox-email.com. This can look like a spam or phish email to both MBPs and your recipients. Instead, make use of subdomains (such as email.kickbox.com). The other good news? Subdomains are free! No need to pay for new domains when you can set up a subdomain under your TLD (top-level domain, where your website is hosted).
  3. Warm up your new domain the same way you would warm up an IP. Particularly if you’re sending to destinations like Gmail, which is heavily focused on domain reputation, you’ll want to start building a positive sender reputation by sending small volumes to engaged recipients and increasing that volume slowly over time. We will not be going down the rabbit hole that is warm-up plans today, so talk to your ESP or favorite deliverability expert if you’re about to go through this process.

How to know if you’re properly authenticated?

The best way to check if your emails are properly configured is to send a test! We recommend using a Gmail account, since Gmail makes it very clear to see if your SPF, DKIM and DMARC have passed or failed. Here’s a quick tutorial on how to view email headers (and your authentication results) within Gmail.

You can also plug your domain into one of the many DNS lookup tools available within the industry today. We recommend Netcore’s grademyemail tool, which guides you through the process of creating TXT records and also provides guidance on how to correct any issues that are detected.

If you use an Email Service Provider (ESP) to send your emails, they will usually be the best resource for helping you troubleshoot issues with your domain configuration.

Track the performance of your email program using your email metrics and 3rd party tools that will allow you to monitor for authentication failures, blocklistings and bounce messages suggesting that the domain(s) within your email are causing deliverability issues.

Also, as Matthew suggested in a recent article, perform audits on your authentication to ensure everything is up to date. The regularity with which you do this will depend on the complexity of your email program.

Conclusion

In order to truly optimize your email program, you need to excel at many aspects of email marketing, from strategic to creative, with the technical parts landing somewhere in between.

While the more technical aspects of email, including authentication, might give you an ice cream headache from time to time, it’s essential to have at least a basic understanding of how it works, why it’s important, and how it can help (or hurt) your deliverability.

But don’t stop there, because email authentication is not a one-way ticket to the inbox. Hate to break it to you, but spammers authenticate, too! Authenticating your emails will help MBPs have more trust in the mail you’re sending.

Stay tuned for the next episode

In the next installment of our series, we’ll cover the all-important topic of Permission: how to get it, why it’s important, and what can go wrong without it. We’ll be joined by another special guest speaker, so you won’t want to miss it!

Not caught up on the series? Check out our last episode all about email metrics, how to effectively gauge email deliverability and what metrics you should be monitoring.

Get Your Free Deliverability Consultation

Speak with a deliverability expert to see if the Kickbox Deliverability Suite is the right fit for your organization.
