Email Authentication: What is DMARC, SPF, DKIM and BIMI?

Email authentication is the process of verifying the legitimacy of an email sender and the integrity of their message(ing). The three standard email authentication protocols are:

• SPF (Sender Policy Framework)

• DKIM (DomainKeys Identified Mail)

• DMARC (Domain-based Message Authentication, Reporting, and Conformance).

They work in conjunction to validate a sender’s identity, prevent email spoofing and phishing attacks, and improve overall security and email deliverability.

While most email senders send timely, relevant content to their subscribers unfortunately, as it is with many things in life, there’s a certain few that ruin it for the rest of us. Email marketing is no different.

Spammers and phishers are constantly looking to game the system, swindling unsuspecting recipients into handing over sensitive information such as account details passwords, or uploading malicious malware and viruses. To make matters worse, they often do so under your name, potentially damaging your reputation and eroding customer trust in your brand.

In addition to protecting your brand reputation, here’s a few more reasons why you should authenticate your email:

• Improve deliverability: Authenticated emails are more likely to bypass spam filters and reach recipients’ inboxes, ensuring that your important communications and marketing messages are seen by your audience.

• Tighten security: By implementing authentication protocols like SPF, DKIM, and DMARC, you can strengthen the security of your email infrastructure, reducing the likelihood of email spoofing and unauthorized access to your domain.

• Compliance with industry standards: Many industries and regulatory bodies have guidelines and requirements for email authentication to protect consumer data and privacy. By authenticating your emails, you demonstrate compliance with these standards and avoid potential legal and regulatory issues.

• Optimizing email marketing performance: Authenticated emails provide recipients with confidence in the legitimacy of your messages, leading to higher engagement rates, improved click-through rates, and ultimately, better ROI on your email marketing efforts.

During the internet’s early years email quickly emerged as the primary means of communication. However, providers tended to be overly trusting at this point leading to the proliferation of spam, phishing, and email spoofing.

In response to these threats, the first email authentication protocols – SPF and DKIM – were developed in the early 2000s to verify the authenticity of email senders and prevent domain forgery. In 2012 DMARC was introduced to further strengthen these policies.

Let’s look at each one in a bit more detail.

SPF acts as a sort of virtual email inbox bouncer. When an email arrives at its destination, the recipient’s server asks, “Hey, are you on the guest list?” The SPF record, which acts as the guest list, contains a list of authorized IP addresses (mail servers) for a particular domain.

If the sender’s email address matches one on the list, the bouncer lets it through. However, if the sender’s address isn’t on the IP address list, it’s like trying to crash a private party without an invite—the email might get flagged as suspicious or even bounced back altogether.

In simple terms, SPF records help prevent unauthorized parties from impersonating your domain and sending potentially harmful emails, enhancing the security and reliability of your email communications.

Let’s use the postal service to help us explain what and how DKIM works. Imagine when sending a letter, you seal the envelope and write your name on the back to show it’s really from you. But what if someone opens the envelope, changes its contents, and claims it’s still from you? How would the recipient be any the wiser?

DKIM works a bit like a digital signature for your emails. When you send an email, your server adds a special DKIM signature to the message.

This signature is like a unique stamp (private key) that proves the email came from you (sending domain) and hasn’t been tampered with along the way. When the recipient’s email server receives the email, it checks the DKIM signature against a public key stored in your domain’s DNS records.

If the signature matches and the key checks out, the email is considered authentic and trustworthy, like getting a letter with a verified sender’s address and signature on the back. This helps prevent email spoofing and ensures that your emails are delivered safely to your recipients’ inboxes.

So, what happens when the bouncer either catches an email not on the guest list (SPF) or finds that its content has been meddled with (DKIM)? Well, this is where DMARC authentication comes in.

DMARC adds an extra layer of security to domain owners. It’s a set of rules that tells the postal service (or, in this case, email servers) how to handle your letter. With DMARC, you’re basically saying, “Hey, if this letter doesn’t have my official stamp on it, or if it looks like someone’s trying to tamper with it, don’t deliver it—send it back to me instead.”

You can set your DMARC policy to one of three settings, which will indicate what email providers do with those that have failed SPF or DKIM.

Here’s each setting and what they mean:

• p=none: Nothing happens, unauthenticated emails will still be delivered.

• p=reject: Unauthenticated emails are blocked, never seen by the recipient.

• p=quarantine: Unauthenticated emails are placed in the spam folder.

Every major mailbox provider performs a DMARC check, so having DMARC set up will offer additional protection with all the main email clients.

In case you hadn’t heard, as of February 2024 both Google and Yahoo rolled out a new set of requirements for brands sending bulk email (5000+ emails a day). This will help reduce the risk of spam, phishing, and other malicious activities, improving the delivery of legitimate emails to subscribers’ inboxes.

These three key deliverability requirements are:

1. Email authentication: Senders will be required to verify their identities with the standard protocols SPF authentication, DKIM authentication, and DMARC.

2. Add a one-click unsubscribe header: Senders will need to implement a valid List-Unsubscribe header within emails if they haven’t already, to allow recipients to easily opt out.

3. Only send emails users want: Gmail and Yahoo are getting serious about spam monitoring and senders will need to ensure they’re keeping below a set spam rate threshold.

Before you start to panic, these new requirements are actually just best practices that have existed for well over 10+ years now. In fact, many brands already abide by these authentication standards. The difference is they’re now being more strictly enforced by service providers.

As it’s email authentication methods we are focusing on, both email service providers (ESP) Yahoo and Gmail mandate that bulk senders (Google set a guidepost figure of 5000 daily emails) to implement DMARC with a minimum policy of p=none. If you remember from the DMARC section above, this instructs receiving servers to log but not to take any action.

If you’d like to know more about what both Yahoo and Google have to say about these changes and what they mean for email senders, we invited Yahoo’s Senior Director of Product, Marcel Becker, Google’s Director of Product Anti-Abuse and Safety, Anu Yamunan, to go through all your questions in our recent webinar.

BIMI is like the bonus track added on to a newly released EP. After you’ve done your due diligence and configured your authentication protocols (SPF, DKIM, and DMARC) you’re rewarded with this exclusive new content.

So, what is BIMI? Essentially, it allows senders to display their brand’s logo next to email messages within the inbox. You can see what that looks like in the example below:

This is important for email senders for a couple reasons:

1. It shows recipients that the email is, indeed, authentic.

2. BIMI is a DNS TXT record that provides additional authentication.

Remember how we said this was a sort of reward for your good email authentication behavior? That’s because to implement BIMI your DMARC policy must be set to either p=quarantine or p=reject.

While Google and Yahoo have mandated your policy be set to p=none, this shouldn’t be your ongoing standard as it does little protect against phishing or spoofing. And, as Sinch Mailgun’s Kate Vice President of Deliverability, Kate Nowrouzi, suggests in her email predictions for 2024 this is likely to change to p=reject by the end of the year.

Moving towards implementing a stricter set of DMARC policies is definitely something to keep top of mind moving towards the end of the year.

Well, now that you know first-hand the importance authenticating your email program and protecting your brand image it’s time to get everything set up correctly.

We have detailed documentation to set up the SPF and DKIM email authentication protocols required by Gmail and Yahoo. If you’re looking for even more tailored support, check out our Deliverability Services! We have a dedicated team of experts ready to help your company navigate these evolving industry standards and implement the tailored strategy that best fits your email needs.

And remember, implementing these authentication protocols doesn’t just benefit your brand, but also your customers and subscribers who will be able to browse their inboxes safely and securely.