How does email authentication work? The basics behind SPF, DKIM, DMARC, BIMI & Domain Blacklist

Understanding SPF, DKIM, DMARC, BIMI & Domain Blacklist to Improve Email Deliverability

13 June 2022

Areeba

Email authentication is a critical pillar of email infrastructure that ensures maximum security for your email domain. It establishes trust between an email sender and the recipient's mailbox provider, ensuring the inbox provider can authenticate that the message was sent by an authorized source. This blog discusses the main pillars of email authentication, why it's important to have them in place, and how they impact the sender's reputation.

What is Email Authentication and how does it work?

Email Authentication is a set of technologies that allows you to verify the authenticity of an email. It's like getting a stamp on your letterbox saying "We're actually from Australia Post". When someone sends you an email, they can prove that they are what they say they are by using one or more authentication methods (like SPF, DKIM, and DMARC) - which is why it's called "Email Authentication".

The process for authenticating an email starts with the sender creating a public key. This public key then gets published in their DNS records as part of what's known as a TXT record. When an email is sent from their domain name, this public key will be used to encrypt other information within the message such as headers and body text. The recipient then uses their private key to decrypt these messages so that only intended recipients can read them. 

Possible methods to set up email authentication

The purpose of setting up email authentication is to ensure maximum security for your email domain against phishing, spoofing, or other hacking attempts. Having the email authentication pillars in place not only helps protect the email domain but also helps boost email deliverability, email engagement and sender reputation.

The possible methods of setting up email authentication include:

  • SPF: The Sender Policy Framework (SPF) protocol is a method of identifying which mail servers are authorized to send an email on behalf of your domain. 

  • DKIM: Domain Keys Identified Mail (DKIM) is an email authentication standard that lets you prove that emails you send were actually sent by you, and weren't altered in transit. 

  • DMARC: Domain-based Message Authentication Reporting & Conformance (DMARC) allows consumers to take control over how their domains are used online by setting policies across different mail systems—such as rejecting messages or quarantining them for further review—when receiving messages with invalid signatures or headers.

  • Domain blacklist: An email blacklist is essentially just another type of DNS blacklist where instead of providing information about bad hosts such as malicious websites or infected computers, it provides information about good domains like yours! If someone tries sending emails through one of these blacklists then recipients won't receive them because their IPs have been blocked.

  • BIMI: Brand indicators for message identification (BIMI) provide a unique identifier that can be used in place of the sender's email address, so it's easier to verify that the message is authentic. It helps companies protect their customers from potential phishing scams.

Let’s look at them in detail and see why they are so important to set up.

What is the Sender Policy Framework (SPF) and why does it matter?

SPF is a domain name record that is used to verify whether or not an email is being sent from an authorized source. The SPF record contains the hostnames that can send messages on behalf of your domain, and it’s stored in the DNS zone file for your domain. (It's also possible to store an SPF record in a subdomain). It’s one of the most common methods used to validate email, and it works by checking if the IP address sending the message matches either:

  • The IP address listed in their SPF record

  • A third-party DNS service provider like Google or Yahoo! (which can be specified in your SPF record)

If either of these checks fails, then it means that your domain has been spoofed—or faked—which gives hackers access to your inbox without ever having to break into your actual account. This makes SPF authentication very important for anyone who wants to protect their business from scams or phishing attacks.
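To make the "does the sending IP match the record" check concrete, here is an added example (not code from the original post) of a minimal SPF evaluator that handles the ip4, ip6, include and all mechanisms with their qualifiers. The DNS data is a constructed offline stand-in; the domains and addresses are assumptions.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for TXT lookups (assumption: offline data, not live DNS).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

def lookup_spf(domain: str) -> Optional[str]:
    # A real checker would query the domain's TXT records (e.g. with dnspython).
    return FAKE_DNS_TXT.get(domain)

def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:            # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = lookup_spf(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        result = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
        mech, _, arg = term.partition(":")
        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            # 'in' is False when the address family differs, so ip4/ip6 are safe to mix
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech == "include":
            # include: matches only when the included record itself evaluates to pass
            if check_spf(arg, sender_ip, depth + 1) == "pass":
                return result
        # a, mx, exists and redirect need live DNS and are not modelled here
    return "neutral"          # no mechanism matched and no 'all' term was present
```

A sender that is only covered by the included record (198.51.100.10 above) passes through the include, while an address that matches nothing falls through to `-all` and fails.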

What is Domain Keys Identified Mail (DKIM) and why does it matter?

DKIM is a system that allows you to verify emails and prevent spoofing by making sure the recipient knows it’s really you sending them an email.

When someone sends an email, they can use DKIM to digitally “sign” the message using their private key, which is kept secret on their domain. This lets recipients know who sent the message and that it hasn’t been modified in any way after leaving your inbox.

This makes DKIM useful for both preventing spam and protecting against phishing attacks—if someone tries to send out a fake email claiming to be from your bank or another trusted entity, it won’t pass DKIM checks because the domain isn’t actually associated with those trusted entities (it's just pretending!). That means that even if someone were able to fool your recipient into clicking through links or entering information into forms within these spoofed emails, they wouldn't be able to use that information: there would be no way for them to get access to what they need, such as account numbers, without first going through proper authentication with whoever actually owns those accounts, which would fail thanks to this security feature.

To set up DKIM, you'll need to install a private key on each of your sending servers and publish the matching public key as a record in DNS. Then, when someone receives an email from one of these servers, they can check whether it's been signed with DKIM by looking up that public key record.
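The following added example (not the post's own code) walks through the part of the DKIM flow described in the introduction and here: the signer computes a body hash (`bh=`) and publishes a key record at `<selector>._domainkey.<domain>`; the verifier recomputes the hash from what it received, so any edit in transit breaks it. It uses only the standard library, so the RSA signature over the headers (`b=`) is left empty; the domain, selector and message body are constructed.

```python
import base64
import hashlib
import re

def canonicalize_body_relaxed(body: str) -> bytes:
    """Relaxed body canonicalization (RFC 6376 section 3.4.4)."""
    lines = body.replace("\r\n", "\n").split("\n")
    # collapse whitespace runs and strip trailing whitespace on every line
    lines = [re.sub(r"[ \t]+", " ", ln.rstrip(" \t")) for ln in lines]
    while lines and lines[-1] == "":       # drop trailing empty lines
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode() if lines else b""

def parse_tags(value: str) -> dict:
    """Parse a tag=value list; the DKIM-Signature header and the DNS key record share this form."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def body_hash(body: str, algo: str = "sha256") -> str:
    digest = hashlib.new(algo, canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode()

def make_signature_header(domain: str, selector: str, body: str) -> str:
    # Signing side: bh= is computed first, then the RSA signature b= covers the
    # listed headers including bh=. b= is left empty in this stdlib-only example.
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=")

def public_key_record_name(dkim_header: str) -> str:
    """DNS name the verifier queries for the public key: <selector>._domainkey.<domain>."""
    tags = parse_tags(dkim_header)
    return f"{tags['s']}._domainkey.{tags['d']}"

def body_hash_matches(dkim_header: str, body: str) -> bool:
    """Verifier side: recompute bh= from the received body and compare."""
    tags = parse_tags(dkim_header)
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]   # rsa-sha256 -> sha256
    canon = canonicalize_body_relaxed(body)
    if "l" in tags:                        # optional body-length limit (l= tag)
        canon = canon[: int(tags["l"])]
    return base64.b64encode(hashlib.new(algo, canon).digest()).decode() == tags.get("bh")
```

Whitespace-only differences survive relaxed canonicalization, but appending or changing text in the body makes the recomputed hash differ from `bh=`.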

What is Domain-Based Message Authentication, Reporting & Conformance (DMARC) and why does it matter?

DMARC is a framework that helps you to monitor and manage email authentication. It's also the key to verifying that the messages you send are genuine, so if you want your emails to appear in recipient inboxes rather than junk folders, DMARC is important.

Let's break down what DMARC does:

  • Helps you monitor and manage email authentication - by enabling SPF and DKIM checking, it makes sure that false emails aren't being sent on behalf of your brand.

  • Helps you identify and report on email spoofing - if someone's pretending to be from your company or trying to impersonate one of your employees (known as "spear-phishing"), this feature helps detect those threats by identifying where they come from.

  • Helps you get insight into how other services use your domain name - whether it’s for spamming or sending legitimate business-related messages, this information can help protect against abuse of the system and establish a baseline for future engagement efforts, such as courting new customers through social channels like Twitter or Facebook Messenger, where it can be difficult because they won't know who owns those accounts yet.
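As an added example (not from the original post), here is how a receiver turns the SPF and DKIM results into the DMARC verdict and the policy action the record asks for. The detail the list above leaves out is alignment: a passing SPF or DKIM result only counts if its domain aligns with the From: header domain. Relaxed alignment is simplified here by treating the From domain as the organizational domain (an assumption); the record and domains are constructed.

```python
def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into tags, applying RFC 7489 defaults for alignment."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Identifier alignment. 's' (strict) needs an exact match; 'r' (relaxed) needs the
    same organizational domain. Simplification (assumption): the From domain is taken as
    the organizational domain, so any subdomain of it is aligned."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return a == f or a.endswith("." + f)

def dmarc_disposition(record: str, from_domain: str, spf_result: str, spf_domain,
                      dkim_result: str, dkim_domain) -> dict:
    """Return the DMARC verdict and the action the receiver should take."""
    tags = parse_dmarc(record)
    # spf_domain is the MAIL FROM domain SPF checked; dkim_domain is the d= of a verified signature
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    dmarc_pass = spf_ok or dkim_ok        # either aligned pass is enough
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return {
        "dmarc": "pass" if dmarc_pass else "fail",
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "action": "deliver" if dmarc_pass else actions.get(tags["p"], "deliver"),
    }
```

Note the second test case: a third-party mailer whose SPF and DKIM both pass for its own domain still fails DMARC, because neither identifier aligns with the From domain.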

What is Brand Indicators for Message Identification (BIMI) and why does it matter?

BIMI is a new email authentication standard that can help identify legitimate emails. It is also important for detecting spoofed emails, fraudulent emails, and phishing emails. The goal of BIMI is to improve the ability of mail services to detect when an email has been altered or forged (i.e., not from its original sender).

BIMI uses a combination of technology that is already in use: DKIM and SPF allow you to verify the identity of individual messages; DMARC allows you to report on how those messages are handled; Domain Blacklisting helps you prevent spoofing attempts by excluding certain domains from your incoming mail flow.

What is meant by Domain Blacklist and how does it impact Email Authentication?

Domain Blacklist is a list of domains that have been blacklisted by the email service provider. These are usually created as a result of fraudulent emails being sent from these domains and can range from phishing emails to spam. In order to avoid blocking legitimate messages from reaching their intended recipients, Domain Blacklists are used only when a certain threshold has been reached. 

For example, if an email server receives too many complaints about a particular domain (this can be anything from an address at that domain getting too many bouncebacks or invalid responses), it will add the IP address associated with the sending email server to its blacklist. From then on, any emails sent by that particular sending IP address will be blocked before they reach their destination mailbox.
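Added example (not from the original post) of how a mail server, or a domain owner checking their own reputation, queries a DNS-based blacklist for a sending IP: the octets are reversed and prefixed to the list's zone, and a listing comes back as an A record inside 127.0.0.0/8. The zone name and the answers are constructed stand-ins for a live resolver.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for a resolver: query name -> A record answer (assumption: offline).
# A listed address answers inside 127.0.0.0/8; an unlisted one does not resolve at all.
FAKE_DNSBL_ANSWERS = {
    "9.113.0.203.dnsbl.example": "127.0.0.2",   # 203.0.113.9 is listed
}

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the lookup name: IPv4 octets reversed, then the list zone (1.2.3.4 -> 4.3.2.1.zone)."""
    addr = ipaddress.IPv4Address(ip)            # raises on malformed input
    return ".".join(reversed(str(addr).split("."))) + "." + zone

def dnsbl_lookup(ip: str, zone: str) -> Optional[str]:
    """Return the answer address when the IP is listed, otherwise None.
    With live DNS the lookup would be socket.gethostbyname(name) wrapped in try/except."""
    answer = FAKE_DNSBL_ANSWERS.get(dnsbl_query_name(ip, zone))
    # Only a loopback-range answer counts: resolvers that rewrite NXDOMAIN to a real
    # address would otherwise make every IP look listed.
    if answer and ipaddress.IPv4Address(answer) in ipaddress.IPv4Network("127.0.0.0/8"):
        return answer
    return None
```

The last octet of the answer (here .2) is list-specific and usually encodes the reason for the listing, so the returned value is worth logging rather than collapsing to a boolean.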

Conclusion

By now, you should have a solid understanding of how email authentication works, along with the protocols used to support it. From there, you can make sure you’ve got everything configured properly in your own system. And of course, if you have any questions about setting up or maintaining your own email authentication framework, don’t hesitate to drop us a line and let us know!