Email Authentication Protocols
Email authentication protocols help verify the legitimacy of email senders, preventing spoofing, phishing, and spam. Proper authentication improves email deliverability and builds trust with email providers like Gmail, Yahoo, and Outlook.
1. SPF (Sender Policy Framework)
SPF is an email authentication protocol that allows domain owners to specify which mail servers are authorized to send emails on their behalf.
How SPF Works:
The domain owner publishes an SPF record in the DNS (Domain Name System).
When an email is received, the recipient’s email server checks the SPF record to see if the sending IP is authorized.
If the IP is listed, the email passes SPF; otherwise, it may be rejected or marked as spam.
SPF Example Record:
v=spf1 include:spf.cm.com -all
v=spf1 → Specifies SPF version
include:spf.cm.com → Authorizes CM.com's mail servers
-all → Hard fail (Emails from unauthorized senders will be rejected outright by the receiving server.)
Best Practices for SPF:
Limit the number of authorized IPs to reduce security risks.
Avoid using +all, which allows any sender, making SPF ineffective.
Use include: statements carefully to prevent exceeding DNS lookup limits (10 max).
2. DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to outgoing emails, allowing recipients to verify that emails are authentic and unaltered.
How DKIM Works:
The sending mail server adds a DKIM signature to the email header.
The recipient’s mail server retrieves the DKIM public key from the sender’s DNS record.
If the signature verifies against the email's signed headers and body, the email passes DKIM.
DKIM Example Record:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4G...
v=DKIM1 → Specifies DKIM version
k=rsa → Key type (RSA signing key)
p=MIGf... → Base64-encoded public key
Best Practices for DKIM:
Use 2048-bit keys for stronger security.
Rotate DKIM keys periodically to prevent abuse.
Ensure all sending domains have DKIM enabled.
3. DMARC (Domain-based Message Authentication, Reporting, and Conformance)
What is DMARC?
DMARC builds on SPF and DKIM, allowing domain owners to control how email providers handle authentication failures and receive reports on email activity.
How DMARC Works:
The domain owner publishes a DMARC policy in the DNS.
When an email fails SPF or DKIM, the receiving mail server checks the DMARC policy and acts accordingly.
DMARC Policy Options:
p=none → No action; only reports authentication failures.
p=quarantine → Sends failed emails to spam.
p=reject → Blocks failed emails completely.
DMARC Example Record:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com;
v=DMARC1 → Specifies DMARC version
p=reject → Rejects unauthorized emails
rua=mailto:dmarc-reports@yourdomain.com → Mailbox that receives aggregate reports, including authentication failures
Best Practices for DMARC:
Start with p=none to monitor authentication failures before enforcing stricter policies.
Gradually move to p=quarantine and eventually p=reject for better security.
Regularly review DMARC reports to detect spoofing attempts.
4. BIMI (Brand Indicators for Message Identification)
What is BIMI?
BIMI allows businesses to display their brand logo next to authenticated emails in supporting email clients (e.g., Gmail, Yahoo).
How BIMI Works:
Requires DMARC enforcement (p=quarantine or p=reject).
The brand publishes a BIMI record in DNS with a link to their logo.
The recipient’s email provider verifies BIMI and displays the brand logo in the inbox.
BIMI Example Record:
v=BIMI1; l=https://example.com/logo.svg;
v=BIMI1 → Specifies BIMI version
l=https://example.com/logo.svg → URL to the brand’s verified logo
Best Practices for BIMI:
Ensure DMARC is fully enforced (p=quarantine or p=reject).
Use an SVG-format logo that meets BIMI specifications.
Obtain a Verified Mark Certificate (VMC) for wider BIMI support.
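The SPF, DMARC and BIMI best practices above can be checked mechanically. The following is an added example (not part of the original page, and not a tool from any provider named here) that lints a domain's records against them: it counts the DNS-querying SPF terms towards the limit of 10, flags +all, parses the tag=value syntax shared by DKIM, DMARC and BIMI, and reports a BIMI record whose DMARC policy is not at enforcement. The DNS table, domain names and addresses are constructed placeholders standing in for live TXT lookups.

```python
# Constructed DNS zone data standing in for live TXT lookups (placeholder domains).
FAKE_DNS = {
    "example.com": "v=spf1 include:spf.cm.com ip4:192.0.2.10 -all",
    "spf.cm.com": "v=spf1 ip4:198.51.100.0/24 mx -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com;",
    "default._bimi.example.com": "v=BIMI1; l=https://example.com/logo.svg;",
    "weak.example": "v=spf1 include:spf.cm.com +all",
    "_dmarc.weak.example": "v=DMARC1; p=none;",
    "default._bimi.weak.example": "v=BIMI1; l=https://weak.example/logo.svg;",
}
SPF_LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")  # each costs a DNS query; RFC 7208 caps these at 10

def spf_lookups(domain, dns, depth=0):
    """Count DNS-querying SPF terms reachable from domain, following include/redirect."""
    record = dns.get(domain, "")
    if not record.startswith("v=spf1") or depth > 10:  # depth guard against include loops
        return 0
    count = 0
    for term in record.split()[1:]:
        # Drop qualifier (+ - ~ ?) and CIDR suffix, then split 'mech:target' / 'redirect=target'.
        mech, _, target = term.lstrip("+-~?").replace("=", ":", 1).split("/")[0].partition(":")
        if mech in SPF_LOOKUP_MECHS:
            count += 1
            if mech in ("include", "redirect"):
                count += spf_lookups(target, dns, depth + 1)
    return count

def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM, DMARC and BIMI records."""
    pairs = (p.split("=", 1) for p in record.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}

def lint_domain(domain, dns):
    """Return findings for a domain against the best practices described above."""
    findings = []
    spf = dns.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("SPF: no record published")
    else:
        if "+all" in spf.split() or "all" in spf.split():  # bare 'all' also means pass
            findings.append("SPF: '+all' lets any sender pass")
        if (n := spf_lookups(domain, dns)) > 10:
            findings.append(f"SPF: {n} DNS lookups exceed the limit of 10")
    policy = parse_tags(dns.get("_dmarc." + domain, "")).get("p")
    if policy not in ("quarantine", "reject"):
        findings.append("DMARC: not at enforcement (record missing or p=none)")
    bimi = parse_tags(dns.get("default._bimi." + domain, ""))
    if bimi.get("v") == "BIMI1" and policy not in ("quarantine", "reject"):
        findings.append("BIMI: logo record present but DMARC is not enforced")
    return findings
```

Running lint_domain("example.com", FAKE_DNS) returns no findings, while the constructed weak.example domain is flagged for +all, a monitoring-only DMARC policy, and a BIMI record that providers will not honour.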
Setting Up and Maintaining Authentication Protocols
Publish SPF, DKIM, and DMARC Records:
Work with your IT team or email service provider (ESP) to configure authentication records in DNS settings.
Monitor Authentication Status:
Use Google Postmaster Tools and Microsoft SNDS to track domain reputation and authentication failures.
Regularly Update SPF and DKIM Records:
If switching email providers, update SPF and DKIM settings accordingly.
Review DMARC Reports Weekly:
Analyze reports to identify spoofing attempts and misconfigurations.
Implement BIMI for Brand Visibility:
Ensure your domain meets BIMI requirements and apply for a Verified Mark Certificate (VMC) if needed.