How To Authenticate an Email: SPF, DKIM, DMARC, and BIMI

16 September, 2022
by Irene Dmitrieva

Imagine that you set up an email campaign, wrote engaging content, and made a cool email design, but for some reason, it ended up in spam folders all the same. 

There are things that can make or break an email campaign that have nothing to do with the quality of the email itself. These factors are technical and relate to email authentication.

Setting up email authentication is important for making sure your email marketing campaigns are effective as it helps to provide security and improve the deliverability of your emails. It involves several measures that we describe in this guide. Read on to make sure all your emails are properly authenticated and able to reach their recipients.

What is email authentication and why do you need it?

Email authentication is the process of verifying the identity of the sender and the legitimacy of their email messages. It plays an important role in any organization that uses email marketing. It helps email services like Gmail distinguish legitimate emails from spam and phishing emails when someone tries to impersonate your brand to get confidential information. 

Email authentication exists to protect email users from spam, phishing, and other types of malicious activity. By authenticating email messages, email providers can help ensure that only legitimate messages are delivered to users’ inboxes.

Email authentication also helps to protect email users’ personal information and privacy. By verifying the sender of an email message, email providers can help prevent scammers from spoofing the sender’s address and sending spam or phishing emails that appear to come from a trusted source. In other words, authentication serves as a checkpoint for detecting unauthorized and malicious IP addresses sending emails from your domain.

According to an FBI report, business email compromise (BEC) scams were the most costly cybercrimes in the United States in 2021. With an estimated loss of nearly $2.4 billion, BEC frauds resulted in 19,954 claims. Use email authentication to protect your brand image, minimize cyber threats, and ensure faster delivery speeds.

Email authentication requires the use of certain standards to work properly. These standards include SPF, DKIM, DMARC, and BIMI — security protocols that serve different purposes. Collectively, they provide a comprehensive solution to email authentication.

Important

As of February 1, 2024, setting up SPF, DKIM, and DMARC is no longer just a best practice: it became compulsory for all bulk senders with the introduction of the new requirements by Google and Yahoo.

How does it work exactly?

SPF, DKIM, DMARC, and BIMI – these four technologies are not the only authentication methods, but they are the basis for checking emails. Let’s see how email authentication works based on these standards.

  1. A domain or organization owner establishes authentication procedures for all of its sending domains. 
  2. The organization sets up the email servers and infrastructure to follow these regulations.
  3. The email authentication rules are located in the DNS records for each domain that sends emails. Receiving mail servers then authenticate these emails from the sender based on said published rules.
  4. Depending on the results of the email authentication, receiving servers will either deliver the email, quarantine it, or reject it.

SPF (stands for Sender Policy Framework). This is a method for detecting fraudulent sender addresses during email delivery. It helps recipient email servers see whether emails from a domain come from an authorized IP address.

SPF operation scheme

DKIM (stands for DomainKeys Identified Mail). This is an anti-phishing and anti-spam technology. The sending system signs every outgoing email with a digital signature tied to your domain and attaches that signature to the message. The recipient system can find your public key in the DNS.

When a message is received, the receiving server retrieves the public key and uses it to verify the signature, which was created with the sender's private key. If the verification is successful, the authenticity of the email is confirmed, and the sender's good reputation along with it. Otherwise, the domain loses reputation, which can mean additional checks or blacklisting of its mail addresses.

DKIM operation scheme

DMARC (stands for Domain-based Message Authentication, Reporting, and Conformance). DMARC lets you define what should happen to emails that claim to come from your domain but fail authentication.

The technology is used for protection against spoofing, i.e. using a domain to send fraudulent messages on someone else's behalf. In brief, according to the DMARC rules set on the domain, suspicious messages can be rejected, marked as spam, or simply let through, depending on the wishes of the domain owner.

How DMARC works

BIMI (stands for Brand Indicators for Message Identification). This standard allows businesses to display their logo in the recipient’s inbox when email is authenticated.

When an email is sent from a domain with a valid BIMI record, the recipient’s email client can fetch the logo and display it next to the email. The email client can also verify the authenticity of the email using the verification token.

How BIMI works
Source: DMARCLY

To benefit from all four email authentication mechanisms, you need to add records to the DNS server of the domain used to create the mailboxes. The exact procedure depends on the particular hosting company whose servers the domain's DNS records point to.

How to authenticate the email: a step-by-step guide

So, how to nail email authentication and allow trouble-free communication between a brand and a client? Here’s what you need to do so that the system verifies your identity. We also have a detailed guide on how to set up your email

Authenticating IP address and SPF

To authenticate emails using SPF, you need to add an SPF record to your DNS server. The SPF record specifies which IP addresses are allowed to send emails on behalf of your domain.

To avoid SPF authentication failures, you must be aware of all IP addresses that send emails from your domain so you can include them in your SPF record. You need a separate SPF record for each email domain you use if you want stable email deliverability rates. Otherwise, your success in sending emails will depend on the domain used. 

To add an SPF record, you need to edit the DNS zone file for your domain. Add the following line as a TXT record:

v=spf1 ip4:[IP ADDRESS] -all

Replace IP ADDRESS with the IP address of your email server. The -all at the end of the record indicates that any other IP addresses should be considered invalid.

An example of how it looks in one web hosting service. It might look different in other services, though it's likely to be similar.

If you need more IP addresses, put a space after the final digit of the prior IP address and write “ip4:[IP ADDRESS]” for every extra IP. You can include third-party domains by adding “include:[THIRD PARTY DOMAIN]”.

After you’ve finished, you should have something similar to this:

v=spf1 ip4:21.43.65.87 ip4:23.45.67.89 include:thirdparty.example.com -all

Save the SPF record and restart your DNS server. Your email should now be authenticated with SPF.
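
How a receiving server reads the record above, as an added example (not code from the original article): a small offline evaluator for the ip4, ip6 and all mechanisms. The function name evaluate_spf and the address 203.0.113.9 are constructed for illustration; mechanisms that need DNS lookups, such as include, are not resolved and are returned in a separate list.

```python
import ipaddress

# SPF qualifiers: what a matching mechanism means for the message.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def evaluate_spf(record, sender_ip):
    """Return (result, skipped) for one SPF TXT record and a connecting IP.

    Only ip4, ip6 and all are evaluated. Terms that need DNS lookups
    (include, a, mx, ...) are collected in `skipped`, so a "fail" with a
    non-empty `skipped` list is not a final verdict.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", []                      # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    skipped = []
    for term in terms[1:]:                     # mechanisms apply left to right
        qualifier = "+"                        # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror", skipped    # malformed address in record
            if ip in network:
                return QUALIFIERS[qualifier], skipped
        elif name == "all":                    # matches every remaining sender
            return QUALIFIERS[qualifier], skipped
        else:
            skipped.append(term)
    return "neutral", skipped                  # nothing matched, no "all" term

# The record from the article; 203.0.113.9 is a constructed unlisted sender.
PAGE_RECORD = ("v=spf1 ip4:21.43.65.87 ip4:23.45.67.89 "
               "include:thirdparty.example.com -all")

if __name__ == "__main__":
    for ip in ("21.43.65.87", "203.0.113.9"):
        print(ip, evaluate_spf(PAGE_RECORD, ip))
    print(evaluate_spf(PAGE_RECORD.replace("-all", "~all"), "203.0.113.9"))
```

With -all an unlisted sender gets a hard fail; the same record ending in ~all yields a softfail, which receivers typically accept but treat as suspicious.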

Configuring DKIM

The process of creating a key in an email service provider (ESP) will vary depending on which one you use. If you use Selzy to send email campaigns, setting up DKIM looks like this:

  1. Log into your private account and copy your public key.
  2. Once that’s done head over to the domain hosting control panel where TXT records are located. 
  3. Paste the copied key in the Value field:
DKIM setting up

Although the mechanics of DKIM may be confusing, thankfully implementing it is not. We wrote a detailed article on how to set up DKIM for your domain. By adding DKIM to your DNS records, you increase the probability that your emails will end up in mailboxes instead of spam folders. 

Publishing the DMARC record

To use DMARC, you need SPF and DKIM set up. Do this preparatory work before beginning DMARC implementation.

DMARC allows you to have more sway over your email authentication system, rendering your SPF and DKIM standards stronger. It allows you to choose how you want to handle emails that have not been authenticated: either do nothing with them, put them in spam, or just reject them.

Adding a DMARC record for your domain is quite easy. To do that, open your hosting provider's DNS records control panel and add a new TXT record there. We have also written detailed instructions on the DMARC setup process.

The approximate procedure:

  1. Go to the website of your hosting provider.
  2. Go into the control panel.
  3. In the settings menu, find the management of DNS records.
  4. Insert a new TXT record.
DMARC setting
Source: ClouDNS
  5. Click on the Save button.

Enforcing BIMI

To implement BIMI, businesses must first publish a valid DNS record for their domain. This record must contain information about the business’s logo, as well as a verification token. 

Here is a BIMI record example:

v=BIMI1; l=https://yourserver.com/logo.svg; a=https://yourserver.com/vmc.pem

With our detailed guide, you will have no questions about how to implement BIMI.

Conclusion

If you want your emails opened by customers and not get caught in their spam folders, make sure to authenticate your emails. Email authentication verifies the sender of an email and ensures that the email is legitimate. This is done by using standards such as SPF, DKIM, DMARC, and BIMI. When an email is authenticated, the receiving server is sure that it comes from the sender that it claims to come from.

Take measures against email fraud by implementing email authentication. This will also ensure your emails actually reach your subscriber. If you haven’t already, now is the time to take action. 

BTW, if you don’t have time to figure it out, you can always order an email authentication service from the specialists at Selzy. We’re ready to help you with that, just give us a call! Start your email marketing for free now.
