These are techniques used to confirm the identity of a sender: they answer the question of whether a message really comes from the domain it claims to come from. They help receiving mail servers uncover and block suspicious mail, protecting recipients from spoofing and phishing. The usual authentication protocols are SPF, DKIM, and DMARC.
There are three main email authentication methods: SPF, DKIM, and DMARC. All three are configured through DNS TXT records on the sending domain (SPF on the domain itself, DMARC at _dmarc.<domain>, and the DKIM public key at <selector>._domainkey.<domain>).
Having all three methods in place is the ideal. Realistically, which ones you set up will depend on the resources available, your technical ability, and your business needs.
For instance, DKIM should be the minimum if you send email from your own domain. Domain-aligned SPF and DMARC are additionally recommended if you are part of a large or security-conscious organization; a business that white-labels our application; a business using our application for financial transactions; or a business that prioritizes the protection of a valuable brand.
The role of DKIM is to verify that an email's content reaches the recipient without being tampered with, and that it was sent by a party holding the signing key of the domain it names. The outbound mail server computes a hash over the message body and over a selected set of headers (the From header among them), signs that hash with the domain's private key, and adds the result to the message as a DKIM-Signature header before the email leaves. The header also names the signing domain (d=) and a selector (s=), which tell the receiver where to find the matching public key.
When the email reaches the inbound mail server, the server looks for a DKIM-Signature header. If one is present, it recomputes the hash over the same body and headers, reads the signing domain and selector from the signature, and queries that domain's DNS for the public key. The email passes DKIM only if the signature in the header verifies against the recomputed hash using that public key; any change to the signed content, or a key that does not belong to the named domain, causes the check to fail.
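The body-hash half of that check, as an added example (this is not Campaign Monitor's code): it parses a DKIM-Signature header, canonicalizes the received body the way RFC 6376 prescribes for "simple" and "relaxed", recomputes the bh= value and compares it with the signed one. The sample body and header are constructed; the b= value is a placeholder, because verifying the signature over the headers additionally needs the public key from <selector>._domainkey.<domain> and an RSA or Ed25519 library, which is left out here.

```python
# Added example (not Campaign Monitor's code): the body-hash (bh=) part of DKIM verification.
# The signature over the headers (b=) is not checked here; see the lead-in.
import base64
import hashlib
import hmac
import re


def parse_dkim_signature(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header into a dict.
    Folded values (bh=, b=) may contain whitespace, which DKIM ignores."""
    tags = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body: str, canon: str) -> str:
    """RFC 6376 section 3.4 body canonicalization ("simple" or "relaxed").
    Both drop empty trailing lines and end the body with CRLF. "relaxed" also collapses
    runs of spaces/tabs to one space and strips trailing whitespace, so cosmetic
    whitespace changes in transit do not break the signature."""
    lines = body.split("\r\n")
    if canon == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    elif canon != "simple":
        raise ValueError(f"unknown body canonicalization {canon!r}")
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # An empty body canonicalizes to CRLF under "simple" and to "" under "relaxed".
        return "\r\n" if canon == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body: str, canon: str = "relaxed", hash_name: str = "sha256") -> str:
    """The bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(hash_name, canonicalize_body(body, canon).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(dkim_header: str, body: str) -> bool:
    """Recompute bh= from the received body and compare it with the signed value."""
    tags = parse_dkim_signature(dkim_header)
    if tags.get("v") != "1" or "bh" not in tags or "a" not in tags:
        return False
    if "l" in tags:
        # Body-length limits (l=) let an attacker append content; treat them as a failure here.
        return False
    hash_name = tags["a"].rpartition("-")[2]            # "rsa-sha256" -> "sha256"
    # c=<header>/<body>; with a single value the body canonicalization defaults to "simple".
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    try:
        expected = body_hash(body, body_canon, hash_name)
    except ValueError:
        return False
    return hmac.compare_digest(expected.encode("ascii"), tags["bh"].encode("ascii"))


# Constructed sample message, not a captured one. The bh= below is computed with the
# signer-side function above; b= is a placeholder because no key material is involved.
SIGNED_BODY = "Hi.\r\n\r\nWe  lost the game. Are you hungry yet? \r\n\r\nJoe.\r\n\r\n"
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(SIGNED_BODY) + ";\r\n"
    " b=PLACEHOLDER-NOT-A-REAL-SIGNATURE"
)


def demo() -> dict:
    """Original, whitespace-reflowed, and content-tampered copies of the same body."""
    reflowed = SIGNED_BODY.replace("We  lost", "We lost")   # survives "relaxed" canonicalization
    tampered = SIGNED_BODY.replace("lost", "won")          # changes the hash
    return {
        "original": verify_body_hash(DKIM_SIGNATURE, SIGNED_BODY),
        "reflowed": verify_body_hash(DKIM_SIGNATURE, reflowed),
        "tampered": verify_body_hash(DKIM_SIGNATURE, tampered),
    }


if __name__ == "__main__":
    print(demo())  # {'original': True, 'reflowed': True, 'tampered': False}
```

The constant-time comparison is habit rather than necessity here (the hash is not a secret), but the l= handling matters: a signature that covers only the first N bytes of the body leaves everything after them unsigned, so a receiver that honours l= would accept appended content as "untampered".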
SPF authorizes individual outbound mail server IP addresses to send on behalf of a domain; the receiving server checks the connecting IP against the SPF record of the domain in the envelope sender (Return-Path) address. Campaign Monitor supplies an SPF record for you automatically, authorizing the domains we send your emails through. Because this default setup authenticates our sending domain rather than yours, it is not domain-aligned SPF; emails sent with the default SPF settings will therefore most likely pass DMARC on the strength of DKIM, provided your DKIM is properly configured.
The role of DMARC is to stop spammers, phishers, and other unauthorized parties from forging a sending domain, that is, from passing themselves off as a sender they are not. In essence, DMARC prevents spoofing.
Where the inbound mail server supports DMARC, the owner of the sending domain gets considerable control over how that server treats mail that fails authentication for the domain. The published policy (the p= tag of the DMARC record) can ask for nothing to be done (p=none, monitoring only), for quarantine (p=quarantine: accept the message but deliver it to junk/spam), or for rejection (p=reject: block it altogether).
An email passes DMARC if it passes SPF or DKIM and the domain validated by that check is aligned with the domain in the From address: for SPF, the domain of the Return-Path (envelope sender) address; for DKIM, the d= domain of the signature. Passing SPF or DKIM on its own, without that alignment, is not enough.
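The same rule in code, as an added example that is not part of the original article: given the SPF and DKIM results a receiver has already computed, it parses the DMARC record, applies strict or relaxed alignment against the From domain, and returns the verdict and the disposition the policy asks for. All domain names are constructed; "esp-bounces.example" stands in for an email service provider's own Return-Path domain. The organizational-domain helper is a deliberate simplification (last two labels), where a real receiver consults the Public Suffix List.

```python
# Added example (not Campaign Monitor's code): the DMARC verdict (RFC 7489) computed from
# SPF and DKIM results the receiver has already obtained. Domain names are constructed.
from dataclasses import dataclass, field


def parse_dmarc_record(txt: str) -> dict:
    """Parse the TXT record published at _dmarc.<domain>, applying RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")   # DKIM alignment mode: r = relaxed, s = strict
    tags.setdefault("aspf", "r")    # SPF alignment mode
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification (assumption of this example): the last two labels. A real receiver
    consults the Public Suffix List so that names like example.co.uk resolve correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(authenticated_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    a = authenticated_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


@dataclass
class AuthResults:
    from_domain: str                    # domain of the visible From header
    spf_result: str                     # "pass", "fail", "softfail", "none", ...
    spf_domain: str                     # Return-Path (MAIL FROM) domain SPF was checked against
    dkim_results: list = field(default_factory=list)   # [(result, d= domain), ...]


def evaluate_dmarc(record_txt: str, r: AuthResults) -> dict:
    policy = parse_dmarc_record(record_txt)
    spf_aligned = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, policy["aspf"])
    dkim_aligned = any(
        result == "pass" and aligned(d, r.from_domain, policy["adkim"])
        for result, d in r.dkim_results
    )
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        # "deliver" is this example's label for a pass; pct= and sp= (subdomain policy) are not modelled.
        "disposition": "deliver" if passed else policy["p"],
    }


# Constructed scenarios.
RECORD_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"
RECORD_RELAXED = "v=DMARC1; p=quarantine"

# Sent through a provider: SPF passes for the provider's bounce domain (not aligned),
# DKIM is signed with the customer's own domain (aligned).
VIA_ESP = AuthResults("example.com", "pass", "esp-bounces.example", [("pass", "example.com")])
# Spoofed From header: the attacker's SPF and DKIM pass, but for the attacker's domain.
SPOOFED = AuthResults("example.com", "pass", "attacker.example", [("pass", "attacker.example")])
# DKIM key published under a subdomain: aligned only in relaxed mode.
SUBDOMAIN_KEY = AuthResults("example.com", "none", "", [("pass", "mail.example.com")])


if __name__ == "__main__":
    for name, r in (("via_esp", VIA_ESP), ("spoofed", SPOOFED), ("subdomain_key", SUBDOMAIN_KEY)):
        print(name, evaluate_dmarc(RECORD_STRICT, r), evaluate_dmarc(RECORD_RELAXED, r))
```

The SPOOFED case is the one DMARC exists for: the spoofer controls attacker.example completely, so SPF and DKIM both pass, yet neither authenticated domain is the one in the From header, and the domain owner's policy decides the outcome.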
However, an email that passes DMARC does not necessarily end up in the inbox. There are other checks an email must pass before it reaches its final destination, such as sender reputation checks and scans for spammy content. It is advisable to configure and verify your DKIM and domain-aligned SPF before setting up DMARC, so that a quarantine or reject policy does not act against your own legitimate mail.