Marketers involved in the technical aspects of email delivery will often find themselves coming across the terms DKIM and SPF. This article here highlights the key differences between DKIM and SPF and how they essentially work.
The evolution of modern email was exciting and problematic at the same time. Of course, you know all about the positive impacts email had in our society and the revolution it created. However, it came with its own risks of security.
In the early days, email had limited features to inspect security and sender verification. Virtually all spam, scams, and viruses that spread through email did so simply by falsifying sender information. It was a huge risk. With time, the situation has gotten better. But it’s still an ongoing battle.
The good thing is we now have DKIM and SPF. These are protocols that protect us from hackers, con artists, and fraudsters who wander the web for weak security standards. Now, simply put, DKIM and SPF are basically authentication standards. These are standards that give you the assurance that you’re safe from domain hacking and fraud. When properly set, they act as a shield against malicious content.
Now, what they will do is allow you to prove that your emails are from an authentic source. There’s a growing prevalence of fraudulent and spam emails. Hence, ISPs value being able to inspect the authenticity of any email before delivering it to the recipients’ inbox. Each of the protocols features specific aspects of this authentication.
Now, before you know what DKIM and SPF can do, let’s make sure you know about what they cannot do. For instance, they cannot be a cure for email delivery issues all by themselves. Of course, they can develop a great sender reputation amongst IPS and other mail recipients. However, if you fail to follow good email practices, DKIM and SPF will not come to rescue.
So, now that you know why these protocols matter, let’s dive deeper to explain how they really work.
SPF, also known as Sender Policy Framework is a way through which ISPs such as Gmail and Yahoo can authenticate that a particular mail server is authorized to send emails for a domain. It falls under the category of a whitelist - a list of things considered to be trustworthy or credible for services allowed to send emails on your behalf. Similar to DKIM, SPF functions through DNS.
For instance, let’s say you use a service like Mailchimp to send out marketing emails. You’d then have to enter a DNS record that includes Mailchimp’s mail servers as a whitelisted credible source to send emails on behalf of your domain.
SPF’s primary function is to help email systems check whether another particular email platform is allowed to send emails on behalf of a particular domain. In simple words, suppose you use @marketing.xyz.com to send marketing emails. SPF then lets ISPs to check that your specific instance of Mailchimp is allowed to send emails using the xyz.com domain. In this manner, SPF helps ISPs to avoid a certain aspect of email spooking, where one server falsely claims to send emails from a specific domain.
SPF is critical to authenticate who’s allowed to send emails on behalf of your domain. This directly impacts your email delivery. Not only do you require it for email marketing and your company email accounts, but it’s also necessary for support services such as Zendesk, Helpscout, or anyone else sending emails on your behalf.
To understand how SPF works, you need prior knowledge of how the Internet functions. If you want to use a new domain on the Internet, the domain must be registered with a Domain Name Registrar. This is an organization that records who owns what domain and also the IP addresses associated with the domain. An IP address is a numeric string (e.g. 220.127.116.11) that servers use to find and direct requests and replies to each other.
When a request is made to a domain, a complex network of specialized servers known as Domain Name Servers (DNS) directs the request to the IP address of your company’s DNS. Your DNS then redirects the request to the correct system within your company’s internal network.
Now, when Verifybee sends out an email, SPF enables receiving systems to verify that the IP address associated with your instance is authorized to send on behalf of that domain. Suppose your email platform has an IP address of 18.104.22.168 and sends an email on behalf of @marketing.xyz.com. When an ISP receives an email from your Verifybee instance, the ISP will reach out to your company’s DNS, which is registered for xyz.com, and look for a record called an A-record that associates 22.214.171.124 with the domain marketing.xyz.com.
If the ISP finds that record, SPF marks your email as passed. However, passing SPF doesn’t mean your email will by default be delivered into the recipients’ inbox, but it does mean your email will not be blocked outright.
DKIM stands for Domain Keys Identified Mail. As mentioned earlier, it is simply an authentication method that detects whether a sender email address has been forged. The process of forging sender emails is known as email spoofing. Scammers usually use this tactic in email spam and phishing scams. DKIM acts like a gatekeeper to validate the authenticity of email messages.
When you send an email, it is signed with a private key. The Internet Service Provider (ISP) validates this using a public key called the Domain Name System (DNS). The DNS translates that domain name into an IP address. This is just a fancy way of saying that it allows you to use your browser to track websites and receive emails. DNS takes the responsibility of ensuring that no third party changes or distorts the email message during transit. This is because distorting email mid-transit is a genuine problem that happens more often than you can imagine.
On one hand, SPF determines the authenticity of an email’s source. On the other, DKIM ensures the contents of a mail haven’t been changed by unauthorized third parties. It does so by attaching a DKIM signature to all outgoing messages. Then, receiving email systems use that signature to check if the email’s content has been changed.
With DKIM, the unique private key that is used to sign emails is stored on your email server exclusively. You must keep this key secure and secret. It will be a serious security threat if hackers and con-artists get their hands on your secret key. Then, they’d have no issue forging your DKIM signatures and using them for fraudulent activities.
Afterward, in the sending and receiving process, ISPs verify the authenticity of messages. They do so by retrieving the corresponding public key from a specific DKIM record stored in your DNS.
DKIM works by using cryptographic key pairs and hashing. Cryptographic key pairs are two non-identical matching strings that encrypt and decrypt data. Hashing is a technique for creating a string of alphanumeric text through a mathematical function. The catch of these key pairs is that they can only be used with each other. One set can only be used to decrypt data that is received from its matching sibling. It can’t be used to decrypt data from a different key.
For instance, suppose you were sending an attachment with your bank account and routing number and didn’t use the correct security protocols. It could then be intercepted by a fraudster. Once intercepted, this hacker could put their own account and routing number and send it back to the intended recipient. The recipient will still think it came from you and instead pay the incorrect bank account.
A lesser-known benefit that DKIM provides is that ISPs, like Gmail, can use this information to build a reputation score for your domain. If you have top-notch sending practices such as low spam, high engagement, and minimal bounces, you’ll receive a higher score. This improves your credibility and reputation with ISPs. If you have scored low with poor practices, it’s less likely your emails will be delivered correctly. This almost guarantees that they’ll end up in that lowly spam folder nobody checks.
For instance, when you send an email from Verifybee, the receiving mail system will do the following:
It’s not all that difficult for a hacker to figure out how to send email from your domain. To protect yourself from such threatening activities, you’ll need to set up both SPF and DKIM.
DKIM is a set of keys that tell the IPs that you’re the original sender and nobody fraudulently intercepted your email. On the other hand, SPF is a whitelist that includes everyone who is authorized to send messages on your behalf.
If you’re curious to see this all in action, you can check whether an email is properly signed with DKIM or has passed SPF by checking out the email headers. In Gmail, you can see this by using the ‘Show Original’ option under settings. At the top, you would see PASS next to SPF and DKIM.
In short, not setting up SPF and DKIM will simply waste your company’s time, money, and resources since you’re increasing the chance that your emails will go undelivered. At the same time, you expose yourself to fraudulent activity.
Of course, you can always send emails asking people to whitelist you. However, expecting companies to whitelist you will only lead to rejections because most reputable companies will block any messages sent without that additional security and verification that DKIM and SPF provide.
If all this information seems too overwhelming, don’t worry. It’s just important for you to know why DKIM and SPF matter. Once you get the hang of it, it will take all of 10 minutes to ensure they’re deployed to protect you and boost your reputations with ISPs.