Email Authentication 101: What It is and Why It is Important for Brand Reputation


For 2022, Webbula is launching a series of blog posts about email deliverability topics. We have a variety of esteemed authors from the email industry lined up to participate. 

  • Subscriber Management: How to Start, Maintain, and Break Up by Elizabeth Jacobi. Read it. 
  • Email Opt-Ins: It's All About Consent In the End by Matthew Vernhout. Read it here. 


Congrats, you spent months researching and you finally found your email marketing software provider. Now what? The very next step should be setting up your email authentication. Yes, you heard that right: before you upload your list, create content, and especially before you press send, you must authenticate your email.

What is Email Authentication? 

Email authentication may seem complicated or difficult to manage and understand, but anyone can do it. Here’s why: it’s a set it and forget it method. It only needs to be implemented once, and only needs to be updated if you change or add new tools for sending emails that are linked to your sender domain. 

The most difficult part of understanding email authentication is knowing where you should copy and paste the DNS records within the DNS panel. The good news is, you’re not alone and your hosting provider’s support team or Let’s Authenticate the World can help you out.

Email authentication is a process that validates you are the rightful owner while allowing you to send emails, protect your sender domain, and build domain reputation. It’s simply a technical solution that shows the inbox providers your email truly comes from you. This can be done within your inbox using G Suite or Zoho and with email tools such as CakeMail, Flowmailer, or Netcore Cloud (Read this awesome article from Pepipost to learn more). Setting up email authentication properly is the foundation for maximizing email marketing performance.

Although email authentication practices can be hard to absorb and implement, they are a cornerstone of proving the reliability and validity of your email messages for a few reasons.

 

3 Reasons Why Email Authentication Is Important

 

1. It helps protect you and your email subscribers from phishing – and get your email to the inbox.


Phishing is still a top-of-mind threat. In 2020, 75% of organizations around the world experienced some kind of phishing attack, and this figure increased by 22% in the first half of 2021. According to a Proofpoint study, 74% of phishing attacks in the US were successful. Overall, the 2021 report from Ponemon and IBM found that data breach costs rose from $3.86 million to $4.24 million, the highest average total cost in the history of this report. 

Email marketers need to show Internet Service Providers (ISPs) like Outlook or Gmail that they are the authentic sender who merits reliable inbox placement. This is how you can build a great relationship and domain reputation with each inbox provider you send emails to.

 

2. It improves your credibility and reputation


Reliable emails must produce positive engagement from subscribers, such as clicks and opens. Positive engagement guides ISPs into understanding that the email is appreciated by subscribers, which reflects positively on your sender reputation – since you are proving ownership of that positive engagement. 

 

3. It guards your brand reputation.

To stand out from the internet crowd, brand reputation is key. Authenticating your email minimizes the likelihood of your followers and subscribers receiving phishing messages from your domain and helps build trust. 

 

What does Email Authentication mean for me as a sender?

Over the past few years, email authentication has evolved into various protocols to protect senders and subscribers on different levels. All of the following standards address slightly different issues and help improve your email's overall legitimacy, reliability, and security.

Sender Policy Framework (SPF)

SPF lets the holder of a domain tell ISPs which IP addresses (IPs) and mail servers may send email on behalf of the domain. It aims to protect the sending domain by letting inboxes know which IPs are allowed to send using the authenticated domain. Any email sent from other IPs won’t be considered authenticated, even if other authentication measures pass.

To use SPF, add a TXT record to your domain's Domain Name System (DNS) zone file to specify which IP addresses you are sending from. The tool you use to send emails will provide you with the IP addresses your email is sent from. Please note that each domain or subdomain can have only one SPF record, and all sending IPs should be merged into this single record in your DNS panel. Once an email is delivered, the ISP checks the SPF record of the "envelope sender" domain (also known as the return path) to see if it contains the IP / mail server that sent the email.

    • If the search matches, the email passes SPF authentication.
    • If the search does not match, the email fails SPF and is ultimately rendered unauthenticated.
    • The ISP then does not know whether the email was sent by the real owner of the domain and might decide to send your email to the junk/spam folder or nowhere at all.
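The one-record rule and the IP check described above, as an added example that is not part of the original article. The TXT strings and IP addresses are constructed (documentation ranges), the function names are hypothetical, and only the `ip4`, `ip6` and `all` mechanisms are evaluated so that it runs without DNS.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
STRICTNESS = "+?~-"  # weakest to strictest qualifier on the final "all"

def spf_records(txt_records):
    """Keep only the TXT strings that are SPF records."""
    return [t for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]

def merge_spf(records):
    """Combine several SPF records into one: unique mechanisms, strictest 'all' last."""
    mechanisms, all_qual = [], None
    for rec in records:
        for term in rec.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                q = term[0] if term[0] in STRICTNESS else "+"
                if all_qual is None or STRICTNESS.index(q) > STRICTNESS.index(all_qual):
                    all_qual = q
            elif term not in mechanisms:
                mechanisms.append(term)
    tail = [all_qual + "all"] if all_qual else []
    return " ".join(["v=spf1", *mechanisms, *tail])

def check_ip(txt_records, sender_ip):
    """Evaluate ip4/ip6/all only; include, a and mx need live DNS and are skipped here."""
    records = spf_records(txt_records)
    if not records:
        return "none"
    if len(records) > 1:
        return "permerror"  # RFC 7208: more than one SPF record is an error
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qual = term[0] if term[0] in RESULT else "+"
        name, _, value = term.lstrip("+-~?").partition(":")
        if name.lower() == "all":
            return RESULT[qual]
        if name.lower() in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return RESULT[qual]
    return "neutral"

# Constructed TXT answers for one domain: two tools each published their own SPF record.
TXT = ["v=spf1 ip4:192.0.2.0/24 ~all",
       "v=spf1 ip4:198.51.100.17 -all",
       "site-verification=constructed-value"]
MERGED = merge_spf(spf_records(TXT))

if __name__ == "__main__":
    print(check_ip(TXT, "198.51.100.17"))      # two records: SPF errors out
    print(MERGED)
    print(check_ip([MERGED], "198.51.100.17"), check_ip([MERGED], "203.0.113.9"))
```

When merging records that use `include:` mechanisms, keep in mind that RFC 7208 limits an SPF evaluation to 10 DNS-querying terms.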

DomainKeys Identified Mail (DKIM)

An email authenticated with SPF isn’t enough to protect everyone from mass spam, phishing, or spoofing. SPF proves that the IPs are allowed to send using this domain but does not validate that the sender owns the domain. DKIM, on the other hand, allows the sender to validate the content of the message with the recipient’s ISP and proves they own the domain and can send from it. 

In practice, DKIM is a digital signature that is added to your email’s header and gets validated by the receiving inbox when your email is received. If the keys match, your email is authenticated. Again, having a valid SPF record while your DKIM signature is failing will make the ISPs consider your email to be unauthenticated. Both forms of authentication are needed for the email to be considered authenticated.

Note that you need a unique DKIM key from every tool you use that sends email using your domain. It is as simple as copying and pasting the two values provided by your tool to your DNS panel. Unlike SPF, multiple DKIM keys can be used per domain or subdomain. 

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC was introduced in 2012 and was designed as an email authentication, reporting, and policy protocol. DMARC protects your company's email domain from being used for email/message phishing, spoofing, and other cyber threat activities.

Once you, as the domain owner, publish a DMARC record in your DNS, you have better visibility and control over what is happening with your sender email. You don't want anyone else sending emails from your domain. You don’t know what they could be up to, and it could harm your reputation and deliverability.

You may also be unaware of the tools that are used to send out emails. Senders think of the most obvious tools for sending emails when it comes to authentication, such as personal inboxes or an email marketing platform. Don't forget that your domain can be used to send emails from a variety of other applications, such as accounting systems or calendar invites! If you don't confirm these emails are validated, they'll end up in the spam folder, especially if you have a strict DMARC policy.

DMARC is the last line of authentication defense. It allows you to tell inboxes what to do with an email that does not pass SPF or DKIM. 

Here are the three policies you can set within your DMARC record and what you can “ask” from the inbox by implementing them. You can opt to set the policy at three different stages:

  • "p" as none (also known as "monitor mode") - Instructs the ISP not to take action if confirmation fails and to decide on its own what should happen to said email.
  • "p" as quarantine - Instructs ISPs to take action and put the mail in the spam/quarantine folder.
  • "p" as reject - Instructs the ISP to "reject mail" if authentication fails.

You will receive daily emails generated by recipient inbox providers such as Google or Hotmail if you have DMARC enabled. They'll include details like why emails from your domain failed DMARC (a faulty DKIM key, for example) and from which IP they were transmitted. You must know when your identity is being used without your permission in the same way you want to know when your credit card is being used without your permission. This enables you to examine and resolve problems before they affect your deliverability and domain reputation for the long term.

It's crucial to start with the DMARC “p” value set to none. This guarantees that you have enough time to catch all of the emails you're sending that aren't authorized and remedy the problem. Then move to stricter policies/DMARC “p” values once you are sure you have properly authenticated your sender email with all tools that you use that send emails.
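One way to work through those daily reports while the policy is still at none, as an added example that is not part of the original article. The report is a constructed, trimmed sample in the RFC 7489 aggregate XML layout, and the sender inventory and function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample; real reports carry more fields (metadata, identifiers, auth_results).
REPORT = """<feedback>
 <policy_published><domain>example.com</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>198.51.100.25</source_ip><count>14</count>
  <policy_evaluated><dkim>fail</dkim><spf>pass</spf></policy_evaluated></row></record>
 <record><row><source_ip>203.0.113.77</source_ip><count>300</count>
  <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Hypothetical inventory: the sending tools you collected, keyed by their sending IP.
KNOWN_SENDERS = {"192.0.2.10": "email marketing platform",
                 "198.51.100.25": "accounting system"}

def summarize(report_xml):
    """Return the published policy and, per source IP, message and failure counts."""
    root = ET.fromstring(report_xml)
    stats = {}
    for row in root.iter("row"):
        ev = row.find("policy_evaluated")
        n = int(row.findtext("count"))
        s = stats.setdefault(row.findtext("source_ip"),
                             {"total": 0, "dkim_fail": 0, "spf_fail": 0})
        s["total"] += n
        s["dkim_fail"] += n if ev.findtext("dkim") != "pass" else 0
        s["spf_fail"] += n if ev.findtext("spf") != "pass" else 0
    return root.findtext("policy_published/p"), stats

def triage(report_xml, known_senders):
    """Split failing sources into your own tools (fix their DNS entries) and unknown IPs."""
    policy, stats = summarize(report_xml)
    failing = {ip for ip, s in stats.items() if s["dkim_fail"] or s["spf_fail"]}
    own = sorted(failing & set(known_senders))
    return {"policy": policy,
            "fix_own_tools": own,
            "unknown": sorted(failing - set(known_senders)),
            "safe_to_tighten": not own}  # stay at p=none until your own tools are clean

if __name__ == "__main__":
    print(triage(REPORT, KNOWN_SENDERS))
```

Reports arrive from outside parties, so in production parse them with a hardened XML parser such as `defusedxml` rather than the standard-library parser used here.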

How do you authenticate your sender domain?

To authenticate your domain you will need three things:

  • The domain-based email addresses you are using to send mail
  • A list of all the tools sending email from your domain(s)
  • Access to your DNS records from your web hosting provider's dashboard
  • And lastly, copy and paste skills

The first step is to list all tools that may send emails and notifications using your sender domain. I suggest asking everyone working within the company or brand. You never know who signed up to use a tool that makes their daily work life easier which also sends emails or notifications! Collect all the DNS entries you need to copy and then paste them into your DNS panel as described by your tools.

Contact your hosting provider or email marketing tool if you don't know what to copy/paste. If you have a list of all the DKIM, SPF, and DMARC keys you need to add, we're here to collaborate quickly and ensure they're adequately implemented. 

If you can't find the help you are looking for, feel free to contact your support team or sign up here to get it done for free without solicitation at Let's Authenticate the World.

If you're afraid to make your changes in the DNS panel, you can always ask your email tool support team to forward the required authentication entries, which you can then send to your hosting provider's support team. 

Below is a list of the most common email marketing providers and authentic information about authenticating domain-based email. Before anyone panics, I made sure it's a simple, straightforward, and one-time thing. If you know where to look and how to copy and paste, you are ready to go!

Constant Contact

Campaign Monitor

Hubspot

Cakemail

Mailgun

Mailchimp

AWeber

iContact




About the author

Yanna-Torry Aspraki is a Deliverability Specialist & the CBDO of EmailConsul. 

Sitting on the executive team at the intersection of Product, Growth, and Sales, YT helps drive the company forward in a market in desperate need of accessible and reliable deliverability tools, while representing EmailConsul in places email & deliverability have never been before.



