Mastering Email Deliverability Part 3: Demystifying Email Authentication Protocols + Compliance Requirements
May 10, 2024
By Alen Čapelja
Email deliverability is the measure of how successfully your emails reach their intended inboxes. Getting an email from point A to point B seems fairly straightforward, but when you factor in spam filters and other potential roadblocks, deliverability is not as simple as it sounds.
In the third installment of our Mastering Email Deliverability series, we build on the concepts introduced in parts one and two, looking beyond the fundamentals of design, content, and reputation to explore email authentication protocols and other tools that play a significant role in improving deliverability.
Overview of Email Authentication Protocols
Email authentication protocols let receiving servers verify that a message really came from your domain. They make it harder for others to spoof your domain and reduce the chance that your legitimate mail is flagged as spam or phishing, increasing the likelihood that your messages reach their intended audience.
Three standards are used for email authentication, with each playing a crucial role in maintaining the integrity and trustworthiness of email communications. (The standards are discussed in greater detail in “Mastering Email Deliverability Part 1.”)
Sender Policy Framework (SPF)
SPF helps prevent spammers from sending emails that look like they're coming from your domain. You publish an SPF record as a TXT entry in your domain name system (DNS) settings that lists the IP addresses and hosts authorized to send email for your domain; the receiving server checks the connecting IP against that list. One caveat worth knowing up front: SPF evaluates the domain in the SMTP envelope sender (MAIL FROM, shown to recipients as the Return-Path), not the visible "From" header. That is why DMARC alignment, discussed below, matters.
DomainKeys Identified Mail (DKIM)
DKIM uses a public/private key pair. Your sending server signs selected headers and the message body with the private key, and the public key is published in DNS under a selector for your domain. The receiving server uses that public key to verify that an email claiming to be from your domain was actually signed by it and that the signed content hasn't been tampered with in transit.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
DMARC helps protect your domain from unauthorized use, such as phishing scams. You publish a policy in your DNS records that tells the receiving server how to handle messages that fail authentication (none, quarantine, or reject) and where to send reports about what it saw, so you learn who is sending mail in your domain's name.
In addition to the above three standards, many organizations include Dedicated Sending Domain and Brand Indicators for Message Identification in their email deliverability strategy.
Brand Indicators for Message Identification (BIMI)
BIMI is a specification that lets participating mailbox providers display your brand's logo next to messages that pass DMARC. It is a tool for email marketers and brands because the logo increases brand visibility and recipient trust in the inbox, which can in turn help engagement. BIMI does not authenticate anything on its own; it builds on DMARC and requires your domain to be at an enforcement policy.
Dedicated Sending Domain (DSD)
DSD is a strategy often used in email marketing to isolate email sending activities from a company's main domain or shared domain. This action enhances email deliverability by protecting the main domain's reputation and, where applicable, prevents it from being affected by negative engagement from a shared domain. (See “Mastering Email Deliverability Part 2” for a deeper dive into sender reputation and deliverability.)
These email authentication protocols and practices work together to verify the legitimacy of emails and protect your domain’s reputation, which are essential factors in email deliverability success.
How Authentication Protocols and Best Practices Work to Verify Sender Legitimacy
On the surface, email authentication protocols may sound complicated, but when you look at them from a functional perspective, it’s easy to understand the value they bring to your email deliverability efforts.
SPF
Imagine you're hosting an exclusive gala and you give a list of authorized guests to door security. An SPF record for your email domain functions like this list. Just as the security guard checks the guest list to see if a person is allowed in, email servers check the SPF record to see if an email comes from an allowed server. If someone who's not on the list tries to enter, they're turned away; an email from an unauthorized server might be rejected or marked as spam.
DKIM
Think of DKIM like a wax seal on a letter. In the old days, people would seal letters with a unique stamp in wax to prove it came from them and hadn't been tampered with. DKIM serves a similar purpose for emails. It attaches a digital "seal," or signature, to an email. When the email reaches its destination, the recipient checks this seal against a public key (like comparing the seal to a known stamp) to verify the email came from you and hasn't been altered en route.
DMARC
We've all been warned of the dangers of letting strangers into our homes without proper identification. For instance, if someone comes to your house claiming to be from the gas company, they should be able to provide credentials (i.e., SPF and DKIM) to verify who they are. If the person doesn't have the credentials, you might choose to not let them in (reject), hold them at the door for closer inspection (quarantine), or let them in but keep an eye on them (none). DMARC is like those instructions for your email. It tells email servers what to do with messages for which neither an aligned SPF result nor an aligned DKIM signature passes; a message only needs one of the two to pass DMARC. The action taken depends on the policy you set.
BIMI
BIMI is like a VIP badge for emails. Just like a VIP badge at an event instantly tells you someone is important and should be welcomed in, BIMI lets an email stand out by showing the sender's logo next to the email in the inbox. The badge is only handed out after the ID check: the logo is displayed only when the message passes DMARC under an enforcement policy, so it amounts to a visible "this email is from who it says it is."
DSD
DSD is the PR rep of email deliverability. DSD can help protect your main domain's reputation or prevent it from being affected by negative engagement from a shared domain if your email marketing campaigns result in high bounce rates or spam complaints. DSD also allows for better control and monitoring of your email sending practices and deliverability.
Implementation Tips and Best Practices for Setting Up Authentication Protocols
Now that you understand how email authentication protocols work, let’s look at some tips and best practices for setting up authentication protocols in your organization:
SPF
- Keep it simple: Ensure your SPF record isn't overcrowded with too many authorized sending sources. RFC 7208 allows at most 10 DNS-querying mechanisms (include, a, mx, ptr, exists, and the redirect modifier) per evaluation, counting the records pulled in by each include. Exceed that and receivers return a permanent error, so the record protects nothing. Prefer ip4/ip6 entries where you can and prune vendors you no longer use.
- Avoid the "+all" mechanism: Using "+all" in your SPF record essentially allows all IP addresses to send emails on your domain's behalf, including fraudulent ones, which defeats the purpose of SPF. End the record with "~all" (softfail) while you are still discovering senders and "-all" (fail) once the list is complete.
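As an added example (not code from the original article or from SmartBug), here is a small Python linter that applies the two SPF checks above to a record: it counts the DNS-lookup terms against the limit of 10, following include and redirect into the referenced records, and flags a dangerous or missing "all" qualifier. The DNS table it reads from is constructed for offline use; the domains and records in it are hypothetical.

```python
"""SPF record linter (added example).  Counts the DNS-lookup terms that
RFC 7208 caps at 10, follows include/redirect into the referenced records,
and flags qualifiers on 'all' that make the record useless or too open.
The DNS table below is constructed for offline use; it is not live data."""
import re

# RFC 7208 section 4.6.4: each of these terms costs one DNS lookup.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example mx -all",
    "_spf.esp.example": "v=spf1 include:a.esp.example include:b.esp.example ~all",
    "a.esp.example": "v=spf1 ip4:198.51.100.0/24 a mx -all",
    "b.esp.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "open.example": "v=spf1 include:_spf.esp.example +all",
}

TERM_RE = re.compile(r"([+\-~?]?)([A-Za-z0-9]+)(?:[:=/](.*))?")


def parse_terms(record):
    """Split a record into (qualifier, name, value) triples, skipping 'v=spf1'.
    A mechanism with no explicit qualifier defaults to '+' (pass)."""
    terms = []
    for token in record.split()[1:]:
        match = TERM_RE.fullmatch(token)
        if match is None:
            terms.append(("", token.lower(), None))   # malformed; kept for reporting
            continue
        qualifier, name, value = match.groups()
        terms.append((qualifier or "+", name.lower(), value))
    return terms


def count_lookups(domain, resolve, seen=None):
    """Total DNS lookups needed to evaluate domain's record, including the
    records pulled in via include: and redirect=."""
    if seen is None:
        seen = set()
    if domain in seen:              # guard against include loops
        return 0
    seen.add(domain)
    record = resolve(domain)
    if record is None:
        return 0
    total = 0
    for _, name, value in parse_terms(record):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and value:
            total += count_lookups(value, resolve, seen)
    return total


def lint_spf(domain, resolve=FAKE_DNS.get):
    """Return human-readable findings for the SPF record published at domain."""
    record = resolve(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return [f"{domain}: no valid SPF record found"]
    findings = []
    lookups = count_lookups(domain, resolve)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{domain}: {lookups} DNS lookups exceeds the limit of "
                        f"{MAX_LOOKUPS}; receivers return permerror")
    terms = parse_terms(record)
    for qualifier, name, _ in terms:
        if name == "all" and qualifier == "+":
            findings.append(f"{domain}: '+all' authorizes every host on the internet")
        elif name == "all" and qualifier == "?":
            findings.append(f"{domain}: '?all' is neutral and gives receivers no signal")
        elif name == "ptr":
            findings.append(f"{domain}: 'ptr' is deprecated by RFC 7208 and slow to check")
    if not any(name in ("all", "redirect") for _, name, _ in terms):
        findings.append(f"{domain}: no 'all' or redirect=; unmatched senders are neutral")
    return findings


if __name__ == "__main__":
    for name in ("example.com", "open.example", "missing.example"):
        print(name, count_lookups(name, FAKE_DNS.get), lint_spf(name) or ["ok"])
```

To run it against a real domain, replace `FAKE_DNS.get` with a function that fetches the TXT record beginning with `v=spf1` (for instance via dnspython) and returns it as a string, or `None` when there is none.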
DKIM
- Pay attention to key length: Ensure your DKIM keys are at least 1,024 bits long; 2,048 bits is recommended (RFC 8301) and is what most providers expect today. A 2,048-bit public key exceeds the 255-character limit of a single TXT string, so some DNS providers require you to split it into multiple quoted strings; verify the published record with a DKIM checker after saving it.
- Rotate keys regularly: Regularly changing your DKIM keys limits the damage if a private key leaks from a sending system or ESP. Rotation is low-risk because each key lives under its own selector: publish the new selector, switch signing to it, wait for in-flight mail to clear, then remove the old record.
DMARC
- Utilize DMARC reporting: The rua= tag in your record requests daily aggregate reports (XML) from receivers, and ruf= requests per-message failure reports where providers still offer them. These reports show every source sending mail in your domain's name and whether it passed SPF, DKIM, and alignment. Use a tool to parse them; the raw XML is not meant to be read by hand.
- Ensure DMARC alignment: The domain in the visible "From" header must align with the d= tag of a DKIM signature that verifies, or with the Return-Path (MAIL FROM) domain that SPF authenticated. Only one of the two needs to align for DMARC to pass. In relaxed mode (the default) a subdomain such as bounce.example.com aligns with example.com; in strict mode (adkim=s, aspf=s) the domains must match exactly. Mail sent through an ESP often passes SPF for the ESP's own domain, which does not count; set up a custom Return-Path and DKIM signing on your domain.
- Enforce gradually: Start with a "p=none" policy for monitoring, then move to "quarantine," and finally to "reject" as you become more confident in your email authentication setup. The pct= tag lets you apply the stricter policy to a percentage of failing mail first, and sp= sets a separate policy for subdomains.
- Include non-active domains: Deploy DMARC for all your domains, including those not actively sending emails, to protect against spoofing. For a domain that sends no mail at all, publish "v=spf1 -all" and "v=DMARC1; p=reject" so receivers can drop anything that claims to come from it.
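The alignment rules above are where most DMARC deployments go wrong, so here is an added Python example (not from the original article or SmartBug) that evaluates one message the way a receiver does: it parses the DMARC record, applies strict or relaxed alignment to the SPF and DKIM results, and returns the disposition, including the sp= case for subdomains. The records, the tiny public-suffix table, and the authentication results are all constructed; a real implementation must use the full Public Suffix List for organizational-domain lookups.

```python
"""DMARC identifier alignment and disposition per RFC 7489 (added example).
Everything here is constructed: the records, the toy suffix list and the
authentication results a receiving server would have produced."""

# Toy stand-in for the Public Suffix List (publicsuffix.org).  Production
# code must use the real list; this one only covers the examples below.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def org_domain(domain):
    """Organizational domain: the public suffix plus one more label.
    mail.example.com -> example.com; shop.example.co.uk -> example.co.uk"""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(header_from, auth_domain, mode):
    """Strict ('s') needs an exact match with the RFC5322.From domain;
    relaxed ('r', the default) needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate_dmarc(header_from, dmarc_record, spf_pass_domain=None,
                   dkim_pass_domains=()):
    """Return (dmarc_result, disposition) for one message.

    spf_pass_domain:   the MAIL FROM domain if SPF returned pass, else None.
    dkim_pass_domains: d= values of DKIM signatures that verified.
    DMARC passes when EITHER identifier both authenticates and aligns; a raw
    SPF or DKIM pass on an unrelated domain counts for nothing."""
    tags = parse_dmarc(dmarc_record)
    spf_ok = aligned(header_from, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = any(aligned(header_from, d, tags.get("adkim", "r"))
                  for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    # The record is assumed to have been found at the organizational domain;
    # sp= (if present) then governs mail claiming one of its subdomains.
    policy = tags.get("p", "none")
    if header_from.lower() != org_domain(header_from) and "sp" in tags:
        policy = tags["sp"]
    dispositions = {"none": "deliver, report only", "quarantine": "quarantine",
                    "reject": "reject"}
    return "fail", dispositions.get(policy, "deliver, report only")


if __name__ == "__main__":
    RECORD = "v=DMARC1; p=reject; sp=quarantine; aspf=s; adkim=r; rua=mailto:dmarc@example.com"
    # Bulk mail via an ESP: Return-Path on a bounce subdomain fails strict
    # SPF alignment, but the DKIM signature with d=example.com aligns -> pass.
    print(evaluate_dmarc("example.com", RECORD, "bounce.example.com", ["example.com"]))
    # Spoofer whose own domain passes SPF: nothing aligns -> fail, rejected.
    print(evaluate_dmarc("example.com", RECORD, "spoofer.example", []))
    # Unauthenticated mail claiming a subdomain -> the sp= policy applies.
    print(evaluate_dmarc("news.example.com", RECORD))
```

The second case is the one to remember when reading reports: an SPF "pass" in the raw authentication results is not a DMARC pass unless the authenticated domain aligns with the From header.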
BIMI
- Enhance visibility and trust: Publish a BIMI record (a TXT record at default._bimi.yourdomain) pointing to your logo as an SVG Tiny PS file served over HTTPS. Providers such as Gmail also require a Verified Mark Certificate (VMC) from an approved certificate authority, which in turn requires a registered trademark for the logo. Once displayed, the logo increases your brand's visibility in the recipient's inbox and adds a layer of trust to your email communications.
- Complement existing protocols: BIMI works in conjunction with SPF, DKIM, and DMARC and is only honored when your DMARC policy is at enforcement (quarantine or reject, with pct=100). Treat it as the last step after the other three are in place, not as a substitute for them.
All these settings are made at the domain level in your DNS, and it's essential to keep monitoring your configurations after achieving compliance: new vendors appear, SPF includes change under you, and keys are rotated. Staying proactive in your email security practices protects your deliverability reputation.
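The monitoring mentioned above is done mostly by reading the aggregate reports your DMARC record requests. As an added example (not part of the original article or SmartBug's tooling), the Python below parses one such report in the RFC 7489 Appendix C XML format and lists the sources that failed DMARC, distinguishing the aligned results in policy_evaluated from the raw SPF and DKIM results. The report is a constructed sample; the provider name, IPs and counts are made up.

```python
"""Summarize a DMARC aggregate (rua) report (added example).  The XML below
is a constructed report in the RFC 7489 Appendix C format, not one received
from a real mailbox provider."""
import xml.etree.ElementTree as ET

# Constructed sample: one legitimate source and one source that passed raw
# SPF on its own domain but failed DMARC because nothing aligned.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>2024-05-10-example</report_id>
    <date_range><begin>1715299200</begin><end>1715385599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>1200</count>
      <policy_evaluated>
        <disposition>none</disposition><dkim>pass</dkim><spf>pass</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>bounce.example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.77</source_ip><count>35</count>
      <policy_evaluated>
        <disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf>
      </policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>spoofer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (published_policy, rows).  Reports arrive from third parties, so
    production code should parse them with defusedxml rather than plain ET."""
    root = ET.fromstring(xml_text)
    policy = {child.tag: (child.text or "").strip()
              for child in root.find("policy_published")}
    rows = []
    for record in root.findall("record"):
        row = record.find("row")
        evaluated = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # policy_evaluated holds the DMARC-aligned verdicts, not raw results
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "header_from": record.findtext("identifiers/header_from"),
            "raw_spf_domain": record.findtext("auth_results/spf/domain"),
            "raw_dkim_domain": record.findtext("auth_results/dkim/domain"),
        })
    return policy, rows


def summarize(rows):
    """Message totals plus the sources that failed DMARC outright."""
    failing = [r for r in rows if not (r["dkim_aligned"] or r["spf_aligned"])]
    return {
        "total": sum(r["count"] for r in rows),
        "failed": sum(r["count"] for r in failing),
        "failing_sources": [r["source_ip"] for r in failing],
    }


if __name__ == "__main__":
    published, rows = parse_aggregate_report(SAMPLE_REPORT)
    print("policy:", published["p"], "| summary:", summarize(rows))
    for r in rows:
        if not (r["dkim_aligned"] or r["spf_aligned"]):
            print(f"investigate {r['source_ip']}: raw SPF domain {r['raw_spf_domain']} "
                  f"does not align with From {r['header_from']}")
```

Real reports arrive as gzip or zip attachments to the rua= mailbox, often several per day per provider, so in practice you unpack them and feed many files through the same parser, then group by source IP and header_from before deciding which sources are yours (fix their authentication) and which are not (leave them to the policy).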
Compliance Requirements for Email Deliverability
Data privacy and consent are hot-button issues for email marketers. Staying up to date with changes and maintaining compliance with requirements and regulations must be a part of your email deliverability strategy. Non-compliance not only can damage your brand’s reputation and customer trust but can also lead to fines and other penalties.
Below are some recent updates from Google and Yahoo that directly impact email delivery and authentication protocols.
In February 2024, Google and Yahoo began enforcing new requirements for bulk email senders aimed at improving email security and deliverability. Bulk senders must authenticate their mail with both SPF and DKIM and must publish a DMARC policy in the sending domain's DNS; a monitoring-only policy of "p=none" satisfies the requirement, but the policy has to exist.
In addition, the domain in the "From" header must align with either the SPF-authenticated Return-Path domain or the DKIM signing domain (one is enough), so the mail actually passes DMARC. The requirements apply to senders who dispatch 5,000 or more messages a day to these providers, including emails sent via third-party email service providers (ESPs) using your email domain.
Google has defined a bulk sender as anyone who sends "close to 5,000 messages in a 24-hour period one or more times." This includes all types of emails sent with the same domain in the “From” header within a 24-hour period. Transactional and customer support emails are also included in this total, which means that even senders who do not typically consider themselves bulk senders might be affected.
To comply with these changes, senders must ensure that their emails are authenticated using SPF and DKIM and that they have a DMARC policy published. Additionally, Yahoo and Google require that marketing and subscription emails support one-click unsubscribe using the List-Unsubscribe and List-Unsubscribe-Post headers defined in RFC 8058, alongside a visible unsubscribe link in the body, and that unsubscribe requests be honored within two days. Senders must keep their user-reported spam rate low: Google asks senders to stay below 0.1% in Postmaster Tools and never reach 0.3%. Google also requires valid forward and reverse DNS (PTR) records for sending IPs, TLS for delivery, and message formatting that complies with RFC 5322 (the Internet Message Format standard), so that messages are not rejected or marked as spam.
These compliance requirements aren’t just applicable for maintaining access to Gmail and Yahoo inboxes; they’re also best practices across the email marketing industry. Ensuring compliance with these standards helps improve email deliverability and protect your brand reputation.
Take Control of Email Deliverability with Authentication Protocols
Authenticating your emails' legitimacy and protecting your main domain's reputation are essential to reaching the right audience with your email marketing efforts.
Implementing the SPF, DKIM, and DMARC standards in conjunction with DSD and BIMI best practices is the most effective approach to getting the results you need.
Not sure how to get started? Schedule a call with SmartBug’s deliverability experts and let us provide a road map to improve deliverability and growth for your email marketing campaigns.
About the author
Alen Čapelja is SmartBug’s E-commerce Service Design Manager. He specializes in next-level problem solving and pushing the limits within the creative and client services departments. Alen employs a user-first approach that he’s refined after more than a decade of e-commerce work. Being part of executing more than a million emails in various ESPs has given Alen a broad understanding of e-commerce marketing and technology capabilities. Read more articles by Alen Čapelja.