Email Authentication Protocol
Introduction
Authentication is the method to verify that the email messages you are sending are from your business and are trusted. Authentication allows other participants like ISPs, message transfer agents (MTA), mail delivery agents (MDA), and mail user agents (MUA) to verify that an email attributed to you as a sender has been sent by you before they transfer or deliver it. There are three main types of email authentication protocols as listed below.
- SPF
- DKIM
- DMARC
About SPF
An SPF record is a TXT-type record that you get from your ESP and publish in your DNS. It specifies which servers may send emails on behalf of your domain.
For a detailed article about implementing SPF authentication, see our Ongage Blog Post: Email Authentication Protocols: What are They and Why Are They Important?
Ongage Best Practice Regarding SPF Records With Multiple ESPs
Ongage recommends using different sending domains for different ESPs, for a variety of reasons, one of them being that the reputation of 1 ESP account will affect the reputation of the other ESP account.
Having said that, it is possible to merge 2 SPF records into one. So if you take the SPF record rule from one ESP and another SPF rule from another ESP, the two rules can be merged into 1 SPF record, so that you can use the same sending domain for both ESPs from Ongage, but as noted above this is not recommended.
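The merge described above, as an added example that is not Ongage or ESP code: it combines two constructed ESP rules into a single record (a domain may publish only one SPF record) and counts the terms that cost a DNS lookup, which RFC 7208 caps at 10 per check. Keeping the strictest "all" term is a choice made for this example.

```python
# Added example (not Ongage code). Sample records below are constructed.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208, 4.6.4
ALL_RANK = {"+all": 0, "all": 0, "?all": 1, "~all": 2, "-all": 3}

def merge_spf(*records):
    """Combine several 'v=spf1 ...' values into one record, keeping the strictest 'all'."""
    terms, seen, all_term = [], set(), None
    for rec in records:
        parts = rec.split()
        if not parts or parts[0].lower() != "v=spf1":
            raise ValueError(f"not an SPF record: {rec!r}")
        for term in parts[1:]:
            low = term.lower()
            if low in ALL_RANK:
                if all_term is None or ALL_RANK[low] > ALL_RANK[all_term]:
                    all_term = low
            elif low.startswith("redirect="):
                raise ValueError("redirect= replaces the whole policy and cannot be merged")
            elif low not in seen:  # drop duplicate mechanisms
                seen.add(low)
                terms.append(term)
    return " ".join(["v=spf1", *terms] + ([all_term] if all_term else []))

def lookup_terms(record):
    """Count top-level terms that cost a DNS lookup (nested includes add more)."""
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").lower()
        for sep in ":/=":
            name = name.split(sep)[0]
        count += name in LOOKUP_TERMS
    return count

# Constructed sample rules standing in for what two ESPs might hand you.
ESP_ONE = "v=spf1 include:spf.esp-one.example ~all"
ESP_TWO = "v=spf1 include:spf.esp-two.example ip4:192.0.2.10 -all"
MERGED = merge_spf(ESP_ONE, ESP_TWO)

if __name__ == "__main__":
    print(MERGED)
    print("lookup terms:", lookup_terms(MERGED), "(limit is 10 in total)")
```

Each include: can trigger further lookups inside the ESP's own record, so the real total has to be confirmed with a resolver-based SPF checker after publishing.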
Ongage Best Practice About Using Subdomains
For ESPs that ask for MX records, you can use info@subdomain.domain.com as the from address so that replies arrive in an actual inbox. One reason for this setup is that you avoid DNS overlap issues. Another is that it gives you an inbox to receive replies.
About DKIM
DKIM authentication seals the content of your email using a cryptographic lock referred to as a “DKIM signature.” Adding this encrypted lock to emails’ headers prevents the email from being opened by anyone who doesn’t have the corresponding key.
For detailed steps about the Domain Keys Identified Mail, visit our Ongage Blog Post: Email Authentication Protocols: What are They and Why Are They Important?
About DMARC
The Domain Message Authentication Reporting and Conformance protocol enables you to share authentication instructions with other mail agents and receive reports identifying unauthenticated emails being sent in your domain’s name.
For more about DMARC and how to implement it, visit our Ongage Blog Post: Email Authentication Protocols: What are They and Why Are They Important?
About BIMI
Brand Indicators for Message Information (BIMI) protocol allows companies to display their brand’s logo next to the email subject line, telling email recipients that the message is coming from a verified source.
What is a BIMI record?
It is a type of DNS record that is used to display the company’s logo inside your email message. It helps email recipients to identify you as a trusted sender. To enable the BIMI record, ensure your DMARC authentication is set up on the domain.
Requirements to get started with BIMI
To get started with BIMI you need:
- To be DMARC verified.
- An SVG file of your logo (square shaped).
- A DMARC policy (p=) of “quarantine” or “reject” for Verizon Media (AOL and Yahoo!). Else your logo will not be displayed.
- To have a Verified Mark Certificate (VMC).
Note: To get Verified Mark Certificate (VMC) you can contact one of the following participating certificate authorities.
Digicert: support@digicert.com
Entrust Datacard: sales@entrustdatacard.com
How to create a BIMI record?
To create a BIMI record for your domain follow the steps listed below.
- You need the logo file in the SVG format. To know in detail the steps to convert your logo in SVG format, you can refer to the documentation here.
- Go to the DNS hosting provider and create a new record.
- Enter the host value, for example default._bimi.example.com. The hosting provider will then append the domain/subdomain to the value that you have provided.
- After adding the value, you need to select the type of DNS record from the dropdown list. A BIMI record is a type of TXT DNS record. So make sure you select the “TXT” option from the dropdown list.
- Add the record value. Two tag-value pairs are required in every BIMI record: v and l (a lowercase L).
- The only tag-value pair for v (version) is v=BIMI1.
- Confirm the l (location) tag is present and followed by the full HTTPS URL of your logo.
- Click on the “Save Record Set” button so you can generate your new BIMI record.
- You need to also test your BIMI record to check the record you just created follows proper syntax. You can visit here to run a BIMI record check.
How to Set Up Protocols
Because Ongage is a front-end platform that connects to back-end email delivery vendors, which do the actual sending of the emails, DKIM and SPF are not set up in Ongage. Instead, you need to go to your email delivery vendor (e.g., Dyn, SparkPost, Mailgun, Amazon SES, etc.) and get the keys from them to put in your DNS. Typically those vendors either have clear instructions on how to do that or can help you set those up.
Once the setup is done, they will add a DKIM and SPF header to all your email messages when sent from Ongage via one of those email delivery vendors. Please speak to your back-end email delivery vendor (aka ESP/SMTP vendor) about how to get those set up. Your ESP will provide you with the TXT and/or MX records to configure for your sending domain.
In general, the setup process for these protocols (SPF, DKIM, and DMARC) differs between ESPs. Ideally, your ESP will provide a DNS record for each of the three protocols to configure for your sending domain.
For a detailed view of the TXT-type DNS records, you can visit our blog post about Email Authentication Protocols: What are They and Why are They Important?
About DNS Services
Following are links to a variety of leading DNS services
- Bluehost: General DNS Setup
- CloudFlare: General DNS help
- DynDNS: General DNS setup
- HostGator: General DNS setup
- Hover: General DNS setup
- Network Solutions: General DNS setup
- Rackspace Cloud DNS: General DNS setup
Check DNS Verification & Propagation of your Sending Domains
Following is a great tool to check your DNS record propagation status once the record is configured for respective domains.
Appendix
Resources for setting up SPF and DKIM
- Amazon SES: DKIM, SPF
- GoDaddy: SPF
- Dreamhost: SPF
- Namecheap: SPF, DKIM
- United Domains: DKIM and SPF (in German)
Articles about Email Authentication: SPF, DKIM, DMARC and BIMI
- Email Authentication Protocols: What Are They and Why Are They Important? (Ongage Blog: September 2020)
- 3 DNS Records Every Marketer Must Know (March 2017)
- Why DMARC Matters for Email Marketing (April 2017)
- What marketers need to know about DMARC (July 2016)
- Article Explaining DMARC Overview