Authenticate your mails (SPF, DKIM)

Email authentication is a critical but often overlooked issue. Lack of authentication can lead to deliverability issues, unwanted emails and ultimately damage to your brand's reputation. In this article, we will explore the importance of authenticating your emails and the three main technologies used to achieve this: SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance).

SPF (Sender Policy Framework)

The Sender Policy Framework (SPF) is an email authentication technique that helps prevent email address spoofing. In essence, SPF allows domain owners to specify which email servers are authorized to send email on their behalf. When an email server receives a message, it checks the SPF record of the sender's domain to ensure that the sending server is authorized to send email on their behalf. If the SPF check fails, the email may be marked as inauthentic or even rejected, which helps protect your domain against unauthorized use.

DKIM (DomainKeys Identified Mail)

DomainKeys Identified Mail is another authentication technique that focuses on ensuring the integrity of emails and verifying that they have not been modified in transit. With DKIM, the sender's email server digitally signs each outgoing email using a private key. The receiving server verifies this signature using the public key stored in the DNS record of the sender's domain. If the DKIM signature is valid, the email is considered authentic and has not been altered since it was sent.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an additional layer of authentication that builds on SPF and DKIM. DMARC allows domain owners to specify how mail that fails SPF or DKIM authentication should be handled. You can configure DMARC so that failed emails are delivered, marked as spam, or rejected altogether. In addition, DMARC provides detailed reports on attempted mailings on your behalf, allowing you to monitor and improve the authentication of your emails.

Why should you use SPF, DKIM and DMARC protocols?

Email authentication via SPF, DKIM and DMARC is crucial in today's digital world. Here's why you should seriously consider incorporating these security measures into your communications:

First, these technologies help you prevent spoofing and phishing, two common methods of cyber deception. In doing so, you protect both your brand and your recipients.

It also improves the deliverability of your emails. Mail servers evaluate authentication to decide whether a message is delivered or marked as spam. By authenticating your emails with SPF, DKIM and DMARC, you increase the chances of them reaching the inbox.

You also strengthen the credibility of your domain. Your recipients can trust that your emails are genuine, which increases the likelihood that they will open and respond to them.

Protecting your brand and reputation is another key benefit. By preventing unauthorized use of your domain in fraudulent emails, you avoid damaging your image.

In addition, by meeting your subscribers' expectations, you offer them a safe and positive experience.

Finally, DMARC provides you with detailed reports on your domain usage, allowing you to identify problems and improve your security policies.

How to configure a DNS record for SPF authentication

When setting up your SPF, keep two key considerations in mind:

1. An SPF record is technically a TXT record type. Do not confuse this with the term "SPF type" (which, although usable, is not recommended). SPF records should be configured as TXT type records.
2. In each domain, there should be only one SPF record. If you have multiple SPF records in your domain, mail servers may get confused and not know which one to use, which could result in authentication problems.

To set up or verify your SPF records, you can log in through your hosting account. If you notice that you do not have an SPF record, it is important that you create one. In case you already have an existing SPF record, you simply need to update it. Also, in some specific situations, it may be relevant to consider including an SPF record on a particular subdomain, different from the SPF record of the main domain. This gives you the flexibility to tailor authentication to different areas of your email infrastructure.

Configuring a DNS Record for DKIM Authentication

To enable DKIM authentication, you will need to create a new DKIM record in your domain's DNS configuration. Unlike SPF, DKIM allows the inclusion of multiple DKIM DNS records without complications. From your hosting account, proceed to the creation of a new DNS record, selecting the TXT type.

Depending on the hosting provider you use, you may need to place quotation marks around the TXT record value. If you are in doubt about whether or not to include quotation marks, we recommend contacting your hosting provider for specific guidance.

Configuring a DNS record for DMARC authentication

Before starting to implement DMARC, it is essential to verify that the SPF and DKIM records are properly configured. As previously mentioned, DMARC establishes the policy to be followed in case of SPF and DKIM protocol failures by means of a specific DNS record.

For DMARC to function properly, it is essential that there is a match between the domain names present in the SPF and DKIM records, as well as in the "From" header of the email. With this alignment, DMARC gives you the option to apply one of the following three policies in case the match is not met:

1. None: This policy implies that no further action will be taken, allowing the local policy to be applied by default.
2. Quarantine: In this setting, emails that do not comply with the required alignment may be marked as spam, which instructs mail servers to place them in the recipient's spam folder.
3. Reject: Under this policy, messages that do not comply with the specified alignment will be rejected and will not be delivered to the recipient's inbox.

Ensuring that your SPF and DKIM records are in order is an essential step in taking full advantage of DMARC and ensuring the authenticity and security of your emails.

1. Log in to the control panel of your domain or web hosting service provider.
2. Create a new DNS record type "TXT". In the "Name" or "Host" field, enter "_dmarc" followed by your domain (for example, "_dmarc.mycompany.com").
3. In the "Value" or "Content" field, configure the DMARC policy you wish to implement. This includes specifying how mails that do not pass SPF or DKIM authentication should be handled. An example DMARC policy might be: "v=DMARC1; p=quarantine; rua=mailto:dmarc@miempresa.com; ruf=mailto:dmarc@miempresa.com; sp=quarantine".
4. Save the configuration.

It is important to mention that the exact configuration of these DNS records may vary depending on your domain or web hosting service provider.

If you want advice, do not hesitate to contact us, enter hereYou will see all our services and get personalized advice.