As email marketers you will undoubtedly eventually hear about some technical aspects of email deliverability – you will come across the acronyms SPF (Sender Policy Framework), DKIM (Domain Keys Identity Maail), and DMARC (Domain-Based Message Authentication, Reporting and Compliance). What do these all mean though and why are they important to you as an email marketer?
At a high level what these do is enable you to prove that your emails are authentic and demonstrates that Eloqua (for example) is authorized to send emails you behalf of your company and the contents have not been tampered with.
Let’s take a closer look at each of these technical protocols:
SPF (Sender Policy Framework)
SPF stands for Sender Policy Framework and specifies which IP addresses and/or servers are allowed to send email “from” a particular domain. This is similar to the physical world when you put a return address on a postal letter. If the recipient knows who the letter is from, they are more likely to open it and read your letter. In the digital world, the recipient is the receiving email server, who decides whether to actually deliver the email to someone’s inbox.
To understand how SPF works lets explain how the internet works. If you want to use a domain, for example martechhero.com, the domain must be registered with a Domain Name Registrar which is an organization that records who owns the domain and also the IP addresses associated with the domain. An IP address is a numeric string, for example the IP address for martechhero.com is 126.96.36.199.
When an email system such as Eloqua sends out an email, SPF allows the recipient system to verify that the IP address associated with your instance is authorized to send on behalf of that domain. So, for example, if your email platform sends from the IP of 111.222.333.444 and sends an email on behalf of martechhero.com the receiving ISP will reach out to martechhero.com’s DNS and look for an A-record that associates 111.222.333.444 with the domain martechhero.com. If the ISP finds that record then your email is said to have passed SPF.
DKIM stands for Domain Keys Identity Mail and is a way to ensure that the contents of the emails have not been altered by unauthorized third parties. In essence it “signs” your emails as a trusted email. Using the postal mail comparison, this would be like having your letter notarized before sending it. If the recipient knows that the sender was verified, they are more likely to trust the contents of the letter. In the digital world, the recipient is the receiving email server, who can better trust emails signed with DKIM because it shows that the email is who it says it’s from, and that it hasn’t been tampered with.
DKIM works by using hashing and cryptographic key pairs. Hashing is a method for creating a string of alphanumeric text through a mathematical function, while cryptographic key pairs are two non-identical matching strings that encrypt and decrypt data.
Thus, when a DKIM signature is applied to an email, parts of the email are first hashed to generate a seemingly random alphanumeric string. So, for example, martechhero.com might become 19s7J657ghyest. This hash is further encrypted using a private cryptographic key that only your servers can access. This encrypted data makes up part of the DKIM signature, which will also detail the location of the sibling public-key on your DNS.
When you send an email from an email system like Eloqua, the receiving mail system will do the following:
-Create its own hash from parts of your email as it is stipulated in the DKIM signature
-Use the location given by your DKIM signature to find the public key and use it to decrypt your string to the original hash.
-Compare the self-generated hash to the decrypted hash and make sure they match. If the self-generated hash does not match the decrypted one that would mean that there was tampering. If the match was made then the email would pass DKIM.
DMARC stands for “Domain-based Message Authentication, Reporting and Conformance” and is the final step to securing your email. It puts together a policy to officially follow what’s in your SPF and DKIM records.
DMARC allows the administrative owner of a domain to publish a policy in their DNS records to specify which mechanism (DKIM, SPF or both) is employed when sending email from that domain; how to check the From: field presented to end users; how the receiver should deal with failures – and a reporting mechanism for actions performed under those policies.
To pass DMARC, a message must do two things:
-Pass either SPF or DKIM authentication, and
-Pass SFP or DKIM validation. Validation is where the friendly from address in the email, also known as the mail-from address, matches the bounceback address, which is also called the header-from address.
That is the high level overview of these email sending authentications but if you have any questions or comments let us know.