DNS and Email Authentication Explained


Ensuring your emails make it into inboxes starts with correctly configuring email authentication mechanisms within your DNS settings. Gaining a solid understanding of DNS and these mechanisms is a critical first step in improving email deliverability.

With modern email infrastructure it is essential to have these mechanisms in place. Spam filters will rarely let mail into the inbox without them, and the largest mailbox providers now require SPF or DKIM from every sender, and both of them plus a DMARC policy from bulk senders.

DNS

  1. User Request: The procedure begins when a user enters a human-readable domain name (www.example.com) into an application such as a browser or mail client.
  2. DNS Query: The user’s application sends a DNS query to a local DNS resolver, which is typically provided by the user’s ISP or a public DNS resolver service.
  3. Resolution Process: The local DNS resolver checks its cache for the IP address associated with the domain name. If found, it returns the IP address to the user. If not, it proceeds to resolve the domain name by querying a series of DNS servers.
  4. Hierarchy of DNS Servers: The resolver checks with a hierarchy of DNS servers, including root DNS servers, top-level domain (TLD) servers, and authoritative DNS servers for the specific domain. Each server directs the resolver to the next level until the IP address is obtained.
  5. Response to Client: Once the IP address is received from the authoritative DNS server for the domain, the local DNS resolver stores it in its cache and returns it to the client. The client can then use this IP address to connect to the desired web server or email server associated with the domain.

DNS stands for Domain Name System. It operates much like a phone book for the internet: the name in the phone book is linked to a number you can use to contact the person, and DNS likewise converts an easy-to-remember domain name (amazon.com) into an IP address that tells your machine where the content you are requesting is hosted. Email relies on DNS as well, but through a different record type. When you send to info@example.com, your sending server queries DNS for the MX (mail exchanger) records of example.com, which name the hosts that accept mail for that domain, and then resolves those hostnames to IP addresses. Without that lookup the message has nowhere to go and cannot be delivered.

Organizations publish DNS records known as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to authenticate their email. When an email arrives, the recipient’s mail server looks up the records published for the sending domain and uses them to check the message’s legitimacy. If the checks pass, the email is considered authentic and is more likely to be delivered to the recipient’s inbox.


DKIM

  1. Email Signing: When an organization sends an email, the sending server canonicalizes the selected headers and the body, hashes them, and signs the result with a private key, producing a DKIM-Signature header. The private key is held by whoever operates the signing server (the organization itself or its email service provider) and is tied to the selector and domain named in the header (the s= and d= tags).
  2. DNS Record: The organization publishes the matching public key as a TXT record at selector._domainkey.example.com. Receiving servers use this public key to verify the signature.
  3. Email Transmission: The signed email is transmitted to the recipient’s mail server or email service provider.
  4. Verification Process: On receipt, the recipient’s server reads the d= and s= tags from the DKIM-Signature header and fetches the public key from DNS at that selector and domain.
  5. Signature Verification: The recipient’s server recomputes the body hash (bh= tag) and checks it against the header, then verifies the signature (b= tag) over the signed headers with the public key. If both match, the signed parts of the message have not been altered since signing and were signed by a holder of the domain’s private key, so the message is more likely to be treated as legitimate and delivered to the inbox.

DKIM stands for DomainKeys Identified Mail. It is an authentication measure that lets the receiving server confirm that the signed parts of your email have not been altered in transit and were signed with a key belonging to your domain. It works with a key pair: the private key stays on the signing server (yours, or your email service provider’s if they sign on your behalf) and is never sent anywhere; the public key is published in your DNS. The email itself carries only the signature, in the DKIM-Signature header. The receiving server fetches the public key from DNS and uses it to verify that signature against the message, which proves the message was signed by the holder of the private key.

DKIM is set up in your DNS as a TXT record named after the selector, for example mail2024._domainkey.example.com, which also lets you rotate keys by publishing a new selector. It helps receivers distinguish mail you actually signed from forgeries, which carry no valid signature for your domain. Because the signature travels inside the message rather than depending on the sending IP, DKIM survives forwarding where SPF often does not. A properly configured DKIM signature has a large effect on deliverability: many email service providers use DKIM results in their spam filtering, so getting it right moves your mail that much closer to the inbox rather than the spam folder.
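The following is an added example, not code from the original article or from any DKIM library. It shows the parts of DKIM verification that a receiver can do before touching any cryptography: parsing the DKIM-Signature header, deriving the DNS name where the public key lives, parsing that key record, and recomputing the body hash (bh=) with the "simple" body canonicalization from RFC 6376. The signature check over the headers (b=) is deliberately left out because it needs an RSA or Ed25519 implementation and the signer's private key. The domain, selector, message body and DNS record are all constructed for the example.

```python
"""DKIM pieces that can be reproduced offline: parsing the DKIM-Signature
header, deriving the DNS name of the public key, parsing that key record,
and checking the body hash (bh=). Signature verification (b=) is omitted
because it needs an RSA or Ed25519 implementation and the signer's key.
Added example; domain, selector, message and DNS record are constructed.
"""
import base64
import hashlib
import re


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag list ('v=1; a=rsa-sha256; d=example.com; ...')."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)  # folded whitespace is not significant
    return tags


def simple_body_canon(body: bytes) -> bytes:
    """RFC 6376 'simple' body canonicalization: normalize line endings to
    CRLF, drop empty lines at the end, and make sure exactly one CRLF ends
    the body (an empty body canonicalizes to a single CRLF)."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(simple_body_canon(body)).digest()).decode()


def dkim_dns_name(sig: dict) -> str:
    """Where a receiver fetches the public key: <selector>._domainkey.<domain>."""
    return f"{sig['s']}._domainkey.{sig['d']}"


def public_key_from_record(txt: str) -> dict:
    """Parse the TXT record at selector._domainkey.domain (v=DKIM1; k=rsa; p=...).
    An empty p= means the key was revoked and must not verify anything."""
    rec = parse_tags(txt)
    if rec.get("v", "DKIM1") != "DKIM1" or not rec.get("p"):
        raise ValueError("not a usable DKIM key record")
    return rec


def check_body_hash(dkim_header: str, body: bytes) -> bool:
    """Receiver side: recompute bh= over the received body and compare."""
    sig = parse_tags(dkim_header)
    return sig.get("bh") == body_hash(body)


def make_signature_header(domain: str, selector: str, body: bytes) -> str:
    """Signer side. b= is a placeholder: producing it requires the private key."""
    return (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body)}; b=PLACEHOLDER")


# Constructed sample data (hypothetical domain, selector and key bytes).
SAMPLE_BODY = b"Hello,\r\n\r\nYour invoice is attached.\r\n\r\n\r\n"
SAMPLE_HEADER = make_signature_header("example.com", "mail2024", SAMPLE_BODY)
SAMPLE_TXT = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAfakekeybytes"

if __name__ == "__main__":
    print("fetch key from:", dkim_dns_name(parse_tags(SAMPLE_HEADER)))
    print("key algorithm:", public_key_from_record(SAMPLE_TXT)["k"])
    print("body hash matches:", check_body_hash(SAMPLE_HEADER, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace(b"invoice", b"refund")
    print("body hash after tampering:", check_body_hash(SAMPLE_HEADER, tampered))
```

Two details worth noticing: trailing blank lines added by a relay do not break the body hash because canonicalization strips them, while changing a single word does; and a key record with an empty p= is how a domain revokes a selector, so a verifier must treat it as "no key" rather than as an empty key.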

SPF

  1. DNS Record Publication: The domain owner publishes an SPF record as a TXT record at the domain (v=spf1 ...). It lists the mail servers allowed to send on behalf of the domain, by IP range or by reference to another domain’s record with include:, and ends with an all mechanism whose qualifier says what to do with everyone else.
  2. Email Transmission: When a message arrives, the recipient’s server takes the domain from the envelope sender (the SMTP MAIL FROM address, later visible as Return-Path), or from the HELO/EHLO hostname if MAIL FROM is empty, and queries DNS for that domain’s SPF record. This is not the From: header the user sees; that header is tied to SPF only through DMARC alignment.
  3. SPF Record Verification: The recipient’s server compares the connecting IP address with the addresses authorized in the record. If it matches, the result is pass. If it does not, the result is whatever the final all mechanism specifies: -all gives fail, ~all gives softfail, ?all gives neutral.
  4. Email Delivery Decision: Based on the SPF result (and, increasingly, the DMARC policy that consumes it), the recipient’s server decides whether to accept, reject, or mark the email as spam. A valid SPF record helps prevent envelope-sender spoofing by declaring exactly which servers may send for the domain.

SPF stands for Sender Policy Framework. It is another authentication measure that helps ensure no one uses your domain to send fraudulent email. It works from a list of mail servers permitted to send messages for your domain. SPF records are DNS TXT records listing those authorized servers; when an email is received, the recipient’s mail server looks up the SPF record for the sending domain and checks whether the connecting server is on the list. If it is not, the receiving server can mark the email as spam or reject it outright, according to the record’s all qualifier and its own policy.

SPF, like DKIM, lives as a TXT record in your DNS. By publishing an SPF record, domain owners reduce the chance of their domain being associated with spam or phishing, which would damage its reputation, and many email service providers use SPF results in their spam filtering. Two caveats matter in practice: a record may trigger at most 10 DNS lookups (each include:, a, mx, exists and redirect= counts), beyond which receivers return a permanent error and treat the record as broken; and SPF checks the connecting IP, so a message forwarded by a mailing list or another mailbox fails SPF at the final hop unless the forwarder rewrites the envelope sender. A correctly set up SPF record improves deliverability by making sure legitimate mail from your domain passes authentication and reaches the inbox.
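As an added example (not the article's code and not a production SPF library), here is a small evaluator for the check described above, run against a stubbed DNS zone so it works offline. It implements the ip4, ip6, include and all mechanisms with all four qualifiers and enforces the RFC 7208 limit of 10 DNS-querying mechanisms, which is what turns a self-referencing include: into a permerror rather than an infinite loop. The a, mx, exists and redirect= terms are not implemented; the domains and records in the zone are constructed for the example.

```python
"""Minimal SPF evaluator against a stubbed DNS zone.

Added example, not part of the original article. It handles ip4, ip6,
include and all with the +, -, ~ and ? qualifiers and enforces the RFC 7208
limit of 10 DNS-querying mechanisms. a, mx, exists and redirect= are not
implemented. The zone data below is constructed for the example.
"""
import ipaddress

# Constructed TXT records, keyed by domain, as a receiver would fetch them.
STUB_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "softfail.example": "v=spf1 ip4:192.0.2.1 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # misconfigured: includes itself
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10


def lookup_spf(domain: str):
    """Return the domain's v=spf1 TXT record, or None if it has none."""
    record = STUB_DNS_TXT.get(domain)
    return record if record and record.startswith("v=spf1") else None


def check_host(ip: str, domain: str, lookups=None) -> str:
    """RFC 7208 check_host(): the connecting IP against the domain's policy.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if lookups is None:
        lookups = [0]  # mutable counter shared across include: recursion
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        qualifier = "+"  # mechanisms default to pass when they match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"  # too many DNS-querying mechanisms
            inner = check_host(ip, arg, lookups)
            if inner in ("permerror", "none"):
                return "permerror"  # broken or missing included record
            matched = inner == "pass"  # include: matches only when the inner check passes
        elif name == "all":
            matched = True
        else:
            return "permerror"  # a, mx, exists, redirect= are not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no all mechanism present


if __name__ == "__main__":
    for ip, domain in [("203.0.113.45", "example.com"),
                       ("198.51.100.10", "example.com"),
                       ("2001:db8:1::5", "example.com"),
                       ("192.0.2.9", "example.com"),
                       ("192.0.2.9", "softfail.example"),
                       ("192.0.2.9", "nospf.example"),
                       ("192.0.2.9", "loop.example")]:
        print(f"{ip:>16}  {domain:<28} {check_host(ip, domain)}")
```

Note how the softfail from the included provider record does not leak out: include: only contributes a match when the inner result is pass, so the outer -all still decides the final result for an unauthorized IP.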


DMARC

  1. DMARC Policy Publication: The domain owner publishes a DMARC policy as a TXT record at _dmarc.example.com. It tells receiving servers how to handle mail that claims to be from the domain but fails authentication: p=none (monitor only), p=quarantine (deliver to the spam folder), or p=reject (refuse the message). It can also name where to send reports (rua=) and how strictly identifiers must align (adkim=, aspf=).
  2. Email Transmission: When a message arrives, the recipient’s server takes the domain from the From: header, the address the user actually sees, and queries DNS for _dmarc.<that domain>, falling back to the organizational domain if the subdomain has no record of its own.
  3. DMARC Verification: The receiver combines the SPF and DKIM results with alignment. The message passes DMARC if at least one of the two passed and its authenticated domain aligns with the From: domain, meaning the SPF envelope-sender domain or the DKIM d= domain is either identical to it (strict alignment) or shares its organizational domain (relaxed alignment, the default). A DKIM pass from an unrelated domain, or an SPF pass for a bounce domain that does not align, does not count. If neither passes aligned, the receiver applies the published policy.
  4. Reporting and Feedback: DMARC includes a reporting mechanism: receivers send aggregate reports (rua=) and optionally per-message failure reports (ruf=) to the addresses named in the record. These show who is sending mail for your domain and how it authenticates, which is how you find the legitimate senders you forgot about before tightening the policy, and how you protect the domain’s reputation.

DMARC stands for Domain-based Message Authentication, Reporting and Conformance. It works in conjunction with SPF and DKIM: it lets domain owners set rules for how receiving servers should handle mail that fails DMARC, meaning neither SPF nor DKIM passed with a domain aligned to the From: header. Those actions can be rejecting the email, quarantining it, or simply monitoring it for further analysis. DMARC helps prevent spoofing and phishing by ensuring that only senders who can pass aligned SPF or DKIM can use the domain in the visible From: address.

DMARC also provides insight into email traffic, showing organizations who is sending mail on their behalf and how it is being handled. Misconfiguring DMARC or tightening the policy too early can cause deliverability problems: any legitimate service that sends as your domain without aligned SPF or DKIM (a CRM, a ticketing tool, a forwarded message) will be quarantined or rejected. The usual approach is to start at p=none with rua= reporting, fix each unaligned legitimate sender the reports reveal, then move to quarantine and finally to reject, monitoring the reports at each step to strike the right balance between security and deliverability.
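The following is an added example, not the article's or any library's code, that carries the DMARC verification steps above through in code against a stubbed DNS zone: fetching the _dmarc record with the organizational-domain fallback, testing strict and relaxed alignment, and deciding a disposition, including the subdomain policy (sp=). Its one deliberate simplification is that the organizational domain is taken as the last two labels; real receivers use the Public Suffix List, so multi-part suffixes such as co.uk would be handled wrongly here. The record, domains and authentication results are constructed for the example.

```python
"""DMARC evaluation offline: fetch the policy from a stubbed DNS zone,
test identifier alignment, and decide a disposition.

Added example, not the article's or any library's code. Records and
authentication results are constructed. Simplification: the organizational
domain is taken as the last two labels; real receivers use the Public
Suffix List. pct= is parsed but not sampled.
"""

# Constructed _dmarc TXT records as a receiver would fetch them.
STUB_DNS_TXT = {
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "rua=mailto:dmarc-rua@example.com"),
}


def parse_tags(value: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a dict with lower-cased keys."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def parse_dmarc(txt: str) -> dict:
    """Validate the record and fill in defaults (relaxed alignment, sp=p, pct=100)."""
    tags = parse_tags(txt)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record: v=DMARC1 and a valid p= are required")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("sp", tags["p"])
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain (simplified to the last two labels)."""
    return ".".join(domain.lower().split(".")[-2:])


def fetch_policy(from_domain: str):
    """Look up _dmarc.<From: domain>, falling back to the organizational domain."""
    for name in (f"_dmarc.{from_domain}", f"_dmarc.{org_domain(from_domain)}"):
        if name in STUB_DNS_TXT:
            return parse_dmarc(STUB_DNS_TXT[name])
    return None


def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain) -> dict:
    """spf_domain is the envelope-sender (MAIL FROM) domain SPF was run on;
    dkim_domain is the d= tag of a signature that verified, or None."""
    policy = fetch_policy(from_domain)
    if policy is None:
        return {"result": "none", "disposition": "none"}  # no policy published
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none"}
    # The subdomain policy (sp=) applies when the From: domain is not the org domain.
    p = policy["sp"] if from_domain.lower() != org_domain(from_domain) else policy["p"]
    return {"result": "fail", "disposition": p}


if __name__ == "__main__":
    cases = [
        ("example.com", "pass", "bounce.example.com", "none", None),            # SPF aligned (relaxed)
        ("example.com", "pass", "mailprovider.example", "pass", "example.com"),  # DKIM aligned (strict)
        ("example.com", "fail", "mailprovider.example", "pass", "mail.example.com"),  # forwarded, adkim=s bites
        ("billing.example.com", "fail", None, "fail", None),                      # subdomain, sp= applies
        ("nodmarc.example", "pass", "nodmarc.example", "pass", "nodmarc.example"),  # no policy
    ]
    for case in cases:
        print(case[0], evaluate(*case))
```

The third case is the deliverability trap the text warns about: the message carries a valid DKIM signature from mail.example.com, but because the record sets adkim=s it does not align with example.com, so a forwarded message that lost SPF is rejected. Relaxed alignment (the default) would have passed it.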
