SPF authentication starts by identifying all legitimate IP addresses that should send email for a given domain and publishing that list in DNS as the domain’s SPF record. Before delivering a message, the receiving email provider verifies SPF by looking up the domain in the “envelope from” address (the SMTP MAIL FROM / Return-Path address, which is not shown to the recipient) and fetching that domain’s SPF record. If the IP address delivering the email on behalf of the domain is not listed in the record, the message fails SPF authentication.
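The SPF check described above, as an added example that is not part of the original article: a simplified evaluator over constructed SPF records (standing in for DNS TXT lookups) that handles the ip4, ip6, include and all mechanisms with their qualifiers. The domains and addresses are documentation-reserved placeholders, not real records.

```python
import ipaddress

# Constructed SPF records keyed by domain; they stand in for DNS TXT lookups
# and are NOT real records for these (reserved) domains.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, records=SPF_RECORDS, depth=0):
    """Return the SPF result for a connecting IP against a domain's record.

    Supports ip4/ip6/include/all only; mechanisms that need further DNS
    lookups (a, mx, exists, ...) return permerror in this simplified version.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 to prevent loops
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier is "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all decides the remaining IPs
        if name in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)  # bare IP -> /32 or /128
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # An include: term matches only when the included record yields "pass";
            # a none/permerror from the include would be permerror under RFC 7208.
            if check_spf(sender_ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"  # unsupported mechanism in this simplified evaluator
    return "neutral"  # nothing matched and no explicit "all": RFC 7208 default
```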
For DKIM authentication, the sender first identifies which parts of the message to cover with the DKIM signature. These can include the “from” header, the subject, the body of the email and more. The signed parts must remain unchanged in transit, or the message will fail DKIM authentication. Second, the sender’s email platform creates a hash of the signed headers and body. Once the hash is generated, it is signed with a private key that only the sender can access. After the email is sent, it is up to the receiving email gateway or consumer mailbox provider to validate the DKIM signature. This is done by fetching the public key that corresponds to the sender’s private key (published in DNS under the selector named in the signature), using it to recover the original hash from the signature, and comparing that hash against one recomputed from the received message; any mismatch fails DKIM.
Tools and Best Practices
- Due to the volume of DMARC reports that an email sender can receive and the lack of clarity provided within DMARC reports, fully implementing DMARC authentication can be difficult.
- DMARC parsing tools can help organizations make sense of the information included within DMARC reports.
- Additional data and insights beyond what’s included within DMARC reports help organizations to identify email senders faster and more accurately. This helps speed up the process of implementing DMARC authentication and reduces the risk of blocking legitimate email.
- Professional services consultants with DMARC expertise can help organizations with DMARC implementation. Consultants can help identify all legitimate senders, fix authentication issues and can even work with email service providers to make sure they are authenticating properly.
- Organizations can create a DMARC record in minutes and start gaining visibility through DMARC reports by enforcing a DMARC policy of “none.”
- By properly identifying all legitimate email senders, including third-party email service providers, and fixing any authentication issues, organizations should reach a high confidence level before enforcing a DMARC policy of “reject.”