SPF, DKIM, and DMARC: Protecting Your Email Marketing Identity
In 2017, online identity theft and email phishing scams are legitimate digital concerns. From lottery emails to so-called CRA Scams, it’s clear that protecting your personal and business identities is important. In our world, this is especially important when building email marketing plans and deploying your marketing automation strategy.
The unfortunate reality is that we cannot completely stop scammers from using fake sender addresses. However, there are ways to add security layers by deploying certain domain authentication records.
Thanks to three powerful authentication standards – SPF, DKIM and DMARC – the risk of phishing attempts can be reduced and Email Sending Reputations can avoid damage.
Let’s begin with a basic description of these three security standards, and the process of how to deploy them through your cPanel.
Sender Policy Framework (SPF)
SPF is a publicly available technical method to prevent sender address forgery. By creating an SPF TXT Record, you can authorize your own business domain or any third-party domain used to send emails on your behalf. When I say email sender, I mean the email client used for sending emails. These email clients can be public platforms such as Gmail, Outlook, and Yahoo, or Marketing Automation platforms such as Act-On, Pardot, Marketo, and HubSpot. They can even be Email Marketing tools such as MailChimp. It’s important to know that emails sent with any external technology use an external IP address with their own domains.
How to Implement SPF
Create an SPF TXT Record: Let’s use Gmail and Yahoo instances as an example. It’s a good idea to involve your IT team to make DNS record adjustments in your website’s cPanel.
Create or edit an SPF Text Record using the following example:
v=spf1 include:spf.protection.outlook.com include:_spf.act-on.net include:_spf.google.com ~all
Let’s break this record down:
- v=spf1 is a version indicator that stays common for all SPF TXT records.
- ‘include’ names another domain whose own SPF record is consulted, which authorizes that provider’s servers to send mail for your domain. For example, if you use Google Hosted Email, include ‘_spf.google.com’. Similarly, for Outlook Hosted Email, include ‘spf.protection.outlook.com’. Moreover, if you use any external messaging system that sends out emails using your domain, it needs to be added to the record. In the example above, I included ‘_spf.act-on.net’, which is for Act-On’s Marketing Automation Platform.
Avoid Adding Multiple SPF Records
Adding a separate SPF record for each domain can cause email delivery problems. Instead, we recommend modifying your existing SPF record.
DomainKeys Identified Mail (DKIM)
As mentioned before, it is better to provide maximum security layers to prevent spoofing and enhance email deliverability. DKIM is a signature-based method built on a cryptographic key pair (a public key and a private key): outgoing messages are signed with the private key, and the public key is published under your domain, where email receiving domains use it to determine whether the message is legitimate.
How to Implement DKIM
To implement DKIM, you need to obtain a public key. This public key will be added as a CNAME record and will be pointed to the sender domain. You may refer to the guidelines of your email system provider.
See below for the example on what this CNAME record looks like:
Hostname: 1_domainkey.yourdomain.com
Point to: Sender’s domain
Request Domainkey and domain details from your service provider.
For Google or Outlook, view the following guides:
If you use any other email sending platforms, contact their support team.
Domain Message Authentication Reporting & Conformance (DMARC)
This is a new-age email authentication protocol which allows senders and receivers to report domains that may be sending fraudulent messages. With DMARC, you can verify that emails are authenticated with SPF and DKIM. In addition, you can provide instructions on what to do in the event a sender is not verified, including: Do Nothing, Reject, or Quarantine (move to Junk/Spam).
How to Implement DMARC
DMARC is another TXT record, and it includes a mailto address for reports. You must have SPF and DKIM set up before implementing DMARC. Once these are set up, here’s how to implement DMARC:
- Type ‘@’ for Host.
- For TXT Value type “v=DMARC1; p=none; rua=mailto:[email protected]; adkim=r; aspf=r; pct=100; sp=none”
Notice sp=none. You can change it to quarantine or reject.
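The "Avoid Adding Multiple SPF Records" advice and the DMARC value above can both be checked before you publish them. The following is an added example, not code from this article or from any provider: the function names are hypothetical, the SPF string is the example record from this page, and the DMARC report address is a constructed placeholder.

```python
# Added example (not from the article): offline lint of SPF and DMARC TXT values.
# Function names are hypothetical; the DMARC report address is a placeholder.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def lint_spf(txt_records):
    """Summarize the SPF state of all TXT records published at one name."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    result = {"records": len(spf), "lookups": 0, "all": None, "errors": []}
    if len(spf) != 1:
        # RFC 7208: no record means no policy; several is a permanent error.
        result["errors"].append("expected exactly one v=spf1 record")
        return result
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name = term.lstrip("+-~?").lower()
        for sep in ":/=":
            name = name.split(sep)[0]
        if name in LOOKUP_TERMS:
            result["lookups"] += 1  # top level only; nested includes add more
        if name == "all":
            result["all"] = QUALIFIERS[qualifier]
    if result["lookups"] > 10:
        result["errors"].append("more than 10 DNS-querying terms")
    if result["all"] == "pass":
        result["errors"].append("+all authorizes every sender")
    return result


def parse_dmarc(txt):
    """Parse a DMARC TXT value and report the policy receivers will apply."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return {"policy": tags["p"], "enforcing": tags["p"] != "none",
            "subdomain_policy": tags.get("sp", tags["p"]),  # sp defaults to p
            "reports_to": tags.get("rua")}


ARTICLE_SPF = ("v=spf1 include:spf.protection.outlook.com "
               "include:_spf.act-on.net include:_spf.google.com ~all")
SAMPLE_DMARC = ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; "
                "adkim=r; aspf=r; pct=100; sp=none")
print(lint_spf([ARTICLE_SPF]), parse_dmarc(SAMPLE_DMARC), sep="\n")
```

With p=none the result shows "enforcing" as False: receivers send reports but still deliver mail that fails the checks, which is why the policy is later changed to quarantine or reject.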
Protection Against Email Server Vulnerability
At some point in recent years, everyone has had a tough time identifying what is real and what is spoofed. While there are many more tactics and sophisticated programs designed to protect against email phishing or spoofing, SPF, DKIM, and DMARC are relatively easy to implement, and doing so is well worth your time.