Domain Authentication: limits and developments
Authenticating the sender's domain is increasingly important in the world of e-mail. Threats such as domain spoofing, phishing and spear phishing have pushed brands towards stronger authentication strategies. Protocols such as SPF – Sender Policy Framework – and DKIM – DomainKeys Identified Mail – have started to show their limits, so it becomes essential to add new check methods, first of all DMARC.
Based on SPF and DKIM usage, DMARC extends their value:
- to safeguard the brand's reputation and its customers
- to protect the business
- to enable GDPR compliance
Furthermore, DMARC brings benefits to deliverability. It is now clear that adopting DMARC with a restrictive policy positively influences the score assigned by the major mailbox providers, starting with Gmail, which explicitly recommends it in its bulk sender guidelines.
A restrictive DMARC policy is also necessary to implement BIMI – Brand Indicators for Message Identification – i.e. showing the official brand logo directly in the inbox. BIMI is actively adopted by Verizon (Yahoo!, AOL) and will be implemented in the coming months by Gmail and Microsoft.
SPF and DKIM
SPF is the e-mail authentication protocol based on the originating IP. The SPF record is a DNS record of the sending domain that lists all the IPs authorized to send e-mail on its behalf. If the receiving service recognizes the sending IP as valid, the e-mail is forwarded to the recipient's inbox; otherwise the message is labeled as spam. In a nutshell, it certifies that a given IP is really authorized to send e-mail for the domain and that there has been no misuse. The SPF record is validated against the envelope From domain, not against the domain visible to the final recipient.
DKIM is instead a cryptographic signature that guarantees the integrity of the message from the moment it is sent until it reaches the inbox. Brands can sign their e-mails with their own domain name and so guarantee the integrity of the message content. In Send, for example, the default DKIM domain is contactlab.it: this ensures that all e-mails sent via Send are properly signed with a domain that has a good reputation.
SPF and DKIM are fundamental requirements to legitimize the sender domain, but they may not be enough and can sometimes produce false positives. In some cases the SPF and DKIM checks can flag problems even in entirely legitimate contexts: think of an e-mail that is forwarded or relayed through a mailing list.
What happens in these cases? When the SPF or DKIM check fails, the receiving mailbox provider – MBP – has the right to decide whether the message is legitimate and therefore harmless, or potentially harmful to the mailbox user.
This is where DMARC – Domain-based Message Authentication, Reporting and Conformance – comes into play: a protocol that gives brands a way to tell the mailbox provider how to distinguish false positives from spoofing and phishing threats, and what action to take in each possible scenario.
How DMARC works
DMARC is also a reporting system through which the brand gains visibility of the traffic sent under its domain. In addition to reporting the results of the SPF and DKIM checks, it creates a link between the domain visible to the reader (the header From, RFC 5322) and the technical domains (the envelope From domain, RFC 5321, and the DKIM signing domain).
If the visible domain – From – is the same as the SPF or DKIM domain, DMARC alignment is achieved and the e-mail is delivered correctly.
Fig. 1: Contactlab applies a DKIM linked to the contactlab.com domain to its service e-mails
If DMARC detects a misalignment between the domains, it is the brand that tells the receiving mailbox provider (Gmail, Microsoft, Yahoo! …) how to handle the non-aligned e-mail. It does so with a logic of progressive severity that instructs the MBP to:
- p=none → apply no policy and take no action on the e-mail that failed the check
- p=quarantine → mark the non-aligned e-mail as spam
- p=reject → reject the e-mail
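To make the alignment and policy logic above concrete, here is an added Python example (not Contactlab's or the Send platform's code) that parses a constructed DMARC record and decides the disposition of one message from its SPF and DKIM results. It goes slightly beyond the text by also handling the relaxed/strict alignment modes (the aspf and adkim tags of RFC 7489), which are what let a subdomain align with the brand domain; all domain names and check results are constructed sample values.

```python
# Added example (not Contactlab's code): evaluate DMARC alignment and the
# resulting disposition for one message. Simplified: organizational domain =
# last two DNS labels (real receivers use the Public Suffix List); no DNS lookup.
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=quarantine; adkim=r'."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")  # alignment mode: r = relaxed, s = strict
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain):
    """Organizational domain; simplified here to the last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed alignment accepts a
    subdomain of the same organizational domain (news.example.com vs example.com)."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def dmarc_disposition(record_txt, from_domain, spf_domain, spf_pass,
                      dkim_domain, dkim_pass):
    """Return (dmarc_result, action). spf_domain is the envelope From
    (RFC 5321) that SPF checked; dkim_domain is the DKIM d= tag."""
    rec = parse_dmarc_record(record_txt)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, rec["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, rec["adkim"])
    if spf_ok or dkim_ok:  # one passing, aligned identifier is enough
        return "pass", "deliver"
    return "fail", {"none": "deliver", "quarantine": "spam", "reject": "reject"}[rec["p"]]

# Constructed sample: the brand (example.com) publishes p=quarantine.
SAMPLE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    # Newsletter signed with a custom DKIM domain aligned to the visible From.
    print(dmarc_disposition(SAMPLE_RECORD, "example.com", "bounce.esp.example",
                            True, "news.example.com", True))  # ('pass', 'deliver')
    # Forwarded copy: SPF breaks and the DKIM domain is the ESP default contactlab.it.
    print(dmarc_disposition(SAMPLE_RECORD, "example.com", "fwd.example.org",
                            False, "contactlab.it", True))    # ('fail', 'spam')
```

The second case shows why the text insists on a customized DKIM domain: a signature that validates but belongs to the ESP's own domain does not align with the brand's From domain and the message is handled according to the published policy.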
Note that the above policies also affect BIMI; in particular, the requirements to activate it are:
- A DMARC policy of quarantine or reject.
- A BIMI DNS record and a compatible logo.
- A good domain reputation.
It is immediately apparent that, with the spread of DMARC, customizing the DKIM domain and aligning it with the sender's domain or subdomain is increasingly required.
That said, what does Send offer?
Send provides the tools to achieve full compliance with the DMARC requirements and enables you to take advantage of the benefits offered by its adoption.
In particular, customized DKIMs can be managed on a per-domain basis within a single Send account, ensuring that each domain is aligned with the brand's sending domains.
In this way the brand can use different domains for different newsletters (product mailings, commercial communications, etc.), always comply with DMARC and ensure the highest level of deliverability.
To find out the requirements for multi-DKIM activation, contact your Contactlab representative or our Customer Service. In addition, the Contactlab Deliverability Team is available to help you implement the DMARC policy correctly, with technical and strategic suggestions.