Email - how hard can it be?
The first email was sent in 1971, and things haven’t changed much since. So, how hard can it be?
It’s pretty hard. It’s too easy to spoof and send fake emails, and many people have been tricked in one way or another. What can we do to stop people from using our email addresses for spam, spoofs, and the fishing emails that are ever so popular?
Well, a few things. So let’s get started.
DNS
To fix email, or at least a small part of it, we need to dive deep into the DNS (short for the Domain Name System) and add a few records.
All devices on the Internet have an IP address, which looks something like 142.250.74.142. But that is hard for humans to remember, so we need a way to make it more memorable, and that’s where DNS comes in. A DNS server translates between a human-readable address and the IP address used by machines. As I write this, the address above is the translated version of google.com.
To send reliable emails, you need the following records in your DNS;
- Sender Policy Framework (SPF)
- DomainKeys Identified Mail (DKIM)
- Domain-based Message Authentication, Reporting & Conformance (DMARC)
Let’s look at them one by one and how they are related.
SPF
This is a TXT record in the DNS stating which servers are allowed to send emails for the domain name. The receiver can then verify that the domain in the email’s Return-Path is included in the record.
The TXT record looks like this;
v=spf1 a mx include:mydomain.com ~all
Note that you can only have one SPF record in the DNS, so include all domains that send emails on your behalf. These are often services like MailChimp, Postmark, or Klaviyo, and you might also have a CMS that sends emails, so make sure to include those.
If you need to have multiple domains, the record will look like this:
v=spf1 a mx include:mydomain.com include:spf.mtasv.net ~all
Above are our mydomain.com and Postmark’s spf.mtasv.net added to the SPF record.
DKIM
The DKIM authentication method uses a [private and public key pair setup]( The DKIM authentication method uses a classic private and public key pair setup. ). A public DKIM key is also a TXT record and looks something like this:
_v=DKIM1;t=s;p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBzXkunA
132Pf3SwHF7UKTODjFW8JKXUFWCHcNLvRHPCFDzJDPuAuoZq0XAIoOStu+Qq+/
ggm1zDYbgsaIkOmkBWV9m/NPQ3BbXNEnCqjsyVxWlrQs0R01W4ihsHM8BkbE7
dGRot1DdDM1HBMxrMDEOPuEZaNjtpgcJVRqswz7YwIDAQAB_
The Email Service Provider (ESP) uses the private key to cryptographically sign the sent email with a unique hash based on the private key and the message content. This hash is then placed in the message header.
The public key, saved in the DNS, can be used by the receiver to verify that the message body and attachments were not altered in transit and are sent from a valid domain.
DMARC
DMARC ensures that you pass either SPF or DKIM and that your DNS records are set up correctly. If not, the email will not be delivered. That is a little scary, but you can set up DMARC without quarantining or rejecting emails initially.
Why would you do this, then? I’ll tell you. The ESPs that support DMARC will send a DMARC report to the rua email address stated in the record.
This report is in XML format, but many (free) tools will help you parse and summarize it. If you’d like to get started, I recommend Postmark’s free DMARC reporting tool. Then, monitor it for a while, and when you’re happy with the results, move to the more strict quarantine or reject policy.
Ok, that sounds good, then. But how do we implement DMARC?
Yes, you’re right. We will implement it in the DNS with a TXT record. Who would have guessed…
And that one will look something like this:
v=DMARC1; p=none; sp=none; pct=100; rua=mailto:example@yourdomain.com;
The domain owner publishes a DMARC policy in their DNS with recommendations on how they would like receivers to process their mail based on SPF and DKIM authentication results.
This policy applies to all mail using that domain in the From header of the email. For DMARC to pass, either SPF or DKIM must pass and align with the DMARC domain.
If you send a lot of emails, more than 5000 emails a day, you need to read up on the "Yahoo and Google DMARC requirement" that came into force on February 1, 2024. To continue to have reliable delivery, the messages must pass DMARC Alignment, or they will not be delivered.
One more thing - BIMI
Another nice-to-have is adding a Brand Indicators for Message Identification (BIMI) TXT record to visualize your logo next to the emails you send. To add BIMI, you need to have:
- SPF and/or DKIM authentication alignment
- DMARC enforcement (either p=quarantine or p=reject)
So, after getting your DMARC set up and verifying that you don’t send emails from sources other than those you have included in your policy, you can force the emails to be quarantined or rejected.
This is a prerequisite for a BIMI implementation, so ensure your DMARC policy is set to enforcement mode (p=quarantine or p=reject) before implementing BIMI.
You can also verify your logo with a Verified Mark Certificate (VMC), even if it’s not a hard requirement.
When ready, you can, for instance, use the BIMI Record Generator by EasyDMARC to put everything in place.
References
Cloudflare has a set of good articles explaining DNS and the different records used to implement SPF, DKIM, and DMARC.
As do Postmark
- SPF record: Protect your domain reputation and email delivery
- DKIM: What is it and why is it important when sending emails?
- DMARC: What is it and why do you need it?
Articles
Other related resources
- Zonemaster - a domain test service published in the DNS-Labs from The Swedish Internet Foundation , "an independent, business-driven and public-benefit organization" that is "working for an internet that contributes positively to people and society".
- Turn on DKIM for your domain by Google Workspace Admin Help
- Before you set up DMARC and Add your DMARC record by Google Workspace Admin Help
Tools
- DMARC Check Tool by MxToolbox
- [DMARC Domain Checker](DMARC Domain Checker) by dmarcian
- BIMI Record Generator by EasyDMARC
Standards