Setting up SPF & DKIM records for your outsourced email vendor is an essential part of reaching your customers' inboxes. This post is meant to be a palatable primer (not an exhaustive reference) on two important email authentication protocols, Sender Policy Framework (SPF) & DomainKeys Identified Mail (DKIM), and how to properly deploy them when working with a third party email vendor.
Sender Policy Framework (SPF)
Sender Policy Framework is a mechanism for publishing, in a DNS TXT record on a domain, the list of IP addresses (and, through include: mechanisms, other domains' records) allowed to send email for that domain. It's a signal to receiving mail servers and spam filters that you've given a third party authorization to send email on behalf of your domain. SPF authentication is completely transparent to your customers.
When your vendor sends an email on your behalf, there are two "from" addresses, and receiving mail servers treat them differently:
- SMTP MAIL FROM (RFC5321.MailFrom) is the envelope sender given during the SMTP transaction. It is the address SPF checks are performed against, and it is copied into the Return-Path header of the delivered message; bounces go back to it. It identifies the system responsible for sending the message, and your customers normally never see it.
- The From: address in the message headers (RFC5322.From) is the address displayed by your customers' email clients and is what's visible to them. SPF does not examine it.
For SPF to pass, the MAIL FROM domain must publish an SPF record that authorizes your vendor's sending IPs. Your vendor will give you a record (typically an include: mechanism pointing at the vendor's own SPF record) to add to your domain's DNS. When SPF is checked, the receiving mail server queries DNS for the SPF record of the MAIL FROM domain and tests whether the connecting IP is authorized by it; your vendor's presence in that record is what indicates you've given the vendor domain permission to send for you.
Your vendor should also pay special attention to how the two addresses above are configured. They should not use a RFC5321.MailFrom address that includes your domain (this isn't technically where the email originates from), or forge headers such as Return-Path to make it appear so. Since SPF authenticates the connecting IP against the MAIL FROM domain, the receiver's spam filter will check that IP against the SPF record of your vendor's own domain. As long as the vendor's record is published and lists the IP the message came from, SPF will pass. Keep in mind that such a pass is a pass for the vendor's domain, not yours; tying the message to your own domain is DKIM's job, covered below. Make sure that the from address being seen by your customers (RFC5322.From) is an address they are familiar with. Obviously, you want to use your domain in the From: address for branding purposes and so your customers recognize it.
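To make the MAIL FROM versus From: distinction concrete, here is an added example (not code from the original post) of the check a receiving server performs. It is written in Go against a constructed in-memory zone instead of real DNS; mailvendor.example, yourcompany.example, the selector-free record contents and the IP addresses are all invented, and only the ip4, ip6, include and all mechanisms are implemented. The check runs on the envelope sender's domain, so the From: column never changes the result:

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed zone data standing in for public DNS (names and addresses are invented):
// the vendor's own record, and the record the vendor asked you to publish on your domain.
var zone = map[string]string{
	"mailvendor.example":  "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:cafe::/48 -all",
	"yourcompany.example": "v=spf1 include:mailvendor.example ~all",
}

// CheckSPF evaluates domain's SPF record against the connecting IP and returns pass,
// fail, softfail, neutral, none or permerror (RFC 7208 terms). Only ip4, ip6, include
// and all are implemented; a, mx, exists and modifiers such as redirect= come back as
// permerror rather than being silently skipped. lookups counts DNS-querying mechanisms,
// which RFC 7208 caps at 10 so a hostile record cannot send receivers down an endless chain.
func CheckSPF(domain string, ip net.IP, lookups *int) string {
	rec, ok := zone[strings.ToLower(domain)]
	if !ok {
		return "none"
	}
	terms := strings.Fields(rec)
	if len(terms) == 0 || terms[0] != "v=spf1" {
		return "permerror"
	}
	for _, term := range terms[1:] {
		qualifier := "+"
		if strings.ContainsAny(term[:1], "+-~?") {
			qualifier, term = term[:1], term[1:]
		}
		name, arg := strings.ToLower(term), ""
		if i := strings.Index(name, ":"); i >= 0 {
			name, arg = name[:i], name[i+1:]
		}
		matched := false
		switch name {
		case "all":
			matched = true
		case "ip4", "ip6":
			if !strings.Contains(arg, "/") { // bare address means a single-host prefix
				arg += map[string]string{"ip4": "/32", "ip6": "/128"}[name]
			}
			_, network, err := net.ParseCIDR(arg)
			if err != nil {
				return "permerror"
			}
			matched = network.Contains(ip)
		case "include":
			if *lookups++; *lookups > 10 {
				return "permerror"
			}
			// include matches only when the included record yields pass; its own
			// -all does not make the including record fail.
			switch CheckSPF(arg, ip, lookups) {
			case "pass":
				matched = true
			case "none", "permerror":
				return "permerror"
			}
		default:
			return "permerror"
		}
		if matched {
			return map[string]string{"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
		}
	}
	return "neutral" // nothing matched and there was no "all" term
}

// Message holds the two sender identities a receiving MTA sees. SPF is evaluated on
// the RFC5321.MailFrom domain only; From is carried here to show it is never consulted.
type Message struct{ MailFrom, From, ClientIP string }

// SPFResult runs the check the way a receiving MTA does: on the domain after the "@"
// of the envelope sender (what ends up in Return-Path), against the connecting IP.
func SPFResult(m Message) string {
	at, ip := strings.LastIndex(m.MailFrom, "@"), net.ParseIP(m.ClientIP)
	if at < 0 || ip == nil {
		return "permerror"
	}
	return CheckSPF(m.MailFrom[at+1:], ip, new(int))
}

func main() {
	for _, m := range []Message{
		{"bounce-42@mailvendor.example", "news@yourcompany.example", "203.0.113.10"}, // as recommended above: pass
		{"bounce-42@yourcompany.example", "news@yourcompany.example", "203.0.113.10"}, // passes only via your include:
		{"bounce@yourcompany.example", "news@yourcompany.example", "198.51.100.7"},    // stranger claiming your domain: softfail
		{"x@nobody.example", "news@yourcompany.example", "203.0.113.10"},              // no SPF record published: none
	} {
		fmt.Printf("MAIL FROM=<%s> From: <%s> ip=%s -> %s\n", m.MailFrom, m.From, m.ClientIP, SPFResult(m))
	}
}
```

Two things worth noticing when you run it: the first case passes against the vendor's record while your own record is never fetched, which is exactly the "pass for the vendor's domain, not yours" situation described above; and the third case shows why the qualifier on your trailing all term matters, since ~all only softfails a stranger using your domain in the envelope, whereas -all would fail it outright.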
DomainKeys Identified Mail (DKIM)
DomainKeys Identified Mail (DKIM) is a method for associating a domain name with an email message, allowing a person, role, or organization to claim some responsibility for the message. The association is set up by means of a digital signature which can be validated by recipients. DKIM is the result of a merge between two older authentication protocols: DomainKeys & Identified Internet Mail. It's important to note that SPF & DKIM complement each other but are independent: a pass or fail of one does not affect the other, and you want both in place.
Here's how DKIM works: the sending system signs selected headers and a hash of the message body using a private key, and puts the signature into a DKIM-Signature header field together with the signing domain (the d= tag) and a selector (the s= tag) that names the key. The receiving mail server reads this field, retrieves the domain's public key from the DNS TXT record at <selector>._domainkey.<domain>, and uses that key to verify the signature over the signed headers and body hash. A valid signature proves that the message was signed by a holder of that domain's private key, i.e. that it was in fact sent by the domain that says it sent it, and that the signed headers and body were not altered in transit.
Setting up DKIM for your site is straightforward as well. Your email vendor generates a key pair, keeps the private key on its sending servers, and gives you the public key as a TXT record (under a selector name of the vendor's choosing) to add to your domain's DNS. Once you publish the public key, the vendor's signatures on your mail will verify, DKIM will pass, and you will generate sending reputation for your own domain rather than the vendor's.
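The two preceding paragraphs describe both halves of DKIM, signing at the vendor and verification at the receiver, so here is one added example (not code from the original post or any vendor's implementation) that carries a message through the whole flow in Go with the standard library's RSA: the vendor generates the key pair, you "publish" the public half at <selector>._domainkey.<domain> in an in-memory stand-in for DNS, the vendor signs with c=relaxed/simple, and the receiver verifies unchanged, body-altered and From-altered copies. yourcompany.example, the selector vendor1, the sample headers and body are all constructed for the example; a real signer also handles duplicate header instances, the l=, t= and x= tags and more than one canonicalization, none of which is shown here:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// dnsTXT stands in for public DNS (names are invented). The vendor generates the key pair
// and keeps the private key; you publish only the public half under <selector>._domainkey.<domain>.
var dnsTXT = map[string]string{}
type Header struct{ Name, Value string }  // one header field; DKIM signs them in h= order
const hlist = "from:to:subject:date"      // headers covered by the signature

// PublishKey builds the TXT record value the vendor hands you and "publishes" it.
func PublishKey(selector, domain string, pub *rsa.PublicKey) {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	dnsTXT[selector+"._domainkey."+domain] = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// tag reads one value from a tag=value list (signature field or DNS record), dropping folding whitespace.
func tag(list, name string) string {
	for _, part := range strings.Split(list, ";") {
		if kv := strings.SplitN(strings.TrimSpace(part), "=", 2); len(kv) == 2 && kv[0] == name {
			return strings.Join(strings.Fields(kv[1]), "")
		}
	}
	return ""
}

// relaxedHeader canonicalizes a header field (RFC 6376 3.4.2): lower-case name, unfolded, whitespace collapsed.
func relaxedHeader(name, value string) string {
	v := strings.Join(strings.Fields(strings.ReplaceAll(value, "\r\n", " ")), " ")
	return strings.ToLower(name) + ":" + v + "\r\n"
}

// simpleBody canonicalizes the body (3.4.3): CRLF endings (bare LF normalised here) and trailing empty lines reduced to one CRLF.
func simpleBody(body string) string {
	b := strings.ReplaceAll(strings.ReplaceAll(body, "\r\n", "\n"), "\n", "\r\n")
	return strings.TrimRight(b, "\r\n") + "\r\n"
}

// headerDigest hashes the headers named in h= (last instance of each, in h= order)
// followed by the DKIM-Signature field itself with b= empty and no final CRLF (3.7).
func headerDigest(hdrs []Header, h, sigNoB string) []byte {
	var buf strings.Builder
	for _, want := range strings.Split(h, ":") {
		for i := len(hdrs) - 1; i >= 0; i-- {
			if strings.EqualFold(hdrs[i].Name, want) {
				buf.WriteString(relaxedHeader(hdrs[i].Name, hdrs[i].Value))
				break
			}
		}
	}
	buf.WriteString(strings.TrimRight(relaxedHeader("DKIM-Signature", sigNoB), "\r\n"))
	d := sha256.Sum256([]byte(buf.String()))
	return d[:]
}

// Sign is the vendor side: build the DKIM-Signature value and sign the header digest with the private key.
func Sign(priv *rsa.PrivateKey, domain, selector string, hdrs []Header, body string) string {
	bh := sha256.Sum256([]byte(simpleBody(body)))
	sig := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/simple; d=%s; s=%s; h=%s; bh=%s; b=", domain, selector, hlist, base64.StdEncoding.EncodeToString(bh[:]))
	b, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, headerDigest(hdrs, hlist, sig)) // errors only on RNG failure
	return sig + base64.StdEncoding.EncodeToString(b)
}

// Verify is the receiver side: look up <s>._domainkey.<d>, check the body hash, then check the
// RSA signature over the header digest with the published public key.
func Verify(sig string, hdrs []Header, body string) error {
	rec, found := dnsTXT[tag(sig, "s")+"._domainkey."+tag(sig, "d")]
	der, _ := base64.StdEncoding.DecodeString(tag(rec, "p")) // a missing or garbled p= fails parsing below
	key, err := x509.ParsePKIXPublicKey(der)
	pub, isRSA := key.(*rsa.PublicKey)
	if !found || err != nil || !isRSA {
		return fmt.Errorf("no usable RSA key at %s._domainkey.%s", tag(sig, "s"), tag(sig, "d"))
	}
	bh := sha256.Sum256([]byte(simpleBody(body)))
	if base64.StdEncoding.EncodeToString(bh[:]) != tag(sig, "bh") {
		return fmt.Errorf("body hash mismatch: body altered after signing")
	}
	b, _ := base64.StdEncoding.DecodeString(tag(sig, "b")) // malformed base64 simply fails verification
	noB := sig[:strings.Index(sig, " b=")+3]              // the field as it was hashed: b= emptied
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, headerDigest(hdrs, tag(sig, "h"), noB), b)
}

// Demo runs the whole flow once (key published, message signed, then verified unchanged, with an
// altered body, and with an altered From:) and reports whether each outcome is as expected: true, true, true.
func Demo() (verified, bodyRejected, fromRejected bool) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	PublishKey("vendor1", "yourcompany.example", &priv.PublicKey)
	hdrs := []Header{{"From", "Your Company <news@yourcompany.example>"}, {"To", "customer@example.net"},
		{"Subject", "March newsletter"}, {"Date", "Mon, 04 Mar 2024 10:00:00 +0000"}} // constructed sample message
	body := "Hello!\n\nNew this month...\n\n\n"
	sig := Sign(priv, "yourcompany.example", "vendor1", hdrs, body)
	tampered := append([]Header{{"From", "Attacker <news@yourcompany.example>"}}, hdrs[1:]...)
	return Verify(sig, hdrs, body) == nil, Verify(sig, hdrs, body+"P.S. click here\n") != nil, Verify(sig, tampered, body) != nil
}

func main() { fmt.Println(Demo()) }
```

The part that matters for the vendor setup is in PublishKey and the first lines of Verify: the receiver never asks you who is allowed to sign, it simply fetches the TXT record named by the s= and d= tags in the signature, so the record the vendor gives you must be published under exactly the selector the vendor signs with, and the d= domain is the one that earns the reputation.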