Email authentication helps to ensure that an email message was sent by the domain it claims to be sent from, and that the message has not been modified in transit.
Authentication is the effort to equip messages with enough verifiable information so that recipients (ISPs and end consumers) can recognize the nature of each message automatically. Authentication technology allows the receiver of an email and the ISP to confirm the identity of the sender.
Authentication is the answer to the following questions:
- How can I prove that these emails are actually coming from my brand/company?
- How can I differentiate my messages from all of the phishing emails that are sent out to look like they are coming from my brand?
- How can I put my best foot forward with ISPs and identify that I am who I say I am?
- How can I brand the links and images in my email to my brand?
Salesforce Marketing Cloud’s Private Domain and SAP products provide you with full authentication including SPF/DKIM signing*.
* You are able to set up SPF on your own, but DKIM signing is built into the header of a sent email and requires configuration on Salesforce outbound mail transfer agents (MTAs). If you are interested in pursuing authentication on your own, please visit this link.
SPF: Sender Policy Framework:
Most widely used. Easiest to implement. SPF gives a mild delivery boost at Gmail and AOL, and is necessary for AOL whitelisting. It is also used by some B2B senders.
SPF is a simple email-validation system that can help to detect forgery of the sender address (email spoofing), which is an abuse of email authentication systems. It does this by giving the receiving mail server a way to check that incoming mail from a domain is being sent by an authorized host.
Using SPF: A domain owner creates a list of authorized sending IPs or servers, and publishes it in the DNS as an SPF record. When an email is sent to a recipient, the recipient’s mail server looks up the SPF record for the domain in the email’s “From” address. If the IP address of the server that sent the email is not included in the SPF record, the email may be marked as failed SPF evaluation and may be blocked, marked as spam or quarantined.
DKIM: DomainKeys Identified Mail:
The next version of DomainKeys. Needed for Yahoo FBL inclusion. Also used at some smaller domains and anti-spam appliances/software. DKIM authenticates FROM, BODY and additional values. An encrypted value is placed in the header, and the public key is used to decrypt the value. It is not specific to an IP address; it is specific to the sending machine.
DKIM uses a digital signature to authenticate the domain that sent the email, and allows the recipient’s email server to check that the signature is valid.
Using DKIM: When a sending server adds a DKIM signature to an email message, it includes information about the domain that sent the message, as well as a digital signature that can be used to verify that the message has not been modified in transit. When the recipient’s email server receives the message, it can use the information in the DKIM signature to check that the message was indeed sent by the domain it claims to be sent from, and that the message has not been modified.
Are you working with Salesforce Marketing Cloud and have some questions about DKIM? This FAQ might be helpful.
DMARC (Domain-based Message Authentication, Reporting & Conformance):
SFMC does support the use of DMARC and will implement DMARC upon your request, but it is really recommended only for the most technically savvy. Salesforce is not able to advise on email stream vetting or suggest a DMARC policy. They would recommend you partner with a domain assurance consultant or vendor such as Proofpoint or Agari if you’re interested in exploring DMARC options.
DMARC is used to give email domain owners the ability to protect their domain from unauthorized use, also known as email spoofing.
Using DMARC: A domain owner creates a DMARC policy and publishes it in the DNS. When an email is sent to a recipient, the recipient’s mail server checks the sender’s domain for a DMARC policy. If there is one, the mail server checks whether the From address aligns with the domain in the email, and also checks whether the email has passed either SPF or DKIM. If it fails either of these checks, the email will be marked as having failed DMARC evaluation and may be blocked, marked as spam or quarantined.
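The receiver-side decision described above, as an added example (not code from this page or from Salesforce): it combines SPF and DKIM results with the alignment check against the header From domain and returns the published policy on failure. The record, the domains and the function names are constructed for the illustration, and the organizational domain is approximated as the last two labels, whereas real receivers consult the Public Suffix List.

```python
def org_domain(domain):
    # Assumption: organizational domain = last two labels (no Public Suffix List).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict mode ("s") needs an exact match; relaxed ("r") compares org domains."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate_dmarc(record, header_from, spf_result, spf_domain,
                   dkim_result, dkim_domain):
    """Return (dmarc_result, requested_disposition) for one message."""
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in record.split(";") if "=" in p)}
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("none", "none")            # no usable policy published
    # An authentication result only counts if its domain aligns with From.
    spf_ok = spf_result == "pass" and aligned(
        header_from, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        header_from, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:                  # one aligned pass is sufficient
        return ("pass", "none")
    return ("fail", tags["p"])             # none, quarantine or reject

# Constructed DMARC record for the hypothetical domain brand.example.
SAMPLE_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@brand.example"
```

This is why mail sent through an ESP whose bounce domain differs from the brand domain still passes DMARC when DKIM signs with the brand domain, and why a message that passes SPF only for an unrelated domain does not.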
Are you working with Salesforce Marketing Cloud and have some questions about DMARC? I have written a short article on this topic.
Advantages of these authentications include:
- Help prevent phishing and email spoofing
- Improve email deliverability
- Reduce spam and improve email security
- Increase consumer trust in email communication
If you engage with an enterprise solution like Salesforce Marketing Cloud, you are guaranteed a compliant configuration of your setup as part of the provisioning process. The authentication will be taken care of once you decide which domain you will be sending from and order a Sender Authentication Package as part of your account setup.
If you need to configure these settings yourself, you must be familiar with DNS configuration, have access to the DNS panel of the domain from which your emails will be sent, and follow instructions provided by the ESP in question. These instructions normally define the values for CNAME, TXT and A records you need to set up for the domain.