Email is one of the easiest and most effective ways to reach your customers. But at the same time, it’s also a common target for problems like spam, fake senders, and phishing attacks. To protect against these risks, email providers and internet standards groups created special security checks called email authentication protocols.
These checks help confirm whether an email really comes from the domain (or website address) it claims to be sent from.
The three methods covered on this page are SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and Sender ID.
When these methods are set up, they make it much harder for fake emails to get through, keep your domain reputation safe, and improve the chances that your messages land in your customer’s inbox instead of the spam folder.
Now we’ll take a closer look at how each one works.
SPF is an email authentication protocol that allows a domain owner to specify which mail servers are authorized to send emails on behalf of their domain.
The domain owner publishes an SPF record in their DNS, listing authorized servers or IP addresses.
To learn more about creating a SPF record, click here.
To learn more about creating a CNAME record, click here.
Example: Grasspods, a company using Vtiger, adds Vtiger's sending domain (vtigermails.com, via an include) to the SPF record for grasspods.com. When John (a Grasspods user) sends an email through Vtiger, Gmail looks up the SPF record for grasspods.com, follows the include to Vtiger's list of servers, and finds the connecting server's IP address there. Gmail then marks the email as Passed SPF.
There is no charge. The changes to the DNS settings, typically performed by your hosting company or network administrator, only require a few minutes.
SPF record example: v=spf1 include:vtigermails.com -all
Here include:vtigermails.com pulls in the servers listed in Vtiger's own SPF record, and -all tells receivers that any other server is not authorized and its mail should be rejected (use ~all instead if you prefer such mail to be accepted but marked as suspicious).
To authorize Vtiger to send emails on behalf of your domain, you’ll need to update your domain’s DNS settings and add an SPF record. The steps vary depending on your domain hosting provider.
DomainKeys Identified Mail (DKIM) is an email authentication method designed to prove that an email really came from the claimed sender and that it hasn’t been changed along the way. It works by attaching a digital signature to each email. This signature is unique to the sending domain and allows the receiving server to verify the message’s authenticity.
Think of it as a tamper-proof seal for emails. If the seal is intact, the receiver knows the message is genuine and unchanged. If the seal is broken, the system flags it as suspicious.
The DKIM process can be broken down into three key steps: the sending server chooses which header fields (and how much of the body) to sign, hashes them and signs the hash with the domain's private key, adding the result as a DKIM-Signature header; the domain owner publishes the matching public key in DNS; and the receiving server fetches that key, recomputes the hashes over the received message and checks the signature.
Whatever is selected must remain unchanged during transit. If any of the signed elements are altered, DKIM validation will fail.
To learn more about DKIM, click here.
Imagine Yahoo forwards an email to Grasspods and, on the way, appends a line such as "forwarded by Yahoo Mail" to the body. The body no longer matches the body hash (the bh= tag) recorded in the signature, so the DKIM check fails.
The body hash is always part of a DKIM signature, so a signer cannot simply leave the body out. What the signer does control is how much is covered: the h= tag lists which header fields are signed (From is required; headers not listed can change freely without affecting the signature), the relaxed canonicalization mode (c=relaxed/relaxed) tolerates whitespace and line-wrapping changes, and the optional l= tag limits the signed portion of the body to its original length, so that text appended later falls outside the signed region. Be aware that l= also lets anyone else append content to a signed message, which is why many senders leave it out.
This flexibility lets domain owners decide what must stay intact while still allowing legitimate forwarding or minor changes in transit.
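The following added example (not Vtiger's code, written for this page) shows the body-hash side of the forwarding case above: it implements RFC 6376 body and header canonicalization and the bh= and l= tags in Python with only the standard library, then checks a constructed message before and after a forwarding footer is appended. The message text and header values are made up; the RSA/Ed25519 signature over the header hash (the b= tag) is deliberately left out, since the point here is which bytes are covered.

```python
import base64
import hashlib
import re


def canonicalize_body(body, algorithm="relaxed"):
    """RFC 6376 body canonicalization. 'simple' only strips trailing empty
    lines; 'relaxed' also collapses runs of spaces/tabs and drops trailing
    whitespace, so cosmetic whitespace changes in transit do not break bh=."""
    lines = body.replace("\r\n", "\n").split("\n")
    if algorithm == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b"" if algorithm == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body, algorithm="relaxed", length=None):
    """The bh= value: base64(SHA-256) of the canonical body, or of its first
    `length` bytes when the signer used the l= tag."""
    canon = canonicalize_body(body, algorithm)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def canonicalize_header(name, value):
    """Relaxed header canonicalization: lowercase name, unfolded value,
    single spaces, no surrounding whitespace."""
    value = re.sub(r"[ \t]*\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip()
    return f"{name.lower().strip()}:{value}\r\n"


def header_hash_input(headers, signed_names):
    """Data covered by the b= signature: the headers named in h=, in that
    order, taking the last instance of each as RFC 6376 prescribes. The signer
    signs SHA-256 of this (plus the DKIM-Signature header with b= emptied);
    that signing step is omitted here. Headers absent from h= can change
    freely without affecting the signature."""
    last = {}
    for name, value in headers:
        last[name.lower()] = value
    return "".join(canonicalize_header(n, last[n.lower()])
                   for n in signed_names if n.lower() in last)


def sign_body_tags(body, algorithm="relaxed", limit_length=False):
    """Body-related tags a signer would place in DKIM-Signature. With
    limit_length=True the l= tag pins the signed length, so text appended
    later (a forwarding footer) lies outside the signed region."""
    tags = {"c": f"relaxed/{algorithm}", "bh": body_hash(body, algorithm)}
    if limit_length:
        tags["l"] = str(len(canonicalize_body(body, algorithm)))
    return tags


def verify_body(body, tags):
    """Receiver side: recompute bh= from the body as received and compare."""
    algorithm = tags["c"].split("/")[1]
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, algorithm, length) == tags["bh"]


# Constructed sample message and the modification described on this page.
HEADERS = [("From", "John <john@grasspods.com>"), ("Subject", "Order update")]
ORIGINAL_BODY = "Hi Grasspods,\r\n\r\nYour order has shipped.\r\n"
FORWARDED_BODY = ORIGINAL_BODY + "\r\nforwarded by Yahoo Mail\r\n"
RESPACED_BODY = ORIGINAL_BODY.replace("order has", "order   has")

if __name__ == "__main__":
    full = sign_body_tags(ORIGINAL_BODY)
    limited = sign_body_tags(ORIGINAL_BODY, limit_length=True)
    print("footer appended, full body signed:", verify_body(FORWARDED_BODY, full))
    print("footer appended, l= limited:      ", verify_body(FORWARDED_BODY, limited))
    print("whitespace changed, relaxed:      ", verify_body(RESPACED_BODY, full))
    print("whitespace changed, simple:       ",
          verify_body(RESPACED_BODY, sign_body_tags(ORIGINAL_BODY, "simple")))
    print(header_hash_input(HEADERS, ["from", "subject"]), end="")
```

Run it to see the four outcomes: the appended footer breaks the full-body hash but survives an l= limited one, and the extra spaces survive relaxed canonicalization but not simple. Changing the Subject while h= lists only From leaves the signed header data untouched, which is the header-selection point made above.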
Sender ID, developed by Microsoft, is another email authentication method focused on preventing domain spoofing. It verifies the sending server's IP address against the DNS records of the domain in the message's Purported Responsible Address (PRA), which is taken from the message headers rather than from the SMTP envelope.
HELO vtigermails.com
MAIL FROM: [email protected]
RCPT TO: [email protected]
DATA
Subject: Special offer
From: John <john@grasspods.com>
.
QUIT
In this case, there is no Sender field, so Sender ID uses the From domain: grasspods.com. Sender ID then checks for a spf2.0/pra record in DNS. If it doesn’t exist, it falls back to the SPF record.
DNS records:
grasspods.com: spf2.0/pra include:vtigermails.com ~all
vtigermails.com: v=spf1 ip4:1.2.3.0/24 ~all
(A Sender ID record begins with spf2.0/pra rather than v=; only SPF records use the v=spf1 prefix.)
In short, Sender ID validates the domain of the PRA (here the From domain) and, when no spf2.0/pra record exists, falls back to the domain's SPF record. Few receivers still evaluate Sender ID today, so a correct SPF record is what matters in practice; it also covers the fallback case.
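To make the SPF evaluation described in the SPF section and the PRA selection with SPF fallback described here concrete, the following added example (not Vtiger's code, written for this page) implements both in Python against an in-memory DNS table. The table holds the grasspods.com and vtigermails.com records shown on this page; the table itself, the sample headers and the 9.9.9.9 test address are constructed for the example, and a/mx/ptr/exists mechanisms are not supported because they need live DNS.

```python
import ipaddress
import re

# Constructed DNS table standing in for live TXT lookups (assumption). The
# grasspods.com and vtigermails.com records are the ones shown on this page.
DNS_TXT = {
    "grasspods.com": [
        "v=spf1 include:vtigermails.com -all",
        "spf2.0/pra include:vtigermails.com ~all",
    ],
    "vtigermails.com": ["v=spf1 ip4:1.2.3.0/24 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_record(domain, scope):
    """Pick the record for `domain` in a scope: 'mfrom' (SPF, envelope sender)
    or 'pra' (Sender ID). An spf2.0 record listing the scope wins; a v=spf1
    record is the fallback for either scope (RFC 4406 section 4.4)."""
    records = DNS_TXT.get(domain.lower(), [])
    for txt in records:
        head = txt.split()[0].lower()
        if head.startswith("spf2.0/") and scope in head[len("spf2.0/"):].split(","):
            return txt
    for txt in records:
        if txt.split()[0].lower() == "v=spf1":
            return txt
    return None


def check_host(ip, domain, scope="mfrom", depth=0):
    """Evaluate sending address `ip` against `domain`'s record. Handles ip4,
    ip6, include and all; a/mx/ptr/exists would need live DNS and yield
    permerror here. Recursion is capped at ten includes, matching the
    RFC 7208 DNS-lookup limit."""
    if depth > 10:
        return "permerror"
    record = lookup_record(domain, scope)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif name == "include":
            # include matches only when the referenced record itself passes.
            if check_host(ip, arg, scope, depth + 1) == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"
    return "neutral"  # no mechanism matched and no 'all' term


def select_pra(headers):
    """Purported Responsible Address (RFC 4407, simplified): the first present
    header among Resent-Sender, Resent-From, Sender, From. `headers` is a list
    of (name, value) pairs. Returns the bare address, or None if the chosen
    header appears more than once (ambiguous) or nothing is found."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    for candidate in ("resent-sender", "resent-from", "sender", "from"):
        values = by_name.get(candidate)
        if values:
            if len(values) > 1:
                return None
            m = re.search(r"<([^>]+)>", values[0])
            return (m.group(1) if m else values[0]).strip()
    return None


def sender_id_check(ip, headers):
    """Sender ID result for a message: derive the PRA, take its domain, and
    evaluate the connecting IP in the 'pra' scope (with v=spf1 fallback)."""
    pra = select_pra(headers)
    if pra is None or "@" not in pra:
        return "permerror"
    return check_host(ip, pra.rsplit("@", 1)[1], scope="pra")


# Headers from the SMTP session shown on this page (constructed sample).
SAMPLE_HEADERS = [("Subject", "Special offer"), ("From", "John <john@grasspods.com>")]

if __name__ == "__main__":
    print("SPF 1.2.3.4 for grasspods.com:", check_host("1.2.3.4", "grasspods.com"))
    print("SPF 9.9.9.9 for grasspods.com:", check_host("9.9.9.9", "grasspods.com"))
    print("PRA:", select_pra(SAMPLE_HEADERS))
    print("Sender ID 1.2.3.4:", sender_id_check("1.2.3.4", SAMPLE_HEADERS))
    print("Sender ID 9.9.9.9:", sender_id_check("9.9.9.9", SAMPLE_HEADERS))
```

The two evaluations differ only in which record is consulted: 1.2.3.4 passes both, because the include leads to Vtiger's ip4 range, while 9.9.9.9 gets a hard fail from the -all in the SPF record but only a softfail from the ~all in the Sender ID record. The include of vtigermails.com inside the spf2.0/pra record resolves through the fallback path, since vtigermails.com publishes only a v=spf1 record.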