Articles in this section
Authenticate Emails with SPF, DKIM, and SenderID
Table of Contents
Authenticate your emails with SPF, DKIM, and Sender ID
Watch these videos to learn more
- How to create a DKIM record for your domain
- How to create a SPF record for your domain
- How to create a CNAME record for your domain
SPF (Sender Policy Framework)
SPF is an email authentication protocol that allows the owner of a domain to authorize other email servers to send an email on behalf of this domain.
How does SPF authentication work?
DNS Administrator should add an SPF record in the Domain Name System (DNS) listing the domains or IP addresses that are authorized to send an email on behalf of this domain.
During an SPF check, the recipient email server looks up the SPF record by looking up the domain name listed in the 'envelope from' address (also referred to as the return-path address). If the IP address/domain name of the server sending email isn’t listed in that SPF record, the message fails SPF authentication.
For example, Grasspods is using Vtiger. Grasspods administrator added vtiger.com as an authorized sender in the grasspods.com DNS record.
John, one of the users in Grasspods, sends an email to a contact from Vtiger. Contact’s email server is Gmail.
When the email is received by Gmail, it will query the DNS records for grasspods.com, and will find that the IP addresses used by Vtiger are indeed authorized to send messages on behalf of grasspods.com, and will mark that email as ‘Passed’.
Let’s take a look at an SPF policy in action and see how the process unfolds.
Who uses SPF authentication?
SPF – or Sender Policy Framework (see the Wikipedia article) – is being used to authenticate emails by large providers such as Charter, Comcast, Earthlink, Juno/Netzero, Gmail, RoadRunner, Verizon, and others.
Why does SPF authentication matter?
An SPF-protected domain is less attractive to phishers, and is, therefore, less likely to be blacklisted by spam filters, ensuring legitimate email from that domain is delivered.
If the SPF check fails, Emails might be put into the Spam folder instead of the Inbox of your prospect. Having an SPF policy provides an additional trust signal to ISPs so you can increase the likelihood that your emails arrive in the inbox.
v=spf1 include:vtigermails.com ~all
How much does the SPF authentication cost?
There is no charge. The changes to the DNS settings, typically performed by your hosting company or network administrator, only require a few minutes.
How to add vtiger to the SPF record for your domain?
- 1&1: Add or Remove TXT Records
- A Small Orange: Edit DNS record
- Bluehost: Edit DNS record
- Cloudflare: SPF
- Dreamhost: SPF
- GoDaddy: Plesk Panel 9, Plesk Panel 10
- Google Domains: Edit DNS record
- Hostgator: Edit DNS record
- HostMonster: Edit DNS record
- Hover: Edit DNS record
- Namecheap: SPF
- Network Solutions: Edit DNS Record
- Squarespace: Edit DNS record
DKIM (DomainKeys Identified Mail)
DKIM is an email security standard designed to ensure that messages aren’t altered in transit between the sending and recipient servers.
How does it work?
The following steps (separated into manageable sections) will tell you how.
Step 1: Identifying what parts of a message are to be signed using DKIM signature
First, a sender decides which elements of the email they want to include during the signing process. They can choose to include the whole message (header and body) or just focus on one or more fields of the email header. The elements they wish to include in their DKIM signing process must remain unchanged in transit, or the DKIM signature will fail authentication.
For example, if an email is forwarded from Yahoo! to Grasspods, Yahoo! may add a line of text at the top of the email (e.g. 'forwarded by Yahoo! mail'). At that point, the body of the email has been changed and, if the body were included in the DKIM signing process, the DKIM authentication would fail for the forwarded email.
However, if only an element of the header, such as the 'from' field were included in the DKIM signature, and the message was forwarded from Yahoo! to Grasspods, the DKIM authentication would pass, since, the part of the message that was changed, was not signed by DKIM.
Step 2: The encryption process
So how does this signing process sounds? Cryptography is at the center of it.
The sender will configure their email platform to automatically create a hash of the parts of the email they want to sign. Hashing is the process that converts readable text into a unique textual string.
Subject: DKIM [email protected]>
Before sending the email, that hash string is encrypted using a private key. The private key is assigned to a unique combination of domain and selector; Only the sender has access to the private key. After the encryption process is complete, the email will be sent.-----------------------------------------------------------------------------------------------------------
Step 3: Validating the DKIM signature with a public keyThe email provider receiving the email sees that it has a DKIM signature, which reveals which 'domain/selector' combination signed the encryption process. To validate the signature, the mailbox provider will run a DNS query to find the public key for that domain/selector combination.
This public key has the unique characteristic that it is the only match for the private key that signed the email, also known as a “key pair match.” The key pair match enables the email provider to decrypt the DKIM signature back to the original hash string.
The email provider then takes the elements of the email signed by DKIM and generates its hash of these elements. Finally, the mailbox provider compares the hash it generated with the decrypted hash from the DKIM signature. If they match, we know that:
- The DKIM domain really does “own” the email otherwise, the decryption process wouldn’t have worked in the first place.
- The elements of the email signed by DKIM were not changed in transit (if they were changed, the hashes would not match).
Why it matters?Email providers who validate DKIM signatures can use information about the signer as part of a program to limit spam, spoofing, and phishing, although DKIM does not tell receivers to take any specific actions. Depending on the implementation, DKIM can also ensure that the message has not been modified or tampered with in transit.
The problem with DKIM is that because it’s more difficult to implement, fewer senders have adopted it. This spotty adoption means that the absence of a DKIM signature does not necessarily indicate the email is fraudulent. Therefore, DKIM alone is not a universally reliable way of authenticating the identity of a sender. In addition, the DKIM domain is not visible to the non-technical end-user and does nothing to prevent the spoofing of the visible “header from” domain.
Sender ID is an email authentication protocol. It was developed by Microsoft to prevent domain spoofing and phishing exploits by verifying the domain name from which e-mail messages are sent.
Sender ID validates the origin of e-mail messages by verifying the IP address of the sender against the legitimate owner of sending domain.
Exchange uses Sender ID for validation. By using Sender ID, you will ensure that your email is delivered to recipients that use Exchange.
How it Works?
The process of extracting the domain using the sender ID check is as follows:
- When an e-mail message is received by the inbound mail server it will check for the Sender field.
- If the Sender field exists, then use the domain in this field.
- If it doesn’t exist, then use the domain in the From field.
Using the domain in the From field recipient server looks up From domain’s published DNS record and determines whether the sending server’s IP address matches the one on in the record. If the record matches, the e-mail is authenticated and delivered to the recipient. Otherwise, the message is either discarded or returned to the sender as a bounce e-mail.
In the below example, since there is no Sender field, the domain is using the From field. Here, the From field is grasspods.com. SenderID next checks the SenderID record in DNS. If it does not exist, it falls back to the SPF record.
Say the sending email server IP is - 126.96.36.199 and when it does a SenderID lookup on the From domain grasspods.com, it will result in the below record.
v=spf2.0/pra include:vtigermails.com ~all
The “include” says to do a SenderID lookup for vtigermails.com
v=spf1 ip4:188.8.131.52/24 ~all
Here SenderID looks for the spf2.0 syntax. Since it doesn’t find spf2.0, it falls back to spf1 syntax. Then it compares 184.108.40.206 against 220.127.116.11/24, and finds that the IP is in the range. Later passes the SenderID check.