We live in a world where millions of emails are exchanged every day. It’s amazing that most of us use this technology without actually understanding what makes it work behind the scenes.
Like any email user, you’re probably painfully familiar with spam and phishing emails, which you would be receiving by the dozens if anti-spam filters weren’t as good as they are now.
There are two things working behind the scenes to ensure that email is delivered reliably: SPF and DKIM. Anyone who sends email to customers and needs to be sure it is actually arriving at its destination should understand how both of them work.
Basically, in the early days of the Internet, it used to be very easy to pretend to be somebody you’re not and send a malicious message to a recipient who wouldn’t think twice about opening it. It became clear that some further authentication was needed to prove that messages that say they’re from someone are actually originating from that source. In medieval times, we had wax seals with each person’s unique mark. These days, we have SPF and DKIM to do the same thing.
Sender Policy Framework (SPF)
SPF relies on DNS, the same system that tells your browser which server a website lives on, to let a receiving mail server check that a message claiming to come from a domain really was sent by one of that domain’s mail servers. It works in a three-step process:
- The domain’s administrator publishes a list of all the mail servers that are allowed to send email for that domain. This policy, called an SPF record, is published as part of the domain’s DNS records.
- When a mail server receives an incoming message, the first thing it does is look up the SPF record for the Return-Path domain in DNS and compare the IP address of the sending server with the authorized IP addresses defined in that record.
- The receiving mail server then uses the rules specified in the sending domain’s SPF record to decide whether to accept, reject, or flag the email message as potential spam.
A complete and accurate SPF record is essential both to ensure that your own messages reliably arrive where they are sent and to ensure that messages forged to look like they come from you are reliably blocked.
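As an added example (not part of the original post), here is a small SPF evaluator in Python that walks the three steps above against a constructed set of DNS TXT records: it looks up the record for the Return-Path domain, matches the sending IP against the ip4, ip6 and include mechanisms, and returns the result dictated by the qualifier on the matching mechanism or by the final all. The domains, records and addresses are made up for the example; a real implementation would query DNS instead of a dictionary.

```python
import ipaddress

# Constructed sample TXT records standing in for real DNS lookups.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.7 ip6:2001:db8::/32 ~all",
}

# SPF qualifier prefix -> result name. A mechanism with no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip):
    """Evaluate the SPF record of `domain` for a message sent from `sender_ip`.

    Returns pass / fail / softfail / neutral / none / permerror.
    Only the ip4, ip6, include and all mechanisms are implemented here.
    """
    record = TXT_RECORDS.get(domain)
    if record is None or record.split()[0] != "v=spf1":
        return "none"  # no SPF policy published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            # Catch-all at the end of the record: "-all" rejects, "~all" flags.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the published record
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # Recursively evaluate another domain's policy; only a "pass"
            # inside the include counts as a match for this mechanism.
            inner = check_spf(arg, sender_ip)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"  # mechanism not supported by this example (a, mx, exists, ...)
    return "neutral"  # record ended without an "all" term
```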
Domain Keys Identified Mail (DKIM)
DKIM also relies on a DNS record, but in this case what is checked is a digital signature carried in the header of the incoming email message. Here’s how it works:
- The domain’s administrator publishes a public cryptographic key as a TXT record in the domain’s DNS.
- When a server sends out an email, it attaches a unique cryptographic DKIM signature to the header of the email.
- When a mail server receives an incoming message, it takes the DKIM signature from the header, fetches the DKIM key from DNS and uses it to verify the signature against a freshly computed digest of the message. If they match, the email is cleared as authentic and allowed into the inbox.
Basically, SPF and DKIM are not that complicated: they need to be set up correctly when you configure your outbound email server, and then kept up to date whenever your email delivery setup changes.
DKIM and SPF are enabled on all CanSpace accounts by default. CanSpace also realizes how important it is that our clients’ emails are delivered correctly, so we actively monitor all our servers to make sure they are not on any DNS blacklists (DNSRBLs).
If you are having issues with your emails not being delivered correctly through your hosting provider, check that they have enabled DKIM and SPF for your account, and that the outgoing IP address of your server is not listed on any blacklists. Or better yet, switch to CanSpace!