SPF, DKIM, DMARC and even BIMI records improve the deliverability of email to the recipient's mailbox. Spam filters are constantly evolving, and the technology around email authentication is improving with them. In this article, we discuss the following:
SPF (Sender Policy Framework)
DKIM (DomainKeys Identified Mail)
DMARC (Domain-based Message Authentication Reporting and Conformance)
BIMI (Brand Indicator Message Identification)
Note! In the Tuonetti Webhotel, SPF, DKIM and DMARC records are enabled automatically.
Big players set the rules
The vast majority of the world's email traffic goes through Google's Gmail, and Microsoft's Outlook is the other huge actor in this game. While these big players decide the rules of the game, small players invariably have to follow them to make sure that their emails end up in the inbox and not straight in the spam folder.
SPF, DKIM, DMARC, BIMI records
SPF, DKIM, DMARC and BIMI records are used to authenticate the sender of an email. In other words, they are designed to prevent someone else from sending email on your behalf. For example, Microsoft mail servers may not even accept emails from domains that are missing these records. In such a situation, the emails do not even land in spam: the server refuses the traffic altogether. It is therefore important that the SPF, DKIM and DMARC records are set correctly for every domain from which email is to be sent.
SPF, DKIM, DMARC and BIMI are DNS records, so to enable them you need access to the DNS management of your domain. Note! A mistake when updating the records can, in the worst case, cut off your email traffic altogether. We recommend contacting your service provider if you are not sure what you are doing.
The Sender Policy Framework (SPF) record tells receiving servers which servers are allowed to send email on behalf of your domain. The SPF record therefore lists all the different servers from which you might be sending email. Usually there is only one mail server, but in some cases a separate service or server is used to send newsletters.
An example of an SPF record that allows emails to be sent from a Google server, as well as from an Amazon server.
Allowed sending servers are added to the record as include: mechanisms, in the form include:exampleidomain.fi.
The all mechanism at the end, with its qualifier, tells receiving servers how strictly mail from servers not on the list should be treated.
-all = fail. Full blocking: emails from servers not on the list do not reach their destination.
~all = soft fail. Emails from unlisted servers still go through, but they are flagged.
+all = allow all. Allows every server in the world to send mail from this domain.
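The qualifiers above are easy to misread when they sit at the end of a long record, so here is a small parser that breaks an SPF record into its terms, reports what the final all says, and counts the terms that cost a DNS lookup (RFC 7208 allows at most 10 per evaluation, so a record that includes too many providers stops working). This is an added example, not code from the original article or from Tuonetti; the sample record is constructed, and its include: hostnames are illustrative assumptions rather than a recommendation for any provider.

```python
"""Parse an SPF TXT record and summarise what it actually permits.

Added example for this article, not code from the original page or from
Tuonetti. SAMPLE_SPF is a constructed record; the include: hostnames are
illustrative assumptions, not a recommendation for any provider.
"""

# Mechanisms and modifiers that cost a DNS lookup when evaluated. RFC 7208
# section 4.6.4 allows at most 10 of them per evaluation, counting those
# pulled in through include: as well, so a top-level count is a lower bound.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# What each qualifier means when it is attached to the final "all".
ALL_MEANING = {
    "+": "pass: any server in the world may send for this domain",
    "-": "fail: mail from unlisted servers is rejected",
    "~": "softfail: mail from unlisted servers is accepted but flagged",
    "?": "neutral: no assertion about unlisted servers",
}

# Constructed sample: mail may come from the two included providers only,
# everything else hard-fails.
SAMPLE_SPF = "v=spf1 include:_spf.google.com include:amazonses.com -all"


def parse_spf(record: str) -> dict:
    """Return the record's terms, lookup count and the policy of its 'all'."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: it must start with v=spf1")

    parsed = []            # (qualifier, name, value) per term
    lookups = 0
    all_qualifier = None   # stays None if the record has no all term
    for term in terms[1:]:
        if "=" in term:
            # Modifier such as redirect=_spf.example.com or exp=explain.example.com
            name, _, value = term.partition("=")
            name = name.lower()
            qualifier = None
        else:
            # Mechanism, optionally prefixed with a qualifier: -all, ~all, +mx, ?a
            qualifier = "+"
            if term[0] in ALL_MEANING:
                qualifier, term = term[0], term[1:]
            name, _, value = term.partition(":")
            name = name.split("/")[0].lower()   # strip CIDR such as a/24 or mx/26
            if name == "all":
                all_qualifier = qualifier
        if name in LOOKUP_TERMS:
            lookups += 1
        parsed.append((qualifier, name, value))

    return {
        "terms": parsed,
        "dns_lookups": lookups,
        "too_many_lookups": lookups > 10,          # receivers return permerror
        "all_qualifier": all_qualifier,
        "all_meaning": ALL_MEANING.get(
            all_qualifier, "no all term: unlisted servers get neutral"),
        "open_policy": all_qualifier == "+",       # the +all mistake from the text
    }


if __name__ == "__main__":
    result = parse_spf(SAMPLE_SPF)
    for qualifier, name, value in result["terms"]:
        sep = "=" if qualifier is None else ":"
        print(" ", (qualifier or "") + name + (sep + value if value else ""))
    print("DNS lookups:", result["dns_lookups"], "(limit 10)")
    print("all policy:", result["all_meaning"])
```

Run against your own record (the output of a TXT lookup for the domain) and check two things: that the final term is -all or ~all rather than +all, and that the lookup count leaves headroom for the lookups hidden inside the included records.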
The DKIM record, DomainKeys Identified Mail, is, like the SPF record, a protocol for verifying the authenticity of the source of an email. DKIM has the advantage, however, that its check survives message forwarding: it ensures that the message has not been manipulated since it left the original sender, even when it is forwarded on.
DKIM places a cryptographic signature in the header of an email message, which allows the receiving server to verify that the email was actually sent by the domain owner.
The DNS record type is TXT, and the record name carries a selector prefix such as google._domainkey or default._domainkey, depending on your provider's settings.
The content of the record starts with v=DKIM1.
Next comes k=rsa, where k stands for "key" and rsa for the key type. RSA is the most common, but the type may vary depending on the service provider.
p stands for Public Key, i.e. the public part of the key pair. The private key remains on the sending server, and the signatures it produces are checked against this public key.
The DKIM key is obtained from the service provider. With Tuonetti, it can be turned on automatically via Webhotel. For Google Workspace, we turn on the DKIM record on your behalf.
Domain-based Message Authentication, Reporting and Conformance, or DMARC, is a record that adds policy guidance and reporting on top of the existing SPF and DKIM records. It lets the domain owner learn who else is trying to send messages on their behalf, and it tells the recipient what to do when a message fails the DKIM or SPF checks.
An example of a DMARC record that moves emails that fail DKIM and SPF record checks to spam.
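Both the DKIM key record and the DMARC record are TXT records written as tag=value pairs separated by semicolons, so one parser serves both. The checker below, an added example that is not code from the original article or from Tuonetti, reads the DKIM tags (v, k, p, t) and the DMARC tags (v, p, sp, pct, rua, adkim, aspf) described above, and flags the states worth knowing about: an empty p, which means the key has been revoked; t=y, which puts the domain in testing mode; a DMARC record that does not begin with v=DMARC1; p=none, which only monitors; and a missing rua, which means no aggregate reports. The sample records are constructed: the key bytes, domain and report mailbox are placeholders, and the DMARC sample is the quarantine policy the text describes.

```python
"""Parse DKIM and DMARC TXT records, which both use the tag=value; syntax.

Added example for this article, not code from the original page or from
Tuonetti. The sample records are constructed: the selector, the domain, the
report mailbox and the key bytes are placeholders, not real values.
"""
import base64
import binascii

# Constructed placeholder standing in for the base64 DER public key of a real
# record; a genuine 2048-bit RSA key decodes to 294 bytes, not 50.
SAMPLE_KEY_BYTES = b"constructed placeholder, not a real RSA public key"

# DNS tools often show a long TXT record as several quoted strings.
SAMPLE_DKIM = ('"v=DKIM1; k=rsa; " "p='
               + base64.b64encode(SAMPLE_KEY_BYTES).decode() + '"')

# The quarantine policy described in the article: failing mail goes to spam,
# aggregate reports go to the rua mailbox (placeholder address).
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"


def parse_tag_list(txt: str) -> dict:
    """Split 'k=v; k2=v2' into an ordered dict, joining quoted TXT fragments."""
    joined = "".join(part.strip('"') for part in txt.split('" "'))
    tags = {}
    for item in joined.split(";"):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {item!r}")
        tags[name.strip().lower()] = value.strip()
    return tags


def check_dkim(txt: str) -> dict:
    """Validate a DKIM key record (selector._domainkey TXT) per RFC 6376."""
    tags = parse_tag_list(txt)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":   # v is optional, but must be DKIM1 if given
        findings.append("v tag present but not DKIM1")
    key_type = tags.get("k", "rsa")         # rsa is the default key type
    if key_type not in ("rsa", "ed25519"):
        findings.append(f"unknown key type k={key_type}")
    key_bytes = b""
    if "p" not in tags:
        findings.append("missing p tag: no public key to verify signatures with")
    elif "".join(tags["p"].split()) == "":
        findings.append("empty p: the key has been revoked, signatures using it fail")
    else:
        try:   # whitespace inside p is permitted and ignored
            key_bytes = base64.b64decode("".join(tags["p"].split()), validate=True)
        except binascii.Error:
            findings.append("p is not valid base64")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y: testing mode, verifiers treat its mail like unsigned mail")
    return {"tags": tags, "key_type": key_type,
            "key_bytes": len(key_bytes), "findings": findings}


def check_dmarc(txt: str) -> dict:
    """Validate a DMARC policy record (_dmarc TXT) per RFC 7489."""
    tags = parse_tag_list(txt)
    findings = []
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none: monitoring only, failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua tag: you will receive no aggregate reports")
    for uri in filter(None, tags.get("rua", "").split(",")):
        if not uri.strip().startswith("mailto:"):
            findings.append(f"rua entry is not a mailto: URI: {uri.strip()}")
    return {
        "tags": tags,
        "policy": policy,
        "subdomain_policy": tags.get("sp", policy),   # sp defaults to p
        "pct": int(tags.get("pct", "100")),           # share of failing mail policed
        "dkim_alignment": tags.get("adkim", "r"),     # r = relaxed, s = strict
        "spf_alignment": tags.get("aspf", "r"),
        "findings": findings,
    }


if __name__ == "__main__":
    for label, result in (("DKIM", check_dkim(SAMPLE_DKIM)),
                          ("DMARC", check_dmarc(SAMPLE_DMARC))):
        print(label, result["tags"])
        for finding in result["findings"] or ["no findings"]:
            print("  -", finding)
```

Paste the TXT values your DNS provider shows for selector._domainkey and _dmarc into check_dkim and check_dmarc respectively; an empty findings list for both means the records are at least well-formed, which is the precondition for the SPF and DKIM checks to be enforced at all.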
A BIMI record is not necessary, and we don't really recommend it unless you are a larger company that sends a lot of email. Google, for example, also requires a certificate before it displays the logo in Gmail. To obtain the certificate, you must have an internationally recognised brand name with an associated logo. You can then apply for a certificate for the logo, which normally costs around €1,000. Some providers display your logo in mailboxes even without this.
Summary of SPF, DKIM and DMARC records
Together, the SPF, DKIM and DMARC records are very effective in the fight against spam. Google's and Microsoft's requirements to use these records may seem technically cumbersome, but almost without exception modern service providers enable them automatically. Failing that, your service provider's customer service should be able to activate all the necessary records for you. It is still good to understand what these records do.
Note, however, that SPF, DKIM and DMARC records alone do not guarantee that an email will always reach the inbox. For example, the reputation of the sending server's IP address has a significant impact on email delivery. There are also services that assess the reliability of different domains, and they may place a domain on a block list if it is found to receive a lot of spam.