From copy to design, you’ve spent hours on that perfect fundraising email – but it’s all in vain if it lands in the spam folder! Here’s how to configure your email authentication so your emails land in the inbox.
At first, email authentication might sound intimidating.
But it simply refers to how your supporter’s email service provider (say, Gmail or Outlook.com) knows that the email you’re sending really came from you. By authenticating emails, email providers like Gmail protect their users (in this case, your supporters) from bad actors who want to do them harm by “spoofing” them.
What is spoofing?
Spoofing is when someone sends an email in your name to your supporters. It’s a forgery.
Normally, hackers spoof people to steal sensitive personal information.
Imagine you receive an email and in the FROM line it says “FireFly Partners.” In the REPLY-TO line, it says “FireFly Partners.” It might even have what appears to be our logo on it. But in this email, you’re asked to send us your social security number.
Watch out! This email is a spoof! We would never ask for sensitive information via email.
Another common example: you receive an email from someone you know, asking for money because they’re stranded in a foreign country without their wallet, while you know they’re safely at home with their cat. That, too, was a spoofing attack.
Email authentication is an extremely important part of keeping yourself and your supporters safe from spoofing attacks like these. Email providers like Google do their best to weed out unauthenticated emails that look suspicious. And if you haven’t configured your email authentication properly, your emails might be the victims of a zealous email filter.
So how do you configure your email authentication so email providers know that it’s really you sending the email?
Let’s walk through this process together – and get your emails in front of your supporters!
Email Authentication Standards
Let’s start by looking at three things (SPF, DKIM, and DMARC) that should be configured to help ensure your messages are being delivered properly. DKIM, SPF, and DMARC are all standards that enable different aspects of email authentication.
A “standard” is simply the technical requirements that must be met by email senders so that email receivers like Gmail allow them in.
It’s important to know that standards are things you’ll never see as you design and send your emails. It’s a part of your email providers’ back-end. In other words, email authentication is something that should happen “under the hood” to make sure your emails arrive in your supporter’s inbox.
Each of these three standards addresses complementary issues.
- SPF allows senders to define which IP addresses are allowed to send mail for a particular domain.
- DKIM adds a digital signature, checked against a public key published in your DNS, that verifies an email message was not faked or altered.
- DMARC unifies the SPF and DKIM authentication mechanisms into a common framework and allows domain owners to declare how they would like email from that domain to be handled if it fails an authorization test.
Totally clear, right? No worries! Let’s take a moment to break each one down a little further.
#1 – Sender Policy Framework (SPF)
SPF lets you publish, in a DNS TXT record for your domain, which mail servers are permitted to send email using that domain. If the sender is not permitted to send emails with your domain, the email fails the SPF check on the receiving server (your supporters’ Gmail, Outlook, or another inbox), and the spam policy configured on that receiving server determines what to do with the message.
Each SPF TXT record contains three parts:
- A declaration identifying itself as an SPF TXT record,
- The IP addresses allowed to send mail from your domain and the external domains that can send on your domain’s behalf (Gmail, Outlook, etc.), and
- An enforcement rule.
You need all three in a valid SPF TXT record.
The enforcement rule (what happens when the message sender fails the SPF check) is usually one of these options:
- Hard fail. Mark the message with ‘hard fail’ in the message envelope and then follow the receiving server’s configured spam policy for this type of message.
- Soft fail. Mark the message with ‘soft fail’ in the message envelope. Typically, email servers are configured to deliver these messages anyway. Most end users do not see this mark.
- Neutral. Do nothing, that is, do not mark the message envelope. This is usually reserved for testing purposes and is rarely used.
Although SPF is designed to help prevent spoofing, there are spoofing techniques that SPF cannot protect against. So for further protection, once you have set up SPF, you should also configure DKIM and DMARC.
#2 – DomainKeys Identified Mail (DKIM)
DKIM is the standard that allows an organization to claim responsibility for a message in a way that can be validated by the recipient. Specifically, it uses an approach called “public key cryptography” to verify that an email message was sent from an authorized mail server, in order to detect forgery and to prevent delivery of harmful email like spam.
How does DKIM work?
First of all, it supplements SMTP, the basic protocol used to send email, because SMTP does not itself include any authentication mechanisms. DKIM works by adding a digital signature to the headers of an email message. That signature can be validated against a public cryptographic key in your organization’s Domain Name System (DNS) records.
A DKIM signature is a header added to email messages. The header contains values that allow a receiving mail server to validate the email message by looking up the sender’s DKIM public key in DNS and using it to verify the signature. Signatures are unique from message to message, but the basic elements will be present in every DKIM signature header.
Think of it this way.
Say you wanted to send your grandmother a letter and you wanted her to know that it was from you and no one else. How would you do that? Well, if grandma was the only one in your life who called you “my little Brussels sprout,” you could sign your letter by saying “Your loving, little Brussels sprout.”
This would be your “public key cryptography” that would tell her that no one else could have written this letter to her. It’s your very own special code language with grandma (because your grandma is just that cool).
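Here is what the DKIM-Signature header described above actually contains, as an added example written for this article (not Firefly Partners’ code). It assumes a constructed message with a placeholder `b=` value, parses the header’s tags, derives the DNS name where the receiver looks up the public key, and performs the first step a receiver takes, recomputing the body hash (`bh=`) to detect an altered body; verifying the `b=` signature itself needs an RSA library and the key from DNS, which this example deliberately leaves out.

```python
import base64
import hashlib

def parse_dkim_signature(header_value):
    """Split a DKIM-Signature header value into its tag=value pairs (RFC 6376)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            tag, value = part.split("=", 1)
            # Values such as b= and h= may be folded across lines; drop the whitespace.
            tags[tag.strip()] = "".join(value.split())
    return tags

def dkim_key_name(tags):
    """DNS name the receiver queries for the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def body_hash(body):
    """Compute the bh= value under 'simple' body canonicalization with SHA-256:
    CRLF line endings, trailing empty lines removed, exactly one CRLF at the end."""
    canon = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while canon.endswith("\r\n\r\n"):
        canon = canon[:-2]
    if not canon.endswith("\r\n"):
        canon += "\r\n"
    return base64.b64encode(hashlib.sha256(canon.encode()).digest()).decode()

def body_hash_matches(body, tags):
    """First check a receiver performs: recompute bh= from the body as received.
    A mismatch means the body was altered, and the signature is rejected before
    the b= value is ever checked against the public key."""
    return tags.get("a") == "rsa-sha256" and body_hash(body) == tags.get("bh")

# Constructed sample message; b= is a placeholder, since verifying it needs the
# RSA public key from DNS and an RSA library, which this example does not use.
SAMPLE_BODY = "Thank you for supporting our spring appeal!\n\n"
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=simple/simple; d=example.org; s=s2024;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    " b=PLACEHOLDER_SIGNATURE"
)

if __name__ == "__main__":
    tags = parse_dkim_signature(SAMPLE_HEADER)
    print("look up TXT record:", dkim_key_name(tags))
    print("body hash intact:", body_hash_matches(SAMPLE_BODY, tags))
```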
#3 – Domain-based Message Authentication, Reporting & Conformance (DMARC)
While SPF and DKIM can be used as stand-alone methods, DMARC must rely on either SPF or DKIM to provide the authentication.
DMARC builds on those technologies by telling your supporters’ inbox what to do if a message from your domain is not properly authenticated. DMARC ensures that legitimate email is properly authenticating against established DKIM and SPF standards and that fraudulent activity appearing to come from domains under the organization’s control is blocked (these can be active sending domains, non-sending domains, and defensively registered domains).
The two main ways DMARC works are what’s called “domain alignment” and “reporting.”
DMARC’s alignment feature prevents spoofing of the “header from” address by:
- Matching the “header from” domain name with the “envelope from” domain name used during an SPF check, and
- Matching the “header from” domain name with the “d= domain name” in the DKIM signature. (Remember that special code name we talked about above? DMARC aligns them to make sure that the code name is being used in all the right places in your email.)
To pass DMARC, a message must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment.
A message will fail DMARC if the message fails both:
- SPF or SPF alignment and
- DKIM or DKIM alignment.
DMARC allows senders to instruct email providers on how to handle unauthenticated mail via a DMARC policy, removing any guesswork on how they should handle messages that fail DMARC authentication.
Senders can either:
- Monitor all mail, to understand their brand’s email authentication ecosystem, and ensure legitimate mail is authenticating properly without interfering with the delivery of messages that fail DMARC
- Quarantine messages that fail DMARC (e.g., move to the spam folder)
- Reject messages that fail DMARC (e.g., don’t deliver the mail at all)
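The alignment and policy rules above, carried through in code as an added example for this article (not Firefly Partners’ or any provider’s implementation). It assumes a constructed DMARC record, takes the SPF and DKIM results and their domains as inputs, and returns the DMARC verdict plus the disposition the policy asks for; the organizational-domain lookup is simplified to the last two labels, whereas real receivers use the Public Suffix List.

```python
def org_domain(name):
    """Organizational domain, simplified here to the last two labels.
    Real receivers consult the Public Suffix List so that example.co.uk works."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(record):
    """Read p=, adkim= and aspf= from a DMARC TXT record; alignment defaults to relaxed."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return {"p": tags.get("p", "none"),
            "adkim": tags.get("adkim", "r"), "aspf": tags.get("aspf", "r")}

def aligned(header_from, auth_domain, mode):
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def evaluate_dmarc(header_from, policy, spf_result, envelope_from, dkim_result, dkim_d):
    """Return (dmarc_result, disposition). Passing needs an authenticated AND
    aligned identifier from at least one of SPF or DKIM."""
    spf_ok = spf_result == "pass" and aligned(header_from, envelope_from, policy["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_d is not None
               and aligned(header_from, dkim_d, policy["adkim"]))
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    disposition = {"none": "deliver (report only)", "quarantine": "spam folder",
                   "reject": "reject"}[policy["p"]]
    return ("fail", disposition)

# Constructed record for the example domain: strict DKIM alignment, relaxed SPF.
DMARC_RECORD = "v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.org"

if __name__ == "__main__":
    policy = parse_dmarc(DMARC_RECORD)
    # Bulk mail sent through a vendor: SPF passes for the vendor's bounce domain
    # but is not aligned with the From: domain; a DKIM signature with d=example.org rescues it.
    print(evaluate_dmarc("example.org", policy, "pass", "bounce.mailvendor.test", "pass", "example.org"))
```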
Email Authentication Frustration
Really, you won’t notice that any of these standards are being used to keep your emails safely within supporters’ inboxes. But the problem is that all three of these authentication methods are completely optional! If you are not using any of these email authentication methods, your organization is a prime target for being spoofed, and your messages will not be delivered. And you wouldn’t even know it.
If you think your messages aren’t making it to your subscribers’ Inboxes, or want help with email deliverability, reach out to our team of digital marketing experts today.