
Streamlined SPF, DKIM, DMARC, and BIMI Configuration for Improved Deliverability


Email Authentication Essentials: SPF, DKIM, DMARC, and BIMI

In the world of email marketing, deliverability is critical. A well-crafted email campaign can only be successful if the emails reach their intended recipients. Email authentication is a powerful set of tools that help ensure the deliverability and security of emails. This article covers the fundamentals of SPF, DKIM, DMARC, and BIMI records and offers actionable steps for setting them up.

SPF Records: Essential Information

Sender Policy Framework (SPF) records are a simple and effective way to help minimize email spoofing, where someone sends mail that impersonates your domain. An SPF record tells receiving mail servers which servers are allowed to send email on behalf of your domain. This cuts down on the number of spam emails malicious actors can send in your name.

A proper SPF record can look like this:

v=spf1 ip4:123.45.67.89 include:_spf.google.com -all

Let's break this down:

  • v=spf1: The version of the SPF record. Set this to spf1; it must be the first term in the record.
  • ip4:123.45.67.89: The IP address from which emails can legitimately be sent.
  • include:_spf.google.com: Include SPF entries from Google's servers. This is useful when using Gmail or Google Workspace as a mail server.
  • -all: Denotes the end of the SPF record. The - qualifier is the strict setting: if an email does not originate from one of the stated servers, it fails SPF and will likely be flagged.
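To show how a receiver walks these terms from left to right, here is an added example (not code from the original article) of a simplified SPF evaluator. It assumes a constructed in-memory `ZONE` in place of DNS, and the record shown for `_spf.google.com` is a stand-in, not Google's real record.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# The first record is the article's example; the second is NOT Google's real record.
ZONE = {
    "example.com": "v=spf1 ip4:123.45.67.89 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_host(ip, domain, zone=ZONE, budget=None):
    """Simplified RFC 7208 check_host(): handles ip4, ip6, include and all."""
    budget = budget if budget is not None else [10]  # shared DNS-lookup limit
    record = zone.get(domain)
    if record is None:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"  # default is pass
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return RESULTS[qualifier]
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # more than 10 lookups, e.g. an include loop
            inner = check_host(ip, arg, zone, budget)
            if inner == "pass":
                return RESULTS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include only means "no match"
        else:
            return "permerror"  # mechanism outside this example's scope
    return "neutral"
```

An unlisted sender gets `fail` from the outer `-all` even though the included record ends in `~all`: the included record's own catch-all never becomes the result for your domain.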

DKIM Signing: Authenticate Your Emails

DomainKeys Identified Mail (DKIM) is designed to verify that emails sent from your domain actually originated from authorized systems. By using cryptographic authentication, DKIM ensures the email was not altered during transit and matches the signing domain.

Once DKIM is set up, a DKIM signature is added within the email header, looking something like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
s=google; t=1607943863;
h=mime-version:from:to:subject:date:message-id:content-type;
bh=C1N/zIVlW01zke8KfMI5i9lwVOyHbju61ADz6T8yCWc=;
b=Sn+/DwEK+WPi9Ml3Y/TBZYWZCBDrZdnhtm8Ey5WCFKwoLsj8FrHUx2wSf5psZxiD
lzPWAR9t7LVlye/mVWuZ0PlxKURhefmvOGBYwALsY/IhXOU0pMdYjHYFoH7mAowQRLJs
Kwcta1YiOLIc2OZ0vypnk4z3ev89LFQt0vs=

You don't add the DKIM signature manually. Contact your email service provider (ESP) or mail server administrators to generate and implement the DKIM key for your domain.

DMARC Policies: Control Email Authentication

Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on the SPF and DKIM email authentication mechanisms. With proper configuration, a DMARC policy tells receiving servers how to act on the results of SPF/DKIM authentication checks and provides feedback on failed and successful checks. Additionally, you can set a DMARC policy to handle misconfigured or spoofed emails with disposal actions like quarantine or reject.

A DMARC policy record looks like this:

_dmarc.example.com IN TXT "v=DMARC1; p=quarantine; sp=reject; pct=100; rua=mailto:[email protected]; ruf=mailto:[email protected]"

Here's what this entails:

  • v=DMARC1: The DMARC version.
  • p=quarantine: The default policy when DMARC alignment fails. Set to reject for stronger action.
  • sp=reject: The policy for subdomains.
  • pct=100: The percentage of emails the DMARC policy is applied to. Set to 100 to cover all of them.
  • rua=mailto:[email protected]: Address receiving the aggregate DMARC reports.
  • ruf=mailto:[email protected]: Address receiving the failure (forensic) DMARC reports.
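As an added example (not code from the original article), the sketch below shows how a receiver combines these tags with SPF and DKIM results to decide what happens to a message. It uses the article's policy tags without the report addresses, and it assumes the last two labels of a name are the organizational domain, where real receivers consult the Public Suffix List; all function names are illustrative.

```python
# The article's DMARC policy tags, without its rua/ruf report addresses.
RECORD = "v=DMARC1; p=quarantine; sp=reject; pct=100"

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; v=DMARC1 must come first."""
    pairs = [part.split("=", 1) for part in txt.split(";") if "=" in part]
    tags = [(k.strip().lower(), v.strip()) for k, v in pairs]
    if not tags or tags[0] != ("v", "DMARC1") or "p" not in dict(tags):
        raise ValueError("not a usable DMARC record")
    return dict(tags)

def org_domain(name):
    # Assumption: the last two labels stand in for the organizational domain.
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, strict):
    """Strict alignment needs an exact match; relaxed compares org domains."""
    if strict:
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def disposition(tags, from_domain, spf, dkim):
    """spf and dkim are (result, domain) pairs: the SPF-checked envelope
    sender domain and the DKIM d= domain. Returns 'pass' or the policy."""
    spf_ok = spf[0] == "pass" and aligned(
        spf[1], from_domain, tags.get("aspf") == "s")
    dkim_ok = dkim[0] == "pass" and aligned(
        dkim[1], from_domain, tags.get("adkim") == "s")
    if spf_ok or dkim_ok:
        return "pass"  # one aligned pass is enough
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    # sp= covers subdomains and falls back to p= when it is absent.
    return tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
```

An SPF pass for some other domain does not help a message whose From header claims example.com: without an aligned DKIM signature it still gets the `p=` disposition.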

BIMI allows marketers to display logos next to their sender names in supported email clients (currently Gmail and Yahoo Mail). Using BIMI along with SPF, DKIM, and DMARC is an excellent way to ensure security and establish credibility. It also gives your emails a polished appearance that encourages more engagement (opens and clicks).

To get started with BIMI, obtain a Verified Mark Certificate (VMC). Existing DKIM selectors over HTTPS (https://selector1_domainkey.example.com) are compliant, while new implementations may require SSL certificates. Find VMC providers on the BIMI Group certified provider list.

default._bimi.example.com IN TXT "v=BIMI1; l=; a=;"

The fields in this BIMI record boilerplate are:

  • v=BIMI1: The BIMI version to use.
  • l=: The logo URL as an HTTPS link. Maintain a 1:1 aspect ratio, max 32 kB, & use SVG format.
  • a=: Terminate the BIMI policy.

Next steps for Email Authentication

Reviewing the components of your email authentication setup is essential. SPF, DKIM, DMARC, and BIMI records are powerful tools to improve email deliverability, prevent spoofing, and present a professional appearance.

Setting up these records requires understanding your specific ESP or mail server environment. Do the following:

  • Set SPF records in your DNS management, following your ESP's documentation.
  • Request DKIM signing from your ESP or mail server administrators.
  • Implement DMARC policies matching your email security needs.
  • Use BIMI VMC for stylized logos that establish trust and credibility.

Further refine your BIMI implementation with tools like Postmark's BIMI Generator (for generating a BIMI-compliant SVG/PNG logo).

Stay up-to-date on email marketing best practices and network with fellow professionals at FiresideSender's community.
