When you send emails, you want to know that your intended recipients will get them, right?

That’s why the term “deliverability” needs to be important to you.

Good deliverability means your emails are getting to where you want them to go. But how do they do that? One way is email authentication.

Three ActiveCampaign deliverability team members – Hanna Fray, Patrick Cappy, and David Carriger – led a webinar talk about how email authentication can help you improve your email deliverability rates.

Watch the webinar above or read the recap below to learn all you need to know about email authentication.

What is email authentication?

Email authentication is how a receiving mail server verifies that a message really was sent by, or with the permission of, the domain it claims to come from.

When you send emails, mailbox providers (like Gmail, Outlook, AOL, and Yahoo) need to decide whether a message is a legitimate email sent from the owner of the domain name or email address, or a forged email sent by a spammer or phisher. This includes emails an ESP like ActiveCampaign sends on your behalf.

There are 3 established methods of email authentication used to verify a sender’s identity (the third builds on the first two):

  1. DomainKeys Identified Mail (DKIM)
  2. Sender Policy Framework (SPF)
  3. Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DKIM (DomainKeys Identified Mail)

DKIM is a cryptographic signature any sender can apply to their email messages. The sender signs selected headers and the body with a private key; the matching public key is published in DNS under the signing domain, so any receiver can check that the message came from someone holding that domain’s key and was not altered in transit.

“It’s essentially a signature – like signing your name on a check – that you can apply to your email messages so that when that message goes out, and it gets to the recipient, they’re going to look at and say, let’s see where this message is coming from. When they see a DKIM signature for your branded domain, then they’re going to say ‘Okay, this matches up, let’s let them through’,” says Patrick.

A valid signature makes clear that the purported sender of the message is actually the sender of the message. The signing domain (the d= value in the DKIM-Signature header) can be any domain whose DNS the signer controls, which is why an ESP can sign with your branded domain once you publish its key there.

An example of a DKIM-verified email signature, under the “signed-by” section.

SPF (Sender Policy Framework)

SPF stands for Sender Policy Framework. An SPF record is a DNS TXT record on your domain that lists the mail servers, including ESPs, authorized to send mail using your domain name. Receivers check it against the domain in the envelope sender (the MAIL FROM / Return-Path address), not the From: address the recipient sees.

“What’s nice about SPF and ActiveCampaign is that we automatically configure it for you already; so you don’t need to go in and create another record. You don’t need to modify one unless you want to add your own SPF record,” says Patrick.

If you would still like to add ActiveCampaign to your existing SPF record, you can do so by adding “include:emsd1.com” to your existing SPF record, or by creating a new one if you have none. For example, if you send email from both G Suite and ActiveCampaign, your SPF record might look like this:

v=spf1 include:emsd1.com include:_spf.google.com ~all

Note: You can only publish one SPF record for your domain name; receivers treat two or more as a permanent error, which fails the check. If you have an existing SPF record, modify it instead of creating a second one. Each include: (along with a, mx, ptr, exists and redirect=) also counts toward SPF’s limit of 10 DNS lookups, so check the total when you add providers.
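The merge described above, as an added example that is not ActiveCampaign’s code or from the original post: it takes every TXT record currently at a domain, refuses to proceed if two SPF records already exist, adds the ESP include to the single record while keeping the catch-all term last, and counts the DNS-lookup terms against RFC 7208’s limit of 10. The `google-site-verification` record and the domain’s existing record are constructed sample data.

```python
"""Added example (not from ActiveCampaign or the original post): check a
domain's SPF TXT records and merge an ESP include into the one record the
domain is allowed to publish."""
from __future__ import annotations

# Mechanisms and modifiers that each cost one DNS lookup; RFC 7208 caps a
# record at 10 such lookups, after which receivers return permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10


def is_spf(record: str) -> bool:
    """True if a TXT record is an SPF record (the version tag is case-insensitive)."""
    return record.strip().lower().split()[:1] == ["v=spf1"]


def spf_terms(record: str) -> list[str]:
    """Split an SPF record into its mechanisms/modifiers, without the version tag."""
    if not is_spf(record):
        raise ValueError(f"not an SPF record: {record!r}")
    return record.split()[1:]


def term_name(term: str) -> str:
    """'include:emsd1.com' -> 'include', '~all' -> 'all', 'redirect=x' -> 'redirect'."""
    body = term.lstrip("+-~?")
    return body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()


def count_lookups(record: str) -> int:
    """Number of DNS-lookup terms in the record itself. Included records are
    not recursed here, so the real total can only be higher."""
    return sum(1 for t in spf_terms(record) if term_name(t) in LOOKUP_TERMS)


def merge_include(txt_records: list[str], include_domain: str) -> str:
    """Return the single SPF record to publish after authorizing include_domain.

    txt_records is every TXT record currently at the domain (SPF and otherwise).
    Two SPF records are rejected rather than merged blindly, because receivers
    already treat that as a permanent error."""
    spf = [r for r in txt_records if is_spf(r)]
    if len(spf) > 1:
        raise ValueError(f"{len(spf)} SPF records found; a domain may publish only one")
    new_term = f"include:{include_domain}"
    if not spf:
        return f"v=spf1 {new_term} ~all"
    terms = spf_terms(spf[0])
    if any(t.lower() == new_term.lower() for t in terms):
        return spf[0]  # already authorized; nothing to change
    # Keep the catch-all ('all') last so the new include is actually evaluated.
    all_terms = [t for t in terms if term_name(t) == "all"]
    other_terms = [t for t in terms if term_name(t) != "all"]
    merged = " ".join(["v=spf1", new_term, *other_terms, *(all_terms or ["~all"])])
    lookups = count_lookups(merged)
    if lookups > MAX_LOOKUPS:
        raise ValueError(f"merged record needs {lookups} DNS lookups, over the limit of {MAX_LOOKUPS}")
    return merged


if __name__ == "__main__":
    # Constructed records for a hypothetical domain that already sends via Google.
    current = ["google-site-verification=abc123", "v=spf1 include:_spf.google.com ~all"]
    print(merge_include(current, "emsd1.com"))
    # -> v=spf1 include:emsd1.com include:_spf.google.com ~all
```

The lookup count is deliberately conservative: it counts only the terms visible in your own record, while receivers also count the lookups inside each included record, so a record that passes this check can still exceed the limit once providers’ includes are expanded.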

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC allows the domain owner to publish a policy (a TXT record at _dmarc.yourdomain) that tells mailbox providers (such as Google or Microsoft) what to do with mail that passes neither SPF nor DKIM in an aligned way (see domain alignment below), and where to send reports about it.

“DMARC is basically set up to give you a sort of extra layer of security under the domain and also provide that extra layer of email authentication,” says Patrick.

DMARC supports three main policy configurations:

  1. None
  2. Quarantine
  3. Reject

The 3 configurations of DMARC.

  • None – Indicates that emails should be treated normally if DMARC fails. It is equivalent to not having a DMARC record at all, although you can still take advantage of DMARC’s reporting features.
  • Quarantine – Indicates that emails should be delivered to the spam folder if the DMARC check fails.
  • Reject – Indicates that emails should be bounced (not delivered to the recipient) if the DMARC check fails.

To get started with DMARC, publish a policy of “None” first so that you don’t impact your deliverability in case of a misconfiguration, and include a reporting address (the rua tag) so you receive aggregate reports. You can then monitor those reports to see which mail would be affected before you move to a stricter policy.
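The staged rollout just described, as an added example of the DNS records involved (not from the original post; example.com and the reporting mailbox are hypothetical). Only one of these records is published at a time; each step replaces the previous one.

```dns
; Step 1: monitor only. Nothing is blocked; aggregate reports go to the rua address.
_dmarc.example.com.  IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

; Step 2: once the reports show all legitimate mail is aligned, quarantine a
; fraction of failing mail (pct) so a missed sender is noticed, not lost.
_dmarc.example.com.  IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com"

; Step 3: full enforcement.
_dmarc.example.com.  IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
```

Keep the rua tag through every step: the reports are how you find an ESP, ticketing system or office printer that still sends as your domain without an aligned signature before reject starts bouncing its mail.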

The pros and cons of email authentication

You’d like to think that sending an email doesn’t have any risk, but unfortunately there are some people who can (and will) mess with them. Email authentication can help minimize this risk, but does that mean there’s no risk of using email authentication?

There are pros and cons of using (or not using) email authentication.

Pros of email authentication

  1. Protects against fraud by stopping spammers and phishers
  2. Improves your email deliverability

“When we don’t have email authentication, spammers are able to essentially mimic your behavior, change the ‘From’ email addresses and get through filters and cause some damage,” says Hanna.
Without email authentication, spammers can change the source address of emails at will and try to sneak through spam filters and other defenses.

Phishers change the sender address to appear as if the message had originated from a legitimate sender.

“I got one from Netflix. It was pretty convincing, although they sent it from NetLix, so I caught it pretty immediately. But sometimes they’re really good at getting you to click links and get some private information from you,” notes Hanna.

Cybercriminals copy the brand look and feel of banks, social networks, and other well-known entities to entice recipients into clicking through to fraudulent websites where user information like passwords or account numbers can be stolen.

“When we have authentication set up, especially when we have a DMARC policy in place, we’re able to better prevent this from happening to you and your brand. And we’re protecting that domain,” says Hanna.
All major mailbox providers use email authentication to filter out suspected spam emails. It helps them validate that the email is originating from a legitimate source.

It can also help improve your deliverability.

Email authentication = good deliverability.

Email authentication can help improve your ability to get notifications and other critical product emails to your users’ inboxes.

That’s because email authentication can help make it more likely that sending domains for your email will be trusted by receiving mail servers.

Cons of email authentication

There’s really only one, and it’s only a maybe.

  1. Hurts your deliverability*

“If you’re not a legitimate sender, if you purchase a list, don’t clean your list, ignore unsubscribes, if you have a really high spam and abuse complaint – all of these things that feed into a bad overall reputation. And then you go and say, Hey, that spammer or that bad sender that you thought I was, yes, I am definitely that person. What do you think is gonna happen with your emails?” says Hanna.

“Keep in mind that it’s possible that you’ll see a dip when you implement email authentication, but you can improve that.”

How does domain alignment affect email authentication?

DMARC depends on domain alignment. Every email has a From: address that’s visible to the recipient (this is known as the Friendly From, or RFC 5322.From). So for user@example.com, the domain is example.com. This is the domain DMARC protects, and the one the other identifiers must line up with.

Every email also has a separate MAIL FROM address (known as the Envelope From, or RFC 5321.MailFrom) that’s used to tell other servers where to send bounce notifications. This is also sometimes called the Return-Path (which is where the email certification company, Return Path, gets its name), and it is the address SPF is checked against.

“Let’s just jump back in time to say the 1970s, right. So you need to create an electronic version of mail, you know, you need to communicate with people asynchronously, so you can’t just pick up the telephone and call them. You know, you need to send them a message and they need to be able to receive it on their own time and respond back to you.”

“That’s kind of how email works. So when they created email, it was designed to be very similar to mail where you have a message or envelope. And then you’ve got the letter itself. And so the envelope can be addressed to one person. And then the letter can be addressed to someone else, right. And so that ties into how SPF and DKIM and DMARC work, and so when you send that email out, you’ve got this idea of the envelope having a specific sender, and then the letter itself having a specific sender, and DMARC cares about that in what they call domain alignment,” says David.

“This is an example of an SPF-aligned email, so that domain name in the envelope, example.com, matches what the recipient would see, which is user@example.com.”

How domain alignment appears in an email.

“If I send this to Hanna, or if I send this to Patrick, I’m not trying to spoof who I am here; I’m using the same domain for both. This would pass DMARC alignment for SPF. But some, in some cases, SPF won’t be aligned. And so there’s another way we can actually pass DMARC. We can also use DKIM,” says David.

DKIM adds a signature header (DKIM-Signature) to your email so the receiver can verify the authenticity of the sender.

Part of the DKIM signature is a domain identifier (the d= value). So if you are signing mail with the key for example.com, the DKIM signature will indicate that with the d=example.com field, and the receiver fetches the public key from that domain’s DNS to check it.

If DKIM passes (the signature verifies, so the signed headers and body have not been altered since signing) and DKIM is aligned (the domain in the Friendly From matches the domain in the DKIM signature), that’s also enough for DMARC to pass! By default DMARC uses relaxed alignment, where the two only need to share the same organizational domain (so mail.example.com aligns with example.com); a domain owner can demand an exact match with the adkim=s or aspf=s tags.

By default, emails sent from ActiveCampaign are not aligned.

We use our own email address (with a domain name different from yours) as the Envelope From. This is how ActiveCampaign is able to automatically process bounces for you!

When an email address bounces, we know because we receive the bounce notification. We then have processes in place to see if the email address bounced because it doesn’t exist, and automatically unsubscribe that email from your list.

Fortunately, this is easy to fix!

If you set up DKIM inside your ActiveCampaign account, this will allow you to pass DMARC via aligned DKIM (we will sign the message using your domain name).

How DMARC works.

“When the mailbox provider gets a message, they’re going to say, ‘is there a DMARC record?’ And if there is, then they’re going to take a look at SPF and they’re going to take a look at DKIM – and one of them needs to pass and be aligned. If SPF passes and it’s aligned, then great, we passed DMARC. If DKIM passes and is aligned, then great, we passed DMARC. So it doesn’t matter if one fails as long as the other succeeds,” says David.
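The evaluation David describes, as an added example (not ActiveCampaign’s code or from the original post) covering the ESP case above: the envelope sender is the ESP’s bounce domain, so SPF cannot align, and DMARC still passes on an aligned DKIM signature. The code reads the From:, Return-Path and DKIM-Signature d= domains from a message and applies the alignment mode and policy from the domain’s DMARC record. It takes the receiver’s raw SPF and DKIM verdicts as inputs, since checking a signature or an SPF record needs DNS; the messages, the bounce domain esp-bounces.example and the reporting address are constructed, and the organizational-domain rule is a two-label simplification of the Public Suffix List lookup real receivers do.

```python
"""Added example (not ActiveCampaign's code): apply DMARC's alignment rule to
a message's From:, Return-Path and DKIM-Signature headers, using the domain
owner's DMARC record for policy and alignment mode."""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr


def parse_tags(value: str) -> dict[str, str]:
    """Parse the 'tag=value; tag=value' syntax shared by DKIM-Signature
    headers and DMARC TXT records."""
    tags: dict[str, str] = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain used by relaxed alignment. Assumption: the last
    two labels; real receivers consult the Public Suffix List, so this is
    wrong for names like example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r', the default)
    accepts any domain sharing the organizational domain."""
    if not auth_domain or not from_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(raw_message: str, dmarc_record: str,
                   spf_result: str, dkim_result: str) -> dict[str, object]:
    """Combine the receiver's raw SPF and DKIM verdicts ('pass'/'fail', passed
    in because checking them needs DNS) with alignment to get the DMARC result."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1]
    mailfrom_domain = parseaddr(msg.get("Return-Path", ""))[1].rsplit("@", 1)[-1]
    dkim_domain = parse_tags(msg.get("DKIM-Signature", "")).get("d", "")
    policy = parse_tags(dmarc_record)

    spf_aligned = spf_result == "pass" and aligned(mailfrom_domain, from_domain, policy.get("aspf", "r"))
    dkim_aligned = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    passed = spf_aligned or dkim_aligned  # either identifier is enough
    return {
        "from_domain": from_domain,
        "mailfrom_domain": mailfrom_domain,
        "dkim_domain": dkim_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc": "pass" if passed else "fail",
        # Disposition the policy asks for on failure; 'none' when DMARC passes.
        "disposition": "none" if passed else policy.get("p", "none"),
    }


def sample_message(from_addr: str, return_path: str, dkim_domain: str | None) -> str:
    """Constructed message, not a real capture. The signature bytes are
    placeholders; only the d= tag is read here, since the key is not in DNS."""
    headers = [
        f"Return-Path: <{return_path}>",
        f"From: {from_addr}",
        "To: recipient@example.net",
        "Subject: Alignment test",
    ]
    if dkim_domain:
        headers.append(f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d={dkim_domain}; "
                       "s=sel1; h=from:to:subject; bh=PLACEHOLDER; b=PLACEHOLDER")
    return "\r\n".join(headers) + "\r\n\r\nHello\r\n"


if __name__ == "__main__":
    # ESP-style sending: the envelope uses the ESP's bounce domain (hypothetical
    # name), so SPF cannot align; an aligned DKIM signature still passes DMARC.
    esp_bounce = "bounce-123@esp-bounces.example"
    policy = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
    signed = sample_message("Someone <user@example.com>", esp_bounce, "example.com")
    print(evaluate_dmarc(signed, policy, "pass", "pass"))
    # Same message signed only with the ESP's own domain: both identifiers are
    # unaligned, so the p=quarantine disposition applies.
    unsigned = sample_message("Someone <user@example.com>", esp_bounce, "esp-bounces.example")
    print(evaluate_dmarc(unsigned, policy, "pass", "pass"))
```

Note that the second message has a perfectly valid DKIM signature and a passing SPF check; DMARC still fails because neither identifier is the domain in the From: header. That is the gap the DKIM setup inside your ESP account closes: the signature has to carry your d=, not the ESP’s.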

“For the majority of people, DKIM is going to be sufficient enough. We handle SPF for you and we do set up DKIM. But in terms of having a DMARC policy, it doesn’t necessarily make sense for everyone to have that aspect of authentication is too much work. If you’re not in a vertical that has exposure to being phished or spammed, don’t worry about it as much. Just know it’s an option and why it could help. But for the majority of you, certainly, start out with DKIM and hopefully, we’ll see some deliverability improvement,” says Hanna.