SendPost Blog - Email API & SMTP

Email authentication can be a bit of a confusing topic, but don't worry! If you've heard that email authentication protocols can help improve deliverability, you're on the right track.

They help protect your emails from being marked as spam or rejected by the recipient's email server. This is especially important if you're sending high volumes of emails, as a single spam complaint or rejected email can damage your sending reputation and negatively impact the deliverability of your future emails.

Email authentication protocols might sound like a mouthful, but they're actually simple to understand.

Email authentication is a process of verifying the identity of the sender of an email message to ensure that the recipient knows who is sending the message and that the message has not been altered or forged in transit.

Your email service provider adds special code to your emails that acts as a digital signature. This signature helps verify that the email is coming from a legitimate source and not a fake one.

Email authentication helps protect your sender reputation. When you authenticate your emails, you're demonstrating to email providers that you're a trustworthy sender and that your messages are not spam or phishing attempts. This can lead to higher inbox placement rates and better overall deliverability. By authenticating your messages, you're providing an extra layer of security that helps ensure that your subscribers are receiving messages from you and not from a malicious actor.

The authentication information in emails is typically found in the message header, which isn't usually visible to the reader. This means that authenticating your emails won't affect the content of the email.

SMTP, the standard protocol for sending emails, does not have any built-in authentication features. This is why SPF, DKIM, and DMARC were created to enhance the security of SMTP. These standards will be discussed in more detail later on, but for now, it's important to know that using all three of these standards is crucial for a complete email authentication system.

Setup SPF Authentication

To set up SPF for your email, you need to check if your domain already has a published SPF record stored in your site's DNS as a TXT record.

The easiest way to do this is by using an online NSLOOKUP tool like Kloth.net or Toolbox. Simply enter your domain name in the tool, search for TXT records, and look for the SPF record. If there is no SPF record found, you'll need to create one yourself and publish it as a new DNS record.

The SPF record will specify the SPF version, the authorized IP addresses that can send emails on behalf of your domain, and the handling of emails from unauthenticated senders.

If you find that your domain has a published SPF record, it will show you a result similar to this:

v=spf1 ip4:207.171.160.0/19 -all

This string of characters is the SPF record that establishes the version of SPF you're using, the IP addresses that are authorized to send emails on behalf of your domain, and how to handle emails received from unauthenticated senders.

To create an SPF record, follow these steps:

1. Open a text editor and create a new file.
2. Copy and paste the following into the file: "v=spf1 ip4:[IP ADDRESS] -all".
3. Replace [IP ADDRESS] with the IP address of your sending domain.
4. If you need to add additional IP addresses, use a space after the last digit of the previous IP address, and add "ip4:[IP ADDRESS]" for each additional IP address.
5. If you need to include a third-party domain, add "include:[THIRD PARTY DOMAIN]".
6. End your SPF record with "-all", indicating to ISPs that any email coming from your domain without a proper SPF record will be rejected.
7. Your SPF record should look something like this: "v=spf1 ip4:12.34.56.78 ip4:23.45.67.89 include:thirdparty.example.com -all".
8. Save the file and publish it as a new DNS record.

To see SPF records in action, you can open any email that you received and check the headers and/or the original mail. The "mailed by" domain tells you whether or not the SPF is applied properly. It should match the domain of the 'from' email address

Setup DKIM Authentication

DomainKeys Identified Mail (DKIM) is a protocol that is used to verify the authenticity of an email message. It uses a digital signature, which is added to the email headers, to verify that the email has not been altered or tampered with during transit.

Here's how it works: when the email is sent, the sender's mail server applies a digital signature to the message headers, which includes information about the sending domain and a public encryption key. The recipient's mail server then retrieves the public key from the sending domain's DNS and uses it to decrypt the digital signature. If the decrypted signature matches the content of the email headers, it verifies that the email has not been altered and is authentic.

To set up DKIM authentication, follow these steps:

1. Generate a DKIM key: The first step is to generate a unique DKIM key for your domain. You can use a tool like OpenDKIM to generate this key.
2. Publish the public key: After generating the key, you need to publish the public key in your domain's DNS records. This allows email providers to access the public key and verify the authenticity of your email.
3. Add the DKIM signature to your emails: You will also need to add a DKIM signature to the headers of your emails. This signature is a digital signature that verifies the authenticity of the email.
4. Test the DKIM authentication: Once you have completed the above steps, test the DKIM authentication to ensure it is working properly. You can use an online tool like DKIM Core Validator to test the authentication.
5. Monitor the authentication: Finally, monitor the authentication to make sure it is functioning correctly and to detect any issues early. You can use a tool like Google's Postmaster Tools to monitor your email authentication.

Setup DMARC Authentication

Email authentication can be a complicated process, but setting rules for unauthenticated emails simplifies things and improves your deliverability rates, especially if you have a complex sending infrastructure.

This is where DMARC comes into play. Adding DMARC records to your DNS records enhances your email deliverability and gives the domain owner more control over email authentication.

Here are the steps to set up DMARC:

1. Determine the policy for your domain: Choose between "none", "quarantine", or "reject" to determine what should happen to unauthenticated emails from your domain.
2. Create a DMARC record: A DMARC record is added to your domain's DNS records as a text (TXT) record. Use a DMARC generator to create the record based on your chosen policy.
3. Publish the DMARC record: Add the DMARC record to your DNS records by adding a new TXT record through your domain name registrar or DNS hosting provider.
4. Monitor DMARC implementation: Verify that your DMARC record is working properly by monitoring email logs, bounce rates, and deliverability rates.
5. Make changes if necessary: If you encounter any issues with your DMARC implementation, make changes to your DMARC record and monitor the results to ensure proper implementation.

Final Thoughts

Once you get your email authentication system up and running, you can sit back and relax. You'll barely have to lift a finger, as your email authentication should run smoothly. But keep an eye on a few key email marketing metrics, such as bounce rates and deliverability rates. If you notice any spikes or drops, it may be time to take another look at your email authentication setup.

So what's the payoff for all this email authentication effort? A great email deliverability rate and a return on investment that'll make email marketing profitable. And if you're using a quality email service provider, they'll take care of the heavy lifting for you. At SendPost, for example, we keep a close eye on the health of our clients' email programs, making sure that their emails are always reaching their intended inboxes. You can sign up here or get a demo if you want to finally stop struggling with email deliverability.