In this post, we will look at common security standards for email sending in order to improve email delivery placement. We will look at methods, such as DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF), which we can use to establish trust between a sender and a receiver. We will also look at a few tools which we can use to test and verify that a domain's configuration is working properly.
Why is Email Security Important?
The Simple Mail Transfer Protocol (SMTP), which is still the foundation for sending email today, was built at a time when encryption and authorization were not widely used. As more individuals, businesses, and other entities came to rely on email for internet communication, it became apparent that protection against spoofing, spamming, and other fraudulent acts had to be added on top of the protocol.
This brings us to our first point: email is not secure by default. It is trivial to create an email that looks like it is coming from another party. Just as it is possible to type another individual's name on a letterhead and send it through conventional mail, the same is possible with email. As a result, a set of standards for establishing trust between a sender and a receiver was created.
For the above reasons, Email Service Providers such as Gmail and Outlook rank secure, trusted email higher than its insecure counterparts. If you do not secure your email and domain configuration properly, your email will be far more likely to end up in spam folders, be caught by spam filters, or, worse, get your domain blacklisted. All of these scenarios hurt your delivery performance, resulting in fewer opens and clicks and less outreach to your audience.
Email Security Used Today
From the perspective of an email service provider and its users, there are two security goals that need to be addressed:
- Validate that the content of an email has not been changed from sender to receiver.
- Validate that the sender is authorized to send an email as a particular identity.
Both of these concerns are addressed using public Domain Name System (DNS) records.
DomainKeys Identified Mail (DKIM) is used to detect modifications to email content. DKIM does this by adding a domain signature to each email sent. The signature is computed with public-key cryptography: a hash of the headers and body of the email is signed with the domain's private key, and the matching public key is published in DNS.
The idea is that the sender uses its private key to sign all outbound email and attaches the result as a DKIM-Signature header. The receiving email provider then uses this signature, together with its own computation of the hash over the headers and body, to verify that the email content has not changed in transit.
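To make the signing and verification steps above concrete, here is an added example (not code from the original post) that implements the DKIM canonicalization rules from RFC 6376, computes the body hash carried in the bh= tag, and builds the exact byte string that the b= signature covers. The RSA signing step itself is left out so the example runs with the Python standard library only; the message body, headers and DKIM-Signature tag values are constructed sample data.

```python
import base64
import hashlib
import hmac
import re


def canonicalize_body(body: str, mode: str = "relaxed") -> bytes:
    """Canonicalize a message body as DKIM (RFC 6376, section 3.4) does.

    'simple' strips only the empty lines at the end of the body; 'relaxed'
    also collapses runs of spaces/tabs on each line and strips trailing
    whitespace, so cosmetic changes by relays do not break the signature.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # An empty body hashes as a lone CRLF in simple mode and as nothing in relaxed mode.
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body: str, mode: str = "relaxed") -> str:
    """The value of the bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def canonicalize_header(name: str, value: str) -> str:
    """Relaxed header canonicalization: lowercase name, unfold, collapse whitespace."""
    name = name.strip().lower()
    value = re.sub(r"\r?\n[ \t]+", " ", value)  # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" \t")
    return f"{name}:{value}\r\n"


def parse_tags(signature: str) -> dict:
    """Split a DKIM-Signature tag list ('k=v; k=v') into a dict, dropping folding whitespace."""
    tags = {}
    for part in signature.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def signing_input(headers: list, signature: str) -> bytes:
    """Bytes the b= tag covers: the headers named in h= (bottom-most occurrence
    first for repeated names), then the DKIM-Signature header with b= emptied."""
    wanted = [n.strip().lower() for n in parse_tags(signature)["h"].split(":")]
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.strip().lower(), []).append(value)
    out = ""
    for name in wanted:
        values = by_name.get(name)
        if values:
            out += canonicalize_header(name, values.pop())
    sig_without_b = re.sub(r"(^|[;\s])b=[^;]*", r"\1b=", signature)
    out += canonicalize_header("DKIM-Signature", sig_without_b).rstrip("\r\n")
    return out.encode("utf-8")


def verify_body_hash(body: str, signature: str) -> bool:
    """Recompute bh= from the body as received and compare it with the signed value."""
    tags = parse_tags(signature)
    canon = tags.get("c", "simple/simple")
    body_mode = canon.split("/")[1] if "/" in canon else "simple"
    return hmac.compare_digest(body_hash(body, body_mode), tags.get("bh", ""))


if __name__ == "__main__":
    # Constructed sample message: the signer computes bh=, a relay then edits the body.
    body = "Invoice attached.\r\n"
    sig = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel; "
           "h=from:to:subject; bh=" + body_hash(body) + "; b=")
    print("original body verifies:", verify_body_hash(body, sig))
    print("edited body verifies:  ", verify_body_hash("Invoice attached (amended).\r\n", sig))
```

A verifier only proceeds to the RSA check of b= once bh= matches; a body edited in transit fails at this first step, which is exactly the content-modification detection the post describes.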
Setting up DKIM keys and DNS records varies from system to system. Here are some example documents to get you started:
- G Suite: Enhance security for outgoing email (DKIM)
- Postfix: How To Install and Configure DKIM with Postfix on Debian Wheezy
While DKIM validates the content of an email, the Sender Policy Framework (SPF) is used to validate that a sender is authorized to send email on behalf of a particular domain or identity.
From Common Mistakes of SPF, "the purpose of SPF is to advertise your domain's mail servers", and this is done by listing each server that is authorized to send email. The list is published as a TXT record on the sending domain.
"v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all"
This record defines the SPF version, an IPv4 address range, and a single IPv4 address, and also allows the host at the domain's A record to send email. The final -all specifies that all email not matching these mechanisms should be dropped (a hard fail).
The SPF syntax can be found at: http://www.open-spf.org/SPF_Record_Syntax/
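As an added example (not code from the original post or from the SPF project), the following is a small SPF evaluator that walks the record above the way a receiving server does: mechanisms are tried left to right, the first match decides, and the qualifier on that mechanism (+, -, ~, ?) gives the result. It goes beyond the post's record by also handling ip6:, mx: and include:, and it enforces the ten-lookup limit from RFC 7208. DNS is replaced by a constructed in-memory table (an assumption of this example; a real checker resolves the names), and redirect=, exists: and ptr: are deliberately left out.

```python
import ipaddress

# Constructed, offline stand-in for DNS (an assumption of this example). The
# example.com TXT record is the one from the post; the other entries are made up.
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all"],
    ("example.com", "A"): ["203.0.113.10"],
    ("example.com", "AAAA"): ["2001:db8::10"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["203.0.113.25"],
    ("bulk.example.net", "TXT"): ["v=spf1 ip4:203.0.113.64/26 ~all"],
    ("marketing.example.com", "TXT"): ["v=spf1 include:bulk.example.net mx:example.com -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on mechanisms that need DNS (a, mx, include, ...)


def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])


def get_spf_record(domain):
    """Return the domain's single SPF record, or None (none found, or several)."""
    found = [r for r in lookup(domain, "TXT")
             if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return found[0] if len(found) == 1 else None


def ip_in_network(ip, spec, default_prefix):
    """ip4:/ip6: mechanism: is the IP inside the given address or CIDR range?"""
    if "/" not in spec:
        spec = f"{spec}/{default_prefix}"
    net = ipaddress.ip_network(spec, strict=False)
    return ip.version == net.version and ip in net


def ip_matches_host(ip, name):
    """True if ip is one of the name's A (IPv4) or AAAA (IPv6) addresses."""
    rtype = "A" if ip.version == 4 else "AAAA"
    return any(ip == ipaddress.ip_address(addr) for addr in lookup(name, rtype))


def check_host(ip_str, domain, lookups=None):
    """SPF check_host(): result for mail from ip_str whose MAIL FROM domain is `domain`."""
    ip = ipaddress.ip_address(ip_str)
    lookups = [0] if lookups is None else lookups  # counter shared with include: recursion
    record = get_spf_record(domain)
    if record is None:
        return "none"
    for term in record.split()[1:]:  # skip the v=spf1 version tag
        if "=" in term:
            continue  # modifiers (redirect=, exp=) are not handled in this example
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip_in_network(ip, arg, 32 if mech == "ip4" else 128)
        elif mech in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = arg or domain
            if mech == "a":
                matched = ip_matches_host(ip, target)
            elif mech == "mx":
                matched = any(ip_matches_host(ip, mx) for mx in lookup(target, "MX"))
            else:
                # include: only a "pass" from the included record counts as a match
                matched = check_host(ip_str, target, lookups) == "pass"
        else:
            return "permerror"  # exists:, ptr: and unknown mechanisms are out of scope here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and there was no "all" term


if __name__ == "__main__":
    for ip, domain in [("192.0.2.77", "example.com"), ("203.0.113.25", "example.com"),
                       ("203.0.113.25", "marketing.example.com"), ("203.0.113.200", "bulk.example.net")]:
        print(f"{ip:>15}  {domain:<24} {check_host(ip, domain)}")
```

Note that 203.0.113.25 (the MX host) fails for example.com because the post's record lists only `a`, not `mx`; forgetting a sending host in the record is the most common cause of legitimate mail being hard-failed once `-all` is in place.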
Finally, there is the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol. Building on top of the two security measures above, DMARC specifies that the domains used in the SPF and DKIM validations must align with the domain in the From header of the email message.
In addition, DMARC lets you define what should happen when SPF or DKIM validation fails. For example, you can request that reports on validation failures be sent back to you.
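The alignment and policy logic of the two paragraphs above, as an added example that is not part of the original post: it parses a DMARC TXT record, checks whether the SPF domain (MAIL FROM) and the DKIM signing domain (d=) align with the From header domain under the record's strict or relaxed setting, and derives the resulting disposition, using the sp= subdomain policy where it applies. The DMARC record and the domains are constructed sample values, and the organizational-domain helper is simplified to the last two labels (real validators use the Public Suffix List).

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into its tags; None if it is not a valid DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (assumption of this
    example; real validators consult the Public Suffix List, e.g. for example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, policy_domain, from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Combine the SPF/DKIM results with the policy found at policy_domain.

    DMARC passes when at least one of SPF or DKIM passed *and* the domain it
    authenticated aligns with the From header domain. On failure the
    disposition is p=, or sp= when the From domain is a subdomain and sp= is set.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return {"result": "none", "disposition": "none",
                "spf_aligned": False, "dkim_aligned": False, "report_to": "", "pct": 100}
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "s" if False else "r"))
    passed = spf_ok or dkim_ok
    is_subdomain = from_domain.lower() != policy_domain.lower()
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "report_to": tags.get("rua", ""),   # where aggregate reports are requested
        "pct": int(tags.get("pct", "100")), # share of failing mail the policy applies to
    }


if __name__ == "__main__":
    # Constructed sample record: strict DKIM alignment, relaxed SPF alignment.
    REC = ("v=DMARC1; p=reject; sp=quarantine; "
           "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r")
    # Bounce address on a subdomain still aligns with example.com under aspf=r.
    print(evaluate_dmarc(REC, "example.com", "example.com", "pass", "bounce.example.com", "fail", ""))
    # A DKIM signature from mail.example.com does not align under adkim=s.
    print(evaluate_dmarc(REC, "example.com", "example.com", "fail", "example.com", "pass", "mail.example.com"))
```

The second call in the usage block is the case that surprises people most: the message carries a valid DKIM signature, yet DMARC fails because adkim=s demands that d= equal the From domain exactly. When you tighten alignment or move from p=none to a stricter policy, read the aggregate reports sent to the rua= address first to confirm your own mail streams still align.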
For instructions on setting up DMARC, see:
To make sure that your domain configurations are functioning correctly, I recommend using the following tools: