Sep 24, 2020



There are many reasons why an email may not be received. Lately we’ve been seeing more and more clients encountering issues with third-party services sending as their domain. The reason why has to do with these modern-day email authentication policies: SPF, DKIM, and DMARC.

Breaking it Down

SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) are two email authentication protocols that have been around for years. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a relatively new authentication method that is now being more heavily enforced by major email giants like Microsoft and Google. At Envision, we recommend to our clients that they at least have SPF or DKIM in place alongside DMARC. However, if possible, having all three – SPF, DKIM, and DMARC – is best.

How Do They Work and Why Implement Them?

The main purpose of instituting SPF/DKIM is to audit what servers can send email as your domain(s) and prevent email spoofing. This email spoofing applies to two scenarios: (1) internal phishing efforts and (2) nefarious domain usage.

With internal phishing efforts, setting up an SPF/DKIM record can make it harder for cyber-criminals to conduct malicious activity within your organization by sending emails that look like they are coming from a safe address but really are not. For example – an SPF/DKIM record can help prevent an email asking for money transfers that looks like it came from your CEO’s email address. An SPF/DKIM record can also help deter bad actors from launching external phishing efforts using your domain name.


In addition to setting up SPF/DKIM, we also recommend instituting DMARC simply because SPF/DKIM are not enough of a protective measure by themselves anymore, especially since they were both first introduced more than a decade ago! DMARC is an added authentication method that tells email servers how to enforce SPF/DKIM records. Its purpose is twofold: first, to verify messages sent as your domain by authenticating them against your SPF/DKIM records, and second, to define what action the email server should take with messages that fail these checks.

If an incoming message fails the DMARC check (is deemed suspicious), there are three potential actions your email server can take, which can be specified based on your organizational preferences:

  1. None – take no action on the message and allow it to be delivered normally.
  2. Quarantine – mark the message as spam and deliver it as such.
  3. Reject – most systems treat Reject the same as Quarantine. However, if this is not the case, the email will not be delivered at all – not even to a spam folder.

So – what do SPF/DKIM and DMARC have to do with emails not being received?

Organizations often have a handful of third parties sending as their domain. This is commonplace for services ranging from MailChimp or Constant Contact to your website to your HR platform. In these cases, you want the email to have your domain (not the third party) in the “from” field.

If your organization is not accounting for DMARC, email servers might be rejecting or quarantining (marking as suspicious) emails that these services send as you. What’s more – you might not even know this has been going on!

Long-Term Adjustments, Better Results

With DMARC, you can set up a daily report that will show you how often messages are validated, how many invalid messages your system is seeing, and the actions your email server is taking regarding these suspicious messages. Based on these reports, you can adjust your DMARC policy accordingly – this is where the email deliverability issue comes into play.

By taking a deeper look at the DMARC reports that are produced, you can see what services and IP addresses are sending email using your specific domain name. Then, you can refine your SPF/DKIM records to allow certain services/IPs to send as your domain. You can also categorize those services/IPs you do not wish to send as your domain as invalid. While DMARC is not an immediate solution, it can have long-term benefits if you properly manage and interpret the reports produced.

Have Questions or Concerns? We Can Help.

Email deliverability issues can be a headache, but we have experienced, knowledgeable email and web experts within our Ground Control and Digital Innovation and Design teams who would be happy to work with you. If you don’t already have a DMARC policy in place, we can help you to integrate one with your current email system. If you have already set up DMARC but are still having issues receiving or delivering emails (or both!), we can assist with that as well. Contact our email and web experts today at (401) 272-6688.

Explore our website design and development services to find out how you can keep your website modern, secure, and ready for what's ahead.