Email Undeliverable 2023 – DKIM, SPF, DMARC
Have you recently gotten an “email undeliverable” error in 2023? If you see this, it is part of a phishing attempt via spoofing. This “email undeliverable” error actually has to do with DKIM, SPF, and DMARC – which are part of email authentication. In this article, we are going to go over what these mean, how you can handle Email Undeliverable, and how to set your business up with DKIM, SPF, and DMARC.
If you are sending out or receiving emails, you must make sure emails are authenticated. Authentication is the “process or action of proving or showing something to be true, genuine or valid”. There are three parts to email authentication – SPF, DKIM, and DMARC. These three components show proof that an email message is genuine and is coming from the actual source it claims to be from.
Why Email Authentication Is Important
So, why is email authentication important? With the flood of spam and phishing messages floating around, it is essential that messages are properly authenticated. Think of email authentication as a sort of “digital ID card”. It helps mailbox providers (MBPs) and spam filtering systems recognize your email as legitimate email.
SPF and DKIM both help validate that the email message is from the actual, legit source. DMARC is used on top of SPF and DKIM. DMARC assists by giving receiving email servers a set of instructions on what to do if they receive an unauthenticated email.
Sender Policy Framework (SPF)
SPF gives the receiver of an email information on how legitimate the sender’s email is. SPF or Sender Policy Framework is an authentication protocol that lists, in a DNS TXT record, the IP addresses that are authorized to send email on behalf of a domain. Simply put, SPF defines a process for checking in DNS whether a mail server is authorized to deliver email for a sending domain.
With SPF, spam is reduced, and phishing messages from spoofed domains will be flagged and discarded based on the domain included in the sender address of the email.
An SPF record is a one-line DNS TXT record that contains the IP addresses of authorized email servers and is published for the domain or subdomain for which those servers are authorized to send email. Mail servers that receive an email message can check it against the SPF record before passing it on to the recipient’s inbox.
DomainKeys Identified Mail (DKIM)
DKIM or DomainKeys Identified Mail enables domain owners to automatically “sign” emails from their domain, much like the signature on a check that helps to confirm who wrote the check. DKIM is a digital signature that uses cryptography to mathematically verify that an email came from the domain.
Additionally, DKIM authentication enables domain owners to specify different signing keys for use by different email service providers. For instance, this could look like a message getting sent internally to an organization (such as different branches or subsidiaries). It could also look like commercial email service providers sending emails on behalf of the domain owner.
A DKIM record stores the domain’s public key, and the mail servers receiving emails from the domain can check this record to obtain the public key. The private key is kept secret by the sender, who uses it to sign selected header fields and a hash of the message body. The mail servers receiving this email can verify that the sender’s private key was used by applying the public key.
Why DKIM Is Important To Combat Spoofing
DKIM is very important for your organization because spoofing emails from trusted domains is a common technique for phishing campaigns. Fortunately, DKIM makes it harder to spoof emails from these trusted domains.
Domain-based Message Authentication Reporting and Conformance (DMARC)
DMARC tells a receiving email server what to do with a message based on the results of the SPF and DKIM checks. A domain’s DMARC policy can be set in a variety of ways. It can instruct mail servers to quarantine emails that fail SPF or DKIM (or both!). It can also reject such emails or deliver them.
DMARC policies are stored in DMARC records. A DMARC record also contains instructions to send reports to domain administrators about which emails are passing and which ones are failing the checks. DKIM, whose result DMARC relies on, uses a cryptographic key pair (one public in DNS and one private) to add a digital signature to every email message.
A receiving email server uses this DKIM signature to both validate the authenticity of the sender and to identify if the message was changed or altered during transit. DKIM-signed messages provide Mailbox Providers (MBPs) with trust that the message is authentic and is not being spoofed.
Why SPF, DKIM, and DMARC Are Important For Your Business
Enabling email authentication helps your email get delivered. However, it also helps to protect your brand’s reputation by limiting the chances that an unauthorized sender can hijack your domain without your consent or knowledge. Together, DKIM, SPF, and DMARC are great tools for reducing the threat of spam, phishing, and other email attacks. These three components will greatly help to protect against spoofed phishing emails.
Make Sure DMARC, DKIM, and SPF Are Properly Set Up
It is essential to make sure that DMARC, DKIM, and SPF are set up in the domain’s DNS settings. Administrators contact the DNS provider/web hosting provider, who then provides tools to enable them to upload and edit DNS records.
However, the process of setting up these records can be time-consuming.
Additionally, policies that are too strict or too relaxed negatively impact a domain. You don’t have to be an expert on email authentication. But it is important that businesses understand how they can prevent fraudulent emails from getting sent out from their email address.