In a recent episode of Stimulus Tech Talk, CEO Nathan Whittacre shed light on the critical components of email deliverability: DKIM, SPF, and DMARC. In this article, we'll delve deeper into these vital aspects, demystifying their significance and providing actionable insights to enhance your email security and deliverability.



What are the Key Components of Email Deliverability?

In today's world, inboxes are full. Personal messages, professional correspondence, marketing, and of course junk and spam all compete for attention, and it can be difficult to figure out what's important. Email providers are cracking down on unwanted messages reaching inboxes, and there are important updates and rules that businesses and email marketers need to know about to keep getting their information to customers and prospects.

Understanding DKIM:

DKIM, or DomainKeys Identified Mail, lets a receiving server verify that a message was sent, unaltered, by a server the domain owner authorized. Nathan likens it to a digital signature for email, and that is exactly what it is: the sending server hashes the message body and signs that hash together with selected headers (From, To, Subject and so on) using a private key, and the domain owner publishes the matching public key as a DNS TXT record at <selector>._domainkey.<domain>. The receiver reads the d= (domain) and s= (selector) tags from the DKIM-Signature header, fetches that record, and checks the signature. DKIM does not encrypt the message; it signs it, so a message that was spoofed, or modified in transit, fails verification.
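To make the signing step concrete, here is an added example in Go (not code from the article or from Stimulus Technologies) that signs a small message the way DKIM does and verifies it against the public key exactly as it would appear in the DNS TXT record. It implements the RFC 6376 "relaxed" canonicalization and rsa-sha256; the domain, selector, headers and body are constructed, and the DNS lookup is replaced by passing the TXT string directly. A production verifier additionally enforces the x= expiry and l= length tags and the key record's t= flags, which are omitted here.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

var wsp = regexp.MustCompile(`[ \t]+`)            // a run of whitespace, collapsed to one space
var bTag = regexp.MustCompile(`(;\s*)b=[^;]*`) // the b= tag, whose value is blanked before hashing

// relaxedBody: RFC 6376 relaxed body canonicalization (collapse WSP runs, strip trailing WSP per line, drop trailing empty lines, end with one CRLF).
func relaxedBody(body string) string {
	s := wsp.ReplaceAllString(strings.ReplaceAll(body, "\r\n", "\n"), " ")
	s = strings.TrimRight(strings.ReplaceAll(s, " \n", "\n"), " \n")
	if s == "" {
		return ""
	}
	return strings.ReplaceAll(s, "\n", "\r\n") + "\r\n"
}

// relaxedHeader: lowercase field name, WSP runs collapsed, no leading or trailing WSP.
func relaxedHeader(name, value string) string {
	return strings.ToLower(name) + ":" + strings.TrimSpace(wsp.ReplaceAllString(value, " ")) + "\r\n"
}

// BodyHash is the bh= tag: base64(SHA-256(canonicalized body)).
func BodyHash(body string) string {
	sum := sha256.Sum256([]byte(relaxedBody(body)))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signedData is what b= covers: the headers named in h= (in order, looked up by lowercase name), then the DKIM-Signature header with b= empty and no final CRLF.
func signedData(names []string, hdrs map[string]string, sigHeader string) []byte {
	var b strings.Builder
	for _, n := range names {
		b.WriteString(relaxedHeader(n, hdrs[strings.ToLower(n)]))
	}
	b.WriteString(strings.TrimSuffix(relaxedHeader("DKIM-Signature", sigHeader), "\r\n"))
	return []byte(b.String())
}

// Sign returns the DKIM-Signature header value covering the named headers and the body.
func Sign(priv *rsa.PrivateKey, domain, selector string, names []string, hdrs map[string]string, body string) (string, error) {
	unsigned := fmt.Sprintf("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; h=%s; bh=%s; b=",
		domain, selector, strings.Join(names, ":"), BodyHash(body))
	digest := sha256.Sum256(signedData(names, hdrs, unsigned))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return unsigned + base64.StdEncoding.EncodeToString(sig), nil
}

// DNSRecord is the TXT value the domain owner publishes at <selector>._domainkey.<domain>.
func DNSRecord(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	return "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
}

// tags parses a "k=v; k=v" list, the syntax shared by the signature header and the TXT record.
func tags(s string) map[string]string {
	m := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		if k, v, ok := strings.Cut(strings.TrimSpace(part), "="); ok {
			m[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return m
}

// Verify is the receiving side: recompute bh=, rebuild the signed data from the h= list, and check b= with the public key from the published TXT record.
func Verify(txt, sigHeader string, hdrs map[string]string, body string) error {
	t := tags(sigHeader)
	sig, err := base64.StdEncoding.DecodeString(t["b"])
	if err != nil || t["bh"] != BodyHash(body) {
		return fmt.Errorf("unusable b= or body hash mismatch (body altered)")
	}
	der, _ := base64.StdEncoding.DecodeString(tags(txt)["p"])
	key, err := x509.ParsePKIXPublicKey(der) // also fails when p= was not valid base64
	pub, ok := key.(*rsa.PublicKey)
	if err != nil || !ok {
		return fmt.Errorf("published key unusable: %v", err)
	}
	unsigned := bTag.ReplaceAllString(sigHeader, "${1}b=")
	digest := sha256.Sum256(signedData(strings.Split(t["h"], ":"), hdrs, unsigned))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	hdrs := map[string]string{"from": "billing@example.com", "to": "customer@example.net", "subject": "Your receipt"}
	sig, _ := Sign(priv, "example.com", "sel1", []string{"From", "To", "Subject"}, hdrs, "Thank you for your order.\r\n")
	txt := DNSRecord(&priv.PublicKey) // this string is what goes in DNS at sel1._domainkey.example.com
	fmt.Println("original body:", Verify(txt, sig, hdrs, "Thank you for your order.\r\n"))
	fmt.Println("altered body: ", Verify(txt, sig, hdrs, "Wire the payment to this new account.\r\n"))
}
```

Only the headers listed in h= are protected, which is why a real signer always includes From; anything not listed can be rewritten without breaking the signature.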

Deciphering SPF:

Sender Policy Framework (SPF) complements DKIM by listing, in a DNS TXT record on your domain, which servers are authorized to send mail for it. Unlike DKIM, SPF involves no cryptography: the receiving server takes the IP address of the connecting sender and checks it against the mechanisms in the record (ip4, ip6, include, a, mx, closed by -all, ~all or ?all). Two caveats matter in practice. SPF is evaluated against the envelope sender (the MAIL FROM or Return-Path domain), not the From address the user sees, and a record may trigger at most ten DNS lookups (RFC 7208); organizations that add an include: entry for every CRM, billing and marketing platform hit that limit and the record fails with permerror. Those limits are why SPF alone is not enough and DKIM is used alongside it.
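An added example (not the article's code) of how a receiver evaluates an SPF record, in Go: it walks the mechanisms in order, follows include: into other records, and counts every DNS-querying mechanism against the ten-lookup limit. The TXT map is a constructed stand-in for DNS and the domains and addresses are made up; a real implementation also resolves a, mx and exists: mechanisms, handles redirect=, and takes the IP from the SMTP connection rather than as a parameter.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Result is an SPF evaluation result (RFC 7208 section 2.6).
type Result string

const (
	Pass      Result = "pass"
	Fail      Result = "fail"
	SoftFail  Result = "softfail"
	Neutral   Result = "neutral"
	None      Result = "none"
	PermError Result = "permerror"
)

// MaxLookups is the RFC 7208 section 4.6.4 cap on DNS-querying mechanisms per evaluation.
const MaxLookups = 10

// TXT is a constructed in-memory stand-in for DNS; a real checker queries TXT records.
var TXT = map[string]string{
	"example.com":       "v=spf1 ip4:203.0.113.0/24 include:_spf.crm.example include:mail.example -all",
	"_spf.crm.example":  "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
	"mail.example":      "v=spf1 include:_spf.bulk.example ?all",
	"_spf.bulk.example": "v=spf1 ip4:192.0.2.0/25 -all",
}

// Evaluate returns the SPF result for a connection from ip whose envelope sender
// (MAIL FROM) is at domain. The From header the user sees plays no part in SPF.
func Evaluate(domain string, ip netip.Addr) Result {
	lookups := 0
	return check(strings.ToLower(domain), ip, &lookups)
}

func check(domain string, ip netip.Addr, lookups *int) Result {
	rec, ok := TXT[domain]
	if !ok || !strings.HasPrefix(rec, "v=spf1") {
		return None
	}
	for _, term := range strings.Fields(rec)[1:] {
		qual, mech := qualifier(term)
		switch {
		case strings.HasPrefix(mech, "ip4:"), strings.HasPrefix(mech, "ip6:"):
			pfx, err := parsePrefix(mech[4:])
			if err != nil {
				return PermError
			}
			if pfx.Contains(ip) { // an IPv4 address never matches an ip6: prefix, or vice versa
				return qual
			}
		case mech == "all":
			return qual
		case strings.HasPrefix(mech, "include:"), strings.HasPrefix(mech, "a"),
			strings.HasPrefix(mech, "mx"), strings.HasPrefix(mech, "exists:"):
			*lookups++ // each of these mechanisms costs a DNS query
			if *lookups > MaxLookups {
				return PermError // the eleventh lookup makes the whole record unusable
			}
			// include: matches only when the referenced record yields pass; a, mx and
			// exists: need real DNS to resolve and are counted but never matched here.
			if strings.HasPrefix(mech, "include:") && check(strings.TrimPrefix(mech, "include:"), ip, lookups) == Pass {
				return qual
			}
		case strings.Contains(mech, "="):
			// a modifier such as exp=; redirect= is not implemented in this example
		default:
			return PermError // unknown mechanism
		}
	}
	return Neutral // no mechanism matched and no "all" terminated the record
}

// qualifier splits the optional leading +, -, ~ or ? from a term; the default is +.
func qualifier(term string) (Result, string) {
	q := map[byte]Result{'+': Pass, '-': Fail, '~': SoftFail, '?': Neutral}
	if r, ok := q[term[0]]; ok {
		return r, term[1:]
	}
	return Pass, term
}

// parsePrefix accepts "192.0.2.0/24" as well as a bare address, which means /32 or /128.
func parsePrefix(s string) (netip.Prefix, error) {
	if strings.Contains(s, "/") {
		return netip.ParsePrefix(s)
	}
	a, err := netip.ParseAddr(s)
	if err != nil {
		return netip.Prefix{}, err
	}
	return netip.PrefixFrom(a, a.BitLen()), nil
}

func main() {
	for _, ip := range []string{"203.0.113.7", "198.51.100.10", "192.0.2.5", "192.0.2.200", "2001:db8::1"} {
		fmt.Printf("%-15s %s\n", ip, Evaluate("example.com", netip.MustParseAddr(ip)))
	}
}
```

Note how the lookup counter is shared across the whole evaluation: nested include: chains from a CRM, a help desk and a marketing platform add up, and once the eleventh lookup is reached the result is permerror for every message, not just the one that needed the deep include.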

Unveiling DMARC:

Domain-based Message Authentication, Reporting and Conformance (DMARC) ties the other two together. A DMARC record, published as a TXT record at _dmarc.<your domain>, tells receivers what to do with a message that claims your domain in its From header but fails authentication. A message passes DMARC only if SPF or DKIM passes and the domain that passed aligns with the From domain; that alignment requirement is what stops an attacker from passing SPF for their own domain while displaying yours. The record's p= tag sets the policy for failures: none (deliver, but report), quarantine (send to spam) or reject (refuse the message), and the rua= tag names a mailbox that receives aggregate reports of who is sending as your domain and whether they authenticate. Those reports are what give you visibility into, and control over, your domain's mail traffic.
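The alignment rule is the part most often misunderstood, so here is an added Go example (not from the article or from Stimulus Technologies) that applies a published DMARC policy to the SPF and DKIM results for one message. The record map is a constructed stand-in for DNS and the domains are made up; orgDomain approximates the organizational domain as the last two labels where RFC 7489 uses the Public Suffix List, and the pct=, fo= and ruf= tags are not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// TXT is a constructed stand-in for DNS: DMARC records live at _dmarc.<domain>.
var TXT = map[string]string{
	"_dmarc.example.com":  "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com",
	"_dmarc.shop.example": "v=DMARC1; p=none; rua=mailto:dmarc@shop.example",
}

// AuthResult carries what SPF and DKIM already established for one message,
// including which domain each check actually authenticated.
type AuthResult struct {
	SPFPass    bool
	SPFDomain  string // MAIL FROM (Return-Path) domain that SPF checked
	DKIMPass   bool
	DKIMDomain string // d= of a verified DKIM signature
}

// Policy is a parsed DMARC record (only the tags this example uses).
type Policy struct{ P, SP, ADKIM, ASPF, RUA string }

func parsePolicy(rec string) Policy {
	pol := Policy{ADKIM: "r", ASPF: "r"} // RFC 7489 defaults: relaxed alignment
	for _, part := range strings.Split(rec, ";") {
		k, v, ok := strings.Cut(strings.TrimSpace(part), "=")
		if !ok {
			continue
		}
		v = strings.TrimSpace(v)
		switch strings.TrimSpace(k) {
		case "p":
			pol.P = v
		case "sp":
			pol.SP = v
		case "adkim":
			pol.ADKIM = v
		case "aspf":
			pol.ASPF = v
		case "rua":
			pol.RUA = v
		}
	}
	if pol.SP == "" {
		pol.SP = pol.P // sp= defaults to p=
	}
	return pol
}

// orgDomain approximates the organizational domain as the last two labels.
// RFC 7489 consults the Public Suffix List here (so example.co.uk works); this is a simplification.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned reports whether the authenticated domain matches the From domain
// exactly (mode "s") or shares its organizational domain (mode "r").
func aligned(authDomain, fromDomain, mode string) bool {
	if authDomain == "" {
		return false
	}
	if mode == "s" {
		return strings.EqualFold(authDomain, fromDomain)
	}
	return orgDomain(authDomain) == orgDomain(fromDomain)
}

// Evalu// Evaluate applies the DMARC policy for the RFC5322.From domain to the SPF and DKIM
// results; it returns whether DMARC passed and the disposition ("none", "quarantine", "reject").
func Evaluate(fromDomain string, ar AuthResult) (bool, string) {
	fromDomain = strings.ToLower(fromDomain)
	rec, ok := TXT["_dmarc."+fromDomain]
	isSub := false
	if !ok { // no record on the exact domain: use the organizational domain and its sp=
		rec, ok = TXT["_dmarc."+orgDomain(fromDomain)]
		isSub = true
	}
	if !ok || !strings.HasPrefix(rec, "v=DMARC1") {
		return false, "none" // nothing published, so nothing for the receiver to enforce
	}
	pol := parsePolicy(rec)
	// DMARC passes when SPF *or* DKIM passed AND that identifier aligns with the From domain.
	// SPF passing for bad-chimp.example does nothing for a message that displays example.com.
	pass := (ar.SPFPass && aligned(ar.SPFDomain, fromDomain, pol.ASPF)) ||
		(ar.DKIMPass && aligned(ar.DKIMDomain, fromDomain, pol.ADKIM))
	switch {
	case pass:
		return true, "none"
	case isSub:
		return false, pol.SP
	default:
		return false, pol.P
	}
}

func main() {
	fmt.Println(Evaluate("example.com", AuthResult{DKIMPass: true, DKIMDomain: "example.com"}))
	fmt.Println(Evaluate("example.com", AuthResult{SPFPass: true, SPFDomain: "bad-chimp.example"}))
	fmt.Println(Evaluate("news.example.com", AuthResult{}))
}
```

The second call is the spoofing case from the podcast: the sender's own SPF record is perfectly valid, but because it authenticates bad-chimp.example rather than example.com, the message still fails DMARC and is rejected.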

Why Do Businesses Need to Update Their Email Settings Now?

Nathan stresses that these protocols need attention now. Google and Yahoo have tightened their requirements for bulk senders, and mail from domains that are not properly authenticated can be rejected or routed to spam, affecting both day-to-day communications and marketing campaigns. Businesses should therefore prioritize setting up DKIM, SPF and DMARC for every system that sends as their domain.

What Steps Do Business Need to Take to Update Their DKIM, SPF, and DMARC Settings?

To navigate the complexities of DKIM, SPF, and DMARC setup, Nathan recommends a systematic approach:

    • Conduct an inventory of all systems and services sending emails on behalf of your domain.

    • Collaborate with IT, web developers, and relevant stakeholders to ensure proper configuration.

    • Publish a DMARC record with p=none first. It blocks nothing, but it delivers aggregate reports that show every source sending as your domain; once the inventory is complete and each legitimate source passes SPF or DKIM with alignment, move to p=quarantine and then p=reject.

    • Seek expert guidance from reliable providers like Stimulus Technologies to streamline the implementation process effectively.
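The inventory step is driven by the aggregate reports that a p=none DMARC record sends to the rua= mailbox. The following Go program is an added example, not part of the original article or of Stimulus Technologies' tooling: it parses a constructed aggregate report (the XML shape is the one defined in RFC 7489 Appendix C; the IP addresses, counts and domains are made up) and lists the sources that would be quarantined or rejected under a stricter policy. In the sample those are a forgotten website form mailer and a spoofer, which is exactly the distinction the inventory has to make.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Feedback is the subset of a DMARC aggregate (rua) report this example reads.
type Feedback struct {
	Org     string   `xml:"report_metadata>org_name"`
	Domain  string   `xml:"policy_published>domain"`
	Policy  string   `xml:"policy_published>p"`
	Records []Record `xml:"record"`
}

// Record is one row: a source IP and how the receiver evaluated its mail.
// The policy_evaluated results are the DMARC (aligned) results, not raw SPF/DKIM.
type Record struct {
	SourceIP    string `xml:"row>source_ip"`
	Count       int    `xml:"row>count"`
	Disposition string `xml:"row>policy_evaluated>disposition"`
	DKIM        string `xml:"row>policy_evaluated>dkim"`
	SPF         string `xml:"row>policy_evaluated>spf"`
	HeaderFrom  string `xml:"identifiers>header_from"`
	DKIMDomain  string `xml:"auth_results>dkim>domain"`
	SPFDomain   string `xml:"auth_results>spf>domain"`
}

// SampleReport is constructed, not real data: the main mail server, a CRM that signs
// with DKIM, a forgotten website form mailer, and a spoofer ("Bad Chimp").
const SampleReport = `<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct></policy_published>
 <record>
  <row><source_ip>203.0.113.7</source_ip><count>1200</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>198.51.100.10</source_ip><count>340</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
   <spf><domain>crm-bounces.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>203.0.113.200</source_ip><count>15</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>webhost.example</domain><result>pass</result></spf></auth_results>
 </record>
 <record>
  <row><source_ip>192.0.2.99</source_ip><count>37</count>
   <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>bad-chimp.example</domain><result>pass</result></spf></auth_results>
 </record>
</feedback>`

// Parse decodes an aggregate report.
func Parse(data string) (*Feedback, error) {
	var fb Feedback
	if err := xml.Unmarshal([]byte(data), &fb); err != nil {
		return nil, err
	}
	return &fb, nil
}

// Failing returns the records that passed neither aligned SPF nor aligned DKIM.
// Under p=none they were still delivered; under quarantine or reject they would
// not be, so each one is either a spoofer or a legitimate system that still
// needs DKIM or an SPF entry.
func Failing(fb *Feedback) []Record {
	var out []Record
	for _, r := range fb.Records {
		if r.DKIM != "pass" && r.SPF != "pass" {
			out = append(out, r)
		}
	}
	return out
}

// FailingCount sums the message counts across failing records.
func FailingCount(fb *Feedback) int {
	n := 0
	for _, r := range Failing(fb) {
		n += r.Count
	}
	return n
}

func main() {
	fb, err := Parse(SampleReport)
	if err != nil {
		panic(err)
	}
	fmt.Printf("report from %s for %s (p=%s)\n", fb.Org, fb.Domain, fb.Policy)
	for _, r := range Failing(fb) {
		fmt.Printf("needs attention: %s sent %d messages as %s (spf domain %q, dkim domain %q)\n",
			r.SourceIP, r.Count, r.HeaderFrom, r.SPFDomain, r.DKIMDomain)
	}
}
```

The CRM row is the instructive one: its SPF check passed for crm-bounces.example, but that domain does not align with example.com, so only its DKIM signature keeps it passing DMARC. A provider that can only offer an IP address for SPF needs that address covered by an aligned domain, otherwise it will show up in this list once the policy tightens.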

What Businesses Need to Know About Email Deliverability

In an era plagued by cyber threats and email fraud, prioritizing email deliverability is paramount for businesses of all sizes. By embracing DKIM, SPF, and DMARC, organizations can fortify their email infrastructure, mitigate risks, and enhance trustworthiness in online communications. As the digital landscape evolves, proactive measures to safeguard email integrity will remain indispensable, ensuring seamless communication and bolstering cybersecurity defenses.

Need help with your email settings? Schedule a 10-minute call with us to see how Stimulus Technologies can help.


Stimulus Tech Talk: Elevating Email Security: Compliance Essentials with DKIM, DMARC, and SPF - transcript

SUMMARY KEYWORDS

spf, emails, messages, set, server, sending, domain, service, record, mail, company, domain name, technologies, deliverability, provider, stimulus, ensure, blocked, software, dns

SPEAKERS

Sherry Lipp, Intro, Nathan Whittacre

Intro  00:00

You're listening to Stimulus Tech Talk, a conversation-based podcast created by Stimulus Technologies that covers a range of topics related to business and technology.

Sherry Lipp  00:13

Welcome to Stimulus Tech Talk, I am Sherry Lipp, marketing manager at Stimulus Technologies. And I'm here today with Stimulus Technologies CEO Nathan Whittacre, and we are going to be talking about email deliverability, and more specifically DKIM, SPF and DMARC. And if you don't know what those stand for, you're about to find out. Welcome, Nathan.

Nathan Whittacre  00:34

Yeah, from deliverability. DKIM. Yeah, SPF. Sounds like we're going on a wild goose chase here.

Sherry Lipp  00:45

Yes. So let's get started, kind of like what these are. And if we want to just start with DKIM first, or go through all three, we can do that right off the bat.

Nathan Whittacre  00:59

Sure. So I mean, everybody hates getting spam. And even worse than getting spam is getting phishing attacks, or mail spoofing. And so the idea behind all three of these things is to prevent your email address from being used by malicious attackers to send out emails impersonating you. So that's the primary basis behind all three of these: to ensure that the servers that are sending emails on the internet are legitimately allowed to send out those emails. And so, talking about DKIM, I'll give you an instance. And I guess we'll have to, we got to go back a minute and talk about some technology, because I'm going to use some acronyms here beyond DKIM and SPF and DMARC. To understand how this works, on the internet, computers really only understand what are called IP addresses. They only understand numbers, a set of numbers that allow other computers to find them, or other computers to find other computers on the internet. And it's like an address, but it's just all numbers. Us as humans, we're not going to remember an address, you know, 192.168.1.24 for Google, or, you know, two 4.37, 77, 8 dot 42 for Yahoo, or whatever it may be. We don't remember numbers that well, we just remember names. And so there's a mechanism on the internet to translate those numbers over to names and vice versa. And that's called DNS, or domain name service. And each company that buys a domain name, which is like Google, or stimulustech.com, or, you know, whatever service.com or .net or .org, that is a domain. And there's a server that exists that has a listing of translations from the letters, the name, to the numbers. And so if you go to www.google.com, it translates over to a set of numbers that your computer knows how to go to. But there's a lot of cool things that we can also do in there to allow other services to work on the internet. And some of these are security related.
Some of these are, you know, configuration related. So, you know, for example, I have a VoIP phone on my desk over here. And I can plug that phone in just out of the box and it discovers a little bit of information, going to the DNS servers, to be able to register and configure itself and communicate properly. So there's lots of things that DNS is used for beyond just translating the name to the number. So DKIM, SPF and DMARC are all related to the DNS, the domain name service information. So DKIM stands for DomainKeys Identified Mail. You know, us as computer guys, we like to try to come up with acronyms that might not make sense. But basically what it is, is it's a way for the servers that are going to send out mail to identify themselves properly to the receiver of that mail through what are called encryption keys. And so what happens is, if you sign up for, let's say, HubSpot or Salesforce or some type of CRM to send out mail or email for you, to be able to use your domain name, to be able to use, you know, XYZcompany.com, the sender is going to give you a public key. They're going to give you a key that anybody can see, and that needs to go in your domain name service records. And then what they're going to do is they're going to encrypt some information, when they send out the email, using their private key, something that only that server knows. And then when the receiving server receives that mail, they're going to go to the DNS server, get the public key that's available for anybody, and that public key is the only one that can decrypt that information, to verify that that email really came from the server that sent it. And why that's important is if, you know, Bad Chimp, not Mail Chimp, but Bad Chimp, wants to send out emails using your domain name, and they want to spoof your domain name or use your domain to send out this mail,
and they send it without that proper private/public key information, the receiving server is going to say, oh, no, I'm not going to accept it, because I can't use that public key to decrypt that message anymore, and I can't verify Bad Chimp is really, you know, MailChimp, and I'm not going to accept that message. And so that's what DKIM does: it allows that private/public key exchange to ultimately, 100%, verify that the sending server is allowed to send mail for your domain to the rest of the world. So there's DKIM. That was a long explanation for four letters.

Sherry Lipp  07:00

Yes. Yeah. And so it is, I mean, it sounds complicated, but it's telling, it's telling, you know, when you're using a third-party bulk sender, that it's you, because you want to send it as your domain. And so we're gonna be talking about, later on, we'll be talking about the steps, you know, to take to make sure you're updated. But, you know, right now we're going through the importance of it. So DKIM is for deliverability. And then SPF works with phishing, right?

Nathan Whittacre  07:36

If you look up SPF, you're gonna get something about sunscreen. That's not what we're talking about. This is an SPF 50, but if you don't have it set up right, you get burned, so I guess it's the same concept, right? So SPF is maybe a little bit older technology; it's been around for a while. Same thing, it's a record that goes on your DNS server that gives authorization for a server to send mail for you. So it's similar to DKIM. It doesn't have the encryption component as part of it, but it identifies either an IP address, like what I mentioned before, or a specific name of a server that's allowed to send for your domain. And it also includes some information in there that says what to do if it's not in the list, if the server that's trying to send is not in the list. And it could be just ignore it, I don't care. It could be I only accept from these servers, don't accept from anything else. So there's some settings in there. Now the problem with SPF is it's all got to be contained in one record. And what we've run into is, as companies have grown in size over time, you know, they're buying, you know, this service to send out credit card statements, they're using this service to send out mass emails, they're using this service for their general emails, they have lots of other services. And SPF became too much information in one record to store, and so that's why DKIM was really developed, to provide kind of an enhanced system, using encryption, to be able to authenticate the mail servers that are being sent from. So SPF is still very important, and your primary server should still be in there. But DKIM is kind of an extension and, you know, an additional layer of protection over SPF.

Sherry Lipp  09:51

So you would be using both?

Nathan Whittacre  10:01

And

Sherry Lipp  10:04

And then DMARC, what is its role in all of this? So

Nathan Whittacre  10:08

So DMARC is something, again, a newer record. It stands for Domain-based Message Authentication, Reporting and Conformance. That's a mouthful. But basically, it's a record in your DNS server that tells the receiving server what to do if a server sends to you and does not have an SPF or DKIM record. So going back to my example of Bad Chimp from before, if Bad Chimp tries to send a mail message, email message, using your domain, and the receiving server gets that email, and there's no record in SPF or DKIM for Bad Chimp, DMARC tells that receiving server what to do with it. It could be one of three things: it could be reject it, don't accept that message; it could be accept it, but quarantine it, you know, put it in the junk mailbox; or it could be allow it through. So it gives your administrators, your system administrators for your IT services, the ability to define what to do in the event that the receiver gets a message from a Bad Chimp, or, you know, an unconfigured system. You know, obviously, the first thought is, well, we want to block everything, because I don't want my emails spoofed. But the problem is, a lot of services, you know, have not come up to speed on setting up DKIM or adding records into SPF. And so there's a potentiality that, if all this is done right, your credit card processor that's sending out statements, or your CRM, isn't going to be able to deliver email.

Sherry Lipp  12:11

Okay. So one of the reasons we're talking about this is that we need, there's some updates that either need to be made or maybe depending on your listening, this maybe should have already been made. So how do businesses know where they're at with these?

Nathan Whittacre  12:28

So the first thing to do is, and this is complicated, so you need to get your IT and your web developers involved in both of these things, all of this. There is software out there that will analyze your domains and see if you have DKIM, SPF and DMARC records set. So a quick check: there's a software site called MX Toolbox that will quickly tell you if you have any of these set up. Now the issue is, if you have it set up, or if you don't have it set up, is it set up correctly? Because, as I mentioned before, if you want to set DMARC to say reject all messages, if, you know, DKIM or SPF is not set correctly, you might have a software package that's supposedly sending out emails that now are going to get rejected, and you want that. So part of this process is to do an analysis of everything that you would use to send out messages, and make sure that those are set up correctly. And there are software tools that will go and analyze an email that's being sent from your domain and give you an idea. It's not 100% foolproof, but it'll give you a very good idea if you need additional settings, if you need to go out and set up DKIM for, you know, your MailChimp service or, you know, for your credit card processor or for your, you know, maybe an alerting system or something like that, that you have set up. So it takes a moment to do an inventory of every piece of software you have in your company that might be sending out email on your behalf. And so you need to get involved with, you know, everybody in your team that might have purchased some software, might have implemented something, and ensure that all those are set up correctly. So this takes a minute to get set up. This isn't something where, like, you know, you put a quick ticket in with your IT guy, hey, make sure I have DMARC, DKIM and SPF set up, and they're going to just take care of it for you. It's going to be work between the two.
And I know what you're going to ask me next is why is this important now right?

Sherry Lipp  14:59

Exactly.

Nathan Whittacre  15:00

Yeah. So why is it important now? A few of the biggest email receivers and providers, Google and Yahoo, have notified the world that as of February 1, unless DMARC is set up properly, they will no longer accept emails from senders that send over 5000 emails to Gmail or Yahoo accounts in a month. So if you are doing any type of marketing at all, I am sure that you're probably sending somewhere in that range of 5000 or more email messages; even a small business might be sending more messages than that. And, you know, also think about credit card receipts and other things that your business may be sending out to your clients. Those might not be delivered properly if you don't have all this information set up properly in your systems. And if you don't do anything, it might just all get blocked; you might not be able to send messages at all to Gmail or Yahoo. And I think in the IT industry, we're thinking this is a first step. You know, this is a notice to everybody to say, okay, we set the threshold pretty high; 5000 is a significant amount of email messages. And all they're saying right now is just get things configured. You don't have to block anything, you can just put a DMARC record in your DNS server that says allow everything through. But I think everybody's feeling right now in the industry is, other receivers like Microsoft are going to implement the same policies, and they're probably going to get more restrictive about it. They're gonna say, you know, okay, you have to have DKIM, SPF and DMARC records set up, and you have to have it set to at least quarantine, or maybe fully block the messages, because everybody's tired of getting phishing emails, everybody's tired of getting too much spam in their mailboxes. And the providers are just getting frustrated and trying to figure out a way to prevent this from happening.
And so we're just thinking that this is a first step to ensuring that, especially illegitimate messages don't get through anymore. So right now, it's probably a pretty high threshold. For most companies, this might not be an issue right away. But they're giving us time to, to figure this out and resolve it for, you know, all, you know, all these domains, everybody that's sending out emails, and then at some point, you know, they're probably going to get tighter on their policies.

Sherry Lipp  17:55

So people should not just ignore these updates and hope that it just fixes itself. And, well, so what steps, you know, besides taking inventory of what might be sending email, should people do? And it's not just sending, it's like, it could be automated, like if you have a form on your website that automatically sends an email once people fill out the form. So there's a lot to think about.

Nathan Whittacre  18:17

Yeah, so we've been going through this for our company and our clients. And it's been a lot. I mean, oftentimes there's things that might have been configured 5 or 10 years ago that you don't even think about anymore, that might be sending messages that you want to be sent out. I think Sherry brought up a great example, it could be your website. I brought up, you know, credit card receipts is a big one, too. You know, if you're some type of retail store, or, you know, some type of business, you might be sending out quite a few retail or credit card receipts. And those might get rejected. So it's really going through all your systems and finding out, okay, where are you sending emails from? And then contacting those companies to see if they have the ability to set DKIM, because that would be our preference, as an IT provider, to have DKIM set, because that is the most secure way to ensure that spoofing doesn't happen. Some companies can't do DKIM; they might only be able to give you an IP address that they send from. And so that's where you would have to implement SPF for that provider or for that service. So it is time consuming, and it requires not just your IT people to be involved, but it's probably going to be your marketing people, your accounting people; if you have anybody in operations that have requested some software, set some software up, you know, get them involved and find out, you know, what software they're using. And then, if they're sending any type of emails, ensuring that, you know, either DKIM or SPF is set up. The first thing to do, though, I think, you know, to ensure deliverability, is to set your DMARC record. Have your IT people set your DMARC record right now, probably, if you haven't done any of this inventory, set it so everything is allowed to be delivered. Because if you don't, then a lot of messages are gonna get blocked.
And then once you've done this inventory, you know, change that DMARC record to be set as quarantine, and then move potentially to the restrictive of blocked so that in the future, you know, your domain is most the most protected it can be. So that's, that's kind of our steps is, you know, just have your whoever's handling your DNS records, which could be your IT company, it could be your web hosting company, make sure they have DMARC set as allowed, if you've already done this inventory, have them set it to quarantined. And then that will ensure that your emails can go out and give you you know, if you set it to allowed, it gives you time to go through this whole process to get DKIM and SPF set up properly.

Sherry Lipp  21:10

Alright, so people, obviously our clients can reach out to us and then people who have questions can definitely reach out to Stimulus Technologies about this. And any final thoughts on what people should do here Nathan?

Nathan Whittacre  21:25

I think this was one of those instances that I've written down in the book. In The CEO's Digital Survival Guide, I talked a lot about how you need a trail guide to walk you through this process. I don't know of anybody, unless you're very IT savvy, that can do this on their own. So this is something that you're going to need to talk to experts about, because this is complicated, and getting it set up right isn't something easy. So we're happy to help, especially if you're one of our clients; you know, this is a process that we're going to be going through for you and with you. It is, you know, potentially a big project, depending on how many systems you have. And if you're not one of our clients, we're happy to consult with you on it and help you with this process. Or you can contact, you know, your internal IT provider or your hosting provider who's doing that. But there's a collaboration that has to happen between all these parties to make this work right. And we're happy to be your trail guide through that process.

Sherry Lipp  22:31

All right. Well, thanks so much, Nathan, and thanks everybody for listening.