Whatever email provider you use, whether it be Gmail, Outlook or Yahoo, part if its job is to protect you from emails that are potentially harmful or at the very least not authentic. Typically, this means checking the authenticity of the sender, so when an email hits your email server, the client will ask itself three key questions:
“Is this email from who it says it’s from?”
“How do I check that?”
“What do I do if it’s not?”
For a minute, I’d like you to imagine that you receive an email from a friend of yours which says: “Hey you, I know we haven’t seen each other in a while but why don’t we meet for a coffee and catch up soon. How about in the middle of the woods at midnight?”
Now, I don’t know about you, but if I got a message like that I’d want to check that my eccentric friend really did want to meet for coffee in the woods, and that their phone hadn’t been stolen. The first three thoughts I’d have would be:
Is this the sort of behaviour I’d expect from this friend?
How to I check it’s really them?
How do I deal with this if it’s not them?
As email marketers, we are particularly interested in how the email client goes about checking if the email is authentic, as it can really impact whether we’re able to get into customer inboxes. As per our first three questions, you’ll see that they take a fairly similar route to us humans in deducing if the message is authentic.
So How Does An Email Provider Work Out An Email Is Legit?
First, the receiving mail server looks for specific items of information in your email and in the DNS records, (domain name system – basically the phone book of the web), of your domain to try to determine whether the email is legitimate, safe for its users to receive and whether the email is being sent from an authorised source.
It will then look for something called an SPF (Sender Policy Framework) record, which basically means the mail server is making sure that the email has come from a place (IP) that it’s allowed to come from. So for example, if you’re sending an email from firstname.lastname@example.org from an IP such as 18.104.22.168 you would need to make sure that an SPF record was set up that allowed emails coming from that IP to send from that email address. This prevents those tricksters from using spoofed email addresses and fooling us all! If the email is sent from a sending host or IP that is not in the SPF record, the receiving mail server can determine that the email is not coming from an authorised IP, and that the email could be illegitimate in nature.
The next thing the server looks for is DKIM (Domain Keys Identified Mail) – a method of authentication that is based on adding an encrypted signature to your emails. Now this isn’t just the normal email signature that goes at the end your email, it’s a special signature found in the email header. Once you have DKIM in place in the DNS records of your domain, your emails will be much better positioned to reach the inbox and you will also be helping protect yourself and your users against spam and phishing attempts.
Here’s a quick summary of how that all works:
DKIM records are put in place and verified – all emails will have a DKIM encrypted signature added to the email header upon sending
This encrypted signature is generated based on the DKIM key that you have added to the DNS records of your domain, and includes a hash string based on elements of the specific email being sent. This means that each individual email you send will carry a unique DKIM signature
The receiving mail server can then decrypt the DKIM signature using the public key that is hosted in your DNS records
It will also simultaneously generate a new hash string based on the same elements of the email that were used when the email was sent
If the decrypted signature matches the newly generated hash string then the email successfully passes DKIM authentication
Basically, what that all means is the server can do these two key things:
Safely determine that the owner of the domain where the DKIM key is located was responsible for sending the email
See that the contents of the email were not modified in transit between the sender and the recipient
So, essentially what your mail server has done is checked you are who you say you are (SPF), no-one has stolen your identity (DKIM) … determining that your friend really does want to meet you for midnight woodland coffee.
With all the steps being taken to ensure email is coming from where and who it says it is, it’s more important than ever as marketers to prioritise authentication actions. By putting email authentication in place you are mitigating the potential for email fraud targeting your brand whilst simultaneously helping your emails reach your customers.
Of course, there are other factors which will determine whether your emails are actually reaching your subscribers inboxes such as spammy subject lines, but from a technical perspective, making sure your emails are passing authentication is key.
If your email campaigns are not already authenticated, the time has come to make it happen!