In light of the recent standards set by Google and Yahoo for bulk email senders, our first discussion in this series focuses on the “Authenticate Their Email” requirement. This is a crucial step towards enhancing email security and deliverability.
Why Email Authentication?
Google and Yahoo are mandating strong email authentication to protect both email recipients and senders. Proper authentication helps in combating email spoofing and phishing, ensuring the sender’s legitimacy.
Key Authentication Steps for Compliance:
Set Up DMARC: Implement a DMARC policy in your DNS. Begin with a monitor-mode policy (p=none) to track and understand your email sources. Utilize dmarcian’s free DMARC Record Wizard or the DMARC Inspector for initial setup and monitoring.
Utilize SPF and DKIM:
- SPF (Sender Policy Framework): Create an SPF record that lists all authorized email senders for your domain. This helps in preventing spammers from using your domain to send unauthorized emails.
- When setting up your SPF record, it’s important to list only the authorized email senders that use your domain in the “Return-Path.” Avoid overpopulating your SPF record based on general recommendations, especially from third-party providers who often send emails from their own domains.
- To accurately determine which senders should be included in your SPF record, review your DMARC data. This data clearly shows which domain an email provider uses for SPF, helping you make informed decisions about your SPF record entries.
- DKIM (DomainKeys Identified Mail): Enable DKIM for your domain to allow receiving servers to verify that you, the domain owner, actually sent the message. Google specifically requires a DKIM key of 1024 bits or longer, with a 2048-bit key recommended.
Ensure Alignment in DMARC:
- Your emails must pass DMARC, which can be achieved through SPF or DKIM alignment.
- For DKIM, ensure the ‘d=’ value in the email header matches your ‘From:’ domain.
- For SPF, the ‘Return-Path’ should align with your sending domain.
PTR Records for Sending IPs: Verify that each IP address used for sending emails has a corresponding PTR record in DNS, linking the IP address and the sending hostname.This is known as a Forward-confirmed reverse DNS (FCrDNS) lookup. This step is managed by the domain and email administrators of your organization.
- A PTR record, short for Pointer record, is a type of Domain Name System (DNS) record that maps an IP address to a domain name, effectively the reverse of an A or AAAA record. While A and AAAA records translate domain names to IP addresses, a PTR record does the opposite – it provides a way to associate an IP address with a domain name.
- A FCrDNS check involves 3 steps performed by the receiver.
- Reverse DNS Lookup: When an email server receives a message, it performs a reverse DNS lookup to find the domain name associated with the IP address from which the email originated.
- Forward DNS Lookup: After finding the domain name from the PTR record, the server then does a forward DNS lookup on that domain name.
- Verification: The email is considered authentic if the forward DNS lookup returns the same IP address as the original sending IP. This process confirms that the IP address and domain name are legitimately paired, adding a layer of trust.
- Most third-party services and email security providers, like Microsoft 365, already use IPs with correctly configured PTR records that pass Forward-Confirmed Reverse DNS (FCrDNS) checks. No action is needed for these. PTR record setup is mainly required for devices and servers that send emails using IPs directly assigned to customers by their ISPs.
Why It Matters:
Authenticated emails are less likely to be rejected or marked as spam, thereby protecting your organization’s reputation and improving email deliverability.
Next Steps and dmarcian’s Support:
Monitor your DMARC setup using visualization tools and adjust your sending practices as needed. Our platform provides comprehensive tools and support to navigate this authentication process.