What’s the Difference Between SPF and DKIM?
The inception of modern email was both exciting and problematic. We don’t have to tell you the kind of positive impact email has had on society, but it came with a lot of security risks as well.
Email in the early days had limited mechanisms to support security and sender verification. Practically all viruses, spam, and scams that spread through email did so by simply falsifying sender information. It was a big problem – one that’s gotten better with time but is still an ongoing battle today.
Thankfully, we now have DKIM and SPF to shield us from hackers, fraudsters, and con artists trolling the web for weak security standards. At their core, DKIM and SPF are simply authentication standards. Standards that, when properly set up, give you confidence that you’re secure from domain hacking and fraud and equally important they ensure inbox delivery of email.
Now that you know why they matter, let’s dive a little deeper to explain the nuances of both SPF and DKIM, as well as how they differ.
What Is DKIM?
DKIM stands for DomainKeys Identified Mail which, as mentioned above, is simply an authentication method explicitly designed to detect when a sender email address has been forged. Forging sender emails is a process known as email spoofing, which is used frequently in email spam and phishing scams. DKIM acts like a gatekeeper to validate the authenticity of email messages.
As each email is sent, it’s signed with a private key, which is validated by the receiving email server or Internet Service Provider (ISP) using a public key called the Domain Name System (DNS). The DNS translates domain names into IP addresses, which is a fancy way of saying it allows you to use your web browser to locate websites and receive emails. Its chief responsibility is ensuring that the email message was not altered during transit. Email altering mid-transit is a genuine problem that occurs more often than you might think.
For example, if you were sending an attachment with your bank account and routing number and didn’t use the correct security protocols, it could be intercepted by a fraudster. Once intercepted, this hacker could insert their own account and routing number and send it back on its way to the intended recipient. The recipient would still think it came from you and will pay the incorrect bank account instead.
With DKIM, the unique private key used to sign emails is stored exclusively on your email server and must be kept secret and secure. If nefarious individuals got their hands on your secret key, they’d have no problem forging your DKIM signatures and using them for fraudulent activities.
Later in the sending and receiving process, ISPs verify the integrity of messages by fetching the corresponding public key from a specific DKIM record stored in your DNS. The cryptography behind the scenes here is the same used in SSL, which guarantees that only messages signed with your special private key are going to pass the public key check.
Another lesser-known benefit that DKIM offers is that ISPs, like Gmail, can use this information to build a reputation score for your domain. If you’ve got top-notch sending practices such as high engagement, low spam, and minimal bounces, you’ll get a higher score, which improves your trust and reputation with ISPs. If you’ve scored low with poor practices, it’s less likely your emails will be delivered correctly, almost guaranteeing that they’ll end up in that lowly spam folder nobody checks.
What Is SPF?
Sender Policy Framework, or SPF, is a way that ISPs such as Gmail and Yahoo can verify that a particular mail server is authorized to send emails for a domain. It’s a whitelist: a list of things considered to be trustworthy or acceptable for services allowed to send emails on your behalf. Similar to DKIM, SPF functions via DNS.
For example, let’s say you use a service like Mailshake to send out marketing emails. You’d then insert a DNS record that includes Mailshake’s mail servers as a whitelisted trusted source to send emails on behalf of your domain.
SPF is critical to verifying who’s allowed to send emails on behalf of your domain and directly impacts your email delivery. Not only do you need it for email marketing and your company email accounts, but it’s also essential for support services such as Helpscout, Zendesk, or anyone else sending emails on your behalf.
What’s the Difference Between SPF and DKIM?
It’s not all that hard for a hacker to figure out how to send email from your domain. To protect yourself from such malicious activity you’ll want to set up both SPF and DKIM.
DKIM is a set of keys that tell IPs you’re the original sender and nobody fraudulently intercepted your email. SPF is a special list, a whitelist, that includes everyone who is authorized to send messages on your behalf. If you’re curious to see this all in action, you can verify whether an email is properly signed with DKIM or passing SPF by checking out the email headers. In Gmail, you can see this by using the “Show Original” option under settings, and at the top you should (hopefully) see PASS next to SPF and DKIM.
In summary, not setting up SPF and DKIM will only waste your company’s time, money, and resources since you’re increasing the chance that your emails will go undelivered. Not to mention you expose yourself to all sorts of fraudulent activity.
Sure, you could always send emails asking people to whitelist you. However, expecting companies to “fix it on their side” and whitelist you will only lead to heartache because most reputable companies will block any messages sent without that additional security and verification that DKIM and SPF provide.
If all this is a bit over your head, don’t worry. What’s important now is that you understand why DKIM and SPF matter and how taking 5 minutes to ensure they’re deployed properly can protect you, boost your reputation with ISPs, and ensure better email deliverability.
In what other ways are you protecting yourself from fraudulent activity? Share your go-to tools and resources in the comments below: