Updated February 22, 2021
Email authentication gives mailbox providers (like Gmail or Outlook) confidence that the messages they see from senders are authentic, not messages sent by a bad actor. The more trust a mailbox provider has in the legitimacy of the messages you send, the more likely the provider will deliver the message to the inbox. Making full use of the email authentication tools is a best practice for email senders as spammers have become very clever at disguising malicious emails under the veil of a trusted brand.
By sending email that appears to come from your domain, a technique known as phishing, spammers trick your customers into giving away their passwords, account information, and other personally identifiable information for the spammer's financial gain. Not only is this a bad experience for your customers; counterfeiting your brand also decreases overall trust in your brand and your messages.
In today’s world, email authentication is a must for legitimate businesses to secure their online reputations and maintain customer trust in their brand. Although authentication can be difficult, any web application that sends email needs to put it at the top of its list of best practices. Here’s how:
1. Use consistent sender addresses
Be consistent with the addresses and the kind of names you use. It can be tempting to get subscribers to open a message out of curiosity, but trusting a message starts with the recipient easily recognizing the sender as a brand they trust. Constantly changing names and addresses trains your recipients to accept unfamiliar senders, which makes them more prone to phishing.
Similarly, avoid using cousin domains, that is, domains that are minor variations of your brand's primary domain, as this also undermines trust in your messages and trains recipients to be more vulnerable to phishing attacks. For example, if your domain is example.com, avoid sending from a look-alike such as examplemail.com.
2. Authenticate your IP addresses with SPF
SPF stands for Sender Policy Framework. A receiving server compares the IP address that connected to deliver the message against the list of IP addresses the domain owner has authorized to send on the domain's behalf. That list is published as a TXT record (starting with v=spf1) in the sender's Domain Name System (DNS). Note that SPF is evaluated against the domain in the envelope sender (the MAIL FROM, visible to recipients as the Return-Path), not the From: header that recipients see; this matters for DMARC alignment below. For senders who use SendGrid's automated security, we take care of the SPF record for you. Learn all about SPF records in our article, Sender Policy Framework (SPF): A layer of protection in the email infrastructure.
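To make the SPF mechanics concrete, here is an added example (not SendGrid's code and not a full RFC 7208 implementation) that evaluates a connecting IP against a v=spf1 policy. The DNS answers are a constructed in-memory table so it runs offline; the domain names and addresses in it are assumptions, not real records. It handles the ip4, ip6, include and all mechanisms, which cover most sending-service records, and enforces the 10-DNS-lookup limit that turns an over-long include chain into a permerror.

```python
"""Offline SPF check: does a connecting IP pass a domain's v=spf1 policy?

Added example, not SendGrid's code. DNS answers are a constructed in-memory
table (assumption) so this runs offline; a real checker resolves TXT records
and must apply the same lookup limit.
"""
import ipaddress
from typing import List, Optional

# Constructed DNS answers for the example (assumption: not real records).
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: include/a/mx/ptr/exists/redirect limit
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip: str, domain: str, lookups: Optional[List[str]] = None) -> str:
    """Return one of: pass, fail, softfail, neutral, none, permerror."""
    if lookups is None:
        lookups = []
    record = DNS_TXT.get(domain.lower())
    if record is None:
        return "none"                      # no SPF record published
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is '+' (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                # an IPv4 address is never 'in' an IPv6 network, and vice versa
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed network in the record
        elif mech == "include":
            lookups.append(arg)
            if len(lookups) > MAX_LOOKUPS:
                return "permerror"         # too many DNS-querying mechanisms
            # include: matches only when the included policy yields 'pass';
            # its own fail/softfail/neutral do not propagate to the caller
            matched = check_host(ip, arg, lookups) == "pass"
        else:
            # a, mx, ptr, exists and redirect= need live DNS; not modelled here
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                       # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(ip, "->", check_host(ip, "example.com"))
```

Two things worth noticing when you run it: an address listed only inside the included service record still passes for example.com, because include: pulls that service's policy in, and a message from an address the record does not cover gets "fail" only because the record ends in -all; with ~all (as the included service uses) the same address would only softfail, which most receivers treat far more leniently.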
3. Configure DKIM signatures for your messages
DomainKeys Identified Mail (DKIM) is an authentication standard that cryptographically signs the messages you send. The signing key is private to the sender and the matching public key is published in DNS, so receiving servers can verify that the signed headers and the body have not been modified in transit and that the signature was produced by the domain named in the signature's d= tag. If you set up an authenticated domain with SendGrid, we use that domain to sign your messages. For more information on DKIM authentication, see our article, Using DKIM to Prevent Domain Spoofing.
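The tamper-detection half of DKIM is easy to show without a key pair: the signer hashes the canonicalized body and puts the result in the bh= tag of the DKIM-Signature header, and the verifier recomputes it from the message it received. The added example below (not SendGrid's code and not a complete DKIM verifier) implements the RFC 6376 "simple" and "relaxed" body canonicalizations and the bh= comparison; signing and verifying the header hash (the b= tag) with the domain's RSA or Ed25519 key is left out so the block needs no third-party crypto library. The sample message and header are constructed for the example.

```python
"""DKIM body-hash (bh=) computation and check, RFC 6376 body canonicalization.

Added example, not SendGrid's code and not a full DKIM verifier: it shows
how a verifier notices that a signed body was altered in transit.
"""
import base64
import hashlib
import re


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """RFC 6376 s3.4.3 ('simple') and s3.4.4 ('relaxed') body canonicalization."""
    # normalize bare LF to CRLF first so both algorithms see SMTP line endings
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    if method == "relaxed":
        lines = body.split(b"\r\n")
        # drop trailing whitespace on each line, collapse runs of SP/HTAB to one SP
        lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in lines]
        body = b"\r\n".join(lines)
    elif method != "simple":
        raise ValueError("unknown canonicalization: " + method)
    body = body.rstrip(b"\r\n")            # both: ignore empty lines at the end
    if method == "simple":
        return body + b"\r\n"              # simple: an empty body becomes CRLF
    return body + b"\r\n" if body else b""  # relaxed: an empty body stays empty


def body_hash(body: bytes, method: str = "relaxed") -> str:
    """Base64 SHA-256 of the canonical body: the value the signer writes into bh=."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode()


def bh_tag(dkim_signature_value: str) -> str:
    """Extract bh= from a DKIM-Signature header value (folding whitespace removed)."""
    for tag in dkim_signature_value.replace("\r\n", "").split(";"):
        name, _, value = tag.strip().partition("=")
        if name.strip() == "bh":
            return re.sub(r"\s+", "", value)
    raise ValueError("no bh= tag in DKIM-Signature")


def body_matches(body: bytes, dkim_signature_value: str, method: str = "relaxed") -> bool:
    """What a verifier does first: recompute bh= and compare to the signed value."""
    return body_hash(body, method) == bh_tag(dkim_signature_value)


# Constructed sample (assumption): a message signed over an empty body, where
# bh= is the SHA-256 of the empty canonical body.
SAMPLE_SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=s1;"
                    " h=from:to:subject; bh=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=;"
                    " b=MIIB...truncated...")

if __name__ == "__main__":
    print("empty body   :", body_matches(b"", SAMPLE_SIGNATURE))           # True
    print("injected text:", body_matches(b"Click here\n", SAMPLE_SIGNATURE))  # False
```

Relaxed canonicalization is what makes DKIM survive the whitespace rewriting that mail relays commonly do (trailing spaces, tab expansion, extra blank lines at the end); "simple" breaks on any of those. Neither tolerates a changed word, which is the point: a phisher who edits a link in a legitimately signed message produces a body whose bh= no longer matches.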
4. Protect your domain with DMARC authentication
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is a protocol that builds on SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to tell receiving servers how to treat messages that fail authentication, which is what stops phishers from spoofing your domain in the visible From: address.
A DMARC record is published as a TXT record in your DNS at _dmarc.yourdomain and requires SPF and DKIM to already be set up and propagated. In addition, the domain in the visible From: address must align with the domain that passed authentication: the envelope sender domain for SPF, or the d= domain for DKIM (exact match under strict alignment, same organizational domain under relaxed alignment). The DMARC record lets the domain owner instruct receiving servers what to do with messages that fail (p=none to monitor only, p=quarantine to put them in the spam folder, p=reject to block them completely) and receive aggregate reports (rua) and, from receivers that send them, failure or forensic reports (ruf) about failed messages and attempted spoofing of the domain. We have a great post on how to implement DMARC.
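The alignment rule is where most DMARC failures on legitimate mail come from (for example, SPF passes for a sending service's bounce domain, but that domain is not the one in From:), so it is worth seeing the receiver's decision spelled out. The added example below (not SendGrid's or Valimail's code) looks up the policy, applies strict or relaxed alignment to the SPF and DKIM results, and returns the disposition. DNS is a constructed in-memory table and the public-suffix list is a three-entry stand-in; both are assumptions, and a real evaluator resolves _dmarc.<domain> TXT records and uses the full Public Suffix List. The pct= sampling tag is deliberately ignored, so every failing message is treated as in scope.

```python
"""DMARC policy lookup, identifier alignment and disposition, offline.

Added example, not SendGrid's code. DNS_TXT and PUBLIC_SUFFIXES are
constructed stand-ins (assumption) so the module runs without network access.
"""
from typing import Optional

DNS_TXT = {  # constructed records (assumption)
    "_dmarc.example.com": ("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                           "rua=mailto:dmarc@example.com"),
}
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}  # stand-in for the Public Suffix List (assumption)


def org_domain(domain: str) -> str:
    """Organizational domain: the public suffix plus one more label (RFC 7489 s3.2)."""
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; v= and p= are mandatory."""
    tags = {}
    for part in record.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: " + record)
    return tags


def lookup_policy(from_domain: str) -> Optional[dict]:
    """Record at the From: domain, else at its organizational domain (sp= then applies)."""
    rec = DNS_TXT.get("_dmarc." + from_domain.lower())
    if rec is not None:
        return {**parse_dmarc(rec), "_subdomain": False}
    od = org_domain(from_domain)
    if od != from_domain.lower():
        rec = DNS_TXT.get("_dmarc." + od)
        if rec is not None:
            return {**parse_dmarc(rec), "_subdomain": True}
    return None


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


def evaluate(from_domain: str, spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str) -> dict:
    """Combine SPF/DKIM results with alignment; return DMARC result and disposition."""
    policy = lookup_policy(from_domain)
    if policy is None:
        return {"dmarc": "none", "disposition": "none"}   # domain publishes no DMARC
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:                                  # one aligned pass is enough
        return {"dmarc": "pass", "disposition": "none"}
    # failing mail: sp= governs subdomains when present, otherwise p=
    action = policy.get("sp", policy["p"]) if policy["_subdomain"] else policy["p"]
    return {"dmarc": "fail", "disposition": action}


def at_enforcement(policy: dict) -> bool:
    """True when failing mail is actually acted on: p=quarantine/reject, sp not none."""
    return policy["p"] in ("quarantine", "reject") and policy.get("sp", policy["p"]) != "none"


if __name__ == "__main__":
    # SPF passed only for the sending service's bounce domain; DKIM d= is ours.
    print(evaluate("example.com", "pass", "bounce.mailer.net", "pass", "example.com"))
    # Spoof: nothing aligned with the From: domain.
    print(evaluate("example.com", "pass", "mailer.net", "none", ""))
```

The first call in the usage block passes only because the DKIM signature is aligned; with the service's bounce domain as the only SPF identity, a sender who has not set up DKIM on their own domain fails DMARC on every message, which is exactly why domain authentication with a sending service must cover DKIM and not just SPF. Note also that relaxed adkim/aspf accept mail.example.com for example.com, while the strict adkim=s in the sample record does not.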
Another important part of DMARC is monitoring: the reports tell you which sources are failing before you move from p=none to an enforcing policy. SendGrid has partnered with Valimail to offer free DMARC monitoring to our customers. We even created a joint guide to protecting your sender identity, authenticating your email and reducing phishing. Download the guide to learn more.
5. Prepare for BIMI
Brand Indicators for Message Identification (BIMI) is the icing on the authentication cake: it gives your recipients a visible signal of trust in the inbox. Mailbox provider support is still limited, but senders with a good sending reputation, DMARC at enforcement (p=quarantine or p=reject), and a published BIMI record can have their brand's logo displayed next to their messages, so subscribers can quickly recognize the message as trustworthy.
Of the mechanisms described here, BIMI is the only one that gives a typical email user a visual cue about the source and authenticity of a message; SPF, DKIM and DMARC work behind the scenes. Check out our blog post on BIMI for more information.
When it comes to authenticating your email, keep in mind that the positive effects are much broader than just managing your reputation as a sender. Anything you can do to build trust with your recipients and keep your brand from being faked will ultimately result in happier, more engaged subscribers. And remember, SendGrid customers can always contact our email deliverability experts for help if necessary.