Do your emails always get there?

How do you know if your emails arrive and are seen by the person you sent them to? Well, the bottom line is you’re never really sure until you get some sort of reply. There is so much spam and fraudulent email being flung out over the internet that service providers often catch legitimate emails in their nets in an attempt to block deceitful and criminal emails.

Halt who goes there!

Not only do service providers attempt to pluck dodgy emails out of the ether and prevent them from arriving in your inbox, but email clients themselves, such as Gmail, can divert emails by default to your spam folder if the email ticks all the “looks like spam” boxes.

Every device that is able to communicate over the internet has what’s called an IP address, a bit like a telephone number. Domain names (that’s the part of the email address after the “@” sign, e.g. bbc.co.uk, ibm.com or gmail.com) also have an IP address that they are linked to. In order to find out an IP address you can look up the domain name and retrieve the IP address, a bit like looking up a business name in the Yellow Pages and finding out the telephone number.

The process of looking up IP addresses is performed by something called DNS (Domain Name System). DNS servers are dotted around the internet at special IP addresses, akin to having copies of the Yellow Pages available to thumb through in public places.

The forensics of an email

When you create and send an email, what are called header records are placed in an invisible top portion of the email “envelope” to record things like the domain and IP address of the device where the email was created and sent from, along with the obvious, like the sender’s and recipient’s email addresses.

In order to analyse the authenticity of an email and its right of passage, internet service providers will score the message on a set of differing criteria, such as the IP address of the sending device, the domain portion of the email’s From address and the entire From address itself, and the content of the email, e.g. does it contain profanity, or a computer virus tucked away in an attachment, or has it got loads of dodgy website links inside it.

The Price is Right

Email scoring helps in filtering out unwanted or potentially harmful emails, protecting users from phishing attacks, malware, and other cyber threats. It plays a crucial role in maintaining email security and ensuring the integrity of communication channels.

The score awarded to an email determines whether that email is going to be delivered or not, and whether it will turn up in your inbox or your spam folder. In most cases an email that scores above “5” will be classed as spam and will be knocked off the conveyor belt, never to be delivered.

Passport control

In an attempt to give emails the ability to travel through the jungle of wires, routers and servers that make up the internet, the powers that be (in this case a committee of people who are responsible for the protocols that all email clients and email service providers must adhere to in order to send and receive emails) devised a type of electronic passport that an email can carry. It makes it easier to traverse the border controls and authenticate the passage of an email, allowing it to arrive safely in your inbox.

This process of email authentication is addressed by some scary acronyms, namely SPF, DKIM and DMARC, which even more frighteningly stand for Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication, Reporting, and Conformance, phew!!!

If I were to be totally honest I would say that it really should be the job of your email service provider to create your email passport, or authentication configuration entries, automatically for you. Or at least have a friendly, easy to follow user interface or wizard that leads you by the hand through the setup maze and out the other end. But alas, most ISPs leave you to fend for yourself.

Now please stay with me on this one, as although it sounds daunting and looks even more terrifying, the process of creating this electronic email passport is doable and will greatly improve the chances of your emails reaching their intended recipients’ inboxes.

Simplistically, the SPF and DKIM records are like entries in your passport, and the DMARC record tells the passport control office what it should be looking for in your SPF entry and/or DKIM entry.

Adding SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) entries to a domain’s DNS records is essential for enhancing email security, authenticity, and deliverability. Having a DMARC record and passing the SPF and/or DKIM checks means you get fewer points scored against you.

The SPF record

An SPF record is a DNS entry that you add to your domain, and it specifies which mail servers are authorized to send emails on behalf of your domain. This is where the device IP addresses come in. By defining authorized sending sources, SPF helps prevent email spoofing and phishing attacks, where hackers try to fake emails from your domain to do nefarious things. When receiving servers check SPF records, they can verify the authenticity of the sender’s domain, reducing the likelihood of emails being marked as spam or rejected.

The data required for creating an SPF record typically includes the list of IP addresses or domain names of the authorized sending servers. This list may include the IP addresses of the domain’s own mail servers, as well as any third-party services or providers authorized to send emails on behalf of the domain. The SPF record may also include mechanisms such as “include” or “a” to reference other domains or to specify the IP addresses found in a domain’s DNS records as authorized senders. Additionally, SPF records end with an “all” mechanism, whose qualifier (the sign in front of it) defines the default policy for handling emails from servers that matched nothing else.
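To show what a receiving server actually does with that record, here is an added example (not from the original post, and not any provider’s code) that evaluates a sender IP against a constructed SPF record covering the ip4, a, include and all mechanisms. The example.com and _spf.example.net records and addresses are made up for the demonstration; a real check would query DNS instead of the little lookup tables.

```python
import ipaddress

# Constructed stand-in for DNS: TXT and A records for made-up zones.
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 a include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}
FAKE_DNS_A = {"example.com": ["192.0.2.25"]}

RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, sender_ip: str, depth: int = 0) -> str:
    """Evaluate sender_ip against domain's SPF record (subset of RFC 7208).

    Returns one of pass / fail / softfail / neutral / none / permerror.
    Terms are tried left to right; the first one that matches decides the
    result, which is why the trailing "all" acts as the default policy.
    """
    if depth > 10:  # guard against include: loops, like the RFC's lookup limit
        return "permerror"
    record = FAKE_DNS_TXT.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"  # no SPF published for this domain
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a term with no sign means "+" (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name in ("ip4", "ip6"):
            # ip_network rejects a mismatched address family, so ip4 never matches an IPv6 sender
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            host = arg or domain  # "a" on its own means the domain's own A record
            matched = any(ip == ipaddress.ip_address(h) for h in FAKE_DNS_A.get(host, []))
        elif name == "include":
            # include: only matches if the referenced domain's record says "pass"
            matched = check_spf(arg, sender_ip, depth + 1) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no term matched and no "all" present
```

Note how a server that only appears in the included _spf.example.net record still passes for example.com, while an unknown server falls through to “-all” and fails outright; with “~all” it would merely softfail, which most receivers treat as a mark against the score rather than a rejection.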

The DKIM record

DKIM adds a digital signature to outgoing emails, allowing receiving servers to verify that the messages were sent by an authorized sender and have not been tampered with during transit. DKIM uses cryptographic keys stored in DNS records to sign outgoing emails, providing an additional layer of email authentication and ensuring message integrity. DKIM is a little bit more complicated to set up.

Creating an email DKIM (DomainKeys Identified Mail) DNS record involves generating cryptographic keys and publishing them in the domain’s DNS settings. Cryptographic keys are digital codes used to encrypt and decrypt data, ensuring secure communication and protection against unauthorized access. The data required for creating a DKIM record includes a selector prefix, which identifies the specific key used for signing outgoing emails, and the public key itself. The key pair is generated by the email sender’s server; the public key is what email receivers use to verify the authenticity of digitally signed emails. The DKIM record also contains information about the cryptographic algorithm used for signing the emails, such as RSA or ECDSA.

Configure your email server or email sending software to use the private key for signing outgoing emails with DKIM signatures. Ensure that the private key is securely stored and only accessible to authorized personnel or processes.
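The following is an added example, not code from the original post or from any mail server, showing the pieces a receiver pulls out of a DKIM-Signature header: where in DNS it looks for the public key (selector._domainkey.domain), and the body hash (bh=) that catches tampering with the message body. The signature itself (b=) is left as a labelled placeholder, because checking it needs an RSA or Ed25519 library; the domain, selector and message body are constructed for the demonstration.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body: bytes) -> bytes:
    """The "simple" body canonicalization from RFC 6376: normalise line endings to
    CRLF, drop trailing empty lines, and make sure the body ends in exactly one CRLF."""
    body = body.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body: bytes) -> str:
    """bh= value: base64 of SHA-256 over the canonicalized body."""
    return base64.b64encode(hashlib.sha256(canonicalize_body_simple(body)).digest()).decode()


def parse_tags(header_value: str) -> dict:
    """Split a 'tag=value; tag=value' list; folding whitespace inside values is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(tags: dict) -> str:
    """The TXT record a verifier queries for the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def build_dkim_signature(domain: str, selector: str, body: bytes) -> str:
    """Constructed DKIM-Signature header value. b= is a placeholder: a real signer
    signs the selected headers with the private key and puts the result here."""
    return (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER_SIGNATURE")


def check_body_hash(dkim_header: str, body: bytes) -> bool:
    """The 'not tampered with' half of DKIM: recompute bh= over the body as received."""
    return parse_tags(dkim_header).get("bh") == body_hash(body)
```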

The DMARC record

The DMARC entry builds upon SPF and DKIM by providing domain owners with greater control over email authentication policies. DMARC allows domain owners to specify how receiving servers should handle emails that fail the SPF and/or DKIM authentication checks. With DMARC, domain owners can instruct receiving servers to quarantine or reject suspicious emails, protecting their brand reputation and enhancing email deliverability.
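As an added example (not from the original post or any receiving server), this shows the decision the “passport control office” makes from a DMARC record: an email passes DMARC only if SPF or DKIM passed and the domain that passed lines up with the visible From address. It goes slightly beyond the text by handling the sp= subdomain policy and the strict/relaxed alignment tags. The DMARC record and domains are constructed; the organisational-domain rule is simplified to “last two labels” instead of the Public Suffix List real receivers use.

```python
def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (assumption for this
    example; a real implementation consults the Public Suffix List)."""
    return ".".join(domain.split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """adkim/aspf = 's' (strict) needs an exact match; 'r' (relaxed, the default)
    accepts any domain in the same organisation, e.g. mail.example.com for example.com."""
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, from_domain: str, spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """Return what the receiver should do: 'none' (deliver), 'quarantine' or 'reject'.

    spf_domain is the domain SPF was checked against (the envelope sender),
    dkim_domain is the d= tag of a DKIM signature that verified.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "none"  # no usable DMARC record: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "none"  # DMARC pass: one aligned authenticated identifier is enough
    policy = tags.get("p", "none")
    # A record found at the organisational domain may set a separate subdomain policy.
    if from_domain != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return policy
```

The last case in the checks below is the one that trips most people up: the mail was sent through a bulk mailer whose own SPF passed, but because that domain does not align with the From address the email still fails DMARC and, under p=reject, is rejected.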

If you use Gmail or Microsoft 365 then you have access to some wizards that will take you through how to set up the relevant DNS entries.

However, if you use an ISP to host your domain then you will need to enter the DNS entries manually. The first step will be to log in to the domain management area where your ISP allows you to update DNS records. This may be called cPanel or Customer Portal.

You will be presented with a list of the domains which you are in charge of. Select the domain that you send email from and want to create the email authentication settings for. When the domain DNS screen is displayed, scroll down to the part where you can add and change text or “TXT” record entries.

Now you have to create the string of text that you need to enter into each “TXT” record in order to add them to your domain. An easy way to create the SPF, DKIM and DMARC records is to use a service like EasyDMARC or MXToolbox (A10 Computers is in no way affiliated to, and is not paid any money by, EasyDMARC or MXTools). Once you have created the strings, enter them in the host name/subdomain and text columns as shown below.

Now you need to send some test emails to make sure that your emails are getting to their destination correctly, and monitor the DMARC reports that you receive to make sure that emails are not being wrongly flagged as spam and rejected.
