This is part of a series about BIMI readiness. In this post we explain how DMARC works and how to get to DMARC enforcement. To catch up on previous posts see What is BIMI and how can marketers use it for email campaigns? and The benefits of BIMI – and how to get ready for it.
Last week, Google announced that it would be starting a pilot of BIMI (Brand Indicators for Message Identification) as part of 11 new security features for G Suite. While Google is in its pilot phase of supporting BIMI, Verizon Media (Yahoo Mail) already supports it, so needless to say it is a growing initiative that will soon be widely supported by most email receivers. In short, it will allow brands to deliver their logos alongside email messages to billions of email inboxes worldwide, increasing consumer engagement with those messages and boosting brand trust.
Implementing BIMI, however, isn’t quite as simple as uploading a new favicon for your website. In order to guarantee that you are BIMI-ready, your organization needs to go through a few steps first.
Quick recap: What do you need in order to be BIMI-ready?
Taken directly from the AuthIndicators Working Group’s website, you need the following to get ready for BIMI:
- Authenticate all of your emails with SPF, DKIM, and DMARC
- Ensure domain alignment (the domain used by SPF and DKIM is the same as the one used by DMARC)
- Ensure your DMARC policy is at enforcement
- This means either “p=quarantine” or “p=reject”
- No sp=none and no pct<100
- Publish a BIMI record for your domain in DNS
- Where required, obtain a Verified Mark Certificate (VMC) certifying that the logo is yours
The steps themselves are simple, but the process of getting to DMARC enforcement can be lengthy and tedious. But it’s worth it, not only to earn the marketing benefits that can be achieved, but also to protect your organization with DMARC enforcement. Organizations at DMARC enforcement have seen an average of 10% increase in their deliverability and open rates, while at the same time the rate at which their domains are spoofed (impersonated) by phishers actually declines. With the addition of BIMI there’s a potential of another 10% boost in engagement. Security and increased deliverability and engagement. What’s not to like?
The path to BIMI: SPF, DKIM, and DMARC
As a recap from our last post:
- Sender Policy Framework (SPF) is the standard that launched domain-based email authentication, letting domain owners publish a list of approved IP addresses. If a mail server with an IP address not on the approved list tries to send an email using that domain, it won’t pass SPF authentication.
- DomainKeys Identified Mail (DKIM) improves upon SPF’s protocols by using public key cryptography to authenticate individual email messages.
- Both of these standards have limitations, however. This is where Domain-based Message Authentication, Reporting, and Conformance (DMARC) comes in. In order to be fully protected your organization needs to be at a policy of quarantine or reject (and at pct=100).
Let’s dive into each of these standards.
SPF: The world’s first email authentication standard
In its most basic usage, SPF enables you to create an allow list of IP addresses that can send email using your domain, or to specify various other rules specifying which services can send as you.
When an email server receives an incoming message, it examines the domain shown in the message’s Return-Path. Using DNS, it checks to see if there’s an SPF record for that domain. If there is a record, the receiving server then checks the IP address of the mail server that sent the message to figure out if it matches the SPF rules. If there’s a match, the email passes the test and (in most cases) is delivered to the user’s inbox. If not, the receiving server will typically reject the message or add a flag to it and mark it as suspicious.
Check your SPF record status using our domain checker. Learn more about the nuances of SPF here.
SPF was the first critical standard of email authentication, but it wasn’t made for the modern era of email and had to be built upon.
That’s where DKIM comes in.
DKIM: Adding a signature for increased protection
DKIM builds on the limitations of SPF as a security protocol, and is a stronger method of authentication. It typically survives forwarding (so messages that have been forwarded through a mailing list, for instance, can still authenticate properly) and you can be assured that the message has not been tampered with in transit.
DKIM uses public/private key cryptography to sign email messages and so that receivers can verify that the email came from the domain that the DKIM key is associated with. To add a DKIM signature, a domain owner creates a cryptographic public-private key pair, and places the public key in a DNS record at a location specified by the message’s DKIM header, which includes a domain name and a “selector.”
The server sending an email digitally signs the message using the private key (that only the sender has access to). Receiving servers use DNS to retrieve the public key found at the indicated domain and selector, then use that key to decrypt the signature and validate that there’s a match – indicating the message hasn’t been tampered with and can continue on its journey. To learn more about DKIM check out our detailed page.
But DKIM wasn’t built to protect against fraud or spoofing.
DMARC: Raising the bar for email security
Neither SPF or DKIM authenticate the sender using the “From:” field that users see. The policy specified in a DMARC record will require that the DKIM key’s domain (or the domain shown in the Return-Path verified by SPF) matches the domain shown in the “From:” address. This ensures that the visible From: address contains an authenticated domain, and it is also known as “alignment.” DMARC is the strongest email authentication protocol to date, and it’s becoming more widely adopted every day.
How does DMARC work?
When an email is received for delivery:
- The receiver checks authentication of the message using both SPF and DKIM
- The receiver then validates DMARC alignment for the message:
- if SPF authentication passed, and the domain checked matches the domain in the visible From, then DMARC passes and/or
- if DKIM authentication passed, and the domain checked matches the domain in the visible From, then DMARC passes
- Otherwise, DMARC fails
- If the email fails DMARC, receivers take action based on the policy specified in the domain owner’s DMARC record:
- do nothing (p=none)
- send it to spam (p=quarantine)
- reject/delete it (p=reject)
Check out your organization’s DMARC status in real-time here.
How it all comes together so you can be BIMI-ready
In order to implement – and reap the benefits of – BIMI, an organization needs to have DMARC configured and set to an enforcement policy, meaning email recipients will reject (block from delivery) or quarantine (move to a spam folder) any messages from senders who are not authorized to send on your behalf.
(You will also need a BIMI logo in the correct SVG format, and for some mailbox providers, like the Gmail pilot, you’ll also need a VMC to authenticate the logo file.)
DMARC is the strictest authentication protocol and it is an ongoing process to achieve and then maintain enforcement. There are implementation challenges which prevent a lot of organizations from getting to enforcement – the most crippling of which is a lack of visibility into the sending activity on an organization’s domain.
At Valimail, we believe that DMARC visibility should be available to everyone at no cost. Get our free visibility tool, DMARC Monitor, today to get to DMARC enforcement so that you can be ready for BIMI.
For a detailed guide on email authentication and the steps to get to DMARC enforcement, download our email authentication handbook.