Google Makes Email Safer For You
Google, the world’s biggest email provider, announced on February 9, 2016, that it will make email safer for recipients.
This will help its one billion monthly active Gmail users distinguish between good and malicious messages by showing them whether a sender’s identity can be trusted and whether an email could have been tampered with or viewed in transit.
The two changes are implemented immediately:
1. If you receive a message from, or are about to send a message to, someone whose email service doesn’t support TLS encryption, you’ll see a broken lock icon in the message.
2. If you receive a message that can’t be authenticated, you’ll see a question mark in place of the sender’s profile photo, corporate logo, or avatar.
What does this mean for marketers?
Gmail’s new features draw a direct link between email authentication and user engagement—a link which has a big impact on marketers. If marketers are not diligent about encrypting and authenticating their emails the right way, their email campaigns could take a big hit, resulting in the loss of leads, conversions, and, ultimately, business.
Google has warned users that if they see the broken padlock or question mark icons, they should be hesitant about replying to or clicking on links within the message. The news media has also issued warnings to consumers. In the future, emails that bear these warning tags could fall into the spam folder or, worse, be rejected by mailbox providers altogether.
The solution lies in DMARC.
What is DMARC and Email Authentication?
SPF and DKIM are two of the most widely used email authentication standards. We wrote a simple guide about how SPF functions here.
What is SPF?
In short, there is the sender of an email and there is the IP address that is actually delivering it. It's possible that the sender is being faked. So email providers like Gmail look at the email, see which domain the sender claims to be, look up that domain's published SPF record and check whether the delivering IP is permitted to send for it. If the IP is an authorized sending IP, Gmail records a “pass”.
What is DKIM?
DomainKeys Identified Mail (DKIM) goes a step further. A simplified five-step view of DKIM looks like this:
1. The sender runs the contents of the email through a hash function, which turns the bits of the message into a short fixed-length code called a “hash”.
2. This “hash” is then signed (encrypted) with the sender's private key. The resulting signature is sent along with the email.
3. Email providers like Gmail look at the email they received and compute their own “hash” of its contents.
4. Gmail then sees which website/domain signed the email and asks that domain's DNS for its public “key” (hence the name “DomainKeys”). The signature sent in the email is unlocked with this key.
5. If the unlocked code, which is the sender's original “hash”, and the “hash” computed by Gmail are the same, Gmail can be sure that all is well. If not, there is a possibility that someone has tampered with the email, or that the email was not really sent by that website.
Another important aspect of DKIM is the signing domain. It has to match the domain the email claims to be from.
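To make steps 1, 3 and 5 concrete, here is an added example (not code from the original post or from Juvlon) that computes the DKIM body hash the way a verifier does, reads the tags out of a DKIM-Signature header, and flags a message whose body no longer matches the bh= value it was signed with. The message, the selector sel2016 and the domain are constructed for the example; the b= value is a placeholder, because checking the actual signature needs the public key fetched from the selector record in DNS, which this offline example does not do.

```python
import base64
import hashlib
import re

# Constructed sample body (not from the original post). Note the trailing
# empty lines: the canonicalization below removes them before hashing.
SAMPLE_BODY = "Dear reader,\r\nPlease help us save the tiger.\r\n\r\n\r\n"


def canonicalize_body_simple(body: str) -> bytes:
    """'simple' body canonicalization (RFC 6376 section 3.4.3): every line ends
    in CRLF and any run of trailing empty lines is reduced to a single CRLF."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while text.endswith("\r\n\r\n"):
        text = text[:-2]
    if not text.endswith("\r\n"):
        text += "\r\n"
    return text.encode("utf-8")


def body_hash(body: str) -> str:
    """Steps 1 and 3 of the post: SHA-256 over the canonical body, base64 encoded
    exactly as it appears in the bh= tag of the DKIM-Signature header."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


# Constructed DKIM-Signature header. d= is the signing domain, s= the selector
# naming the DNS record that holds the public key, bh= the body hash above.
# b= is a placeholder: this example does not verify the RSA signature itself.
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=simple/simple; d=save-the-tiger.com; s=sel2016;"
    " h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + ";"
    " b=PLACEHOLDER-SIGNATURE-NOT-VERIFIED-HERE"
)


def parse_dkim_signature(header_value: str) -> dict:
    """Split the 'tag=value; tag=value' list into a dict, dropping the folding
    whitespace that mail software inserts inside long base64 values."""
    tags = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def public_key_dns_name(tags: dict) -> str:
    """Step 4: the TXT record a verifier queries for the public key."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def check_body_hash(header_value: str, body: str) -> dict:
    """Step 5 for the body: recompute the hash and compare with the signed bh=.
    A mismatch means the body was altered after signing (or the signature
    belongs to a different message)."""
    tags = parse_dkim_signature(header_value)
    return {
        "signing_domain": tags.get("d"),
        "key_record": public_key_dns_name(tags),
        "body_intact": body_hash(body) == tags.get("bh"),
    }


if __name__ == "__main__":
    print(check_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY))
    # Same header, body edited in transit: body_intact becomes False.
    print(check_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY.replace("tiger", "lion")))
```

The body hash alone does not prove who sent the message; that comes from verifying b= over the listed headers (including bh=) with the key found at sel2016._domainkey.save-the-tiger.com. What the body-hash check does show is why step 5 catches tampering: one changed word produces a completely different hash.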
If SPF and DKIM fail, why not just junk the email?
Well, email systems are complex. Say you run a website called Save The Tiger. Your office email runs on ‘mycompany.com’ addresses, but you want the world to see ‘save-the-tiger.com’ addresses. You used the Juvlon.com service to send out a nice HTML email to your readers, so the actual sender became Juvlon.com. Also imagine that you got a good deal from a prominent newspaper and they decided to email their readers about save-the-tiger: the “from” name shows ‘save-the-tiger’, but the sender is the newspaper. And what if you wanted to run a campaign in the USA to raise funds to save the tiger? You get the drift: there could be many senders. How would you know that someone was actually using your from name to collect donations from unsuspecting people on a separate website? How will Gmail know which email to trust and which to junk?
So what is this thing called DMARC?
It is one more step above DKIM. Let's say both SPF and DKIM fail for an email. What is Gmail to do then? Junk it? And how should it inform the website concerned? DMARC solves this step.
With DMARC a website can declare that it is using SPF and/or DKIM. The website can now tell Gmail what to do if neither of those authentication methods passes – such as junk or reject the email. With DMARC, Gmail can also send a report to the website owner whenever email authentication fails. Ah! That's good news, isn't it?
So what does one have to do for all this?
Just like SPF and DKIM, DMARC requires you to publish a record in your domain's DNS. They are all TXT records.
How do they look?
SPF record looks like this:
“v=spf1 mx include:juvlon.com ~all”
What Gmail reads from this: if the email comes from save-the-tiger.com's own mail servers (mx), accept it (obviously), and if it comes from juvlon.com (include), accept it as well. Treat everything else with suspicion (~all).
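The following is an added example (not code from the original post or from Juvlon) of how a receiver evaluates that SPF record: it walks the mechanisms left to right, follows the include: into juvlon.com's own record, and returns the qualifier of the first mechanism that matches the delivering IP. The DNS table, host names and IP addresses are constructed for the example (the 203.0.113.0/24 and 198.51.100.0/24 ranges are reserved documentation addresses), standing in for live lookups.

```python
import ipaddress

# Constructed DNS data (not from the original post). juvlon.com's record and
# the IP ranges are invented for the example.
DNS = {
    "save-the-tiger.com": {
        "TXT": "v=spf1 mx include:juvlon.com ~all",
        "MX": ["mail.save-the-tiger.com"],
    },
    "mail.save-the-tiger.com": {"A": ["203.0.113.10"]},
    "juvlon.com": {"TXT": "v=spf1 ip4:198.51.100.0/24 -all"},
}

# The qualifier in front of a mechanism decides the result when it matches.
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_record(domain: str):
    txt = DNS.get(domain, {}).get("TXT", "")
    return txt if txt.startswith("v=spf1") else None


def check_spf(client_ip: str, domain: str, depth: int = 0) -> str:
    """Evaluate the SPF record of `domain` for the IP that delivered the mail.
    Returns pass, fail, softfail, neutral, none (no record) or permerror."""
    if depth > 10:
        # RFC 7208 caps DNS-querying mechanisms; also stops include: loops.
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in DNS.get(arg or domain, {}).get("A", [])
        elif name == "mx":
            # The domain's own inbound mail servers may send for it.
            for host in DNS.get(arg or domain, {}).get("MX", []):
                if str(ip) in DNS.get(host, {}).get("A", []):
                    matched = True
        elif name == "include":
            # include: matches only if the other domain's policy says pass;
            # a fail inside juvlon.com's record does not end the evaluation.
            matched = check_spf(str(ip), arg, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched and no 'all' present


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.5"):
        print(ip, check_spf(ip, "save-the-tiger.com"))
```

The last case is the one the post calls “treat with suspicion”: an unknown IP reaches ~all and gets softfail, which receivers usually treat as a mark against the message rather than an outright reject. Had the record ended in -all, the same IP would get fail.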
DKIM record looks like this:
What Gmail reads from this: I have to get the “key” from save-the-tiger.com's DNS and use it to unlock the signature in the b= field.
DMARC record looks like this:
What Gmail reads from this: if neither SPF nor DKIM passes, reject 100% of those emails, and send a report about the rejected mail to firstname.lastname@example.org
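This added example (not code from the original post or from Juvlon) ties the pieces together the way a receiver applies DMARC: it parses a DMARC record, checks that a passing SPF or DKIM result is for a domain aligned with the From address (the “signing domain has to match the sender” point), and returns the disposition the domain owner asked for. It then runs the senders from the Save The Tiger story through it. The DMARC record, the newspaper's domain and the report address are constructed for the example, since the post does not show its record; the organizational-domain rule is simplified to the last two labels, where real receivers use the Public Suffix List.

```python
# Constructed DMARC record (not from the original post): reject everything
# that fails, apply to 100% of mail, relaxed alignment, reports to rua=.
SAMPLE_DMARC = ("v=DMARC1; p=reject; pct=100; adkim=r; aspf=r; "
                "rua=mailto:dmarc-reports@save-the-tiger.com")


def parse_dmarc(record: str) -> dict:
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def organizational_domain(domain: str) -> str:
    # Simplified: last two labels. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain: str, mode: str) -> bool:
    """Relaxed (r) alignment accepts any subdomain of the From domain's
    organizational domain; strict (s) needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(record: str, from_domain: str, spf_result: str,
                      spf_domain, dkim_result: str, dkim_domain,
                      draw: int = 0) -> dict:
    """spf_domain is the envelope (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= of a verified signature. `draw` (0-99) stands in for
    the receiver's random sample used to apply the pct= tag."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return {"dmarc": "none", "disposition": "none", "report_to": None}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    report_to = tags.get("rua")
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none", "report_to": report_to}
    policy = tags.get("p", "none")
    if draw >= int(tags.get("pct", "100")):
        # Mail outside the pct= sample gets the next weaker disposition
        # (RFC 7489 section 6.6.4), which is how a gradual rollout works.
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return {"dmarc": "fail", "disposition": policy, "report_to": report_to}


# The senders from the story, all with From: ...@save-the-tiger.com.
FROM = "save-the-tiger.com"
# Juvlon sends it: SPF passes for juvlon.com (not aligned), but the mail
# carries a DKIM signature with d=save-the-tiger.com (aligned).
via_juvlon = dict(spf_result="pass", spf_domain="juvlon.com",
                  dkim_result="pass", dkim_domain="save-the-tiger.com")
# The newspaper sends it from its own servers without a save-the-tiger DKIM key.
via_newspaper = dict(spf_result="pass", spf_domain="newspaper.example",
                     dkim_result="none", dkim_domain=None)
# Someone else uses the from name to solicit donations: nothing passes.
spoofed = dict(spf_result="fail", spf_domain="save-the-tiger.com",
               dkim_result="none", dkim_domain=None)

if __name__ == "__main__":
    for label, case in (("juvlon", via_juvlon), ("newspaper", via_newspaper), ("spoof", spoofed)):
        print(label, dmarc_disposition(SAMPLE_DMARC, FROM, **case))
```

The newspaper case is the practical lesson for marketers: a technically legitimate partner that is not in your SPF record and does not sign with your DKIM key fails DMARC exactly like a forgery, and with p=reject its mail never reaches the reader. The rua= address in the record is where Gmail sends its aggregate reports, which is how you discover such senders before tightening the policy.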
Write to us at email@example.com to know more.