Behind the Scenes with Email Authentication

by Sophie Daniline - November 29, 2018
Earlier this year, Nicola gave you insights into how best to get your emails into people’s inboxes.

If you’re anything like me, you like to know exactly how everything works under the bonnet, especially when it comes to email. 

With that in mind, here’s exactly what’s going on when you authenticate your emails through Pardot:

When you send an email, the receiving mail server has an important job to do: protect the user of that account from potentially harmful (or at the very least inauthentic) messages.

To do this, the mail server is going to ask a key question:

Is this email from who it says it’s from and how do I know?

As email marketers, it’s incredibly useful to see how this process works, as it can have a huge impact on our emails landing in inboxes.

To find this out, the receiving mail server looks for specific items of information in your email and in the DNS records of your domain (DNS, the domain name system, is essentially the phone book of the web).

In doing this, it is trying to determine whether the email is legitimate, safe for its users to receive and whether the email is being sent from an authorised source.

But what exactly is it looking for?

SPF Records

The first thing it will look for is an SPF, or ‘Sender Policy Framework’, record, which basically means the mail server is making sure that the email has come from an IP address that it’s allowed to come from.

For example, if you’re sending an email from email@nebulaconsulting.co.uk from an IP such as 84.126.18.127, you would need to make sure that an SPF record was set up.

The record authorises that IP to send emails from that email address.

This prevents email spammers from using spoofed email addresses and getting inauthentic messages delivered to you.

If the email is sent from a sending host or IP that is not in the SPF record, the receiving mail server can determine that the email is not coming from an authorised IP, and mark it as illegitimate.

DKIM Records

The next thing it looks for is DKIM (DomainKeys Identified Mail).

This is an authentication method based on adding a cryptographic signature to your emails.

This is unlike the standard signature that goes at the end of your email; it’s a special signature found in the email header.

Once you have put DKIM in place, your emails will be much better positioned to reach the inbox.

You will also be helping protect yourself and your users against spam and phishing attempts.

The technical process

  • DKIM records are placed and verified – upon sending, all emails will then have a DKIM encrypted signature added to the email header
  • This encrypted signature is generated with the private key that pairs with the DKIM public key you have added to the DNS records of your domain. It includes a hash string based on elements of the specific email being sent. Thus, each individual email you send will carry a unique DKIM signature
  • The receiving mail server then decrypts the DKIM signature using the public key that is hosted in your DNS records
  • It will also simultaneously generate a new hash string based on the same elements of the email that were used when the email was sent
  • If the decrypted signature matches the newly generated hash string then the email successfully passes DKIM authentication

The server can now safely determine that the owner of the domain where the DKIM key is located was responsible for sending the email.

It can also now see that the contents of your email were not modified in transit between the sender and the recipient.

What does that mean?

In basic terms this means that the receiving server has checked that you are who you say you are (SPF) and that no-one has stolen your identity (DKIM).

By enabling email authentication, you are mitigating the potential for email fraud, and helping deliverability.

As Nicola mentioned previously, there are other factors that can impact how successfully your emails land in inboxes. However, from a technical standpoint, ensuring your emails are passing authentication is key (pun intended).

You can find all technical documentation here.
