Subsections of email authentication basics
<spf> declare your smtp servers
spf explained
SPF is the abbreviation of Sender Policy Framework, an email authentication standard,
that lets you declare which are the smtp servers authorized to send emails for your domain.
It allows you to confirm the sender’s address and its relationship with the server that sent out the message.
If emails are sent with your sender domain, the recipient can identify if it has been sent from one smtp server that you recognize.
It’s recommended to configure it, because some recipients may reject your messages if spf is not set at all.
how to make spf work
There are two different approaches:
- a “soft” one (~all tag), that generates a “softfail” error if the message has been sent by a non declared server
- a “hard” one (-all tag), that generates a “fail” error if the message has been sent by a non declared server
The “soft” setup will produce less/no rejection by the recipients.
The “hard” one will cause some messages to be rejected if the server has not been declared or in some cases when the email has been redirected or sent through a mailing list.
The “hard” setup provides the destination mail server with more faculty to decide whether to accept the message or not, this is the approach that we suggest.
SPF setup requires to know exactly which servers you use to send out email messages.
With RealSender, the TXT record of your domain (example.com) should contain the string
a:example.realsender.com and look like this:
example.com TXT "v=spf1 a:example.realsender.com ~all"
With HighSender, the TXT record of your domain (example.com) should contain the string
include:spf.realsender.com and look like this:
example.com TXT "v=spf1 include:spf.realsender.com ~all"
These tools will help you validate the configuration:
www.kitterman.com/spf/validate.html *
retrieves SPF records for the specified domain name and determines if the record is valid
spf check online
validates your email SPF settings sending an email message
* = external website link, will open in a new page
spf downsides
Even if everything is set correctly, the message verification may fail
if the email has been redirected (forwarded) or sent through a mailing list.
In these cases, to keep the email authentication consistent,
configure the dkim signature domain to be aligned with the sender’s From address.
See: email authentication advanced » <dkim> alignment for dmarc.
last updated on September 3, 2020
<spf> check online
<spf> check online
- send an email message to:
spf@tester.realsender.com
- check online the SPF validation results:
(it will take a minute to appear)
https://tester.realsender.com/spf
RealSender SPF check online will add a subject prefix, if the message has not been authenticated correctly:
!! spf-fail !! the smtp server is not listed among the authorized ones
and the email should be rejected or discarded
!! spf-softfail !! the smtp server is not listed among the authorized ones
but this case should be treated as a "softfail"
!! spf-neutral !! the SPF record specifies explicitly that nothing can be said about validity
!! spf-none !! the sender domain contains no information to authenticate the email
Sometimes the information recorded at domain level is not correct/understandable.
!! spf-permerror !! a permanent error has occurred (eg. badly formatted SPF record)
!! spf-temperror !! a transient error has occurred
SPF check is made against the “Mail-From” email address, that is hidden in the email headers.
Only the “From” email address is visible. If their root domains are different, this warning is displayed:
!! spf-diff !! the "Mail-From" and the "From" root domains are different
If the message passes both SPF check AND SPF alignment check for DMARC (relaxed alignment), you will get:
|OK| spf-pass your email passes SPF check + SPF alignment check
If only one, SPF OR DKIM, passes the alignment check for DMARC (relaxed alignment),
the message is still considered “OK” (trusted) and the ~ (tilde) symbol is added at the beginning:
|~OK| spf-pass your email passes SPF check (not the alignment) + DKIM alignment check
Request a free trial
<dkim> seal the email content
dkim explained
DKIM is the acronim of DomainKeys Identified Mail, an email authentication standard,
designed to guarantee that the email (including the attachments) has not been modified since the “signature” was affixed.
It achieves this by affixing a digital signature, linked to a domain name, to each outgoing email message.
Two keys are used: a “public” and a “private” key:
- the “public” key, is published in the TXT record of the signing domain
- the “private” key, is saved whithin the smtp server and used to “sign” the email messages
While sending a message, the smtp server generates an “encrypted hash signature”, based on the email message contents and the private key.
The recipient system can verify the signature in the email header, comparing it with the email content and the sender’s “public” key.
how to make dkim work
DKIM signatures are not immediately visible to end-users, they are added and verified by the email infrastructure.
RealSender smtp servers sign all outgoing email messages with the dkim signature.
RealSender initially signs all outgoing messages with its own domain connected to the smtp server,
no setup is needed on the user/administrator side.
To get the “dkim domain alignment for dmarc”,
the message must be signed with the same domain of the sender.
With RealSender, you should add two CNAME records
in the dns settings of your domain (example.com), like these ones:
key1._domainkey.example.com CNAME key1._domainkey.yourcompany.realsender.com
key2._domainkey.example.com CNAME key2._domainkey.yourcompany.realsender.com
This tool will help you validate the configuration:
toolbox.googleapps.com *
* = external website link, will open in a new page
dkim downsides
A dkim sealed message can’t be modified, but it still can be read by anyone.
A signed message that does not pass the verification, usually gets rejected.
If no changes have been made along the way from sender to recipient, this should not happen.
We’ve experienced rare cases, all related with lines lenght (it must be max 990 characters).
Some applications send the content all in one line or transmit a very long line within the html.
On these occasions the dkim signature gets corrupted, causing the “dkim=fail” check result.
last updated on August 25, 2020
<dkim> check online
<dkim> check online
- send an email message to:
dkim@tester.realsender.com
- check online the DKIM validation results:
(it will take a minute to appear)
https://tester.realsender.com/dkim
RealSender DKIM check online will add a subject prefix, if the message has not been signed correctly:
!! dkim-none !! no DKIM-Signature headers (valid or invalid) were found
!! dkim-fail !! a valid DKIM-Signature header was found, but the signature
does not contain a correct value for the message
Sometimes it’s not possible to execute the check:
!! dkim-invalid !! there is a problem in the signature itself or the public key record.
I.e. the signature could not be processed
!! dkim-temperror !! some error was found which is likely transient in nature,
such as a temporary inability to retrieve a public key
When the message has been signed using a different domain, a “diff” alert will be added to the subject.
This warning will NOT be displayed if the sender passes the SPF check and SPF alignment for dmarc:
!! dkim-diff !! the message has NOT been signed by the sender's domain
If the message passes both DKIM check AND DKIM alignment check for DMARC (relaxed alignment), you will get:
|OK| dkim-pass your email passes DKIM check + DKIM alignment check
If only one, DKIM OR SPF, passes the alignment check for DMARC (relaxed alignment),
the message is still considered “OK” (trusted) and the ~ (tilde) symbol is added at the beginning:
|~OK| dkim-pass your email passes DKIM check (not the alignment) + SPF alignment check
Request a free trial