Sender ID, SPF and DKIM


If you are a legitimate email marketer, Sender ID, SPF and DKIM should be of interest to you. It’s a big subject but here’s a quick guide.

First, all are fundamentally verification concepts, designed to establish you as a legitimate sender of genuine email communications. Think of the topic as an anti-forgery process. Why? Because at base level SMTP allows any computer to send email from any source address – an open door for spammers, forgers and phishers.

SPF

SPF (Sender Policy Framework) and Sender ID are two slightly different ways that servers receiving email can verify that the person sending the message is allowed to send emails from that domain name. It is easy to confuse them, as at first glance they look similar. The difference is in exactly what they validate and what level of the e-mail system they are related to.

Sender ID and SPF

SPF (Sender Policy Framework) validates the originating email address of a message. This is not always the same as the ‘from’ address as it relates to the actual server sending the message. SPF has been widely adopted by the major ESPs such as Gmail, Hotmail, AOL and Yahoo.

Sender ID validates the actual ‘from’ address of the email – essentially it is a way to identify the legitimacy of an email sender, that is, to identify the visible sender of the message. Sender ID was originally developed by Microsoft as a defence against spam emails. Authenticating the sender was designed as a quick (if not watertight) way of helping mail receivers to filter against unsolicited communications.

Sender ID may not be dead but uptake of Sender ID among ESPs has been low – that’s why we recommend using SPF. By the way, you have to control the domain name to set the SPF or Sender ID. As such you cannot send out emails from free email addresses (hotmail.com etc.) through systems like Sign-Up.to.

SPF has a similar objective but addresses it in a slightly different way. An SPF record is a small piece of text that is stored in the DNS record of your domain name. This text explains which servers are allowed to send email on your behalf. When a system receives email from you, it looks up this record and checks it against the details of the server that sent your message. As only the owner of a domain name can alter its DNS record, this is a fairly secure way to manage this information.

SPF affects everyone who sends marketing emails. SPF adds an extra layer of security to email. It makes it much more difficult to send email from forged addresses, a favourite trick of spammers and scammers. By adopting SPF, legitimate email can be more easily separated from junk.

Major ESPs like Hotmail and Gmail use SPF to screen emails. If an email is received which does not have an SPF record set then it is highly likely to end up in the junk/spam folder, and may even not be delivered at all. If an email is received from an address with an SPF record but from a system that is not listed in the record, it is sent to the junk/spam folder or not delivered at all.

If you are sending email from an email marketing system like Sign-Up.to you need to ensure that the system is listed in the SPF record for your domain name, as this will help to maximise the delivery rate of your campaign.
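
The check a receiving server makes against the SPF record, and the effect of leaving your email marketing system out of that record, can be sketched in a few lines of Python. This is an added example, not code from Sign-Up.to or any mail server: it handles only the ip4, ip6, include and all mechanisms, and the ZONE dictionary, domain names and IP addresses are constructed placeholders standing in for real DNS lookups.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. Every name and address below is a
# reserved documentation value, not a real record.
ZONE = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all",
    "shop.example": "v=spf1 ip4:192.0.2.0/24 -all",   # ESP not listed
    "_spf.esp.example": "v=spf1 ip4:198.51.100.16/28 ~all",
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, zone=ZONE, depth=0):
    """Evaluate a subset of SPF (ip4, ip6, include, all) for sender_ip."""
    if depth > 10:                        # simplified guard against include loops
        return "permerror"
    terms = (zone.get(domain) or "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"                     # domain publishes no SPF policy
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULTS[qualifier]
        elif name == "include":
            # include matches only if the nested policy evaluates to "pass"
            inner = check_spf(arg, sender_ip, zone, depth + 1)
            if inner == "pass":
                return RESULTS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
        else:
            return "permerror"            # mechanism outside this subset
    return "neutral"                      # nothing matched and no "all" term


if __name__ == "__main__":
    esp_ip = "198.51.100.20"              # constructed ESP sending address
    for d in ("example.com", "shop.example", "nospf.example"):
        print(d, check_spf(d, esp_ip))
```

The same sending address passes for the domain whose record includes the marketing system and fails for the domain whose record lists only its own servers.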

And DKIM?

DKIM is in some respects the next level. It’s like an encrypted digital fingerprint or signature which can be used to verify the credentials of email traffic. DKIM works by using a private domain key to encrypt your domain’s outgoing mail headers, and adding a public version of the key to the domain’s DNS records. Comparison of the decrypted original and received headers can then be used to check that all is well – that your email comes from your domain and that it hasn’t been changed along the way.

Which to use?

Any action designed to improve security and deliverability is going to be a good action to take, but it’s not really an either/or decision. Because Sender ID and SPF address slightly different issues, we’d generally recommend both are applied. As an additional digital signature, we also recommend using DKIM.
