2024 Guide to Email Authentication: SPF, DKIM, DMARC, and BIMI Explained – Part 1

Ever wondered how mailbox providers such as Gmail and Yahoo distinguish legitimate senders from potential spammers or scammers? The key lies in email authentication protocols.

Email fraud, particularly through tactics like email spoofing, poses a significant challenge. Ensuring the safety of email recipients is paramount to mailbox providers, and it should be a priority for us as email senders as well.

As an email marketer, building trust with subscribers is essential, and maintaining the integrity of the email channel is crucial for fostering meaningful connections between brands and customers. Beginning in 2024, implementing email authentication protocols will be mandatory for senders aiming to reach users on major platforms like Gmail and Yahoo Mail.

However, navigating through terms such as SPF, DKIM, DMARC, and BIMI, alongside other acronyms like SMTP and MTAs, can feel like wading through a bowl of alphabet soup. But fear not! This guide is here to illuminate the essentials and guide you towards setting up email authentication protocols effectively.

Email authentication protocols quietly work behind the scenes, acting as unsung heroes to verify the identity of senders before their emails land in inboxes. By implementing these verification methods, not only do senders demonstrate responsibility, but they also enhance email deliverability.

Though the technical intricacies of these protocols may seem daunting, with acronyms reminiscent of a bowl of Alpha-Bits cereal, let’s begin by unraveling the basics.

Email Authentication Explained

Email authentication is a crucial process employed to ensure the integrity of email messages, guarding against fakery and forgery before they reach their intended recipients. Operating in the background, email authentication protocols are utilized by mail servers on the receiving end to validate crucial sender information, particularly the identity listed in the “from” field and other pertinent data within the email header.

These protocols serve multiple functions, including verifying that emails have not been tampered with during transit and providing directives to mail servers regarding the treatment of messages that fail authentication.

By safeguarding against spam and phishing attacks, particularly those stemming from email spoofing, email authentication protocols play a vital role in protecting users.

Here’s a concise overview of the primary protocols and specifications associated with email authentication:

  • Sender Policy Framework (SPF): This protocol maintains a list of approved sources authorized to send emails on behalf of your domain.
  • DomainKeys Identified Mail (DKIM): DKIM uses a public and private key pair to authenticate the identity of a sender before a receiving mail server accepts the message for delivery.
  • Domain-based Message Authentication, Reporting, and Conformance (DMARC): DMARC serves as a specification that verifies SPF and DKIM alignment before providing instructions to receiving mail servers on how to handle authentication failures. Additionally, DMARC furnishes senders with reports on email traffic.
  • Brand Indicators for Message Identification (BIMI): BIMI is an email specification enabling senders to display a verified logo at the inbox level when DMARC enforcement is in place.

These email authentication protocols and specifications are published as DNS TXT records, which mailbox providers and receiving mail servers look up when determining whether to accept messages for delivery and how to classify them, whether as spam or as eligible for delivery to users’ inboxes.

2024 Email Authentication Protocol Requirements Explained

In 2024, the landscape of email authentication protocol requirements shifted significantly, notably with announcements from Gmail and Yahoo regarding new mandates for bulk senders. One of the most substantial changes introduced was the mandatory adoption of email authentication protocols.

Previously, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) were strongly recommended but not obligatory. However, the tides have turned. As of 2024, all senders are required to employ some form of email authentication. Specifically, bulk senders—typically those dispatching thousands of emails daily—are mandated to implement all three authentication methods.

Yet, even for non-bulk senders, integrating SPF, DKIM, and DMARC into their email infrastructure is a prudent decision. Mailbox providers are ramping up efforts to combat issues such as spoofing and spam proliferation, underlining the importance of robust authentication measures.

A survey conducted by Sinch Mailgun for its exclusive report, “The State of Email Deliverability 2023,” revealed alarming findings. A notable portion of senders were found to be not utilizing SPF, DKIM, and DMARC, while many others remained uncertain about the authentication status of their emails.

The survey's findings on the implementation of email authentication protocols among senders are as follows:

  • SPF Usage:
    • Yes: 55.4%
    • No: 12.8%
    • Unsure: 31.8%
  • DKIM Usage:
    • Yes: 58.5%
    • No: 11.1%
    • Unsure: 30.4%
  • DMARC Usage:
    • Yes: 42.5%
    • No: 18.7%
    • Unsure: 38.8%

These statistics underscore a significant portion of senders who have yet to fully implement SPF, DKIM, and DMARC. Notably, a considerable number of respondents remain uncertain about their email authentication practices. These figures emphasize the urgent need for senders to prioritize the adoption of robust email authentication protocols to enhance deliverability and mitigate potential security risks.

How Email Authentication Works

Email authentication is a crucial process that verifies the origin of an email and confirms domain ownership for the message transfer agents (MTAs) involved in its transmission or modification.

In essence, when an email is sent, it originates from a specific domain or subdomain. Email authentication protocols consist of rules embedded within DNS (domain name system) records for these sending domains. To authenticate an email, the sending mail server and the receiving mail server engage in a dialogue, and the receiving server checks the message against the records published in the DNS to validate the sender’s identity.

Though each protocol operates uniquely, the general process unfolds as follows:

  • Establishing Authentication Rules: The sender or domain owner defines rules for authenticating emails sent from or on behalf of its domains.
  • Configuring Sending Servers: The sender configures its sending email servers and publishes the authentication rules within the DNS records.
  • Authentication by Receiving Servers: Upon receipt, the receiving email servers authenticate incoming messages from the sender by applying the published rules.
  • Action by Receiving Servers: Subsequently, the receiving email servers adhere to the published rules and proceed to either deliver, quarantine, or reject the message based on authentication outcomes.
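
The four steps above, as an added example (not code from the original article): a simplified receiver that reads constructed SPF and DMARC TXT records for example.com and decides whether to deliver, quarantine or reject a message. It assumes DKIM signatures were already verified (`dkim_pass_domains` is a hypothetical input), evaluates only the `ip4` and `all` SPF terms, and approximates relaxed alignment as a subdomain match.

```python
import ipaddress

# Constructed DNS TXT records for the reserved example.com domain (not real data).
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all",
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@example.com",
}

def spf_check(mail_from_domain, client_ip):
    """Simplified SPF: only ip4 mechanisms and the 'all' term are evaluated."""
    record = DNS_TXT.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.lstrip("+-~?") == "all":
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

def parse_tags(record):
    """Split the 'k=v; k=v' tag list used by DMARC records into a dict."""
    return dict(p.strip().split("=", 1) for p in record.split(";") if "=" in p)

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match. Relaxed ('r') is approximated as a
    subdomain match; real receivers compare organizational domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    if a == f:
        return True
    return mode == "r" and (a.endswith("." + f) or f.endswith("." + a))

def dmarc_disposition(from_domain, mail_from_domain, client_ip, dkim_pass_domains):
    """Return (dmarc_result, action) for one message.
    dkim_pass_domains: d= domains whose signatures already verified (assumed input)."""
    policy = parse_tags(DNS_TXT.get("_dmarc." + from_domain, ""))
    if policy.get("v") != "DMARC1":
        return ("none", "deliver")  # no published policy to enforce
    spf_ok = (spf_check(mail_from_domain, client_ip) == "pass"
              and aligned(mail_from_domain, from_domain, policy.get("aspf", "r")))
    dkim_ok = any(aligned(d, from_domain, policy.get("adkim", "r"))
                  for d in dkim_pass_domains)
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    actions = {"reject": "reject", "quarantine": "quarantine"}
    return ("fail", actions.get(policy.get("p"), "deliver"))
```

A message passes DMARC when either SPF or DKIM both passes and aligns with the visible From domain, which is why a forwarded message whose SPF breaks can still be delivered on an aligned DKIM signature.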

Beyond confirming legitimate senders, email authentication protocols also play a pivotal role in establishing IP address and domain reputation. This enables the more efficient identification of malicious senders, thereby enhancing email security measures.

Conclusion

The foundation of email communication lies in the Simple Mail Transfer Protocol (SMTP), which facilitates the exchange of messages. However, SMTP lacks built-in mechanisms for validating the identity of senders, rendering it vulnerable to abuse by spammers and phishing attempts.


To address these vulnerabilities, email authentication protocols emerged in the early 2000s, aiming to bolster the security of SMTP and combat the proliferation of email spam. Among the earliest and most widely adopted protocols were Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Subsequently, Domain-based Message Authentication, Reporting, and Conformance (DMARC) was introduced as a policy framework to augment and standardize SPF and DKIM. More recently, Brand Indicators for Message Identification (BIMI) has arrived as a novel email specification.


These authentication protocols establish a standardized approach for email services such as Gmail, Outlook, Yahoo, and Apple Mail to verify sender identities, eliminating the need for disparate, proprietary authentication methods.