Published: October 1, 2023
During our alpha release to customers, we ran into an issue that brought everything to a halt: our emails were landing in their spam folders, whether we sent them from Google Workspace or through APIs. As we operate in B2B healthcare, our customers run stringent spam rules on their corporate email servers. We had assumed that Google, as our email provider, would manage our domain's reputation for us. The realization struck hard: our domain reputation was on the line. Determined to find a solution, I delved into the intricacies of email authentication. The result? An enlightening journey through SPF, DMARC, and DKIM.
1. The Overlooked Importance of Emails in Startups
Product development, funding, and market validation often overshadow the significance of a robust email system in a startup's early stages. You get a new domain, set up Google Workspace, set up a Sendgrid API account, and assume everything is taken care of. But think of emails not just as communication tools; they're the face of your brand. Email is the first communication touchpoint with your customer or your customer’s customer when sending product notifications. For insighthealth.ai, every email flagged as 'spam' was a potential partnership or sales opportunity lost, pushing us to delve into the depths of email authentication.
2. Diving Deep into SPF, DMARC, and DKIM: The Technicalities
To truly grasp email authentication, it's crucial to unpack the technologies behind SPF, DMARC, and DKIM. These are not mere jargon; they are the pillars of email security and deliverability. They act as gatekeepers, ensuring that emails from your domain are not only delivered but also trusted by recipients. All three are published as TXT records in the DNS zone of the domain you send from, wherever that zone is hosted. Some email providers handle the SPF and DKIM parts for you: you add a few CNAME records that delegate those lookups to the provider, so the provider can rotate keys without you touching DNS again.
SPF (Sender Policy Framework) Record
SPF acts as the first line of defense in email authentication. The domain owner publishes a list of servers and IP addresses authorized to send mail on behalf of the domain; when a message arrives, the receiving server looks up the SPF record and checks whether the connecting IP is on that list. If it is not, the message can be flagged or rejected, which makes the simplest form of spoofing, any host sending with your domain as the sender, fail. One caveat practitioners should keep in mind: SPF is evaluated against the envelope sender (MAIL FROM, shown to recipients as Return-Path), not the From: header that users see. A message can therefore pass SPF for a third party's bounce domain while still showing your domain in From:, which is exactly the gap DMARC alignment closes.
Technical Insight: The SPF record is published in the domain's DNS as a TXT record. It lists which IP addresses or hostnames are sanctioned to send emails representing the domain. An illustrative SPF record might resemble the following:
`v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a -all`
Mechanisms are evaluated left to right and the first match decides: `ip4:` authorises an address range (a bare address means /32), `a` authorises whatever the domain's own A record resolves to, and `-all` hard-fails everything else (`~all` would soft-fail, which most receivers treat as a spam signal rather than a rejection). Two rules bite people in practice. A domain must have exactly one `v=spf1` record, so a second mail provider is added with an `include:` term inside the existing record, never as a second TXT record. And a record may trigger at most 10 DNS lookups in total (`a`, `mx`, `include` and `redirect` each count, nested includes included). Breaking either rule yields a permerror and receivers treat the record as if it were unusable.
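The check a receiving server performs on that record, written out as an added example (this is not code from the original post). It implements the core of RFC 7208's `check_host()` over an in-memory DNS table instead of live lookups so it runs offline: the `example.com` record is the one shown above, extended with an assumed `include:` of a hypothetical relay provider (`_spf.relay.example`) so that include recursion and the 10-lookup limit are visible.

```python
import ipaddress

# Constructed zone data standing in for live DNS, keyed by (name, record type).
# example.com carries the record from the post, extended with an include: of a
# hypothetical relay provider so the lookup counting and recursion are visible.
DNS = {
    ("example.com", "TXT"): [
        "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.123 a include:_spf.relay.example -all"
    ],
    ("example.com", "A"): ["203.0.113.5"],
    ("_spf.relay.example", "TXT"): ["v=spf1 mx ~all"],
    ("_spf.relay.example", "MX"): ["mail.relay.example"],
    ("mail.relay.example", "A"): ["198.51.100.200"],
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record is allowed: none gives 'none', several a permerror."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().split(" ")[0] == "v=spf1"]
    if not recs:
        return "none"
    return recs[0] if len(recs) == 1 else "permerror"


def host_has_ip(name, ip):
    return any(ip == ipaddress.ip_address(a) for a in lookup(name, "A"))


def check_host(ip, domain, lookups=None):
    """RFC 7208 check_host(): evaluate the SPF record of `domain` for sending address `ip`.
    `domain` is the MAIL FROM (Return-Path) domain, not the From: header the user sees.
    Returns one of pass, fail, softfail, neutral, none, permerror."""
    lookups = [0] if lookups is None else lookups  # one counter shared across includes/redirects
    ip = ipaddress.ip_address(ip)
    record = spf_record(domain)
    if record in ("none", "permerror"):
        return record
    redirect = None
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.lower().startswith("redirect="):
            redirect = term[len("redirect="):]
            continue
        if "=" in term.split(":")[0]:
            continue  # other modifiers (e.g. exp=) never affect the result
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)  # bare address means /32 or /128
        elif name == "a":
            matched = host_has_ip(arg or domain, ip)
        elif name == "mx":
            matched = any(host_has_ip(mx, ip) for mx in lookup(arg or domain, "MX"))
        elif name == "include":
            sub = check_host(str(ip), arg, lookups)
            if sub in ("none", "permerror"):
                return "permerror"  # a missing or broken include breaks the whole record
            matched = sub == "pass"  # include matches only on pass; the included -all does not apply here
        else:
            return "permerror"  # ptr/exists are not implemented in this example
        if matched:
            return QUALIFIERS[qual]
    if redirect:
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            return "permerror"
        result = check_host(str(ip), redirect, lookups)
        return "permerror" if result == "none" else result
    return "neutral"  # no term matched and no "all" present
```

Note how an `include:` contributes only a pass: the relay's `~all` never soft-fails mail for `example.com`, the outer `-all` does. Replacing the `DNS` dict with real TXT/A/MX lookups turns this into a usable checker; the shared `lookups` counter is what makes the 10-lookup limit enforceable across nested includes.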
DKIM (DomainKeys Identified Mail) Record
DKIM offers an additional layer of email security by employing cryptographic techniques. The sending server attaches a digital signature (the DKIM-Signature header) that covers the message body and a chosen set of headers, typically From, To, Subject and Date. Receivers use it to verify that the message was signed by a key belonging to the claimed domain (the `d=` tag) and that the signed parts have not been altered in transit. Headers that were not signed, and anything appended beyond a body length limit if the signer uses the `l=` tag, are not protected.
Technical Insight: The DKIM process uses a pair of cryptographic keys – a private key for signing the email and a public key, which is published in the domain's DNS for receivers to validate the signature. The public key lives at `<selector>._domainkey.<domain>`; the selector (the `s=` tag in the signature) lets you publish several keys at once and rotate them without downtime. A representative DKIM record might appear as follows:
`v=DKIM1; k=rsa; p=MIG...`.
Through this mechanism, both senders and receivers have a mutual assurance of the email's authenticity and integrity.
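The integrity check described above starts before any public key is touched: the verifier canonicalizes the received body exactly as the signer did and recomputes the `bh=` body hash carried in the DKIM-Signature header. The following is an added example (not code from the original post) of that step, with both RFC 6376 body canonicalizations and the tag parser that also reads the DNS key record. The `make_signature_header` helper and the `example.com`/`s1` identifiers are constructed for the example; it leaves `b=` empty because only the body-hash step is shown.

```python
import base64
import hashlib
import re


def canonicalize_body_simple(body: bytes) -> bytes:
    """RFC 6376 3.4.3: drop empty lines at the end of the body, nothing else.
    An empty body canonicalizes to a single CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 3.4.4: collapse runs of SP/TAB to one SP, strip trailing whitespace
    on each line, drop empty trailing lines, ensure a final CRLF. This tolerates
    the whitespace rewriting that relays and list servers do."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    body = b"\r\n".join(lines)
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if body == b"\r\n":
        return b""  # an empty body canonicalizes to zero octets
    if body and not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def parse_tags(value: str) -> dict:
    """Parse a tag=value list as used by both the DKIM-Signature header and the
    DNS key record (v=DKIM1; k=rsa; p=...). Folding whitespace inside values,
    common for the long bh= and b= and p= values, is removed."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def body_hash(body: bytes, canon: str = "relaxed", algo=hashlib.sha256, length=None) -> str:
    """Base64 digest of the canonicalized body: the bh= value."""
    canonical = canonicalize_body_relaxed(body) if canon == "relaxed" else canonicalize_body_simple(body)
    if length is not None:
        # l= hashes only the first `length` octets. Anything appended after that
        # point is unsigned, which is why verifiers should distrust l=.
        canonical = canonical[:length]
    return base64.b64encode(algo(canonical).digest()).decode()


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """First step of DKIM verification: recompute bh= from the received body and
    compare with the signer's value. A mismatch means the body was modified in
    transit and the RSA signature check can be skipped entirely."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) == 2 else "simple"  # c=relaxed alone means relaxed/simple
    algo = hashlib.sha1 if tags.get("a", "rsa-sha256").endswith("sha1") else hashlib.sha256
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, body_canon, algo, length) == tags.get("bh")


def make_signature_header(body: bytes, canon: str = "relaxed") -> str:
    """Constructed DKIM-Signature value for demonstration; b= is left empty because
    only the body-hash step is shown here. d= and s= are example values."""
    return ("v=1; a=rsa-sha256; c=relaxed/%s; d=example.com; s=s1; "
            "h=from:to:subject:date; bh=%s; b=" % (canon, body_hash(body, canon)))
```

With relaxed canonicalization a relay that rewraps whitespace does not break the signature, while any change to the words does. The `l=` case in the test shows the caveat from the text: with a body length limit, text appended after the signed portion still verifies.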
DMARC (Domain-based Message Authentication, Reporting, and Conformance) Record
Building on SPF and DKIM, DMARC is the sentinel that tells receivers how to handle mail that fails authentication for your domain, and it sends the domain owner reports on who is sending as the domain and how those messages fared.
Technical Insight: DMARC policies are specified using a TXT record published at `_dmarc.<domain>`. The record might look like this:
`v=DMARC1; p=reject; rua=mailto:report@domain.com`
Here, `p=reject` tells receivers to reject messages that fail DMARC, while `rua` specifies where aggregate reports should be sent. A message passes DMARC only if SPF or DKIM passes *and* the domain that passed is aligned with the domain in the From: header: for SPF that is the MAIL FROM domain, for DKIM the `d=` tag. By default (`aspf=r`, `adkim=r`) a subdomain of the From: domain is enough; `aspf=s` and `adkim=s` demand an exact match. This is why mail sent through an API provider can pass SPF for the provider's own bounce domain and still fail DMARC. Start with `p=none` to collect reports without affecting delivery, move to `p=quarantine` once every legitimate sender passes aligned, and only then to `p=reject`; `pct=` lets you phase each step in.
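The policy evaluation just described, as an added example (not code from the original post): parse the `_dmarc` record, decide alignment, and return the result and requested disposition for one message. `example.com` and the provider bounce domain `bounces.mailer.example` are assumed names, and the organizational-domain helper is a simplification that keeps the last two labels instead of consulting the Public Suffix List.

```python
DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None, "rua": None, "ruf": None}


def parse_dmarc(domain: str, record: str) -> dict:
    """Parse the TXT record published at _dmarc.<domain>. v= and p= are mandatory;
    everything else falls back to the RFC 7489 defaults (relaxed alignment, pct=100)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % record)
    return {**DEFAULTS, **tags, "domain": domain.lower()}


def org_domain(domain: str) -> str:
    """Organizational domain. Real implementations consult the Public Suffix List;
    keeping the last two labels is an assumed simplification (fine for .com/.ai,
    wrong for suffixes like .co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment: same organizational domain. Strict ('s'): exact match."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate(policy: dict, header_from: str, spf=None, dkim=()):
    """Apply DMARC to one message.
    spf:  (MAIL FROM domain, result) from the SPF check, or None if there was none
    dkim: iterable of (d= domain, result) for each DKIM-Signature that was verified
    Returns (dmarc_result, requested_disposition)."""
    spf_ok = spf is not None and spf[1] == "pass" and aligned(header_from, spf[0], policy["aspf"])
    dkim_ok = any(res == "pass" and aligned(header_from, d, policy["adkim"]) for d, res in dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    disposition = policy["p"]
    if policy["sp"] and header_from.lower() != policy["domain"]:
        disposition = policy["sp"]  # sp= overrides p= for subdomains of the policy domain
    # pct= below 100 means the receiver applies `disposition` to only that share of
    # failing mail and the next-weaker policy to the rest; sampling is left out here.
    return "fail", disposition
```

The second assertion in the test is the case from the text: SPF passes, but for the provider's bounce domain, so the message fails DMARC and, under `p=reject`, is refused. Adding an aligned DKIM signature (or a return-path under your own domain) is what fixes it.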
Receiving DMARC Reports: Once DMARC is set up, domain owners can receive aggregate and failure (forensic) reports that provide insights into email traffic and authentication issues. Aggregate reports go to the address in the `rua=` tag (e.g., `rua=mailto:report@domain.com`), failure reports to the address in `ruf=`; both arrive as XML attachments.
Aggregate Reports: Sent by each participating receiver, typically once a day, these give a broad overview of the traffic: which IPs sent mail with your domain in From:, how many messages, whether they passed or failed SPF and DKIM, whether those results were aligned, and what disposition the receiver applied. By analyzing these reports, domain owners can identify legitimate sources of email that are misconfigured, as well as potential spoofing.
Forensic Reports: These are per-message reports for individual failures, sent only when a `ruf=` address is published. In theory they include headers and sometimes body content; in practice only a minority of receivers send them, and those that do usually redact them for privacy, so plan on the aggregate reports as your main signal.
What to Look For in DMARC Reports:
1. Volume Anomalies: A sudden spike in email volume from unfamiliar sources can indicate malicious activity or spoofing attempts.
2. Authentication Failures: Many emails failing SPF or DKIM checks from known sources may suggest configuration issues that need rectification.
3. Geographical Discrepancies: If emails from your domain frequently come from unexpected geographical locations, it's worth investigating.
4. Unfamiliar Identifiers: Aggregate reports carry no user-agent or mail-client information, so the fields to watch are the source IP, the SPF `envelope_from` domain and the DKIM `d=` and selector values. A source whose SPF passes for a domain you don't recognise, or which signs with a selector you never published, points at spoofing or at a vendor sending as you without authorization.
Monitoring and analyzing DMARC reports can help startups swiftly identify and rectify issues, ensuring optimal email deliverability and minimizing potential security threats.
The reports arrive as XML attachments to email, usually gzip- or zip-compressed, and a domain with any volume receives many per day. If you would like to monitor and get alerted on them with ease, tools are available such as DMARC Report, Easy DMARC, etc.
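To show what the triage above looks like on real data, here is an added example (not code from the original post) that unpacks a report attachment, parses the RFC 7489 aggregate schema, and classifies every failing row as either one of your own misconfigured sources or an unknown one. The XML is constructed for a hypothetical `example.com`: a hosted-mailbox source that passes, an API source whose SPF passes only for the provider's bounce domain `bounces.mailer.example`, and a source you never sent from. The `KNOWN_SOURCES` set is likewise an assumption standing in for your own inventory of sending IPs.

```python
import gzip
import io
import xml.etree.ElementTree as ET
import zipfile

# Constructed aggregate report (RFC 7489 Appendix C schema) for a hypothetical example.com.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
 <report_metadata><org_name>receiver.example</org_name>
  <email>dmarc-noreply@receiver.example</email><report_id>1696118400.17</report_id>
  <date_range><begin>1696032000</begin><end>1696118400</end></date_range></report_metadata>
 <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
  <p>reject</p><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><dkim><domain>example.com</domain><selector>google</selector><result>pass</result></dkim>
   <spf><domain>example.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.77</source_ip><count>35</count>
   <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>bounces.mailer.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.9</source_ip><count>400</count>
   <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.com</header_from></identifiers>
  <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results></record>
</feedback>
"""

# Constructed: the addresses you know you send from (mail host and API provider).
KNOWN_SOURCES = {"192.0.2.10", "198.51.100.77"}


def read_attachment(data: bytes, filename: str) -> str:
    """Reports arrive as .xml, .xml.gz or .zip attachments; return the XML text."""
    if filename.endswith(".gz"):
        return gzip.decompress(data).decode()
    if filename.endswith(".zip"):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(zf.namelist()[0]).decode()
    return data.decode()


def parse_report(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row, ev, auth = rec.find("row"), rec.find("row/policy_evaluated"), rec.find("auth_results")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": ev.findtext("disposition"),
            # policy_evaluated holds the *aligned* results; auth_results the raw ones
            "dkim_aligned": ev.findtext("dkim") == "pass",
            "spf_aligned": ev.findtext("spf") == "pass",
            "header_from": rec.findtext("identifiers/header_from"),
            "spf_raw": [(e.findtext("domain"), e.findtext("result")) for e in auth.findall("spf")],
            "dkim_raw": [(e.findtext("domain"), e.findtext("result")) for e in auth.findall("dkim")],
        })
    return {"org": root.findtext("report_metadata/org_name"),
            "domain": root.findtext("policy_published/domain"),
            "p": root.findtext("policy_published/p"), "rows": rows}


def totals(report: dict):
    """(messages reported, messages that failed DMARC)"""
    sent = sum(r["count"] for r in report["rows"])
    failed = sum(r["count"] for r in report["rows"] if not (r["dkim_aligned"] or r["spf_aligned"]))
    return sent, failed


def triage(report: dict, known_sources=KNOWN_SOURCES):
    """One finding per failing row: your own misconfigured source, or an unknown one."""
    findings = []
    for r in report["rows"]:
        if r["dkim_aligned"] or r["spf_aligned"]:
            continue
        raw_spf_pass = [d for d, res in r["spf_raw"] if res == "pass"]
        if r["source_ip"] in known_sources:
            if raw_spf_pass:
                why = ("SPF passes for %s but that is not aligned with From: %s; "
                       "sign with DKIM d=%s or use a return-path under your domain"
                       % (raw_spf_pass[0], r["header_from"], r["header_from"]))
            else:
                why = "known source fails both SPF and DKIM; check its configuration"
            findings.append(("misconfigured", r["source_ip"], r["count"], why))
        else:
            findings.append(("unknown-source", r["source_ip"], r["count"],
                             "possible spoofing of %s; disposition was %s"
                             % (r["header_from"], r["disposition"])))
    return findings
```

The difference between `policy_evaluated` and `auth_results` is the whole story of the second row: the raw SPF result is a pass, the aligned one a fail, and under `p=reject` those 35 messages were refused. The third row is the volume-anomaly case from the list above: 400 messages from an address that is not yours.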
BIMI (Brand Indicators for Message Identification)
BIMI is an emerging email specification that allows brands to display a designated logo next to their emails in the recipient's inbox (Gmail shows it alongside a blue verification checkmark). This not only boosts brand recognition but also reassures users of the email's legitimacy. Implementing BIMI requires DMARC at enforcement, meaning `p=quarantine` or `p=reject` with `pct=100` rather than `p=none`, plus a BIMI record at `default._bimi.<domain>` that points to the brand's logo in SVG Tiny PS format and, for the major mailbox providers, to a Verified Mark Certificate (VMC). The VMC is where the expense comes in: it is issued by a certificate authority, requires a registered trademark on the logo, and carries an annual fee. Yet, for brands seeking that extra layer of trust and visibility in their email communications, BIMI can be a valuable investment.
We chose not to implement BIMI at this point, given the use case we have and the cost associated with setting up BIMI.
3. The Role of Email API Providers: Spotlight on Sendgrid
As startups scramble to streamline their email systems, providers like Sendgrid emerge as saviors. Sendgrid and similar platforms simplify the SPF and DKIM setup by having you add a handful of CNAME records to your domain; DMARC remains a TXT record you publish and own yourself.
Technical Insight: Instead of you maintaining TXT records, Sendgrid's domain authentication gives you CNAME records that point at its servers: DKIM selectors under `_domainkey` that resolve to keys Sendgrid controls, so it can rotate them without a DNS change on your side, and a custom return-path subdomain so the bounce address sits under your domain and SPF passes in alignment with your From: address. Without that step, messages sent through the API pass SPF only for the provider's own domain, which does not count under DMARC.
Our co-founder & CEO, Jaimal Soni, founding engineer Abhinav Ittekot and I worked at Twilio before Insight Health. We got the opportunity to work alongside incredible colleagues at Twilio Sendgrid.
Shoutout to our friends at the Twilio Sendgrid team for building awesome email APIs and deliverability insights. Sendgrid is dope!
4. The Startup Learning Curve: A Personal Reflection
Startups, including insighthealth.ai, often face a steep learning curve when setting up new domains and email delivery. But, as with any challenge, it provided an invaluable learning opportunity. We soon recognized the need to invest in understanding and implementing proper email security and authentication measures right from the get-go.
Adding these records has dramatically improved our email deliverability via Google Workspace and the Sendgrid API. The following are recent metrics on our email deliverability.
[Figure: DMARC report. Source: DMARC Reporting - Insight Health Account]
[Figure: Sendgrid API report]
5. Conclusion
Emails, though often overlooked, are paramount in shaping a startup's image. They are the silent brand ambassadors, and their reliable delivery is non-negotiable. Drawing from my experience with insighthealth.ai, I cannot overemphasize the importance of SPF, DMARC, and DKIM. Moreover, I strongly recommend that startups prioritize domain allowlisting (asking customers' mail administrators to allowlist your sending domain) for enhanced email deliverability. With the plethora of tools and services available, there's no excuse for startups to neglect this vital aspect of their digital presence.
Hit me up at saran@insighthealth.ai if you have any questions.