SPF, DKIM, O, U, S, E…Or, here’s what those all really mean, not just the technical junk…

David Valdez

Let’s face it, the life of a marketing automation professional is one of never-ending technological change. One of the places that tends to be neglected is technical configuration: the elements sound confusing, and some of the best marketing automation professionals on earth don’t use them and don’t seem to have a problem, so they’re really not important, right? Unfortunately, while some really good marketers have managed to ignore technical requirements for a long time, 2019 was the year that the big Email providers got very serious again. I want you to go read the linked blog. Go ahead; I’ll wait.

Did you go read it? I’m serious…

Ok, hopefully you read it.

Google was not the only provider to tighten the requirements to get inbox placement. So, things that used to be somewhat optional if you were really good are now mandatory no matter how good you ever were. Google is putting 100 MILLION more emails into spam daily. You can’t just be “good enough” now; you have to play by their rules to succeed.

My Old MA Provider Didn’t Require This... so Why Does Act-On?

Not all marketing automation providers allow customers to configure things like SPF, DKIM, etc. The reason is simple: for marketing automation providers whose primary audiences are smaller, there’s a benefit to using a collective email reputation from the marketing automation provider. It’s the idea that there’s strength in numbers, and since most people don’t abuse the system, the occasional bad actor can be dealt with by policy and contract (meaning you kick out the bad actors if they don’t straighten up).

There’s a downside to this method, though. See, like anything else relying on averages, this approach brings down the top performers. If you send a lot of targeted emails, and you use good sending practices, why be average? With Act-On, you can begin to own your reputation. As you grow, not only will that work bear specific, positive fruit with inbox placement – if you get to a large enough size, you can smoothly transition into your own IP address and own every aspect of your reputation. In other words, if your marketing automation continues to grow, you’ll NEED to care about your reputation, so why not prepare now?

Sender Policy Framework (SPF)

You can read technical whitepapers if you want the deep explanation, but the simple way to look at SPF is the electronic version of a return address. It’s how you, and your email provider, can verify where a given email originates. SPF provides email marketers a way to approve the domain where their marketing emails come from. SPF proves that you are who you say you are. It’s not perfect, and it’s definitely incomplete, but it is the beginning of the chain of responsibility/ownership that ensures big email providers won’t just put your emails in spam.

 

One other necessary feature of SPF is that it permits the domain’s owners to delegate email sending responsibility to third-party entities. This is the part of SPF that relates to Act-On. Since Act-On is your marketing automation and email service provider, you want to let the email ecosystem know that Act-On is permitted to send on your behalf.

So, the SPF really is like the return address! It tells the world where the email originated - and for many types of mail, it’s a hard requirement for delivery.

DomainKeys Identified Mail (DKIM)

DKIM is a method by which email senders sign their sends in order to provide verification that the email originates where it claims to come from. To follow on with our physical email example, DKIM is the signature at the bottom of the letter. If a letter claims to be from someone you know, one of the ways you tell is by looking at the signature. Is it a real pen signature, or printed on? Do you know the person signing the letter? Used in combination with SPF, DKIM provides verification to the email world that an email send comes from where it claims, and the originator uses a cryptographic signature to ensure the chain of ownership.

Envelope-From

The envelope-from is a configuration setting for email that identifies to the email world that marketing emails will come from a specific domain/subdomain. This isn’t user-visible at all. This comes in the email header and is used by email providers to further evaluate ownership of an email. This fits into the physical email metaphor because the envelope a piece of mail comes in helps us know what kind of mail it is, and from whence it came. When you get a plain white envelope, it’s not as likely to be fun, but when the envelope is all kinds of bright and jarring, it’s less likely to be of actual interest. The Envelope-from is somewhat like the marketing automation email equivalent of an actual envelope, except the email system looks at it rather than the recipient.

Secure Sockets Layer (SSL)

SSL is core to every website and app that we use, but most of us know very little about it! First of all, did you know that no one uses actual SSL anymore? It sounds picky, but it’s important because of version numbers. The actual thing we use now is called Transport Layer Security (TLS), and it’s been rapidly evolving recently as earlier versions have been compromised. Ok…enough geek speak. How does this relate to email marketing?

While DKIM signs the whole email, individual elements in the email must also provide attestation or risk being placed in SPAM (or worse). All message contents must carry the TLS signature of the digital property they come from. For example, Act-On media files in emails include a signature originating from Act-On. As a result, if your signatures don’t all line up, your message delivery is in jeopardy! But don’t worry: Act-On issues TLS keys for customers. All that’s required of you is to define the subdomain in your corporate DNS, then submit a ticket to Act-On. We’ll issue a digital certificate for the subdomain (and handle renewal of the cert) so that you’re always current and don’t have to even think about it. And in the future, Act-On is committed to making it even easier.

Oh, and back to that SSL/TLS thing? The reason it’s particularly important just now is that TLS has been compromised twice, and the newest version, 1.2 should be the only one your company uses. Very soon, browsers will consider TLS1.1 signatures as insecure, meaning that many corporate email systems will completely reject TLS1.1 and earlier versions.

 

Distilling it Down

SPF, DKIM, Env-From, SSL/TLS…just a bunch of letters, but letters that you need to consider if you want to hit inboxes.

SPF tells the world you own your sends, and who can send for you.

DKIM digitally signs the email so that email servers can verify the origin.

Env-From tells the email world to expect marketing emails from the env-from domain.

SSL/TLS ensures every element has a proper digital signature.

Whew.

What it all really means, though, is simple. You must ensure these configurations are properly set or your email could be one of the hundreds of millions missing the inbox. And with Act-On’s help, the configs are pretty simple, too.

 

Here's a more gear-head PDF as well!

4

Comments

2 comments

  • Comment author
    Simon Baker

    I'd be interested to know if you think that if you are emailing with a sub-domain from address e.g. info@mail.abc-company.com whether you need to set up SPF and DKIM at the root domain level, the sub-domain level or both?

    0
  • Comment author
    Chris Apgar

    Hi Simon! SPF is most important on the envelope domain – in most cases you won't see a big difference from adding it to your additional from address subdomains. However, DKIM is very important on the subdomain level. DKIM is not passed down from the top level domain, so you will want to set it up on any subdomains you'll be sending from.

    0

Please sign in to leave a comment.