When considering email authentication, its impact on deliverability is a little more complicated today than it was just a year ago. Now, since major mailbox providers (MBPs) Google and Yahoo require a DMARC record, a lack of appropriate authentication can have real and direct consequences.
But let’s not get ahead of ourselves! Email authentication can be a complex topic, especially when looking at it through a performance lens, so let’s talk through what it is and why it’s important to be on top of it as soon as possible.
What is Email Authentication?
We’ll make this short and sweet! Email authentication is a set of technical standards allowing email recipients (like an MBP) to associate a message with a domain.
If the associated domain is reputable, it provides a greater level of trust in that message. A more trustworthy message is more apt to be delivered, so authentication is an important piece of the deliverability puzzle.
There are two major standards to know and use:
SPF
We have a blog dedicated to the finer points of sender policy framework (SPF), so we won’t do too much here. The important part is, SPF prevents sender address forgery, allowing senders to publish a list of IP addresses or server names authorized to send on their behalf.
If the record passes inspection, MBPs will deliver the mail. If a message takes an indirect path, like if it’s forwarded, the SPF record will fail. If it doesn’t pass, MBPs may still choose to deliver the mail. Why? Because indirect mail flows are a substantial portion of all email traffic, blocking all SPF failures would likely bounce more false positives than true spam. SPF failures are not treated as standalone signals for spam.
Since SPF is more prone to failure, it is the lesser preferred of the two authentication protocols (SPF and DKIM.)
Speaking of DKIM…
DKIM
Domainkeys Identified Mail (DKIM) is a tool to help receivers determine if a message was tampered with during transit. It is very similar to SPF, but a key difference is DKIM will not break if a message is forwarded, so it’s a more reliable form of authentication. So, if John Doe forwards your mail to his husband Jake, Jake’s receiving MBP will still be able to verify a DKIM record. If it’s only authenticated with SPF, the MBP might bounce the mail because it can’t verify it wasn’t altered.
How Does Authentication Affect Deliverability?
This answer is a little nuanced. Just because a sender uses authentication does not mean they immediately get preferential treatment.
A sender can use SPF and DKIM and their mail can still be rejected by a mailbox provider. So, the records themselves do not impact sender reputation. Instead, the records influence MBP decision-making, which then impacts deliverability.
For this reason, we do include authentication as a component of our StreamScore so our senders can easily see if authentication is present on their domains. However, we don’t use authentication as a reason to increase or decrease a StreamScore for the reason above: You can send authenticated mail but still not reach the inbox.
A little confused? Totally normal. Here’s a good way to look at it.
Email Authentication Builds Credit
Let’s say you walk into a car dealership to finance a new ride. They’ll want to look at your credit history before loaning you any money. If you don’t have any history of being reliable, like paying your bills on time and in full, you won’t get that loan.
Email authentication works similarly. Sending email without authenticating makes it impossible for MBPs to attribute good behavior to your domain. Even if you’re a Grade A sender, MBPs can’t give you credit for your responsible behavior because they can’t tie it to your domain without authentication.
If your email service provider (ESP) authenticates all of the mail coming from their servers on your behalf, it may increase your email’s chances of reaching the inbox, but your good behavior gives your ESP the credit boost, not you. You can pay on time every month with your own money, but if your parent is the only signature on your auto loan, the activity is attributed to them. It’s their loan, after all.
The ESP is like your parent. They’ll let you use their good name so MBPs are more willing to deliver your mail, but until you co-sign (aka add authentication to your domain) your own “credit history” isn’t benefitting from your diligent practices.
Without any domain cred, you’re at the mercy of other factors like IP reputation. If you’re on a shared IP with a ton of bad actors (which you shouldn’t be, because you should choose an email service provider who can help properly segment mail), and you’re not using authentication, you can’t prove your behavior isn’t contributing to the poor reputation.
However, if you’re using your own DKIM signature, they will be able to identify you as an individual sender, connecting your safe mail to your safe domain and ultimately give you credit for…well, being safe.
Your Credit Affects Your Performance
What happens if you have abysmal credit, but you ask for a loan? Sorry, guy, you’re denied. Again, email works similarly.
If your mail shows up at an MBP’s door and asks to be delivered but you have no authentication to prove you’re legit, they might reject the mail. Without authentication, mailbox providers have to use a plethora of other signals that are often convoluted and lead to inconsistent inbox placement results for the senders.
Since Google and Yahoo are demanding senders use DMARC, which is a protocol built on top of authentication that passes inspection, unauthenticated or incorrectly authenticated mail will start to be rejected simply based on their standards of practice.
It definitely doesn’t take rocket science to understand what happens to your email performance if two of the largest MBPs stop delivering your mail to their users.
Diagnosing a Correlation Between Performance and Email Authentication
There are a couple ways to do this, and we’ll start with the easiest way. Remember how we said we use authentication as a component of our StreamScore, but it doesn’t exactly ding the number you’ll see?
Authentication is used to provide you context. Since our SocketLabs Spotlight reporting platform is rich in context, this is a simple way to draw some parallels between your practices and your performance.
Our best example is the simplest: If you have a low StreamScore and you click into it for more detail, you’ll see whether or not your mail is authenticated. If it isn’t, you can start your redemption tour by properly authenticating. If you are authenticating your mail, you can click around more in different areas to follow where the path takes you.
Not a SocketLabs customer? It’s a little trickier to draw the line between performance and authentication.
Now, with Google and Yahoo’s recent moves, if you start noticing a downturn in delivery rates or increase in bounce reports, you should verify you’re properly authenticated. You should also check your authentication if you’ve got other negative signals coming in, like a dip in opens. It could indicate higher spam placement than you’d like, and that could also be authentication related.
Really, a very easy first step in investigating deliverability issues is simply ensuring you’re sending authenticated mail. It does make a difference, especially in today’s stricter MBP environment.
Our Authentication Advice
Do it.
Honestly, it sounds kind of like a joke, but it isn’t. We always recommend you authenticate as much as possible, like having an SPF record, a DKIM record, and a DMARC policy at enforcement.
Because we’ve always found authentication to be a must-have, we built the process right into our set-up steps. If you send via SocketLabs, we prompt you at the very beginning of your sending relationship with us to create and install SPF and DKIM records. We generate them for you, and we give you instructions for publishing them on your DNS. Easy peasy.
If you send with another ESP, here are a few resources you can use to help make sure you’re up to snuff. This guide to DKIM signing is a great place to start to help you set up what you need to build your own “credit.”
If you need additional help or have questions, never hesitate to reach out.