As of February 2024, domain authentication is more strictly enforced by Google and Yahoo. To avoid potential deliverability issues, DKIM and DMARC authentication must be set up for your sender email address domain.
What is DKIM?
DomainKeys Identified Mail (DKIM) is a form of email authentication that helps verify that an email’s sender address is legitimate and is not being spoofed by a third party. Inboxes typically view DKIM-signed emails as more trustworthy, which can help reduce bounces and improve deliverability. Many major inbox providers now require DKIM and DMARC authentication, at minimum, for anyone sending through an email service provider (ESP).
For a step-by-step guide on how to set up DKIM in your account, see this article. For more information about DKIM and tiered accounts, see this article. For information about authentication in general and sending requirements, see this article. If your IT team has security concerns about setting up DKIM, please refer to this article.
How email works
In order to understand how DKIM works and why it’s important, we need to know a little bit about how email works in general.
When someone sends an email, their computer or mobile device moves that email from the device to a server, using the network that the device is currently connected to. For example, if your device is connected to your organization’s wifi network, then it will use that wifi to move the email from your computer to your organization’s email server.
A server is essentially a powerful computer that can communicate with multiple devices on a network. Servers have the “brains” of a computer, but don’t always have a screen or a user interface; typically your IT team will use special code to communicate with the server and tell it how to operate. Many servers can also interact with other servers that are outside of their immediate network.
Returning to the example above, once your computer has moved the email to your organization’s email server, the server then needs to route the email to the correct destination. If the email was sent internally to a colleague, the server might immediately deliver it to their inbox and the email might never leave your organization’s network. However, if the email was sent to an external contact, then it will need to leave your organization’s network in order to be delivered. In this case, your organization’s email server will determine the appropriate receiving server and send the email there.
So every email follows this general path: from your device to the sending server, from the sending server to the receiving server, and from the receiving server to the recipient’s inbox.
Email headers
There’s more to an email than we can immediately see in our inboxes. In order to make sure that the email reaches the correct destination, inbox providers attach a packet of information, called a header, to every email that gets sent. Some of the information that’s included in a header is the sender email address, the sending server, the receiving email address, the receiving server, the email subject, and any authentication results.
Emails can also move between several servers before they are delivered, so the header will record information about each of those servers too. Additionally, each server that interacts with an email during the sending and receiving process will read that email’s header in order to route the email correctly and make sure that it’s safe.
Alignment
When someone sends an email from their own inbox, the sending email address and the sending server will be “aligned” in the header. Alignment means that the domain of the sending email address and the domain that owns the sending server match. If the domain of the sending email address and the domain that owns the sending server do not match, that email is considered unaligned.
For example, if someone opens their Gmail inbox, types an email, and clicks Send, that email will be moved to one of Gmail’s email servers and then sent to its destination from there. When the receiving server reads the header, it will see that the email was sent from an @gmail.com email address and from a server owned by Google. As a result, the receiving server will consider the sending domain and sending server in alignment.
Aligned emails are typically viewed as more trustworthy by receiving servers and inboxes.
Alignment is important because when someone sends an email through our system, it is always sent by our servers. As a result, the sending domain and sending server will automatically be unaligned for all emails sent through us, because the header will show that the sender email uses your organization’s domain but the sending server belongs to us. To many inboxes and receiving servers, this makes it look like we are impersonating or “spoofing” your domain and will often lead to bounces.
DKIM creates alignment
When you set up DKIM in your email marketing account, it creates alignment between the sending domain and the sending server, even though the header will still show them as different domains. Essentially, DKIM acts like a digital signature by adding information to the header that tells inboxes that your organization has given us permission to send emails on your domain’s behalf.
The DKIM alignment, also called authentication, provides an extra layer of security to your messages and makes it more difficult to spoof your domain. As a result, inboxes and receiving servers will have more confidence in the trustworthiness of your emails, which should lead to fewer bounces, especially if you’re sending to inbox providers who require DKIM, such as Gmail and Yahoo.
You can only set up DKIM for a domain that you or your organization own. It is impossible to set up DKIM for a free email address, such as Gmail or Yahoo.
This is one reason why you should not use a free email address as your sender email. Best practice is to use a domain that belongs to you and to set up DKIM authentication for it. If you don’t own a domain, or don’t know what that means, check out our Domain names and registrars article.
DMARC policies
Domain-based Message Authentication, Reporting and Conformance (DMARC) policies are a form of authentication that commonly works in tandem with DKIM. DMARC policies are created and controlled outside of your email marketing account and function as a “lock” for a particular domain. When an organization has added a DMARC policy to their domain, it typically means that no one can send unauthenticated or unaligned emails using that domain; if someone tries to use that domain to send an unauthenticated email, it will result in a DMARC failure and that email will usually hard bounce or get sent to the recipient’s junk folder.
DMARC is now required by many major inbox providers, so you’ll need to set it up before sending any emails from your email marketing account. For more information about DMARC, including one way to set it up, check out our DMARC and SPF setup article.
It is vital that you set up DKIM in your account and all your subaccounts, if applicable, before you create a DMARC policy on your domain. DKIM acts as the key for DMARC’s lock; without DKIM set up, every email you send from your email marketing account will fail DMARC and will either hard bounce or get sent to junk.
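The lock-and-key relationship described above can be modelled in a few lines. This is an added example, not code from our platform: it shows how a receiving server might decide a DMARC outcome for a message sent through an ESP, with and without an aligned DKIM signature. The function names and sample domains are hypothetical, the organizational-domain rule is a labelled simplification, and the DKIM cryptographic result is supplied by the caller rather than computed.

```python
from email import message_from_string
from email.utils import parseaddr

def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real evaluators
    # use the Public Suffix List (needed for suffixes such as co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_tags(value):
    # Parse the "k=v; k=v" tag lists used by DMARC records and DKIM-Signature.
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = "".join(val.split())
    return tags

def aligned(from_dom, auth_dom, mode):
    # "s" = strict (exact match); "r" = relaxed (same organizational domain).
    if mode == "s":
        return from_dom.lower() == auth_dom.lower()
    return org_domain(from_dom) == org_domain(auth_dom)

def dmarc_disposition(raw_msg, dmarc_record, spf, dkim_verified):
    # spf: (result, envelope-sender domain). dkim_verified: set of d= domains
    # whose signatures verified; the crypto check itself is out of scope here.
    msg = message_from_string(raw_msg)
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    policy = parse_tags(dmarc_record)
    adkim, aspf = policy.get("adkim", "r"), policy.get("aspf", "r")
    signers = [parse_tags(h).get("d", "") for h in msg.get_all("DKIM-Signature", [])]
    dkim_ok = any(d in dkim_verified and aligned(from_dom, d, adkim) for d in signers)
    spf_ok = spf[0] == "pass" and aligned(from_dom, spf[1], aspf)
    # DMARC passes if either mechanism passes AND aligns with the From domain.
    return "pass" if dkim_ok or spf_ok else policy.get("p", "none")

# Constructed sample data: From uses the organization's domain, but the mail
# leaves through an ESP whose bounce domain is what SPF authenticates.
UNSIGNED = "From: News <news@example.org>\nSubject: Hello\n\nbody\n"
SIGNED = ("DKIM-Signature: v=1; a=rsa-sha256; d=example.org; s=esp1;\n"
          " bh=PLACEHOLDER; b=PLACEHOLDER\n" + UNSIGNED)
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r"
ESP_SPF = ("pass", "bounce.esp.example.net")

if __name__ == "__main__":
    print(dmarc_disposition(UNSIGNED, RECORD, ESP_SPF, set()))            # reject
    print(dmarc_disposition(SIGNED, RECORD, ESP_SPF, {"example.org"}))    # pass
```

The unsigned message is rejected even though SPF passes, because the domain SPF authenticated belongs to the ESP and does not align with the From domain; the DKIM signature with d= set to the sender's own domain is what supplies the aligned identifier.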