Email Authentication: The Key to Securing B2B Email Marketing Success 

In October 2023, Google and Yahoo established new requirements for bulk email senders. These rules took effect in February 2024, and with huge ramifications for B2B email marketers. 

The goal is simple: to reduce the volume of malicious and spam emails that reach user mailboxes. Google trialed this with Gmail users in 2023, and the volume of unauthenticated messages dropped by 75%. For B2B email marketers, ensuring the security and deliverability of your messages has never become more paramount. 

What is Email Authentication? 

Email authentication is the process of verifying the identity of the sender of an email message. It helps ensure that the email is coming from a legitimate source and not from a spoofed or impersonated address. In an age where trust and credibility are essential for building and maintaining strong business relationships, email authentication serves as a helpful tool to position your brand as trustworthy, help with content reach, and boost lead conversions. 

Why is Email Authentication Vital for Success in Email Marketing? 

Email marketing plays a central role in nurturing leads, fostering relationships, and driving business growth. However, the proliferation of email-based scams, phishing attempts, and other cybersecurity threats has made it imperative for B2B marketers to prioritize email authentication.  

Those working in marketing and sales are likely familiar with user experience (UX) and customer experience (CX). Email authentication tackles the root cause of malicious, misleading, and spammy content, which negatively impacts marketing prospects and internal employees alike. 

• Enhance Brand Reputation: Email authentication helps establish your brand as a trustworthy sender, protecting your company’s reputation and building stronger trust with your B2B audience. 
• Improve Email Deliverability: Email authentication protocols, such as SPF, DKIM, and DMARC, can significantly improve the chances of your emails reaching the intended recipients’ inboxes, rather than being flagged as spam or rejected altogether. 
• Mitigate Phishing and Spoofing Attacks: By verifying the identity of the sender, email authentication helps prevent cyber criminals from impersonating your brand and using your domain to conduct phishing or spoofing attacks, which can be detrimental to your business. 
• Comply with Industry Regulations: Many industries have specific regulations or guidelines around email security and authentication, such as the CAN-SPAM Act in the United States. Implementing email authentication helps to ensure your B2B email marketing practices are compliant with these regulations. 

What are the Benefits of Email Authentication? 

• Crack Down on Spoofing: Attackers are up against a brick wall if they want to forge email addresses or spoof identities, thanks to authentication via SPF DKIM and DMARC. 
• Higher Email Deliverability, Less Spam, and Rejection: Email authentication increases the delivery rate to user inboxes; authenticated emails are highly likely to pass spam, spoofing, and phishing security checks. 
• High Trust via Domain and Identity Validation: The inclusion of mailed-by and signed-by information in the email header proves that the domain and identity are valid, and prevents “isn’t authenticated” question mark alerts from appearing as the sender image. 
• Prevent Hijacking and Phishing to Protect Brand Reputation: Authentication and validation checks prevent unauthorized or malicious use of your email domain, as seen with phishing and social engineering. 
• Harden Security Against Malware Attacks: DMARC policies allow you to quarantine or reject emails with invalid SPF and DKIM information, or when the encryption method does not meet security requirements, alongside chained authentication via ARC when forwarding emails to preserve message integrity. 
• Increase Visibility and Control: Network administrators can configure daily DMARC aggregate reports from mail servers, and whitelist or blacklist by IP address to prevent spoofing and phishing  – metrics include pass and fail rates for SPF and DKIM checks, the email source, authentication status, and DMARC policy actions such as reject, quarantine, or deliver. 
• Essential for Compliance: After February 2024, failure to comply with the new guidelines will reduce deliverability rates, increase the volume of messages routed to spam folders, and reduce the reputation and level of trust for bulk email senders. 
• Improve CX and UX via Less Spam and Junk Emails: Customers hate to receive useless spam emails; they distract from important tasks and waste time—nobody wants this! DMARC with SPF and DKIM is the path to more relevant and legitimate emails, which improves the customer and user experience for everyone. 
• Enable Advanced Email Features Like BIMI: BIMI stands for brand indicators for message identification. To publish a BIMI record, you must configure DMARC policies that handle quarantine and rejection actions. The outcome is visual indicators in the recipient mailbox, such as verified brand logos and verified mark certificates (VMC) issued by a certificate authority (CA). The validated brand logo is stored as a scalable vector graphic (SVG) file in the domain DNS record. 

How Does Email Authentication Work? 

As a high-level overview, email authentication is a framework of protocols and mechanisms that validate the identity of senders and protect against spoofing and phishing. How do these individual protocols and mechanisms work together as a system? 

Sender Policy Framework (SPF) 

SPF is an email authentication standard that verifies whether an email server is permitted to send emails on behalf of a domain. Publishing an SPF record in your domain’s DNS settings allows you to create a list of approved IP addresses or hostnames that are permitted to send emails from your domain. This helps to prevent email spoofing and improves the deliverability of your B2B email campaigns. 

The SPF record sits in a DNS zone as a TXT record and contains IP addresses and subnets authorized to send emails. 

The recipient’s mail server cross-references this SPF record to see if the sender’s IP address is in the whitelist. If yes, the email is delivered to the inbox. If not, the email may be rejected, quarantined, or sent to spam. 

Here’s an example code for an SPF record, along with parameters: 

v=spf1 ip4:192.168.0.1 include:example.com -all 

• v=spf1 –> this refers to SPF version 1 
• ip4:192.168.0.1 -> the target IPv4 (ip4) or IPv6 (ip6) address 
• include:example.com -> includes additional SPF record values from specified domain 
• -all -> this is known as a hard fail policy; the final verdict on what action is taken with any email that does not match the SPF criteria.

Domain-Keys Identified Mail (DKIM) 

DKIM is a cryptographic email authentication method that adds a digital signature to outgoing emails. This signature is generated using a private key associated with your domain and can be verified by the recipient’s email server using a public key. DKIM helps to ensure the integrity of the email content and prevents message tampering, further strengthening the credibility of your B2B email communications. 

DKIM uses public-key cryptography to sign emails and verify message integrity. As an email travels through ESP networks, the recipient mail server uses DKIM values to validate the email signature: 

1. When sending an email, the mail server adds a DKIM cryptographic signature header 

2. The domain owner must also publish this key in a publicly accessible DKIM TXT record 

3. The recipient mail server validates that DKIM DNS values match the email header DKIM values 

4. A match means the sender is real, and a mismatch could indicate spoofing or phishing. 

Here’s an example code for a DKIM record, along with parameters: 

default._domainkey.example.com IN TXT “v=DKIM1; k=rsa; p=publicKey” 

• default -> this is the DKIM selector 
• v=DKIM1 -> the DKIM version 
• k=rsa -> the encryption key type 
• p=publicKey -> the DKIM public key value for DNS validation 

Domain-Based Authentication, Reporting, and Conformance (DMARC) 

DMARC is a protocol that builds upon SPF and DKIM, providing a comprehensive framework for email authentication and reporting. With DMARC, you can specify how your domain’s emails should be handled by recipient email servers, such as rejecting or quarantining emails that fail authentication checks. DMARC also provides valuable reporting capabilities, allowing you to monitor and analyze the delivery of your B2B email campaigns

DMARC is a substrate for policies and reporting. 

It functions as a central control mechanism for inbound and outbound email traffic, using SPF and DKIM checks to control the flow and delivery of emails: 

1. DMARC policies are set in public DNS TXT records 

2. The recipient mail server evaluates SPF and DKIM values 

3. Based on values, refer to the DMARC policy for what actions to take 

4. A failed check triggers an action, such as quarantine, none, or reject 

Bulk email senders may want to start with only None actions in DMARC. This enables DMARC failure reporting without manipulating email flows to gather insight. 

DMARC aggregate and forensic reports contain: 

• Authentication logs for each email message 
• The sender and recipient mail server responses 
• Actions taken 

Here’s an example code for a DMARC policy record, along with parameters: 

_dmarc.example.com IN TXT “v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected]; fo=1” 

• v=DMARC1 -> the DMARC version 
• p=reject -> the handling policy for failed emails 
• rua -> target email to send Aggregate reports 
• ruf -> target email to send Forensic reports 
• fo -> Forensic reporting options

Brand Indicators for Message Identification 

BIMI enables brands to store SVG vector logos in DNS records, and display the logo in the recipient mailbox if the email passes DMARC checks. 

BIMI is only available when you configure quarantine and reject actions in the DMARC policy. 

1. First, obtain a verified mark certificate (VMC) from a certificate authority (CA) like Comodo, DigiCert, or GeoTrust 

2. Host the VMC file on a publicly accessible HTTPS URL 

3. Then, add the VMC file URL to a DNS BIMI TXT record 

4. Finally, publish the BIMI record 

Here’s an example code for a BIMI record, along with parameters: 

default._bimi.example.com IN TXT “v=BIMI1; l=https://example.com/logo.svg; a=https://example.com/vmc.pem” 

• default._bimi.example.com -> this refers to the BIMI record subdomain (example.com), selector (default), and record indicator (_bimi) 
• IN TXT -> BIMI is in a TXT DNS record identifier 
• v=BIMI1 -> this is BIMI standard version 1 
• l=https://example.com/logo.svg -> the SVG URL for your logo must be public and HTTPS enabled 
• a=https://example.com/vmc.pem (optional) -> this points to an optional URL that contains the VMC certificate for security purposes 

 Authenticated Received Chain (ARC) 

ARC uses cryptographic email headers to preserve authentication results during transmission – such as forwarding through downstream email exchange servers and mailing lists. 

It’s a complementary authentication method when changes by intermediary servers result in spam or rejection. 

ARC is a verifiable chain of custody if intermediary changes lead to invalid SPF and DKIM values, preventing reject or spam actions via DMARC policies. 

Here’s an example code for ARC records, along with parameters: 

ARC-Seal: i=1; a=rsa-sha256; d=example.com; s=arcselector; t=1625241521; cv=none; b=signaturedata 

ARC-Message-Signature: i=1; a=rsa-sha256; d=example.com; s=arcselector; t=1625241521; h=from:to:subject:date; bh=hashofbody; b=signaturedata 

ARC-Authentication-Results: i=1; mx.example.com; dkim=pass header.d=example.org; spf=pass smtp.mailfrom=example.org; dmarc=pass header.from=example.org 

• i -> the hop instance number, how many times has this message been forwarded 
• a -> the encryption key algorithm 
• d -> the source domain for ARC headers 
• s -> this selects which key to generate the signature with 
• t -> a signature generation timestamp 
• cv -> the chain validation status (none, pass, fail) 

What is the Difference Between Email Authentication and Verification? 

Authentication and verification are two distinct processes under the umbrella of email security and management. 

It’s important to understand the distinction between email authentication and verification. While email authentication focuses on verifying the sender’s identity and the legitimacy of the email message, email verification confirms the existence and deliverability of an email address. 

Email verification can be a valuable complement to your email authentication efforts, as it helps to ensure the accuracy and quality of your B2B email marketing lists. By regularly verifying the email addresses in your database, you can minimize the risk of bounced emails, improve your sender reputation, and enhance the overall effectiveness of your B2B email marketing campaigns. 

How are objectives different? 

• Email Authentication: Authentication aims to verify the authenticity and integrity of messages and sender domains. 

• Email Verification: This refers to a simpler process – is the target email address, person, or company real and capable of receiving emails? 

How is the focus and context different? 

• Email Authentication: Authentication checks whether the email origin and contents are legitimate. 

• Email Verification: Verification checks if the email was sent from the domain claimed, and its contents have not been altered during transmission. 

What actions are involved in each process? 

• Email Authentication: Authentication relies on SPF and DKIM records to validate emails, and DMARC to enforce actions based on validation results. 

• Email Verification: Verification would check the message syntax, sender domain, and SMTP routing data to verify the email exists and is reachable. 

What is the intended outcome? 

• Email Authentication: Authentication ensures that the current email comes from a trusted source and its integrity is not compromised. 

• Email Verification: To find out if [email protected] is a valid, deliverable email address by analyzing syntax, domain, and mailbox data. 

  This simple explanation of email authentication versus verification summarizes the differences: 

1. Authentication is a data screening process – is this data what it says it is? 

2. Verification is a data validation process – does this data exist? 

How to Implement Email Verification in Your B2B Email Marketing Strategy? 

To implement email verification in your B2B email marketing strategy, consider the following steps: 

• Establish a Regular Email Verification Routine: Implement a consistent schedule for verifying your email list, such as monthly or quarterly, to ensure the accuracy and deliverability of your B2B email campaigns. 

• Utilize Email Verification Tools: Leverage specialized email verification tools or services that can quickly and efficiently validate the email addresses in your database, identifying and removing any invalid or undeliverable addresses. 

• Incorporate Email Verification into Your List-Building Practices: Implement email verification as part of your lead capture and list-building processes, ensuring that new email addresses are validated before being added to your B2B email marketing lists. 

• Monitor and Analyze Email Verification Results: Regularly review the results of your email verification efforts, tracking metrics such as the number of valid and invalid email addresses, bounce rates, and overall list health. Use this data to optimize your B2B email marketing strategies and improve the effectiveness of your campaigns. 

Before you look at email authentication, don’t make the mistake of ignoring email verification. 

Email verification goes hand in hand with authentication. It helps to cleanse and maintain hygiene standards for mailing lists and customer relationship management (CRM) datasets.  

DemandScience has the antidote to messy customer data with its Intelligent Email Verification solution. It offers a full suite of benefits for B2B email marketers and sales agents: 

1. A user-friendly visual online dashboard 

2. Shareable PDF reports containing detailed user insights and verification results 

3. Real-time and batch API access for serverless integration into your IT ecosystem 

4. Unique email network infrastructure verification technology built for B2B 

5. Greater precision, outreach, and cost efficiency for bulk email campaigns 

---

Get in touch with DemandScience today. We handle verification, so you can focus on delivering for your customers.