# Email Authentication (SPF, DKIM, DMARC & BIMI)

## About Email Authentication

Email authentication is the first aspect senders should consider when they start sending emails. **Email authentication is required by mailbox providers** and is crucial for verifying sender identity and minimizing email spoofing risks.

When sending emails, ensure you have correctly implemented the following technical measures:

* Sender Policy Framework (SPF)
* DomainKeys Identified Mail (DKIM)
* Domain-based Message Authentication, Reporting, and Conformance (DMARC)

While these are not related to email authentication, we also recommend implementing:

* MX records, to specify the servers responsible for receiving email
* Brand Indicators for Message Identification (BIMI)

{% hint style="info" %}
As part of Batch's default implementation, every sender must use SPF, DKIM and DMARC.
{% endhint %}

## Email Security & Transport

All emails sent through Batch are transmitted using **TLS (Transport Layer Security) encryption.**

This means your email content is automatically protected with industry-standard encryption while traveling between servers, safeguarding your communications from interception.

{% hint style="info" %}
**TLS is enabled by default** and requires no additional configuration on your part. Your emails are secured from the moment they leave our platform.
{% endhint %}

## Sender Policy Framework (SPF) <a href="#h_b5a4f400b9" id="h_b5a4f400b9"></a>

SPF validates the sending IP address. It is designed to stop spammers from sending emails that falsely appear to come from your domain.

To implement SPF, you need to create and publish an SPF record for your domain, listing all authorized email servers.

<figure><img src="https://509463063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfiAYaWDWqtFZeXxyg67F%2Fuploads%2FRsLrdyYtnM2M6eBirVwy%2Fdeliverability_spf_211025.png?alt=media&#x26;token=084c4052-bd2e-46e0-98d9-d8e5e513c11f" alt="Sender Policy Framework (SPF) example"><figcaption></figcaption></figure>
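
The following check is an added example, not Batch's own tooling: it lints the TXT records of a sending domain for the SPF mistakes that most often break validation (several SPF records, an over-permissive `all`, too many DNS-querying terms). The sample records, hostnames and addresses are constructed placeholders.

```python
import re

# Terms that trigger a DNS query during evaluation; RFC 7208 (section 4.6.4)
# caps them at 10 per check, beyond which receivers return "permerror".
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
TERM_RE = re.compile(r"^([+\-~?]?)([a-z0-9]+)(.*)$")


def lint_spf(txt_records):
    """Return the problems found in a domain's TXT records (empty list = OK)."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["more than one SPF record: evaluation fails with permerror"]

    problems, lookups, has_all, has_redirect = [], 0, False, False
    for term in spf[0].lower().split()[1:]:
        match = TERM_RE.match(term)
        if not match:
            problems.append(f"unparseable term: {term}")
            continue
        qualifier, name, _rest = match.groups()
        if name in LOOKUP_TERMS:
            lookups += 1  # nested includes add more; resolving them needs DNS
        if name == "redirect":
            has_redirect = True
        if name == "all":
            has_all = True
            if qualifier in ("", "+"):
                problems.append("'+all' authorizes every server on the Internet")
    if lookups > MAX_LOOKUPS:
        problems.append(f"{lookups} DNS-querying terms (limit is {MAX_LOOKUPS})")
    if not has_all and not has_redirect:
        problems.append("no 'all' or 'redirect': unmatched senders get 'neutral'")
    return problems


# Constructed sample records; the hostnames and addresses are placeholders.
GOOD = ["v=spf1 include:_spf.mail-provider.example ip4:192.0.2.10 -all"]
OPEN = ["v=spf1 mx +all"]
SPLIT = ["v=spf1 ip4:192.0.2.10 -all", "v=spf1 include:_spf.other.example -all"]

if __name__ == "__main__":
    for records in (GOOD, OPEN, SPLIT):
        print(records, "->", lint_spf(records) or "OK")
```

The lookup count covers only the terms in the record itself; records pulled in through `include` or `redirect` count toward the same limit of 10.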

## DomainKeys Identified Mail (DKIM) <a href="#h_811ed150e8" id="h_811ed150e8"></a>

DKIM enables inbox providers to verify that the email is authentic and hasn't been modified during delivery.

DKIM is an email authentication method that helps protect against email spoofing and phishing attacks. It allows an organization to verify the authenticity of an email message, enabling recipients to confirm that the message was indeed sent by the domain owner.

<figure><img src="https://509463063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfiAYaWDWqtFZeXxyg67F%2Fuploads%2FL7ph5xWcKgooZ2Nc0Xea%2Fdeliverability_dkim_211025.png?alt=media&#x26;token=3e095d07-2af6-40d0-9807-0728cd25d541" alt="DomainKeys Identified Mail (DKIM) example"><figcaption></figcaption></figure>

{% hint style="info" %}
By default, Batch uses a 2048-bit DKIM key and DKIM over-signing. Our team can generate a stronger DKIM key upon request.
{% endhint %}

## Domain-based Message Authentication, Reporting, and Conformance (DMARC) <a href="#h_24149f652a" id="h_24149f652a"></a>

DMARC helps prevent email spoofing and phishing by allowing domain owners to set policies that dictate how receiving servers should manage emails that fail SPF or DKIM checks, such as quarantining or rejecting them.

Additionally, DMARC provides domain owners with reports on email delivery and authentication, aiding in the monitoring and enhancement of email security.

<figure><img src="https://509463063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfiAYaWDWqtFZeXxyg67F%2Fuploads%2F2ymzwWoF7gIcGt8YBgGD%2Fdeliverability_dmarc_211025.png?alt=media&#x26;token=c2205aff-224f-48aa-baef-807a39b8b707" alt="Domain-based Message Authentication, Reporting, and Conformance (DMARC) example"><figcaption></figcaption></figure>

{% hint style="info" %}
We strongly recommend you set up **DMARC reports**. This will allow you to monitor emails sent using your domain and to identify senders trying to impersonate your domain.
{% endhint %}
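
The following review function is an added example, not part of Batch's tooling: it parses a DMARC record, returns the policy receivers will apply to failing mail, and flags a record that requests no aggregate reports. The sample records and the report mailbox are constructed placeholders.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_tags(record):
    """Split 'tag=value; tag=value' into a dict, keeping the published order."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def review_dmarc(record):
    """Return (policy, findings) for the TXT record at _dmarc.<your domain>."""
    tags = parse_tags(record)
    # The version tag must come first and match exactly, or receivers
    # ignore the whole record (RFC 7489).
    if next(iter(tags.items()), None) != ("v", "DMARC1"):
        return None, ["record does not start with v=DMARC1 and will be ignored"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return None, [f"missing or invalid p= tag: {policy!r}"]

    findings = []
    if policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy covers only part of failing mail")
    reports = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if not reports:
        findings.append("no rua= tag: no aggregate reports will be sent to you")
    return policy, findings


# Constructed sample records; the report mailbox is a placeholder.
MONITOR_ONLY = "v=DMARC1; p=none"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
WRONG_ORDER = "p=reject; v=DMARC1"

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, ENFORCED, WRONG_ORDER):
        print(rec, "->", review_dmarc(rec))
```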

## Optional Setup <a href="#h_9a1409e53e" id="h_9a1409e53e"></a>

### → Specify the Servers Responsible for Receiving Email <a href="#h_969e94b372" id="h_969e94b372"></a>

Some inbox providers may require the presence of a **Mail Exchange (MX)** record to accept emails. An MX record is a type of DNS record that specifies the mail servers **responsible for receiving email messages** on behalf of a domain.

<figure><img src="https://509463063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfiAYaWDWqtFZeXxyg67F%2Fuploads%2FGD7RW0MEuA60eTUxeTqb%2Fdeliverability_mx_211025.png?alt=media&#x26;token=403a0f45-d6a2-426c-8482-f80127ff8944" alt="MX setup example"><figcaption></figcaption></figure>

You can use the MX records that the Batch implementation team provides by default as part of the onboarding process, or use your own if you want to process the responses in a specific tool you are already using (e.g., a ticketing tool).

### → Brand Indicators for Message Identification (BIMI) <a href="#h_a7be8177be" id="h_a7be8177be"></a>

[Brand Indicators for Message Identification (BIMI)](https://bimigroup.org/) is an email specification that allows authenticated senders to display their logos within supporting email clients, improving brand recognition.

<figure><img src="https://509463063-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FfiAYaWDWqtFZeXxyg67F%2Fuploads%2Fa84eEHeqsZsYaM5i3zSs%2Fdeliverability_bimi_310325.png?alt=media&#x26;token=2a70dce8-477a-4b00-ac7e-22e0a96c2843" alt="BIMI implementation example"><figcaption></figcaption></figure>

BIMI adds value for brands that want to stand out in the recipient's inbox or that are more likely to be targeted by phishing campaigns (e.g., finance, insurance). Note that BIMI implementation is optional and not all email providers currently support it.

{% hint style="info" %}
Implementing BIMI is possible with Batch. It involves additional costs to obtain a renewable Verified Mark Certificate.
{% endhint %}
