Email

Putting It All Together: Email Authentication Fundamentals for Access Developers

Transitioning from Outlook automation to SMTP services? Learn the fundamentals of SPF, DKIM, and DMARC to keep your Access application's emails out of spam folders.

Mike Wolfe

6 min read
Putting It All Together: Email Authentication Fundamentals for Access Developers

Email just works—until it doesn't.

For years, Access developers have relied on Outlook's COM automation to handle email delivery without worrying about the underlying mechanics. But as Microsoft pushes "New Outlook" and phases out COM automation support, we're being forced to understand what happens after we click "send."

In our previous articles, we explored how email infrastructure works and the security protocols that authenticate messages. Now it's time to bridge those concepts with practical implementation.

Transitioning from Outlook Automation to Authenticated SMTP Services

The era of easy email automation through Outlook is ending.

When using Outlook automation, your Access application leveraged Microsoft's established email infrastructure. Outlook handled authentication, security protocols, and delivery mechanics behind the scenes. Your code simply told Outlook what to send and to whom.

With services like Mailgun, the responsibility shifts to you. Your application must now:

  1. Connect directly to an SMTP server or API
  2. Format messages according to proper standards
  3. Provide authentication credentials
  4. Handle delivery status notifications
  5. Troubleshoot delivery failures

This transition requires understanding email authentication not just conceptually, but practically. If you're looking to get started quickly with Mailgun specifically, check out my Mailgun Quick Start Guide which walks through the setup process and provides sample VBA code for sending test emails using Mailgun's sandbox domain. Note that the Quick Start Guide does not cover setting up DNS records for custom domains—we'll address those concepts in this article series.

Important Caveat: This article provides an overview of email authentication concepts but is not an exhaustive guide for configuring authentication records. Incorrect DNS configuration can severely impact your or your client's domain's overall email deliverability. Whenever possible, work with your client's IT department or network administrator to implement DNS changes.

Real-World Impact of Authentication Failures on Email Delivery

Authentication failures aren't theoretical problems—they have immediate, practical consequences.

When your emails fail authentication checks, several things can happen:

  • Messages may be rejected outright (never delivered)
  • Emails might be quarantined in spam folders
  • Deliverability rates can plummet across all recipients
  • Your or your client's domain reputation could suffer long-term damage

Properly authenticated emails have significantly higher inbox placement rates than unauthenticated messages. Major email providers like Gmail and Microsoft now use authentication as a key factor in their filtering algorithms.

This isn't just about security—it's about ensuring your messages actually reach their intended recipients.

Balancing Security with Deliverability in Practice

Email authentication presents a practical balancing act.

Historically, permissive configurations might have seemed safer for ensuring delivery. Today, the opposite is true—insufficient authentication increasingly leads to delivery problems.

Major providers like Gmail, Yahoo, and Microsoft now scrutinize or outright reject messages from domains with weak authentication. Properly implemented SPF, DKIM, and DMARC aren't just security best practices—they're becoming prerequisites for reliable delivery.

The key is implementing authentication gradually:

  1. Start with monitor mode (DMARC p=none)
  2. Review reports to identify legitimate senders
  3. Adjust configurations to accommodate legitimate traffic
  4. Gradually increase enforcement as confidence grows

This balanced approach ensures you protect the domain while maintaining deliverability.

A Note on MX Records: While understanding the complete email ecosystem is valuable, Access developers automating email sending can generally ignore MX (Mail Exchange) records. These DNS records only dictate how incoming emails are routed to receiving servers, not how outgoing emails are sent. Your focus should be on SPF, DKIM, and DMARC, which directly affect your ability to send authenticated emails.

Authentication Protocols: A Brief Overview

Before diving into implementation details (which we'll cover in subsequent articles), let's review the three key authentication protocols:

SPF (Sender Policy Framework)

SPF is like a guest list for your domain's email servers. It specifies which servers are authorized to send email on behalf of your domain.

Key points about SPF:

  • Implemented as a DNS TXT record
  • Lists authorized sending servers by IP address or domain
  • Checked at the beginning of email delivery
  • Has technical limitations (especially with forwarded email)
  • Misconfiguration can break all email from a domain

DKIM (DomainKeys Identified Mail)

DKIM is like a wax seal on a medieval letter. It cryptographically signs your messages to prove they haven't been tampered with in transit.

Key points about DKIM:

  • Uses public/private key cryptography
  • The public key is published in DNS
  • The private key is used to sign outgoing messages
  • Survives email forwarding (unlike SPF)
  • Provides content integrity verification

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC is like the enforcement policy that ties SPF and DKIM together. It tells receiving servers what to do when authentication fails and provides reporting.

Key points about DMARC:

  • Relies on SPF and/or DKIM
  • Provides visibility through aggregate reports
  • Allows for gradual policy implementation
  • Helps protect against domain spoofing
  • Becoming increasingly important for deliverability

Implementation Order and Relative Importance

If you're implementing email authentication for the first time, here's the recommended approach based on importance and risk:

  1. SPF: Highest priority but highest risk. Start here, but proceed with extreme caution.
  2. DKIM: Almost as important as SPF, but lower risk to implement. This should be your second step.
  3. DMARC: Start in monitoring mode (p=none) to gain visibility without enforcement. This is your third step.

The main reason for recommending SPF first, despite its higher risk, is that it's the most widely checked and historically established authentication protocol. Most receiving mail servers check SPF first and give it significant weight in their filtering decisions.

SPF directly addresses the most common form of email spoofing - where someone sends from a server not authorized by the domain owner. Without SPF, your domain is essentially saying "we don't specify who can send on our behalf," which is increasingly problematic in today's security-conscious email ecosystem.

Testing Tools and Resources for Verifying Proper Email Configuration

Before sending production emails, verify your configuration with these tools:

  1. SPF Record Validator: MXToolbox SPF Lookup
    • Checks syntax and validates your SPF record
  2. DKIM Validator: DKIM Core Validator
    • Sends a test email to verify DKIM signatures
  3. DMARC Analyzer: DMARC Inspector
    • Validates your DMARC record syntax
  4. Email Deliverability Test: Mail-Tester
    • Provides a comprehensive deliverability score
  5. DNS Propagation Checker: DNSChecker
    • Verifies your DNS changes have propagated globally

These tools help identify configuration issues before they affect real emails.

Working with IT Departments and DNS Administrators

As an Access developer, you may not have direct control over your client's DNS settings—and that's often for the best. Here's how to effectively collaborate with IT departments:

  1. Understand Your Role: Your job is to identify what authentication records are needed, not necessarily to implement them directly.
  2. Provide Specific Requests: Instead of asking for "DNS access," provide the exact records needed (e.g., "Please add this TXT record for DKIM authentication").
  3. Explain the Purpose: Briefly explain why these records are necessary for your application's email functionality.
  4. Respect Their Processes: DNS changes often require change management procedures and approval. Be patient.
  5. Offer Testing Assistance: Volunteer to help verify the changes once implemented using the testing tools mentioned above.

This collaborative approach respects domain sovereignty while ensuring your application's needs are met.

When Access Developers Become the IT Department

Many Access developers find themselves wearing multiple hats for small business clients.

For smaller organizations without dedicated IT staff, you may be asked to implement DNS changes directly. This responsibility shouldn't be taken lightly—DNS changes affect all email for the domain, not just your application's messages.

Think of DNS configuration like residential electrical work. With proper knowledge and caution, you can safely make changes yourself. But approach it carelessly, and you risk "burning down the house"—in this case, completely disrupting your client's email communication.

If you find yourself in this position:

  1. Document Everything: Before making any changes, document the current DNS configuration as a backup.
  2. Use Minimum TTL Values: When first implementing records, use short Time-To-Live values (e.g., 300 seconds) to allow for quick corrections if something goes wrong.
  3. Make One Change at a Time: Implement SPF first, verify it works, then move to DKIM, and so on. This makes troubleshooting easier.
  4. Schedule Changes Strategically: Implement changes during off-hours when email disruption would have minimal impact.
  5. Have a Rollback Plan: Know exactly how to revert your changes if problems arise.
  6. Set Expectations: Make sure your client understands there may be a brief period of adjustment as the changes propagate.

Remember that while you can make these changes, the ultimate responsibility for the domain remains with your client. Get written approval before implementing changes, and make sure they understand both the benefits and risks involved.

Warning: If you're uncertain about making DNS changes, it's better to engage a qualified IT professional. The cost of professional assistance is far less than the potential business impact of email disruption.

Conclusion

The transition from Outlook automation to authenticated SMTP services represents a significant shift for Access developers. While it requires more technical understanding, proper email authentication ultimately leads to better deliverability.

In our next article, we'll dive deep into SPF implementation—the critical first step in email authentication. We'll cover the technical details, common pitfalls, and best practices for safely implementing SPF without breaking existing email services.

Remember that email authentication isn't just about security—it's about establishing trust in an increasingly suspicious digital ecosystem. As email providers continue to strengthen their filtering algorithms, proper authentication will become even more critical for successful delivery.

Acknowledgements
  • Article title generated with the help of Claude-3.7-Sonnet
  • Article excerpt generated with the help of Claude-3.7-Sonnet
  • Initial draft generated with the help of Claude-3.7-Sonnet
  • Cover image generated by Imagen3

Never miss an article.

Sign up to receive a Sunday morning email with links and recaps of the seven articles published that week.
(I'll never sell your email. Unsubscribe any time.)


All original code samples by Mike Wolfe are licensed under CC BY 4.0