You may have heard a lot about SPF, DMARC, and DKIM lately. Rightly so: since February 2024, both Google and Yahoo require all their users to use SPF and DKIM authentication when sending bulk emails. [1]

Even if you’re not a bulk email sender, you might very well be struggling to keep your sent emails out of spam. And after a quick Google search, voilà! Here you are, trying to separate your D-KIMs from your D-MARCs.

This article is here to guide you through the murky waters of email security protocols. I bet the first question on your mind is: “What on earth do DKIM, DMARC & SPF stand for?” Let’s begin there.

By the way, we’ve also created a handy infographic to help you along; scroll down if you’d like to start there instead.

What are SPF, DKIM, and DMARC?

SPF, DKIM, and DMARC are the three main email security protocols that complement one another. They are methods to authenticate a mail server and prove to Internet Service Providers (ISPs) that the sender is trusted and truly authorized to send an email.

SPF: Sender Policy Framework

How does it work?

It works by allowing domain owners to specify which IP addresses are authorized to send emails on behalf of their domain. When an email is received, the recipient’s mail server checks the SPF record published in the sender’s DNS to verify if the email came from an authorized IP address.

This enables domain owners to maintain a secure and trusted communication channel with their recipients.

DKIM: DomainKeys Identified Mail

How does it work?

DKIM authentication makes sure that the content of the email has not been compromised or tampered with during delivery. It works by adding a digital signature to the email’s header, which is created using a private key known only to the sender. The recipient’s mail server uses a public key published in the sender’s DNS records to verify the signature.

If SPF is like the return address of a postcard or letter, DKIM is like sending that postcard or letter through Certified Mail, which further builds trust between the receiver and the sender server. Implementing SPF and DKIM authentication helps ensure that your emails are both verified and trusted and come from an authorized IP address.

DMARC: Domain-based Message Authentication, Reporting, and Conformance

Wow, that’s quite the mouthful, right? Let’s stick to using DMARC for short.

How does it work?

DMARC is also referred to as “email signing.” It ties the first two email security protocols (the SPF and DKIM) together with a more consistent set of policies. For domain owners, setting up DMARC is the final step to secure their email communications fully.

It works by ensuring that both SPF and DKIM checks pass and align with the sender’s domain. If an email fails these checks, DMARC provides instructions on how to handle it (e.g., reject or quarantine) and sends reports to the domain owner about failed authentication attempts.

DMARC has three basic purposes:

  1. To verify that the sender’s email messages are protected by both DKIM and SPF protocols
  2. To inform the receiving mail server what it should do if neither of those email security protocols passes and
  3. To provide a way for the receiver server to report to the email sender that their message has failed or passed the DMARC evaluation.

Combining these three pillars of email authentication provides you or your company with the best protection necessary and protects against phishing attacks.

Did you know? Another way to ensure your emails land in the inbox is by doing what is called “email warmup.” InboxAlly helps with email warmup by gradually increasing the volume and variety of emails sent from your domain, ensuring they reach inboxes rather than spam folders. See the full list of features here.

Why should you set them up?

Simply put, if you want to improve your deliverability rates (i.e., make sure your emails land in the inbox), you’ll need to have these protocols set up. Before we get into the how, here’s some motivation for you to do so:

1. Improved sender reputation

By verifying that emails are coming from legitimate sources, these protocols help prevent email spoofing and phishing attacks. This reduces the likelihood of your domain being used for malicious activities, which can significantly harm your sender reputation.

2. Avoid blacklists

Blacklists are used to block emails from domains that are suspected of sending spam or malicious content. If your domain is not properly authenticated, it can be more easily exploited by spammers and phishers, increasing the risk of being blacklisted. Once on a blacklist, your emails are likely to be automatically rejected or sent to spam folders.

3. Improved deliverability rates

Authenticated emails are more likely to reach the recipient’s inbox rather than being flagged as spam. When email providers see that emails pass SPF, DKIM, and DMARC checks, they recognize them as coming from a legitimate and trustworthy source. This reduces the chances of your emails being filtered out or rejected, leading to higher deliverability rates.

How to Set Them Up:

How to set up an SPF Record

An SPF record is a line of plain text that includes a list of tags and values.

Step 1: Gather all IP addresses used to send emails from your domain. If your company owns many domains, list all the sending domains.

Step 2: Create the SPF record

  • All SPF records start with v=spf1 followed by the list of IP addresses, each IPv4 address prefixed with ip4:.
    Here’s an example: v=spf1 ip4:1.2.3.4 ip4:2.3.4.5
  • Once you’ve listed all IP addresses, end it with an -all tag
    Here’s what it looks like now: v=spf1 ip4:1.2.3.4 ip4:2.3.4.5 -all

Step 3: Publish your SPF to the DNS (Domain Name System). You’ll need to log on to your host provider, open the DNS manager and create a new TXT record. This process varies with each provider, so perhaps it’s best to contact them for more info.

Step 4: Test it out using an SPF record checker.
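To see what such a checker does with a record built in Step 2, here is a small offline evaluator, added as an illustration and not taken from any provider's tooling. It covers only ip4, ip6 and all terms; the function name, the sample record and the sample addresses are constructed for this example.

```python
import ipaddress

# Qualifier prefix -> result returned when that mechanism matches (RFC 7208).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Valid SPF mechanisms that need DNS lookups; this offline example skips them.
DNS_MECHANISMS = {"include", "a", "mx", "exists", "ptr"}

def check_spf(record, sender_ip):
    """Evaluate an SPF record made of ip4/ip6/all terms against sender_ip.

    Returns "pass", "fail", "softfail", "neutral" or "permerror" (bad syntax).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    parsed = []  # (qualifier, network); network None stands for "all"
    for term in terms[1:]:  # validate the whole record before matching
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all" and not value:
            parsed.append((qualifier, None))
            continue
        if name.split("/")[0] in DNS_MECHANISMS or "=" in name:
            raise NotImplementedError(f"needs DNS, not handled here: {term}")
        if name not in ("ip4", "ip6"):
            return "permerror"  # unknown mechanism, e.g. a typo in "ip4"
        try:
            network = ipaddress.ip_network(value, strict=False)
        except ValueError:
            return "permerror"
        if network.version != int(name[2]):
            return "permerror"  # IPv6 range under ip4, or the reverse
        parsed.append((qualifier, network))
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, network in parsed:  # first match wins, left to right
        if network is None or ip in network:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and the record has no "all" term

# Constructed sample record and sender addresses (documentation ranges).
SAMPLE_RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all"
if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(addr, check_spf(SAMPLE_RECORD, addr))
```

A permerror result means receivers cannot evaluate the record at all, so a single mistyped mechanism undoes the protection for every listed address.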

How to set up DKIM

Step 1: Generate a domain key — Use your email service provider’s (ESP) tools to generate a DKIM key pair (private and public keys). This process varies depending on the ESP; consult their documentation for specific instructions.

Step 2: Log in to your DNS hosting provider’s control panel (e.g., GoDaddy, Cloudflare, etc.). Navigate to the DNS management section for your domain.

Step 3: Generate and save the DKIM-Signature

These are simplified instructions, as how you set up DKIM will depend on your operating system and DNS provider. We recommend searching for more specific instructions applicable to your setup.

How to set up DMARC

Step 1: Generate a DMARC Record

Step 2: Decide on the policy you want to implement: none, quarantine, or reject.

The basic syntax for a DMARC record looks like this:

v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; ruf=mailto:forensic-reports@yourdomain.com

Step 3: Create a TXT Record in DNS:

  • Log in to your DNS hosting provider (e.g., GoDaddy, Cloudflare, etc.).
  • Navigate to the DNS management section for your domain.
  • Add a new TXT record.

Step 4: Enter the DMARC Record Details:

  • Name: Enter _dmarc as the host name.
  • Type: Select TXT as the record type.
  • Value: Paste the generated DMARC record into the value field.

Step 5: Specify Policy and Reporting Options:

  • Policy (p): Define the action for emails that fail DMARC checks (none, quarantine, or reject).
  • Aggregate Reports (rua): Provide an email address to receive aggregate reports about DMARC failures.
  • Forensic Reports (ruf): Provide an email address to receive detailed failure reports (optional).

Step 6: Publish the DMARC Record:

  • Save the new TXT record in your DNS settings.
  • It may take some time for the DNS changes to propagate.
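Before pasting the value into DNS, the record from Step 2 can be checked for the mistakes that most often make receivers ignore it. The linter below is an added example, not part of any DMARC tool; the function name and the finding messages are made up for illustration, and it checks only the v, p, rua and ruf tags discussed above.

```python
import re

POLICIES = {"none", "quarantine", "reject"}
MAILTO = re.compile(r"mailto:[^@\s]+@[^@\s]+", re.IGNORECASE)

def lint_dmarc(record):
    """Parse a DMARC TXT value; return (tags, findings)."""
    tags, findings = {}, []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # a trailing ";" is allowed
        key, sep, value = part.partition("=")
        key, value = key.strip().lower(), value.strip()
        if not sep or not key or not value:
            findings.append(f"malformed tag: {part!r}")
        elif key in tags:
            findings.append(f"duplicate tag: {key}")
        else:
            tags[key] = value
    # The version tag has to come first, or the record is not treated as DMARC.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        findings.append("p must be none, quarantine or reject")
    elif policy == "none":
        findings.append("p=none is monitoring only: no action on failures")
    # rua and ruf take a comma-separated list of mailto: URIs.
    for key in ("rua", "ruf"):
        for uri in filter(None, map(str.strip, tags.get(key, "").split(","))):
            if not MAILTO.fullmatch(uri):
                findings.append(f"{key} is not a mailto: URI: {uri}")
    if "rua" not in tags:
        findings.append("no rua tag: aggregate reports will not arrive")
    return tags, findings

# The example record shown in Step 2 of this article.
PAGE_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com; "
               "ruf=mailto:forensic-reports@yourdomain.com")
if __name__ == "__main__":
    tags, findings = lint_dmarc(PAGE_RECORD)
    print(tags)
    print(findings)
```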

Conclusion

Okay, there you go. If you can now successfully explain the difference between SPF, DKIM & DMARC, you’ve earned yourself a coffee break. You’re one step closer to saying goodbye to all your spam worries.

Why not take it one step further with InboxAlly? Our email deliverability tool is easy to use (i.e., not as complicated as email authentication protocols) and is a great way to send mass emails and increase open rates without the fear of landing in spam folders.

FAQs About SPF, DKIM & DMARC

How do SPF, DKIM, and DMARC work together?

SPF specifies which IP addresses can send emails on behalf of your domain, DKIM ensures the email content is trusted and unaltered, and DMARC ties both protocols together to enforce a consistent email authentication policy. It provides a way to enforce and monitor the use of SPF and DKIM, specifying how receiving mail servers should handle emails that fail authentication checks.

What are the benefits of setting up SPF, DKIM, and DMARC?

Setting up these protocols helps improve email deliverability, avoid spam folders, prevent phishing attacks, keep your domain off blacklists, and enhance your domain’s reputation. By ensuring that your emails are authenticated and trusted by recipients, these protocols increase the likelihood of your emails reaching the inbox rather than being filtered as spam.

Additionally, they provide valuable feedback through DMARC reports, helping you monitor and address any issues with email authentication, further strengthening your email security.

Am I required to set up SPF, DKIM & DMARC policies?

While SPF, DKIM, and DMARC are not universally mandated by law, they are becoming essential due to industry requirements. Effective February 2024, Google and Yahoo will require bulk email senders to implement these email authentication protocols to improve security and deliverability.

[Infographic explaining SPF, DKIM, and DMARC]