SPF, DKIM, and DMARC: What They Are and Why You Should Care

When you send an email messages, the recipient mail server verifies the SPF record published in your domain DNS. This record contains the IP addresses or hostnames of servers allowed to send emails for your domain, which then help prevent email spoofing.

Here’s the step-by-step process:

1. The receiving server receives an email claiming to be from your domain. 
2. The server will proceed to checking the SPF record in DNS.
3. It compares the sender’s IP address against the authorized list in your SPF record.
4. If the IP matches an authorized server, the email has passed SPF. The recipient server treats the email as more trustworthy and is more likely to deliver it to the inbox.
5. If the IP is not listed, the SPF check fails, signaling possible spoofing. Emails that fail SPF mean the server may mark the email as spam, reject it outright, or apply other policies based on DMARC rules. This reduces the chance your message reaches the recipient.

Common SPF setup challenges

• Incorrect syntax: Just one typo can render the entire SPF record unusable, causing legitimate emails to fail checks.
• Missing authorized servers: Forgetting to include third-party services (like email marketing platforms or CRMs) can cause their emails to fail SPF.
• Too many DNS lookups: An SPF check only permits a maximum of 10 lookups in DNS. If your record includes many external services, you may hit this limit, causing SPF to fail. To avoid hitting the limit, consider using SPF flattening tools to simplify your records.

🔖 Related Reading: The Definitive Guide to SPF in Email

What is DKIM (DomainKeys Identified Mail)?

An email authentication system called DKIM essentially attaches a digital signature to outgoing emails, and is widely used. How is it different from SPF?

• SPF authenticates the sending server
• DKIM ensures that the content of your email hasn’t been tampered with during transit.

It allows the recipient to verify that the email was really sent from your domain and wasn’t modified after you sent it. This establishes confidence for both email providers and subscribers, safeguarding your brand reputation and increasing deliverability.

How DKIM key works

DKIM is based on a pair of cryptographic keys—one private and one public:

• Your mail server uses a private key to sign an outgoing email with a unique digital signature.
• The recipient’s mail server looks up the DKIM public key that you published in your domain’s DNS records and uses it to check the signature.

If the signature matches and verifies correctly, it means the email is authentic and unaltered.

What DKIM signatures look like

DKIM adds a field in the email header that looks like:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=selector1; …

The d= tag specifies the signing domain, and the s= tag identifies the selector used to find the public key in DNS.

Common DKIM setup challenges

• Generating keys: The process for generating and taking care of your public/private key-pair can be intimidating for new users.
• DNS record configuration: Adding the right public key in the form of a TXT record to DNS needs to be precise.
• Key rotation: Regularly updating keys (key rotation) is important for security but can lead to signature failures if not handled incorrectly.
• Selector management: Using more than one selector to manage keys in the different servers or services can be

🔖 Additional resources:

• What is DKIM? How to set it?
• How to Set Up DKIM for Google Workspace
• Everything You Need to Know About DKIM Selector: What Is It and How to Find It?

What is DMARC (Domain-based Message Authentication, Reporting, and Conformance)?

DMARC builds on SPF and DKIM to describe how mail receivers should handle unauthenticated mail. It’s a policy that is sent with an email that tells receiving servers how to act with an email if SPF and DKIM checks pass or fail.

DMARC provides reports that can tell you which IP addresses are sending mail on your behalf, whether the authentication passed or failed, and if someone is trying to send mail using your domain without permission. This information should be used by you to determine misconfigurations, unauthorized senders, or phishing attacks so you may take appropriate action.

In simple terms, a DMARC allows domain owners to protect your domain from spoofing and phishing by enforcing authentication and offering insights into your email traffic.

How DMARC works

DMARC essentially involves publishing a DNS TXT record that includes:

• The policy to apply when emails fail authentication (none, quarantine, or reject)
• Where to send reports about authentication results
• Optional settings like alignment requirements for SPF and DKIM

Policy options explained:

• none: No processing is performed on failed emails, just reports. Helpful for surveillance prior to implementation
• quarantine: Messages that don’t pass checks are identified as suspicious and frequently sent to spam folders
• reject: Emails failing DMARC are rejected outright by the receiving server

Receiving servers check incoming emails against the domain’s DMARC policies. Based on the policy and results of SPF and DKIM, they decide whether to deliver, quarantine, or reject the message.

Common DMARC setup challenges

• Policy enforcement: Moving too quickly to strict policies (quarantine/reject) can cause legitimate emails to be blocked if SPF/DKIM aren’t properly aligned.
• Report management: DMARC reports are technical and voluminous, requiring tools or expertise to analyze effectively.
• Alignment configuration: Ensuring SPF and DKIM alignment (matching the domain in the “From” header) is crucial but can be complex.

How SPF, DKIM, and DMARC work together to improve email security

SPF, DKIM, and DMARC are the three pillars of email authentication. They are not standalone solutions—they form a powerful trio that works together to secure your email, avoid email spoofing, and improve deliverability.

When all three protocols are properly set up, here’s what happens:

• Your emails are significantly less likely to be considered spam or bounced.
• You secure your domain against spoofing and phishing attacks.
• ISPs and recipients are convinced that you and your email are trustworthy.
• Your brand’s reputation is still good and your email campaigns land in more inboxes.

How Warmy.io simplifies email authentication

Setting up and managing SPF, DKIM, and DMARC can be complex, especially if you’re not a technical expert. That’s why Warmy.io offers an integrated suite of tools designed to make email authentication straightforward and hassle-free.

Authentication monitoring and tracking

Warmy’s free email deliverability test is recommended for senders who want to get an idea on their inbox placement currently. It can quickly check if your emails are landing on its intended recipient and shows the percentage of emails that ends in spam, promotions, inbox, and unreceived across major email providers. By taking this test, senders can get an idea of where they stand and what factors are affecting their deliverability.

Combined with the Domain Health Hub, senders can have access to these insights:

• Comprehensive DNS status checks to easily validate SPF, DKIM, DMARC, rDNS, MX, and A records for stronger authentication & security.
• Learn if your domain or IP is listed on any blacklists so you can proceed with the delisting process.
• Authentication verification: Assess your email reputation and verifies your email authentication settings such as SPF, DKIM, and DMARC.
• A domain health score based on factors like authentication, blacklist status, and inbox placement tests. 
• Weekly or monthly tracking of deliverability metrics

Free tools for setting up your SPF and DMARC records

Warmy’s Free SPF Record Generator helps with:

• Automatically generating the correct SPF record based on your email service providers.
• Optimizing SPF structure to prevent lookup failures.
• Ensuring compliance with best practices to avoid SPF misconfigurations.