Simplified Guide to Email Authentication: SPF, DKIM, and DMARC
This guide breaks down the essentials of email authentication—SPF, DKIM, and DMARC—explaining how each protocol works, why they matter for email security and deliverability, and how to set them up properly.
SPF (Sender Policy Framework)
What is SPF?
SPF helps protect your domain from spoofing by letting you specify which mail servers are allowed to send on your behalf. It works by adding a special DNS TXT record that lists approved IP addresses.
When an email is sent, the receiving server checks this list. If the sender matches, the email passes SPF; otherwise, it may be flagged as suspicious or rejected.
How SPF Works
- Initiation: The receiving server checks the sender domain in the email header.
- DNS Lookup: It fetches the SPF record from your domain’s DNS.
- Verification: It compares the sender's IP with what's listed.
- Decision: Match = pass; no match = fail.
SPF Record Components
- v=spf1: Declares the SPF version.
- Mechanisms: Rules like a (the domain's A record), mx (its MX servers), ip4/ip6 (specific IP addresses or ranges), or include (the SPF record of another domain, such as a mail provider).
- Qualifier on the final all mechanism (often called the modifier): -all is a strict policy under which mail from unauthorized sources fails and is rejected; ~all is a soft fail under which mail from unauthorized servers is marked as suspicious but may still reach the inbox.
Example SPF Record
- v=spf1 include:_spf.example.com include:_spf.anotherprovider.com -all
How to Set It Up
https://support.google.com/a/answer/33786?hl=en&src=supportwidget0&authuser=0
1. List all email service providers (ESPs) that send mail for your domain. If you send only from Google Workspace, the record is:
- v=spf1 include:_spf.google.com ~all
2. Sign in to your domain host and go to the page where you update DNS TXT records for your domain. Add or update the TXT record with the following values (refer to the documentation for your domain host):
Field name | Value to enter |
---|---|
Type | TXT |
Host (Name, Hostname, or Alias) | If you are adding the record to the domain itself (not a subdomain), enter the @ symbol. Otherwise enter example.com (replace example.com with your domain name). |
Value | The SPF record. If you send email with Google Workspace only, enter: v=spf1 include:_spf.google.com ~all. Some domain hosts require the SPF record string to be enclosed in quotes; check your host's help documentation. |
3. Test and validate the record with an SPF check tool (https://mxtoolbox.com/spf.aspx). It can take up to 48 hours for SPF authentication to start working.
Note:
Problem: A domain name can have only one SPF record. If more than one is published, the receiving server treats the SPF check as invalid, so none of the records takes effect.
Solution: Merge all the rules into one record, separated by spaces.
❌ Incorrect way:
- v=spf1 include:_spf.google.com ~all
- v=spf1 include:secureserver.net ~all
✅ Correct way:
- v=spf1 include:_spf.google.com include:secureserver.net ~all
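The "one SPF record per domain" rule and the merge shown above, as an added example that is not part of the original guide: it detects the duplicate-record condition a receiver would reject, merges the records into one, and evaluates the ip4/ip6 and all mechanisms against a sending IP. The TXT records and IP addresses are constructed sample data; include mechanisms are not followed because that needs live DNS.

```python
import ipaddress
# Constructed sample: the TXT records a DNS lookup could return for one domain.
# Two SPF records in one zone is the "incorrect way" from the note above;
# receivers treat that as a permanent error and use neither record.
TXT_RECORDS = [
    "google-site-verification=abc123",  # not an SPF record
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:secureserver.net ip4:192.0.2.10 ~all",
]
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def find_spf_records(txt_records):
    """Keep only TXT records whose first term is the SPF version tag (case-insensitive)."""
    return [r for r in txt_records if r.lower().split(None, 1)[:1] == ["v=spf1"]]

def merge_spf_records(records):
    """Merge several SPF records into the single record a domain may publish: terms keep
    their order without duplicates and the first record's 'all' term is kept."""
    terms, final_all = [], None
    for rec in records:
        for term in rec.split()[1:]:
            if term.lstrip("+-~?").lower() == "all":
                final_all = final_all or term  # picking a stricter qualifier is the operator's call
            elif term not in terms:
                terms.append(term)
    return " ".join(["v=spf1", *terms, final_all or "~all"])

def evaluate_spf(record, client_ip):
    """Evaluate the ip4/ip6 and all mechanisms of one record against the sending IP.
    include/a/mx need live DNS and are skipped; a real resolver recurses into them first."""
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIER_RESULT else "+"  # default qualifier is '+'
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            return QUALIFIER_RESULT[qualifier]
        if mech.startswith(("ip4:", "ip6:")):
            network = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
            if ip in network:  # False when the address and network families differ
                return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 says neutral

def check_domain(txt_records, client_ip):
    """Receiver's view: no SPF record -> none, more than one -> permerror, else evaluate."""
    records = find_spf_records(txt_records)
    if len(records) != 1:
        return "permerror" if records else "none"
    return evaluate_spf(records[0], client_ip)
```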
DKIM (DomainKeys Identified Mail)
What is DKIM?
DKIM protects against email tampering. It adds a cryptographic signature to each outgoing email so receiving servers can confirm it came from you and wasn’t modified in transit.
How DKIM Works
- Signing: Your email provider signs outgoing messages using a private key.
- DNS Record: The recipient retrieves the public key from the sender’s DNS to verify the signature.
- Validation: A valid signature confirms authenticity; an invalid one suggests tampering.
Key Components
- Private Key: Securely stored by the sender to sign emails.
- Public Key: Published in DNS for recipients to validate signatures.
Example DKIM Record
- v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
How to Set It Up
If you use Google Workspace, you can read this article to set up DKIM.
1. Generate DKIM keys for each email service provider (e.g., Google Workspace).
2. Add the public key as a TXT record in your DNS (e.g., selector._domainkey.mydomain.com).
3. Allow up to 48 hours for DNS propagation.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
What is DMARC?
DMARC builds on SPF and DKIM by defining what receivers should do when authentication fails and by enabling reporting. It requires alignment between the domain in the "From" header and the domain authenticated by SPF or DKIM.
DMARC Policies
- p=none: Monitor traffic without action (ideal for initial setup).
- p=quarantine: Route failed emails to spam/junk folders.
- p=reject: Block failed emails entirely.
Reporting
- Aggregate (rua) and forensic (ruf) reports provide insights into authentication results and potential abuse.
Example DMARC Record
- v=DMARC1; p=none; rua=mailto:dmarc-reports@mydomain.com;
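How a receiver turns the pieces above into a DMARC verdict, as an added example that is not part of the original guide: it parses the tag=value syntax shared by DKIM-Signature headers and DMARC records, builds the selector._domainkey lookup name from the DKIM setup step, tests From-domain alignment in strict and relaxed mode, and maps a failure to the p= policy. The headers and record are constructed sample data, the DKIM signature is assumed to have already verified cryptographically, and the organizational-domain rule is simplified to the last two labels.

```python
# Constructed sample: the headers of one received message plus the DMARC record
# published for the From domain. The DKIM signature is assumed to have already
# verified cryptographically; DMARC then only asks whether its d= is aligned.
FROM_HEADER = "Alice <alice@mail.example.com>"
DKIM_SIGNATURE = "v=1; a=rsa-sha256; d=example.com; s=google; h=from:to:subject; bh=...; b=..."
SPF_AUTH_DOMAIN = "bounce.example.net"  # MAIL FROM domain that passed SPF
DMARC_RECORD = "v=DMARC1; p=quarantine; adkim=s; rua=mailto:dmarc-reports@example.com"
ACTIONS = {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}

def parse_tags(record):
    """Parse 'tag=value; tag=value' text; DKIM-Signature and DMARC records share this syntax."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dkim_dns_name(dkim_sig):
    """Build the TXT name a verifier queries for the public key: selector._domainkey.domain."""
    tags = parse_tags(dkim_sig)
    return f"{tags['s']}._domainkey.{tags['d']}"

def organizational_domain(domain):
    """Simplified to the last two labels; real verifiers consult the Public Suffix List
    so that a domain under co.uk is not reduced to 'co.uk'."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r', the default) accepts
    any subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)

def dmarc_disposition(from_header, dkim_sig, spf_domain, dmarc_record):
    """Return (dmarc_result, action): pass needs at least one aligned identifier,
    otherwise the p= policy decides what the receiver does with the message."""
    from_domain = from_header.rsplit("@", 1)[1].rstrip(">").strip()
    policy = parse_tags(dmarc_record)
    dkim_domain = parse_tags(dkim_sig).get("d") if dkim_sig else None
    dkim_ok = aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    spf_ok = aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    if dkim_ok or spf_ok:
        return "pass", "deliver"
    return "fail", ACTIONS[policy.get("p", "none")]
```

With the sample data the strict adkim=s setting makes a signature from example.com fail to align with a From address at mail.example.com, which is the kind of result the p=none monitoring phase is meant to surface before escalating.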
How to Set It Up
If you use Google Workspace, you can read this article to set up DMARC:
https://support.google.com/a/answer/2466580?hl=en&ref_topic=9061731&sjid=931875668854513338-NC&authuser=0
- Create a DMARC TXT record in DNS.
- Start with p=none to monitor, then escalate to stricter policies.
- Analyze reports to refine SPF/DKIM configurations.
Conclusion
Correctly configuring SPF, DKIM, and DMARC is essential to protect your domain, improve email deliverability, and reduce the risk of phishing or spoofing.
By taking the time to authenticate your emails, you ensure your messages reach inboxes—and not spam folders.