SPF, DKIM, DMARC: The 3 Pillars of Email Authentication

Communications Strategy // Email authentication is built on SPF, DKIM, & DMARC. These technical, essential terms will help you master email authentication and maintain brand reputation.

Brad Gurley
Follow Us

If you’re an email marketer, you’ve probably heard acronyms like “SPF,” “DKIM,” and “DMARC” being tossed around with little explanation. People might assume you automatically understand these terms, but the truth is that many marketers’ grasp of these concepts is vague, at best.

The good news is that SPF, DKIM, and DMARC can work together for you like a triple rainbow of email authentication, and that’s why we want you to have a thorough understanding of them. The explanations are technical, but these are three fundamental concepts to understand about email authentication.

We’ll provide you with a brief and insightful look at each of these protocols, then you’ll be able to start tossing these acronyms around like the pros. First things first…

What is email authentication, and why is it so important?

Email authentication helps to improve the delivery and credibility of your marketing emails by implementing protocols that verify your domain as the sender of your messages.

Using authentication won’t guarantee that your mail reaches the inbox (that’s where you need to focus on improving your email deliverability), but it preserves your brand reputation while making sure you have the best possible chance of having your messages reach their intended destination.

Read on to find out how to ensure you’re achieving the gold standard of email authentication.

SPF, DKIM, and DMARC: 3 Technical, but Essential, Explanations

SPF: Sender Policy Framework

SPF, Sender Policy Framework, is a way for recipients to confirm the identity of the sender of an incoming email.

By creating an SPF record, you can designate which mail servers are authorized to send mail on your behalf. This is especially useful if you have a hosted email solution (Office365, Google Apps, etc.) or if you use an ESP like Higher Logic.

Here’s a brief synopsis of the process:

1. The sender adds a record to the DNS settings.

a. The record is for the domain used in their FROM: address (e.g. if I send from [email protected], add the record to higherlogic.com). This record includes all IP addresses (mail servers) that are authorized to send mail on behalf of this domain. A typical SPF record will look something like this:
v=spf1 ip4: ip4: ip4: include:magnetmail.net ~all

2. The receiving server checks the DNS records.

a. When the mail is sent, the receiving server checks the DNS records for the domain in the FROM: field. If the IP address is listed in that record (as seen above), the message passes SPF.

3. If SPF exists, but the IP address isn’t in the record, it’s a hard fail.

a. If the SPF record exists, but the IP address of the sending mail server isn’t in the record, it’s considered a “hard-fail.” This can often cause mail to be rejected or routed to the spam folder.

4. If no SPF record exists, it’s a soft fail.

a. If no SPF record exists at all, this is considered a “soft-fail.” These are most likely to cause messages to be routed to spam but can lead to a message being rejected as well.

DKIM: DomainKeys Identified Mail

DKIM, short for DomainKeys Identified Mail, also allows for the identification of “spoofed” emails but using a slightly different process. Instead of a single DNS record that keys off the FROM: address, DKIM employs two encryption keys: one public and one private.

The private key is housed in a secure location that can only be accessed by the owner of the domain. This private key is used to create an encrypted signature that is added to every message sent from that domain. Using the signature, the receiver of the message can check against the public DKIM key, which is stored in a public-facing DNS record. If the records “match,” the mail could only have been sent by the person with access to the private key, aka the domain owner.

DMARC: Domain-based Message Authentication, Reporting, & Conformance

While SPF and DKIM can be used as stand-alone methods, DMARC must rely on either SPF or DKIM to provide the authentication.

DMARC (Domain-based Message Authentication, Reporting, & Conformance) builds on those technologies by providing directions to the receiver on what to do if a message from your domain is not properly authenticated.

Like SPF and DKIM, DMARC also requires a specific DNS record to be entered for the domain you wish to use in your FROM: address. This record can include several values, but only two are required:

  • (v) tells the receiving server to check DMARC
  • (p) gives instructions on what to do if authentication fails.

The values for p can include:

  • p=none, which tells the receiving server to take no specific action if authentication fails.
  • p=quarantine, which tells the receiving server to treat unauthenticated mail suspiciously. This could mean routing the mail to spam/junk, or adding a flag indicating the mail is not trusted.
  • p=reject, which tells the receiving server to reject any mail that does not pass SPF and/or DKIM authentication.

In addition to the required tags advising how to handle unauthenticated mail, DMARC also provides a reporting component that can be very useful for most organizations. By enabling the reporting features of DMARC, your organization can receive reports indicating all mail that is being sent with your domain in the FROM: address. This can help identify spoofed or falsified mail patterns as well as tracking down other business divisions or partners that may be legitimately sending mail on your behalf without authentication.

Where Should You Start with Email Authentication?

The first step is to talk to your email support team about how to ensure you’re authenticating your emails. In addition, there are lots of great tools available on the web, including a number of SPF wizards and DKIM key generators to guide you through the process of creating a record you can copy and paste into your domain management console.

However you go about it, we strongly recommend you authenticate your messages with SPF, DKIM, and DMARC. You’ll be able to acronym like the best of them, while keeping your brand’s reputation safe and secure.

Improving your emails can feel overwhelming, especially if you’ve only got basic tools at your disposal. But using marketing automation? Automation is an advanced tool that can take your email campaigns to the next level, without tons of manual work.

Download the Engagement Trends Report 2020

Brad Gurley

Director of Deliverability, MessageGears

Brad is the Director of Deliverability at MessageGears. He has over 15 years experience in email marketing with focus on deliverability and ISP relations, as well as extensive knowledge of email standards and best practices, deliverability monitoring, and consultation. He is a frequent presenter and contributor of blog content, and is active in email delivery industry organizations.

Follow Us