SPF, DKIM, DMARC: 3 Keys of Email Authentication

I have gone on and on about email authentication in the blogs I posted earlier, but I failed to tell you why it is one of my favorite techniques ever when it comes to email marketing. Well, here’s why.

Preventing email fraud? Check.
Boosting deliverability? Check.
Continuous delivery? All check.

I could tell you that this is what email authentication is in a nutshell, but I’d be lying because it is so much more! There’s so much to know about this technique and I am here to help you out.

As an email marketer, I am sure you must have heard people tell you to follow the most organic trends. Trends that are not only healthy but also equally beneficial. This is one of those practices that we highly recommend you get started with if you haven’t already.

The three pillars of email authentication, SPF, DKIM, and DMARC, may come off as complicated, but they are going to be your most valuable companions in your email marketing journey. Let’s dive in!


    1/ Email Authentication: The Two W’s – What And Why?

    If you’re already a professional email marketer who has worked with email authentication, then I would ask you to skip to the second subtopic; however, a little recap can always be healthy.

    For beginners, think of email authentication as the catalyst that will shrink the number of your emails landing in spam to almost nothing! Confused? Well, this technique is simply a set of methods via which the receiving server can verify that your email isn’t forged. Say goodbye to spoofing and phishing scams; legitimacy is your new motto!

    Here’s why it’s high time that you prioritize email authentication:

    • The continuous use of email as a pillar for scams, frauds, and phishing is concerning.
    • Only email authentication can help you pass the robust measures taken by Internet Service Providers.
    • Lacking email authentication could be the downfall of your email deliverability.
    • The quality of your list and your content’s strength would be useless if you haven’t opted for email authentication.
    • Without authentication, fraudulent third parties can easily forge the source of emails to move past the spam filters.

    I would go on and on about why you need to prioritize this technique, but you get the gist, don’t you?

    2/ How To Authenticate Your Domain?

    I have seen internet marketers struggle with this process in the beginning stages. Hell! I used to be one of those novice marketers, but with time and experience my domain’s authentication has been perfected, and I am here to tell you how!

    1. Use consistent sender addresses: Consistency with the from addresses and friendly from names are of utmost importance. It might sound tempting to make your customers open your emails out of curiosity, but trust and safety go a long way. The constant changing of names or addresses could lead to trust issues among your recipients.
    2. Authenticate your IP addresses with the help of Sender Policy Framework.
    3. Align DKIM signatures for your emails.
    4. Protect against email spoofing with DMARC authentication.
    5. After you’re done with the above steps, BIMI (Brand Indicators for Message Identification) can act as a cherry on top of the cake by strengthening the inbox trust experience for your recipients.

    Worry not, we will be discussing points 2, 3, and 4 in detail in the following section.

    3/ SPF – Sender Policy Framework

    SPF stands for Sender Policy Framework. It compares the email sender’s actual IP address to a list of IP addresses authorized by the ISP to send emails from that domain. In layman’s terms, when you send an email message, the receiving system checks whether an SPF record is published for your domain. This establishes the legitimacy of your domain.

    In my experience with email marketing, I have realized that SPF is one of the best defenses against spoofing and phishing scams. Moreover, establishing SPF is a great way to win over your recipient’s trust. Sender authentication protocols were created to secure against forgery of email sender identities, either in the envelope or in the header.

    Let me give you an example via a very simple real-world simulation:

    Recipient A receives two marketing emails, one from brand A and one from brand B. Brand A has set up valid SPF authentication, whereas brand B hasn’t done anything of the sort.
    Now, the recipient as an individual won’t have a hand in whatever happens next, but their server will.
    The server will accept the messages of brand A due to their authenticated status, thus boosting its deliverability. But the recipient server will reject brand B’s emails, or send them to the spam folder, because of their suspicious nature.

    Some of the biggest companies around the globe use SPF, including Google, Comcast, Verizon, Live.com, and Cox.net. What are you waiting for?

    A word of caution: SPF by itself does not fully stop domain spoofing. Combined with DKIM and DMARC, however, it gives you vigorous spoofing protection.

    4/ DKIM – DomainKeys Identified Mail

    Think of DKIM as your official government-issued identity document. Put simply, it verifies your identity. When you send out an email, the server attaches a DKIM signature to your mail, which is later verified by the receiving server.

    Your priority goal shouldn’t be profiting. Yes, it is the ultimate target however the initial goal should be prioritizing the authenticity, safety, and legitimacy of your marketing campaign.

    DKIM is the crucial security guard that your email needs to ensure that your content hasn’t been compromised or tampered with. I would specifically recommend this protocol if you have a large list. Here’s why.

    When you send out marketing emails, email firewalls can be exceptionally harsh. For example, if you as an internet marketer send out the same marketing content to a large number of people, the content gets scanned, and it looks like a wave of spam messages. I mean, can you blame the server? My point is that email authentication is your way out.

    I have been raving on and on about the sender’s reputation and email deliverability in almost every blog I post. Well, DKIM is the key you’ve been looking for to establish both effectively. Combine it with the other keys of email authentication and your email campaigns are unbeatable!

    5/ DMARC – Domain-based Message Authentication

    DMARC or Domain-based Message Authentication, Reporting, and Conformance is the critical link that binds the first two keys of Email Authentication via a consistent set of policies.

    The most important thing you need to remember here is that this protocol can be set to one of three policies: NONE, QUARANTINE, and REJECT.

    • Policy = (p=none): no action taken; message delivered normally.
    • Policy = (p=quarantine): sends the message to the spam/junk/quarantine folder.
    • Policy = (p=reject): the message stands rejected or bounced.

    Of the three protocols, DMARC is the most crucial. A perfectly authenticated domain combines the best efforts of all three.

    6/ Implementation

    1/ SPF

    Installation: A TXT record must be set in the domain’s DNS; this record lists the server IPs that are allowed to send email for the specified domain.

    v=spf1 include:93339333.mydomain.net ~all

    Sample SPF Record

    Working: Every email you send has a Return-Path header linked with it. This return path is the email address to which delivery notifications, such as bounces and spam reports, are sent. The receiving server extracts the domain from that Return-Path address and looks up its DNS records.

    Since you have published the SPF record in the domain’s DNS as a TXT record, that lookup returns the list of IP addresses recognized as senders for the domain. If the IP address of the server that delivered the email is in the SPF record, the message passes SPF validation.
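    To make that lookup concrete, here is an added example (not the blog’s own code) that evaluates a sender IP against the sample record above; the include: target is resolved from a constructed, offline DNS table rather than real DNS, and only the ip4, include and all mechanisms are handled.

```python
# Added example, not the blog's code: a minimal SPF evaluator covering the ip4,
# include and all mechanisms, run against a constructed DNS table instead of live lookups.
import ipaddress

# Constructed TXT data standing in for DNS; the hostnames are placeholders.
FAKE_DNS_TXT = {
    "mydomain.net": "v=spf1 include:93339333.mydomain.net ~all",
    "93339333.mydomain.net": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain: str, sender_ip: str, dns=FAKE_DNS_TXT, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for sender_ip."""
    if depth > 10:                       # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                    # the domain publishes no SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:      # mechanisms are evaluated left to right
        qualifier = "+"                  # a mechanism with no prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name == "all":
            return QUALIFIERS[qualifier] # "~all": softfail everything not listed above
        if name == "ip4" and ip in ipaddress.ip_network(value, strict=False):
            return QUALIFIERS[qualifier]
        if name == "include" and check_spf(value, sender_ip, dns, depth + 1) == "pass":
            return QUALIFIERS[qualifier] # include: matches only when the other record passes
        # other mechanisms (a, mx, ip6, ...) are not handled in this example
    return "neutral"                     # nothing matched and no "all" term present
```

    A real verifier performs the same walk with live TXT lookups, which is why a stale IP in the include: target silently turns your legitimate mail into a softfail.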

    2/ DKIM

    Installation: First, a public/private key pair must be generated; the public key is then published in a TXT record, and email signing is enabled so that outgoing mail carries the signature.

    DKIM Set In TXT Record with Public Key

    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=fnc; d=env.mydomain.net; h=To:From:Reply-To:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Type:Content-Transfer-Encoding:List-Unsubscribe:Date;
    bh=DEEFSFDSFWEEEfdfgdsgeERFSFMps774=; b=oDQdtCY85ckhjSDFSDFEdsfsdfdsfasedf9+sVkuMD5bpevJB4SB3+HEP0pikyDQpeLEWOeC2rwyrhDucDYctVYRr6DSFDFEdsfsdfdsfasedf9+s

    DKIM Signature In Email with Private Key

    Working: The private key, which stays hidden on your email server, is used to encrypt the email signature. This encrypted signature is then sent as a header in every email from the email server.

    The public key is published in a DNS TXT record. The recipient server fetches it and uses it to decrypt and verify the signature carried in the email header.
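    As an added example (not the blog’s or any mail provider’s code), the block below shows the body-hash half of that check: the signer records bh= over the canonicalized body and the verifier recomputes it, which is how tampering with the content is caught. The selector fnc and domain env.mydomain.net come from the sample header above; rsa-sha256 is assumed in place of the sample’s rsa-sha1, and the b= RSA signature itself is not computed.

```python
# Added example, not the blog's code: recompute a DKIM body hash (bh=) with the
# "relaxed" body canonicalization of RFC 6376 and compare it with the header's value.
import base64
import hashlib
import re

def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 relaxed body canonicalization (the body half of c=relaxed/relaxed)."""
    lines = body.split(b"\r\n")
    # drop trailing whitespace on each line, then collapse inner runs of WSP to one space
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    while lines and lines[-1] == b"":    # remove empty lines at the end of the body
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""

def body_hash(body: bytes) -> str:
    """Base64 SHA-256 over the canonical body: the bh= value the signer writes."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()

def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tags; folding whitespace in values is ignored."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def make_signature_header(body: bytes) -> str:
    """Signer side (constructed): same tags as the blog's sample, with a fresh bh=.
    b=, the RSA signature over the headers, is left empty; it needs the private key."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; s=fnc; d=env.mydomain.net; "
            "h=To:From:Subject:Date; bh=" + body_hash(body) + "; b=")

def body_hash_matches(dkim_header: str, body: bytes) -> bool:
    """Verifier side: does the body that arrived still hash to the signer's bh=?"""
    tags = parse_tags(dkim_header)
    canon = tags.get("c", "simple/simple").split("/")
    if (canon[1] if len(canon) == 2 else "simple") != "relaxed":
        return False                       # simple canonicalization is not handled here
    return tags.get("bh") == body_hash(body)

# Constructed message body; the extra spaces and blank lines are deliberate
ORIGINAL_BODY = b"Hello,\r\nYour   order has shipped. \r\n\r\n\r\n"
```

    Relaxed canonicalization is why whitespace-only changes made by intermediate mail servers still verify, while any change to the words does not.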

    3/ DMARC


    Add a DMARC record to your domain’s DNS as a TXT record; it should look something like this.

    _dmarc.mydomain.net. IN TXT "v=DMARC1\; p=none\; rua=mailto:dmarc-aggregate@mydomain.net\; ruf=mailto:dmarc-afrf@mydomain.net\; pct=100"

    Sample DMARC Record

    Each tag in this record has a specific function:

    • v= Version (always DMARC1).
    • p= DMARC policy: how the receiving server should deal with a message that fails validation (none, quarantine, or reject).
    • rua= Mailbox to which aggregate reports should be sent.
    • ruf= Mailbox that will receive forensic reports.
    • pct= Percentage of mail to which the domain owner would like to have its policy applied.

    Working: DMARC works together with SPF and DKIM records, which means that if you want to publish a DMARC record, you must set up SPF and DKIM records first.

    Then you add the DMARC record as a TXT record in your domain’s DNS settings.

    DMARC works based on accomplishing three things:

    • Email authentication.
    • Define action taken when authentication fails.
    • Enable reporting, so the domain owner can see who is spoofing the domain.

    When an email reaches the recipient server, the server looks up the DMARC record and reads the parameters discussed above. The DMARC check then examines the following:

    • IP address validation against the SPF record.
    • Validation of the DKIM signature.
    • Then it tests domain alignment, which consists of the following check:
      – For SPF, the message’s ‘From’ domain and its Return-Path domain must match.

    If validation fails, the action outlined in the DMARC record’s policy is taken, and a report is created and sent to the email addresses set in the DMARC record for reports.
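    The following added example (not the blog’s code) parses the sample DMARC record above and applies it to SPF/DKIM results together with identifier alignment. Two details go beyond what the post spells out: relaxed alignment accepts the same organizational domain (approximated here as the last two labels) and a message outside the pct= share gets the next weaker policy, both per RFC 7489 defaults.

```python
# Added example, not the blog's code: parse the DMARC TXT record shown above and
# apply its policy to the SPF/DKIM results plus identifier alignment.

# The sample record as a receiver reads it from DNS (constructed copy of the blog's sample)
DMARC_RECORD = ("v=DMARC1; p=none; rua=mailto:dmarc-aggregate@mydomain.net; "
                "ruf=mailto:dmarc-afrf@mydomain.net; pct=100")

def parse_dmarc(record: str) -> dict:
    """Turn 'tag=value; ...' into a dict, filling in RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("pct", "100")   # default: apply the policy to all mail
    tags.setdefault("adkim", "r")   # default alignment mode is relaxed
    tags.setdefault("aspf", "r")
    return tags

def org_domain(domain: str) -> str:
    # Assumption: organizational domain = last two labels (no public-suffix list)
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain: str, other: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == other.lower()
    return org_domain(from_domain) == org_domain(other)

WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}

def dmarc_disposition(record, from_domain, spf_result, return_path_domain,
                      dkim_result, dkim_d, percentile=0):
    """Return (dmarc_result, action); percentile (0-99) drives pct= sampling."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, return_path_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_d, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"          # one aligned pass is enough for DMARC
    policy = tags["p"]
    if percentile >= int(tags["pct"]):    # outside the sampled share: next weaker policy
        policy = WEAKER[policy]
    return "fail", {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[policy]
```

    Note that with p=none, as in the sample, a failing message is still delivered; only the reports sent to rua= and ruf= tell you it happened.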

    Wrap Up

    This is the best I could have shown you how vital email authentication is. Your next email marketing campaign demands the implementation of all the protocols ASAP, do it today!

    These procedures involve a lot of steps and can overwhelm you quickly. If you need any help with the execution, connect with our team of experts at Growth Chime.

    I promise you that your deliverability issues will be negligible once you implement these methods.

    So, are you already on your way to authenticating your domain?


    1. How frequently do the DKIM keys rotate?
      You need to agree on a frequency that works best for your business by weighing your risk path, your email program’s complex nature, the resources required to update the keys, and your security policies. 30 days is the average period recommended.
    2. Why do emails still fail SPF and DKIM alignment even though both have been configured correctly?
      If Bounce Management and Email Security Compliance settings are enabled in the organization’s deliverability system, the return path in the header changes to a Variable Envelope Return Path (VERP) address. This can cause alignment to fail, because the return path is expected to be in the customer’s domain.
    3. Is DMARC only for large companies?
      No, I recommend it to every email marketer. Since DMARC policies are published in the public DNS, anyone can use DMARC.
    4. Do I need to change the DNS to use DKIM?
      Yes, you will need to generate a DKIM Key from your email software and add it to your domain’s DNS to allow the authentication of DKIM.
    5. Can I have multiple SPF records on a single domain?
      No, you must not. Having more than one SPF record on a single domain will cause SPF to return an error for all emails sent from that domain.
