SPF, DKIM, DMARC: 3 Keys of Email Authentication

I have gone on and on about email authentication in the blogs I posted earlier, but I failed to tell you why it is one of my favorite techniques ever when it comes to email marketing. Well, here’s why.

Preventing email fraud? Check.
Boosting deliverability? Check.
Continuous delivery? All check.

I could tell you, that this is what email authentication is in a nutshell, but I’d be lying because it is so much more! There’s so much to know about this technique and I am here to help you out.

As an email marketer, I am sure you must have heard people tell you to follow the most organic trends. Trends that are not only healthy but also equally beneficial. This is one of those practices that we highly recommend you get started with if you haven’t already.

The three pillars of email authentication SPF, DKIM, and DMARC may come off as complicated, but they are going to be your most valuable companions in your email marketing journey. Let’s dive in!


    1/ Email Authentication: The Two W’s – What And Why?

    If you’re already a professional email marketer who has worked with email authentication, then I would ask you to skip to the second subtopic, however, a little recap can always be healthy.

    For beginners, take email authentication as the catalyst that is going to turn the number of your emails landing in spam into almost negligible! Confused? Well, this technique is simply a set of methods via which the receiving server can verify that your email isn’t forged. Say goodbye to spoofing and phishing scams, legitimacy is your new motto!

    Here’s why it’s high time that you prioritize email authentication:

    • The continuous use of email as a pillar for scams, frauds, and phishing is concerning.
    • Only email authentication can help you pass the robust measures taken by Internet Service Providers.
    • Lacking email authentication could be the downfall of your email deliverability.
    • The quality of your list and your content’s strength would be useless if you haven’t opted for email authentication.
    • Without authentication, fraudulent third parties can easily convert the source of emails to move past the spam filters.

    I would go on and on about why you need to prioritize this technique, but you get the gist, don’t you?

    2/ How To Authenticate Your Domain?

    I have seen internet marketers struggle with this process in the beginning stages. Hell! I used to be one of those novice marketers, but with time and experience my domain’s authentication has been perfected- and I am here to tell you how!

    1. Use consistent sender addresses: Consistency with the from addresses and friendly from names are of utmost importance. It might sound tempting to make your customers open your emails out of curiosity, but trust and safety go a long way. The constant changing of names or addresses could lead to trust issues among your recipients.
    2. Authenticate your IP addresses with the help of Sender Policy Framework.
    3. Align DKIM signatures for your emails.
    4. Protect email spoofing with DMARC authentication.
    5. After you’re done with the above steps, BIMI (Brand Indicators for Message Identification) can act as a cherry on top of the cake by strengthening the inbox trust experience for your recipients.

    Worry not, we will be discussing point number 2, 3, and 4 in detail in the following section.

    3/ SPF – Sender Policy Framework

    In literal terms, SPF stands for Sender Policy Framework and compares the email sender’s actual IP address to a list of IP addresses authorized by the ISP to send emails from that domain. In layman’s terms, when you send an email message, the receiving system will evaluate to see if there is an SPF record published. This establishes the legitimacy of your domain.

    In my experience with email marketing, I have realized that SPF is one of the best channels against spoofing and phishing scams. Moreover, establishing SPF is a great way to win over your recipient’s trust. Sender authentication protocols were created to secure against forgery of email sender identities, either in the envelope or in the header.

    Let me give you an example via a very simple real-world simulation:

    Recipient A receives two marketing emails from brand A and brand B, brand A has established a viable SPF authentication whereas brand B hasn’t done anything of the sort.
    Now, the recipient as an individual won’t have a hand in whatever happens next, but their server will.
    The server will accept the messages of brand A due to its authentic status thus boosting its deliverability. But the recipient server will reject the emails of brand B or it will send the mails to the spam folder due to its suspicious nature.

    Some of the most extravagant companies around the globe use SFP, including Google, Comcast, Verizon, Live.com, and Cox.net. What are you waiting for?

    A word of caution: SPF by itself is inadequate in how effectively it ends domain spoofing. Instead, when combined with DKIM and DMARC technology, you get vigorous spoofing protection.

    4/ DKIM – Domain Keys Identified Email

    Think of DKIM as your official government-issued identity document. To be simpler, it verifies your identity. When you send out an email, the server attaches DKIM to your mail which is later verified by the receiving server.

    Your priority goal shouldn’t be profiting. Yes, it is the ultimate target however the initial goal should be prioritizing the authenticity, safety, and legitimacy of your marketing campaign.

    DKIM is the crucial security guard that your email needs to ensure that your content hasn’t been compromised or tampered with. I would specifically recommend you this protocol if you had a large list. Here’s why.

    When you send out marketing emails, email firewalls can be exceptionally harsh. For example, if you as an internet marketer send out the same marketing content to a large number of people, the content gets scanned, and it looks like a wave of spam messages. I mean, can you blame the server? My point is that email authentication is your way out.

    I have been raving on and on about the sender’s reputation and email deliverability in almost every blog I post well, DKIM is the key you’ve been looking for to establish both effectively. Combine it with the other keys of email authentication and your email campaigns are unbeatable!

    5/ DMARC – Domain-based Message Authentication

    DMARC or Domain-based Message Authentication, Reporting, and Conformance is the critical link that binds the first two keys of Email Authentication via a consistent set of policies.

    The most important thing you need to remember here is that this protocol can be set to one of three selections: NONE, QUARANTINE, and REJECT.

    • Policy = (p=none): no action taken; message delivered normally.
    • Policy = (p=quarantine): reverts the message to the spam/junk/quarantine folder.
    • Policy = (p=reject): the message stands rejected or bounced.

    Out of all the three protocols, DMARC is the most crucial. A perfectly authenticated domain combines the best efforts of all three policies.

    6/ Implementation

    1/ SPF

    Installation: The TXT record in domain DNS requires to be set, this record will comprise a bunch of valid server IPs that are allowed to send emails through the specified domain.


    v=spf1 include:93339333.mydomain.net ~all

    Sample SPF Record

    Working: Every email you send has a Return-path header linked with it. This return path is the email address to which email delivery notifications are sent concerning email bounces and spam reports. The domain of that sending server’s domain path is pulled out, and its DNS record details are taken care of.

    Now since you have inserted the SPF credentials in the domain’s TXT record. This will consist of a list of IP addresses that are recognized to send emails. If the procured email’s server IP is in the SPF record, then everything is passed on for the SPF validation.

    2/ DKIM

    Installation: First, a public key and the specified private key must be generated, and the public key hash has to be arranged in the TXT record, and the email signing has to be enabled to direct email signatures.



    DKIM Set In TXT Record with Public Key

    DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; s=fnc; d=env.mydomain.net; h=To:From:Reply-To:Subject:Message-ID:List-Unsubscribe:MIME-Version:Content-Type:Content-Transfer-Encoding:List-Unsubscribe:Date;
    bh =DEEFSFDSFWEEEfdfgdsgeERFSFMps774=; b=oDQdtCY85ckhjSDFSDFEdsfsdfdsfasedf9+sVkuMD5bpevJB4SB3+HEP0pikyDQpeLEWOeC2rwyrhDucDYctVYRr6DSFDFEdsfsdfdsfasedf9+s

    DKIM Signature In Email with Private Key

    Working: The private key which is concealed on your email server side is applied to encrypt the email signature. This encrypted signature is then directed as a header in every email sent from the email server.

    The public key hash is then collected in a DNS TXT record. This key with the private key received into the email signature is then operated to decrypt and verify the email signature by the recipient server.

    3/ DMARC


     _dmarc.mydomain.net. IN TXT "v=DMARC1\; p=none\; rua=mailto:dmarc-aggregate@mydomain.net\; ruf=mailto:dmarc-afrf@mydomain.net\; pct=100"

    Sample DMARC Record


    Add DMARC record in the domain TXT record which should look something like this.

     _dmarc.mydomain.net. IN TXT "v=DMARC1\; p=none\; rua=mailto:dmarc-aggregate@mydomain.net\; ruf=mailto:dmarc-afrf@mydomain.net\; pct=100"

    Sample DMARC Record

    The parameters that are set in this code snippet have specific functions:

    • p= DMARC Policy.
    • v=Version.
    • rua=Mailbox to which aggregate reports should be sent.
    • ruf=Mailbox that will be receiving forensic reports.
    • pct= Percentage of mail to which the domain owner would like to have its policy applied.
    • You have to define policies on how the message has to be dealt with if the validation fails.

    Working: DMARC works in concurrence with SPF and DKIM records, which means, if you want to instigate a DMARC record, you must set SPF and DKIM records in the initial stage.

    Then we set up the DMARC settings in the TXT records in your domain’s DNS settings.

    DMARC works based on accomplishing three things:

    • Email authentication.
    • Define action taken when authentication fails.
    • Enable reporting of the domain that does the spoofing.

    When an email is sent to the recipient server, it checks that the said DMARC record will have the parameters that were discussed above. The DMARC examines the following things:

    • Ip address validation in the SPF record.
    • Validation of DKIM signature.
    • Then it tests domain alignment that consists of the following checks:
      – In the SPF record, the message’s ‘from’ domain and its Return-Path domain must be matching.

    If the validation fails, then based on the policy outlined in the DMARC record crucial action is taken and a report is created and sent to the respective email id’s set in the DMARC record for the reports.

    Wrap Up

    This is the best I could have shown you how vital email authentication is. Your next email marketing campaign demands the implementation of all the protocols ASAP, do it today!

    These procedures are a sum of words that can overwhelm you quickly. If you need any help with the execution, connect with our team of experts at Growth Chime.

    I promise you that you’ll deliverability issues will be negligible once you implement these methods.

    So, are you already on your way to authenticating your domain?


    1. How frequently do the DKIM keys rotate?
      You need to agree on a frequency that works best for your business by weighing your risk path, your email program’s complex nature, the resources required to update the keys, and your security policies. 30 days is the average period recommended.
    2. Why are emails still having alignment failures with SPF and DKIM although it has been configured correctly?
      If Bounce Management and Email Security Compliance settings are authorized in the organization’s deliverability system, the return path in the header varies to a Variable Envelope Return Path (VERP) address. This can cause the alignment to be unsuccessful as in theory that the return path must be from the customer’s domain.
    3. Is DMARC only for large companies?
      No, I recommend it to every email marketer. Since DMARC policies are published in the public DNS, anyone can use DMARC.
    4. Do I need to change the DNS to use DKIM?
      Yes, you will need to generate a DKIM Key from your email software and add it to your domain’s DNS to allow the authentication of DKIM.
    5. Can I have multiple SPF records on a single domain?
      No, you must not. Having too many SPF records on a single domain will lead the SPF to return an error for all emails sent from that domain.

    9 Proven Tips to Improve Email Delivery

    Email marketing is right in the center of the hotspot today. In the broadest sense, every email that reaches a potential client is considered marketing via email. Because you have chosen to click on this blog, we believe that you already know about it – but to brief you, email deliverability is the metric scale that is defined by your true potential to get your marketing emails successfully in your customer’s inbox.

    Attracting opt-in subscribers can do wonders for your email deliverability. Make your emails reach your potential customer with quality content. Develop a high sender reputation with IP warming, custom domain, sender id, and proper domain authentication. Avoid domain being blacklisted by spam traps.

    Your strategy here plays a key role in your email campaigns. Opens, clicks, bounces, unsubscribes, and spam reports – identifying the trends in every metric is essential when it comes to your campaign. We will be discussing nine tested full-proof tips to improve your email delivery.


    We’ve short-listed the most effective ways to boost your email deliverability. Remember! Your emails are useless if they do not reach your potential customer. The smartest and most efficient ways are sometimes right in front of you, you just never notice them. Let us get back to the basics and remind you how growth is always rooted at the foundation of your email trends.

    1/ Custom Sending Domain

    An email address with a custom domain helps you create a professional image for your brand. Moreover, it boosts your business’ credibility. Consumers look for an email and a website domain name to match. Neglecting to keep up with this gives rise to unnecessary questions. Can the business be trusted? are they too tight-fisted to obtain a domain email? are they just too lazy? You cannot risk the credibility of your brand. Having a proper website on your email-sending domain gives off a great first impression and regardless of what you might believe, the first impression does matter.

    Having an active website reduces the chances of your emails being flagged by spam filters. It also helps in improving business communication confidentiality. Using generic domains often leads to your emails ending up in the spam folder. Hence, it is relevant that you invest in a proper website domain before you jump-start your email campaigns.

    2/ Use Subdomains

    A subdomain is a supplementary piece of your root domain. It is that part of your domain that is added as a prefix to your main domain. For instance, grow@example.growthchime.com. Here, “example” is the subdomain. Although a subdomain is known to be linked to your root domain, it has a distinct identity of its own.

    The key element here is maintaining a high sender reputation. The known email service providers, namely, Google, Yahoo, etc have been wired to keep tabs on your domains and associate a sender reputation with them. When your sender reputation is low, you are highly likely to encounter email deliverability issues. Internet Service Providers (ISPs) and Email Service Providers (ESPs) may naturally start rejecting the bulk quantity of your emails because your domain does not meet their basic reputation standards.

    However, the good news is that it is much easier to manage your email reputation if you are using a subdomain when sending out marketing emails. When your subdomain gets a bad reputation, you are at the liberty of switching to a new one while still being linked to your root domain. This method has known to ensure the protection of your root domain from reputation problems. On the other hand, your customers will keep receiving emails from a domain they trust.

    3/ Proper Domain Authentication

    Email domain authentication is the process of verifying the sending origin or domain of an email—in essence, proving to ESPs that your emails are truly coming from you and not from a spam origin. A significant emphasis is being shed on the fact that your emails landing in the spam folder could drastically reduce your open rates and other engagement metrics, damage your sender reputation—ultimately causing future deliverability problems—and could even cause your recipients to develop a poor image about your brand.

    By authenticating your email sending domain, you can maintain a strong sender reputation and avoid the common disaster of ’email spoofing’, a tactic used in spam and phishing attacks that comprises a third-party taking charge of your email domain and deceitfully sending emails on your behalf. Therefore, avoiding your campaigns from ending up in the spam folders to crucial to the success of your email deliverability rates — and domain authentication is one of the most powerful ways to help you get the work done.

    4/ IP Address Warming

    Another key element to building a good sender reputation is via IP warming. For starters, gradually increasing the volume of emails sent from a new dedicated IP address on a predetermined schedule is called IP warming. For example, some campaigners set their predetermined schedule to achieve a monthly email sending goal.

    By warming up your IP address, both ISPs and ESPs can thoroughly assess your subject matter. Your content and your IP address will be judged as to whether they are secure, have high engagement, and subsequently, analyze your sending behavior. Now, since your email sending IP address is trusted, more of your emails reach your recipients’ inboxes without being blocked, bounced, ignored, or filtered into a user’s email spam box. When you have successfully done IP warming and built a sender’s reputation, your business email and IP address will be trusted by ISPs and ESPs, thus improving your email deliverability rate.

    5/ Sender Reputation

    We have been raving about the sender’s reputation up until now. Email sender reputation is a combination of IP and Domain reputation, and it may be called the ultimate key to the success of your email marketing campaigns.

    Spam complaints, spam traps, soft and hard bounces, unsubscribes, engagement rates, and more factors can easily lead to the downfall of your sender’s reputation. If a lot of people opted out (via unsubscribes or, worse, spam reports) or did not care to even open your emails, your reputation will be low. If you, however, have a healthy, engaged list that you developed organically, the odds of having your emails delivered are high.

    While IP warming and domain authentication remain on top of our list, there are other methods to improve your sender reputation as well. Relying on double opt-in, i.e., asking each subscriber to confirm their subscription is always a clever idea. The only way to have an organically healthy list is to have people who really want to be on it. While some ESPs will automatically remove hard bounces right away, all the other bounces – you need to take care of them on your own. It is always the factors that seem insignificant that might hit your sender reputation.

    6/ Increase Opt-In Subscribers

    We’ve talked about this in our sender reputation point, but we did not give you a ‘how’! So, how can you increase your opt-in subscribers? This is where website pop-ups and re-engagements come into play. Implement pop-ups on the pages where people presumably end up, such as your homepage and your most popular blog post pages. Pop-ups are a good, organic way to get more subscribers via opt-in.

    Re-engaging cold prospects serves two purposes: one, it can reignite the relationship and spark more engagement moving forward. Two, it helps you remain compliant and avoid wasting time by emailing people who are not interested in what you are selling. If you are looking to increase your opt-in subscribers on a large scale, then you can also market at conferences and tradeshows. Lastly, you can also include a check box for people to opt-in to your email marketing when they are engaging with other content on your site.

    7/ Consistency

    Email marketing is not a one-time rodeo, it is a long-time process. Having a consistent schedule on your calendar is of utmost importance when it comes to your campaign. Being consistent shows your willingness to commit to your own brand. Your potential prospects will not agree with your ideologies at once, it takes time, and consistency is the key. If a customer or prospect does not understand the benefits of what you are selling, they are unlikely to invest or buy from you.

    Consistent email plans save both time and money. It boosts sales and enhances the customer-buyer relationship. A brand needs to build trust in the minds of its potential customer before it can get promising leads, being consistent always works. Thus, having a fixed schedule for your email marketing may show a promising rise in your email deliverability metrics.

    8/ Quality & Relevant Content

    Your emails will not reap much unless you are sending out quality content. Your content needs to have substance and preciseness, with a little touch of your own brand. Remember, customization might just be the key you are looking for. Secondly, your content needs to be synced to your recipient’s needs. Your opt-in subscriber will stay if you give them a reason to. Knowing your audience and producing their preferred choice of content can jump-start your metrics for email deliverability.

    Behavioral analytics lets you better understand how many people are interacting with your site. Besides that, you can learn which pages bring them to the site in the initial phase, and which pages they connect with the most. Understanding analytics can help you produce content that your audience will like.

    9/ Avoid Blacklists & SPAM Traps

    As mentioned already, being blacklisted by spam traps can have a lasting impact on your email deliverability. Periodic removal of inactive subscribers is always preferred. Your next preference should be strictly sticking to the organic growth of your list. Moreover, using programs like web crawlers and email scraping tools is a surefire way to gather honeypot emails and get yourself blacklisted. Lastly, we suggest you clean your lists using email verification tools.

    Wrap Up

    Email deliverability is the prime metric you need to consider to analyze the effectiveness of your marketing campaigns.

    We hope our short-listed ways help you market your brand in the most organic and innovative way.

    So, what all pointers do you plan to implement out of this?


    1. When is the best time to send an email?
      The best time to send an email is simply when your contacts want to receive it. Some contacts want a daily, weekly, or monthly email. Other contacts only want to hear from you when you have a discount/offer ongoing. Analysis and consistency come into play here.
    2. How often should I clean out my email list?
      One of the main causes of deliverability issues is poor list hygiene. You should review and clean out your email lists often. We recommend a scheduled clearing out of your email list at least twice a year.
    3. Why you shouldn’t email your complete list at once?
      One of the key strategies of a successful email campaign is segmentation. We recommend you design each message with a target audience in mind and send it just to that audience. This will also increase the engagement of the subscriber with your content.
    4. What is an acceptable email deliverability rate by industry?
      100% deliverability is considered nearly impossible as user mailboxes change often, or people simply leave. An email deliverability rate of 90% or higher, sidelines a successful marketing campaign.
    5. How will changing my IP address affect my deliverability?
      A change of IP address can help you to grow your domain reputation to some extent, but not enough to overcome other negative sending habits, like bad content and low engagement.