What Are DKIM, SPF & DMARC?


Are your emails constantly getting stopped by your recipients’ spam filters? Worse still, are they just not showing up at all?

Email deliverability is a problem for many businesses – and solving the issue can sometimes be a bit of a dark art. In this guide, we discuss three above-board solutions for improving email deliverability: DKIM, SPF and DMARC.

Setting up DKIM, SPF and DMARC for your domain can improve email deliverability, while also reducing the risk of scammers and spoofers successfully sending emails purporting to be from your organisation.

What are DKIM and SPF?

DKIM and SPF are two digital methods used for email validation. They can both protect an email’s sender and its recipient against spoofing, phishing and impersonation.

When someone’s email account receives an email from a domain that uses DKIM or SPF, their spam filters check the sender’s domain to ensure the email is valid and not forged. Emails that pass the DKIM or SPF check qualify to get delivered; emails that don’t pass get rejected or quarantined.

DKIM is used to validate emails sent by a certain domain, while SPF also validates emails sent by third parties on behalf of the ‘sender’ domain.

What is DKIM?

Let’s talk about DKIM and SPF in greater detail, starting with DKIM.

DKIM (DomainKeys Identified Mail) is a security protocol which can tell someone’s email account whether or not an email truly was sent from the domain it says it was sent from.

In 2005, before DKIM launched, email spoofing was especially widespread. This prompted a group of high-profile internet industry participants, which included Yahoo!, Cisco and Microsoft, to come up with a solution: DKIM. The group identified that the claimed association between an email and a domain could be validated by adding a security key to the metadata of each email. This would provide a way for domains to prove their own emails are legitimate, while making it harder for scammers to feign an association between their spoofed emails and someone else’s domain.

When a domain has DKIM set up and that domain sends an email to a recipient, the recipient’s email account checks the DKIM signature in the email against the public key published in the domain’s DNS records. (A DNS record is the domain’s online record of its basic identifying information.) If the signature is a match, the email passes the DKIM check and can therefore be delivered.
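The lookup and body-hash steps of that check, as an added Python sketch (not code from this article or from any DKIM package). The domain, selector, key and signature values are constructed placeholders, and the final RSA verification of the b= value is deliberately left out.

```python
import base64
import hashlib
import re

def parse_tags(value):
    """Parse a 'tag=value; tag=value' list, used by both the header and the DNS record."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is not significant
    return tags

def dns_name(sig):
    """DNS name the receiver queries for the public key."""
    return f"{sig['s']}._domainkey.{sig['d']}"

def body_hash(body):
    """bh= value for 'simple' body canonicalization with SHA-256 (RFC 6376)."""
    canonical = body.rstrip(b"\r\n") + b"\r\n"  # drop trailing empty lines, end with one CRLF
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()

def precheck(sig_header, txt_record, body):
    """Steps a receiver performs before the RSA verification of b= (not done here)."""
    sig, key = parse_tags(sig_header), parse_tags(txt_record)
    if not key.get("p"):
        return "fail: no public key published (empty p= means revoked)"
    if sig.get("bh") != body_hash(body):
        return "fail: body hash mismatch"
    return "body hash ok"

# Constructed sample: domain, selector, key and signature values are placeholders.
BODY = b"Hello,\r\nYour invoice is attached.\r\n"
SIG = ("v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=mail2024; "
       f"h=from:to:subject; bh={body_hash(BODY)}; b=PLACEHOLDER_SIGNATURE")
TXT = "v=DKIM1; k=rsa; p=PLACEHOLDER_PUBLIC_KEY"

if __name__ == "__main__":
    print(dns_name(parse_tags(SIG)))
    print(precheck(SIG, TXT, BODY))
    print(precheck(SIG, TXT, BODY.replace(b"invoice", b"payment details")))
```

A body altered in transit no longer matches bh=, so the message fails before the signature is even examined.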

How to set up DKIM on your domain

Setting up DKIM is an important, accessible way to reduce the risk of email spoofing, while improving email deliverability.

The DKIM setup process varies depending on which email service provider you use. For instance, Gmail automatically completes some steps on the domain’s behalf. If you’d rather go through a fully manual DKIM setup, the following steps will be required:

  1. Install a DKIM package on the domain’s email server
  2. Use a DKIM Wizard tool to create a public and private DKIM key pair
  3. Upload a TXT record of the public DKIM key to the domain’s DNS record
  4. Store the private DKIM key securely (wherever the DKIM package says it should be stored)
  5. Check whether the email provider requires any additional DKIM configuration, and complete any appropriate further steps

Agari.com offers detailed guidance on each step of the DKIM setup process.

Once DKIM is set up, the domain should be well-placed to reap the benefits of enhanced deliverability and security. Spam filters will now have a clear signal that the domain’s emails are legitimate, which removes one of the most likely reasons why those emails might have been treated as spam.

Furthermore, if a malicious sender tries to send emails in the guise of the domain, the emails should get picked up by recipients’ spam filters, due to their lack of a DKIM key matching the one added to the domain’s DNS.

What is SPF?

SPF (Sender Policy Framework) is a way of validating all the parties which send email on behalf of a domain, from the various sending domains which may be owned by the sender, to email marketing tools like MailChimp and Campaign Monitor.

SPF facilitates this by prompting the recipient’s email account to check a list of permitted sending details published in the sender’s domain’s DNS record. If the sending account’s details match the details listed in the record, the email can be delivered; if the details do not match, the email is rejected or quarantined.

The ideas and technologies that would become SPF were developed collaboratively by a large community of email experts in the early 2000s.

How to set up SPF

Setting up SPF for a domain is mercifully simple.

First, create a TXT record listing all the domains and servers which are approved for sending email on behalf of a domain. This could include web servers, in-office mail servers, ISP mail servers, end user mailbox servers and third-party mail servers which are used to send emails on behalf of the domain. So, the actions you need to carry out are:

  1. Make a list of relevant domains and servers;
  2. Create a TXT record including the listed domains and servers in this format.

Next, you can activate SPF by adding an SPF TXT record to your domain’s DNS. Google has detailed guidance on how to set up SPF.

Once SPF is set up, email accounts will have a way to verify all the legitimate emails sent on behalf of your domain. This improves your emails’ deliverability, while maintaining the protection which spam filters can provide against spoof emails pretending to be from your domain.
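The two setup steps above, as an added Python sketch (not from this article or from Google’s guidance): it builds the TXT value from a list of senders, checks it for mistakes that commonly break SPF, and tests whether a sending IP is listed. The address ranges and the provider domain are constructed placeholders.

```python
import ipaddress

LOOKUP_TERMS = {"include", "a", "mx", "exists", "redirect", "ptr"}  # each costs a DNS lookup

def build_spf(ip_ranges, includes, policy="-all"):
    """Build an SPF TXT value from sending IPs/ranges and third-party include domains."""
    terms = ["v=spf1"]
    for item in ip_ranges:
        net = ipaddress.ip_network(item, strict=False)
        terms.append(f"ip{net.version}:{net}")
    terms += [f"include:{domain}" for domain in includes]
    return " ".join(terms + [policy])

def term_name(term):
    """Mechanism or modifier name without its qualifier or arguments."""
    return term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0]

def lint_spf(record):
    """Return a list of problems that commonly break SPF evaluation."""
    terms, problems = record.split(), []
    if not terms or terms[0] != "v=spf1":
        return ["record must start with v=spf1"]
    lookups = sum(term_name(t) in LOOKUP_TERMS for t in terms[1:])
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms; RFC 7208 allows at most 10")
    if terms[-1] in ("all", "+all"):
        problems.append("+all authorises every server on the internet")
    elif term_name(terms[-1]) not in ("all", "redirect"):
        problems.append("no closing all mechanism; unlisted senders get a neutral result")
    return problems

def ip_listed(record, sender_ip):
    """True if sender_ip matches an ip4/ip6 term (include: targets need DNS, not resolved here)."""
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.lstrip("+").startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term.lstrip("+")[4:], strict=False)
            if ip.version == net.version and ip in net:
                return True
    return False

# Constructed sample: documentation address ranges and a placeholder provider domain.
RECORD = build_spf(["192.0.2.10", "198.51.100.0/24"], ["_spf.mailprovider.example"])

if __name__ == "__main__":
    print(RECORD)
    print(lint_spf(RECORD), ip_listed(RECORD, "198.51.100.7"), ip_listed(RECORD, "203.0.113.5"))
```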

A tool for testing DKIM and SPF email signatures

After you’ve finished setting up DKIM and SPF, you should test to ensure both technologies are working correctly. We recommend using the free tool from mail-tester.com: Check your SPF and DKIM keys.

Testing your DKIM and SPF precautions is crucial, because an incorrect configuration could actually harm your emails’ deliverability.

What is DMARC?

DMARC is an advanced email security protocol which adds reporting functionality to the protection offered by DKIM and SPF. For domains using email on a wide scale, DMARC can be a particularly powerful and efficient tool for flagging deliverability issues and gathering information about problematic emails associated with the domain.

When DKIM and SPF first launched, it was hoped that the technologies would be an airtight solution for validating emails. Unfortunately, DKIM and SPF have not always proven perfectly effective at preventing fraudulent email – especially in cases where the domain owner uses email at scale and with multiple email systems.

In 2012, a coalition of internet giants including PayPal, Google, Microsoft and Yahoo! assembled to work on a way to shore up the weaknesses of DKIM and SPF. They came up with a security protocol called DMARC, which adds in-depth reporting functionality to an email account’s existing DKIM and SPF signatures.

With DMARC, each email still gets passed, rejected or quarantined based on its DKIM or SPF result; the difference comes after. Whenever an email is rejected or quarantined, DMARC sends a failure report to the domain. And on a periodic basis, DMARC sends the domain an ‘aggregate report’ which brings together information on passed, rejected and quarantined emails.

The DMARC reports provide detail about the author domain name, plus information on the interaction between sender and recipient. This gives the domain owner a very clear vantage on how their email channel is being used, and who is using it – including potential fraudsters.

How to use DMARC reports

DMARC reports can be a huge asset in terms of email deliverability. The failures highlighted by the reports help businesses to identify and deal with instances of malignant emails associated with their domain. This reduces the volume of negative signals to do with a domain which are picked up by email service providers, which can have a positive effect on the domain’s overall email deliverability.

Email services such as Gmail and Outlook can generate detailed DMARC reports covering all of the emails sent from a domain, including information on all of the IP addresses which used the domain to send an email.

In order to activate DMARC reports, the domain owner will first need to create a DMARC record for the domain. Mistakes in a domain’s DMARC record could cause serious problems with email deliverability, so we would always recommend using an expert contractor or service to ensure DMARC setup goes smoothly.

Once a domain’s DMARC record is active, it can start receiving DMARC reports from email service providers.

DMARC reports are difficult to understand in their raw format, so it’s advisable to use DMARC analysis software, such as DMARC Analyzer, to efficiently scan each report for instances of malicious use. If the software picks up on anything phishy, the domain owner can take appropriate actions, such as instructing Gmail and other email services to reject the malicious senders in future.
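To show what such software does with a raw report, here is an added Python sketch (not part of this article or of any named product) that reads one aggregate report and lists the source IPs whose mail failed both checks. The report is a constructed sample trimmed to the fields used; element names follow the RFC 7489 aggregate schema, and reports that declare an XML namespace are not handled.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample aggregate report, trimmed to the fields this example reads.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>30</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.50</source_ip><count>45</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.50</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""

def summarise(report_xml):
    """Return (domain, total messages, [(source_ip, failing count), ...]) for one report."""
    # Reports arrive from third parties: refuse DTDs so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in report_xml.upper():
        raise ValueError("DTD not expected in a DMARC report; refusing to parse")
    root = ET.fromstring(report_xml)
    total, failing = 0, Counter()
    for row in root.iter("row"):
        count = int(row.findtext("count", default="0"))
        total += count
        results = (row.findtext("policy_evaluated/dkim"), row.findtext("policy_evaluated/spf"))
        if "pass" not in results:  # DMARC fails only when neither aligned check passes
            failing[row.findtext("source_ip")] += count
    return root.findtext("policy_published/domain"), total, failing.most_common()

if __name__ == "__main__":
    domain, total, failing = summarise(SAMPLE_REPORT)
    print(f"{domain}: {total} messages reported")
    for ip, count in failing:
        print(f"  {ip} sent {count} messages that failed both DKIM and SPF")
```

A source that fails only one of the two checks, such as 198.51.100.7 in the sample, still passes DMARC and is not listed.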

The acronym DMARC stands for Domain-based Message Authentication Reporting and Conformance.

We would like to reiterate that if you’re interested in DMARC, our advice would be to get the tool set up by an expert, who can monitor performance and make adjustments to get your DMARC policy just right.

DKIM, SPF and DMARC as part of email deliverability hygiene

DKIM, SPF and DMARC all contribute to email deliverability and security. However, for the best results, they need to be used as part of a thorough email hygiene regimen. This means the domain regularly goes through a set of processes – including management of DKIM, SPF and DMARC – to ensure optimal email deliverability.

For many email marketers, the most important component of email hygiene is tidying up your email list (AKA your mailing list). This may involve going through the list to identify recipients who haven’t opened an email in a long time, and then removing those recipients from the email list. You might also check your email list for ‘horizontal inconsistencies’ – where one of the pieces of information about a recipient, such as the name, does not seem to match the email address (e.g. name: Dr. Norman Whibley-Castle; email address: bikerchickmartha2001[at]gmail[dot]com). For more guidance on email hygiene, see tye.io’s article, ‘10 Essential Email Hygiene Best Practices for 2021’.

We recommend taking the following steps to manage DKIM, SPF and DMARC:

  • DKIM and SPF: regularly test your DKIM and SPF keys.
  • DMARC: if you’re using DMARC, get an expert team member or contractor to regularly check your DMARC reports and adjust the domain’s settings if necessary.

With DKIM, SPF and possibly DMARC in place, your domain will have a great foundation for email deliverability and security. Just remember to manage these technologies as part of your email hygiene regimen, as this will help ensure they are working properly.

There’s quite a lot of work involved in setting up these email security technologies – but ultimately, you’ll be rewarded by seeing an increased percentage of your emails landing in the recipient’s inbox.
