If you are wondering what SPF, DKIM, and DMARC are, you have come to the right place to learn everything about them.
In simple terms, these three email domain authentication methods help verify the identity and integrity of your domain and prevent unauthorized parties from impersonating your domain.
In this article, we will explain what SPF, DMARC, and DKIM are, how to set them up for your domain, and how to check them for an email.
So, without any further delay, let’s dive right in!
What is an SPF Record?
SPF stands for Sender Policy Framework, which specifies the servers/IP addresses that are authorized to send emails from your domain. In this way, you can prevent spammers from forging your domain in the From header of their emails.
In other words, if you own example.com and have set up an SPF record, you can tell the receiving mail servers that only emails from 192.168.123.123 are valid emails from example.com. If a spammer tries to send an email with a From header of user@example.com from another IP address, the receiving mail server will check your SPF record and reject or mark the email as spam.
An SPF record is a TXT record that contains three parts:
- Declaration: Every SPF record starts with “v=spf1” (only appears at the beginning and does not repeat throughout the rule).
- Specify IP Addresses and Domains: the “include” mechanism names another domain whose SPF record is also authorized to send for you, and “ip4” or “ip6” lists the allowed IP addresses or ranges.
- Enforcement Rule: End the record with a “~all” statement (make sure you use it only once at the end).
An example of an SPF record would look like this:
v=spf1 ip4:192.168.123.123 include:_spf.google.com ~all
It says that only emails sent from the IP address 192.168.123.123 or from Google’s servers (as defined by _spf.google.com) are valid emails from your domain; everything else fails the check, and because ~all is a soft fail, receivers will usually mark such mail as spam rather than reject it outright.
Without an SPF record, your WordPress emails can trigger spam filters, which results in lower email deliverability. Although WordPress might generate and send emails successfully, the absence of an SPF record can lead to their rejection by recipients.
In Case of Multiple SPF Records: Merge Them Into One
Most businesses use more than one email service provider as a backup. In that case, the domain ends up with a separate SPF record for each ESP, which causes authentication problems.
According to the SPF specification, a domain can only have one SPF record. If a domain has more than one SPF record, the receiving mail servers will consider the SPF invalid and may reject or mark your emails as spam.
So, merging multiple SPF records into one can simplify your email authentication configuration and maintenance. To merge all your SPF records into one, check out our guide on how to merge multiple SPF records the right way.
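As an added example (not part of the original article), here is a small Python checker for the record structure described above: it enforces the v=spf1 declaration and a single, final all term, rejects a domain that publishes more than one SPF record, and evaluates ip4/ip6 mechanisms for a given sender IP. The include: mechanism needs a DNS lookup and is skipped in this offline check; the records and IP addresses are constructed.

```python
import ipaddress
import re

# Constructed sample records (not real DNS data): the article's example plus a
# deliberately broken one that carries two 'all' terms.
GOOD_SPF = "v=spf1 ip4:192.168.123.123 include:_spf.google.com ~all"
BAD_SPF = "v=spf1 ip4:192.168.123.0/24 ~all -all"

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split a record into its mechanisms and the qualifier of its 'all' term.
    Enforces the three-part structure: v=spf1 first, one 'all' term, placed last."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("record must start with v=spf1")
    all_terms = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t.lower())]
    if len(all_terms) != 1 or terms[-1] != all_terms[0]:
        raise ValueError("exactly one 'all' term is allowed and it must be last")
    qualifier = all_terms[0][0] if all_terms[0][0] in "+-~?" else "+"
    return terms[1:-1], qualifier

def is_valid_spf(record):
    try:
        parse_spf(record)
        return True
    except ValueError:
        return False

def spf_verdict(records, sender_ip):
    """Offline evaluation of ip4/ip6 mechanisms. `records` is every TXT record
    at the domain that starts with v=spf1; more than one is a permanent error."""
    if len(records) != 1:
        return "permerror"
    mechanisms, all_qualifier = parse_spf(records[0])
    ip = ipaddress.ip_address(sender_ip)
    for mech in mechanisms:
        qualifier = mech[0] if mech[0] in "+-~?" else "+"
        kind, _, value = mech.lstrip("+-~?").lower().partition(":")
        if kind in ("ip4", "ip6") and ip in ipaddress.ip_network(value, strict=False):
            return RESULT[qualifier]
        # include:, a, mx and similar mechanisms need DNS lookups; skipped here.
    return RESULT[all_qualifier]
```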
What is DKIM?
DomainKeys Identified Mail, short for DKIM, enables you to digitally sign your emails using a private key that only you know and a public key that everyone can see. Using DKIM records, email servers verify that the email hasn’t been changed during transit and prove that it came from your domain.
For example, if you own example.com and use DKIM, you can sign your emails with a private key that matches a public key stored in your DNS records. If someone tries to modify or spoof your emails, the receiving mail server will check your DKIM signature against your public key and detect the mismatch.
A DKIM signature typically looks like this:
DKIM records have one part: the public key. The sending mail server holds the matching private key. Receiving mail servers verify that the email originated from you by checking the signature, which was created with the private key, against the public key published in your DNS.
Afterward, the DMARC records check the validity of the email further.
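To show the integrity half of DKIM concretely, here is an added Python example (not the article's or Post SMTP's code) that computes the bh= body hash with RFC 6376 simple body canonicalization on the signer side and recomputes it on the receiving side, so any change to the body is detected. The RSA signature in b= needs the private key and the public key from DNS, so it is left as a labelled placeholder; the message body, domain and selector are constructed.

```python
import base64
import hashlib
import re

# Constructed message body (not a real captured email).
BODY = "Hello,\r\nYour invoice is attached.\r\n\r\n\r\n"

def canonicalize_body_simple(body):
    """RFC 6376 'simple' body canonicalization: drop trailing empty lines and end
    the body with exactly one CRLF (an empty body becomes a lone CRLF)."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")  # normalise to CRLF
    return body.rstrip("\r\n") + "\r\n"

def body_hash(body):
    """Value of the bh= tag: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode()).digest()
    return base64.b64encode(digest).decode()

def build_dkim_header(domain, selector, body):
    """Signer side. b= is the RSA signature over the listed headers; it needs the
    private key and is left as a labelled placeholder in this example."""
    return (f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; "
            f"s={selector}; h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER")

def parse_dkim_tags(header):
    """Turn the tag=value list of a DKIM-Signature header into a dict."""
    tags = {}
    for item in header.split(":", 1)[1].split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # folding whitespace is ignored
    return tags

def body_intact(dkim_header, received_body):
    """Verifier side: recompute bh= from the body as received. A mismatch means
    the body was altered in transit (the signature in b= would then fail too)."""
    return parse_dkim_tags(dkim_header)["bh"] == body_hash(received_body)
```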
How to Add a DKIM Record to Your DNS?
Every email service provider has different rules regarding DKIM records, so you need to contact your email provider to get the details of the DKIM record that you have to add to your DNS. They usually have the instructions in their setup documentation.
IMPORTANT: If you are using Post SMTP and don’t know how to add a DKIM record to your DNS, then feel free to contact us to get expert assistance. Our expert will do it for you and will also offer guidance in the future.
What is DMARC?
DMARC helps you protect your domain from email spoofing and phishing. DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It relies on SPF and DKIM authentication to verify the sender’s identity and the integrity of the email content.
The DMARC record lets you define a policy for how the recipient email server should handle emails that fail these checks and receive reports on the authentication results.
A DMARC policy is stored as a DNS TXT record, which is a type of DNS record that can store any text information. For example, the DMARC policy for example.com might look like this:
- This policy tells the recipients to quarantine (move to the spam folder) any emails from example.com that fail SPF or DKIM verification.
- Also, it instructs them to send reports on the authentication results to a third-party service with the email address example@third-party-example.com.
These reports can help you monitor and improve your email security and deliverability.
NOTE: There’s no need to worry if you are not getting DMARC reports. However, it’s crucial not to ignore these reports since they could indicate someone is using your domain for spam purposes. In case you have difficulty understanding the report, you can forward it to your email provider.
How to Add a DMARC Record to Your DNS?
To add a DMARC record to your DNS, first contact your email service provider to get a specific DMARC record that you need to add to your DNS record.
If your provider hasn’t provided a particular DMARC record, you can use a generic one. Add the following sample DMARC record to your DNS:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
To customize your DMARC policy, modify the “p” tag value to your liking, such as:
- None: Don’t take any action if a message fails DMARC, but send reports to you for monitoring.
- Quarantine: Mail that doesn’t pass DMARC goes in junk.
- Reject: The recipient will not receive emails that fail authentication.
IMPORTANT: Remember that you don’t need DMARC for domains you don’t control. For instance, a Gmail account with a @gmail.com address doesn’t require DMARC, but a Google Workspace account with a custom domain does.
How Do I Set Up SPF, DKIM, and DMARC?
To set up SPF, DKIM, and DMARC, you have to edit the DNS records of your domain. You can find your DNS records in one of these locations:
- Web Hosting Control Panel: If you bought your domain and hosting together, or if your hosting provider includes a free domain.
- Domain Registrar’s Control Panel: If you purchased hosting and domain separately.
- CDN or DNS Management Control Panel: If you use such services to manage your domain, like Cloudflare.
Let’s take Cloudflare as an example. Your DNS records in Cloudflare will look like this.
Although all three of these are important, not every email service provider will require all three at the same time. But setting all of them will enhance your email deliverability, reduce the risk of spoofing, and ensure the security of your domain’s email communications.
How to Check SPF, DKIM, and DMARC Records for Your Domain
If you want to check if your domain has valid SPF, DMARC, and DKIM records, you can use various online tools to check the DNS records. Some examples of these tools are:
- MXLookup: A comprehensive tool that can check various aspects of your domain, such as SPF, DMARC, DKIM, MX, blacklist, SMTP test, etc.
- DMARC Analyzer: With this tool, you can check the DMARC policy and get reports on your email authentication performance.
- DKIM Validator: To check your DKIM signature and public key for validity and alignment.
To check the same for an email, look for the “View Source”, “Show Original”, or “View Headers” option in your email client.
The email headers contain information such as the From, To, Subject, Date, and Message-ID fields and the SPF, DMARC, and DKIM signatures.
Simply press Ctrl + F and look for SPF/DKIM/DMARC. The text you’ll find might look like the following:
The word “pass” in the above text indicates that the email has passed an authentication check.
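As an added example tying together the DMARC policy described earlier and the Authentication-Results header you see when viewing an email's source (not code from the article), this Python snippet parses both, applies SPF/DKIM identifier alignment to the From domain, and returns either pass or the p= action the receiver should apply. The headers are constructed, pct= and sp= are ignored, and the organizational-domain check is simplified to the last two labels instead of the Public Suffix List.

```python
import re

# Constructed sample data (not from a real message): the article's DMARC policy and
# an Authentication-Results header as a receiving server would add it.
DMARC_RECORD = "v=DMARC1; p=quarantine; rua=mailto:example@third-party-example.com"
AUTH_RESULTS = ("Authentication-Results: mx.example.net; "
                "spf=pass smtp.mailfrom=bounces.example.com; "
                "dkim=pass header.d=example.com header.s=sel1")

def parse_dmarc(record):
    """'tag=value; tag=value' into a dict; v= and p= are mandatory."""
    tags = {k.strip(): v.strip() for k, v in
            (item.split("=", 1) for item in record.split(";") if "=" in item)}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags

def parse_auth_results(header):
    """Extract the spf=/dkim= verdicts and the domain each one was checked against."""
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=([^\s;]+)", header)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([^\s;]+)", header)
    return {"spf": spf.groups() if spf else ("none", ""),
            "dkim": dkim.groups() if dkim else ("none", "")}

def org_domain(domain):
    # Simplified to the last two labels; real DMARC uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match, 'r' (relaxed, the
    default) only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, auth_results_header, from_domain):
    """'pass' when SPF or DKIM passed AND aligns with the From domain, otherwise
    the p= action the receiver should apply. pct= and sp= are ignored here."""
    tags = parse_dmarc(record)
    res = parse_auth_results(auth_results_header)
    spf_ok = res["spf"][0] == "pass" and aligned(res["spf"][1], from_domain, tags.get("aspf", "r"))
    dkim_ok = res["dkim"][0] == "pass" and aligned(res["dkim"][1], from_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags["p"]
```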
There you have it! Now, you have a better understanding of what SPF, DKIM, and DMARC are and how they work together to improve email deliverability.
Final Thoughts on SPF, DKIM, and DMARC in Email Authentication
There is no doubt that having SPF, DKIM, and DMARC records set up for your domain can help you improve your email security and deliverability. By using them, you can protect your domain from spoofing by spammers, ensure that your emails are not tampered with in transit, and increase the chances of your emails reaching the inbox of your recipients.
However, setting up SPF, DMARC, and DKIM for your domain requires some technical knowledge and careful configuration. If you lack technical knowledge, don’t hesitate to contact us for expert assistance with all SMTP configurations and DNS records setup.
We will be happy to help!
Frequently Asked Questions
What are DMARC and SPF?
DMARC and SPF are two email authentication methods that help you verify the email sender’s identity and prevent spoofing. DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It allows you to specify how the receiving mail servers should treat emails that fail SPF or DKIM verification. SPF stands for Sender Policy Framework, which lets you specify which servers are authorized to send emails from your domain.
What is DKIM and SPF?
DKIM and SPF are two email authentication methods that help you verify the integrity and identity of the email sender and prevent tampering and spoofing. Using DKIM (DomainKeys Identified Mail), you can digitally sign your emails using a private key that matches a public key stored in your DNS records. On the other hand, an SPF (Sender Policy Framework) record specifies which servers/IP addresses are authorized to send emails from your domain.
What is SPF email authentication?
SPF email authentication is a method that allows you to specify which servers are authorized to send emails from your domain. This helps prevent spammers from forging your domain in the From header of their emails.
Are SPF and DKIM required for DMARC?
Yes, SPF and DKIM are required for DMARC as DMARC relies on SPF and DKIM to handle email authentication across different mail servers consistently.
What is the difference between DKIM and DMARC?
DKIM verifies the integrity of the email content by checking the digital signature of the email against a public key published by the domain owner in their DNS records. Conversely, DMARC provides a consistent way of handling emails that fail SPF or DKIM verification by specifying a policy and preferences for the receiving mail servers.
What is the DKIM email feature?
The DKIM email feature is a method that allows you to digitally sign your emails using a private key and verify them with a public key. It prevents tampering with your emails in transit and proves that they originated from your domain.
Can I use DKIM without SPF?
Yes, you can use DKIM without SPF, but it is not recommended. DKIM only verifies the integrity of the email content, not the email sender’s identity. If you use DKIM without SPF, spammers can still spoof your domain in the From header of their emails and bypass your DKIM verification. Therefore, it is advisable to use both DKIM and SPF for better email security and deliverability.
Is DKIM required for Gmail?
No, DKIM is not required for Gmail, as Gmail automatically signs all outgoing emails with a default DKIM signature using its own domain (gmail.com). However, if you want to use your own custom domain for sending emails from Gmail, you need to set up your own DKIM signature and record for your domain.