If you are here, that means you've come across terms like SPF, DMARC, and DKIM and are interested in email security and deliverability.

Well, you've come to the right place. In this blog, we will learn what SPF, DKIM, and DMARC are, how to set them up effectively, and why they are crucial for safeguarding your email messages.  

Additionally, I will share my personal experience on how these email authentication methods helped me improve my campaigns. So, without further ado, let's dive in!

What is DNS, SPF, DKIM, DMARC – Terminologies Explained

DNS

When talking about SPF, DMARC and DKIM the word DNS is mentioned a lot. But what exactly is DNS? DNS stands for Domain Name System, serving as the Internet's phonebook.

It performs the crucial task of translating domain names (like example.com) into corresponding IP addresses (such as 111.222.333.444). This translation enables web browsers to access and load the correct website by connecting to the corresponding IP address.

SPF

SPF stands for Sender Policy Framework and helps you know the emails you receive come from a legitimate and trusted source.

Using SPF records helps ISPs (Internet Service Providers) confirm whether a mail server is allowed to send emails for a specific domain. An SPF record is a list of approved IP addresses that can send emails on behalf of your domain, stored in a DNS TXT record.

If the server finds the email coming from an illegitimate source, it can be marked as spam. The idea behind SPF is simple: if the recipient knows the email's sender, they will be inclined to open it.

DKIM

DKIM stands for DomainKeys Identified Mail. DKIM adds a digital signature to your email, which helps prevent phishing or spoofing of your email domain.

A DKIM record is a special type of TXT record added to the sending domain's DNS records. It includes a public key used by receiving mail servers to validate the signature of a message.

If you don't have DKIM set up, this can signal to the recipient that your email has not been sent from a legitimate source.

DMARC

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. It is a last-checking test that tells mail servers what to do when SPF or DKIM fails.

If an email has a DKIM signature and the sending server is included in the SPF records, the email will go straight to the recipient's inbox.

But if your message fails SPF authentication or DKIM authentication, DMARC chooses what to do with the email according to the selected DMARC policy: None, Quarantine, or Reject.

  • If you select the “None” policy, the mail servers won’t take any action so that it won’t affect your deliverability, and the email will land in the inbox. However, it also won’t protect you from scammers.  
  • If you select the “Quarantine” policy, the emails from your domain that don’t pass the DMARC check will be sent to the SPAM/Junk folder.
  • If you select the “Reject” policy and the email fails to pass the authentication, the receiving server will reject it, causing the email to bounce.

How to Set Up SPF, DKIM and DMARC

To set up SPF, DKIM, and DMARC, you need to access and edit your DNS records, which you can find in either your web hosting control panel or your domain registrar’s control panel.

SPF Setup

  • Go to your DNS settings. I am using Dynadot for my DNS settings. You might have a different domain provider like GoDaddy or Google Domains.
  • Click on add a new DNS record.
  • The record should be TXT.
  • Enter “@” in the “hostname” field.
  • Paste “v=spf1 include:_spf.google.com ~all” in “Value” and then save. There must be no space between “include:” and the domain name.
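Before saving, the SPF value can be checked for syntax slips such as a stray space after “include:”. The linter below is an added example, not part of the original post; the function name `lint_spf` and the sample records are constructed for illustration, and it checks only the record text (lookups nested inside included records need live DNS).

```python
import re

# Terms that each cost one DNS lookup; RFC 7208 caps the total at 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}
NEEDS_VALUE = {"include", "exists", "ip4", "ip6", "redirect"}
TERM_RE = re.compile(r"^([+\-~?]?)([a-z][a-z0-9]*)(?:([:=/])(.*))?$", re.I)


def lint_spf(record):
    """Return a list of problems in an SPF TXT value; an empty list means clean."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, lookups, saw_all, saw_redirect = [], 0, False, False
    for term in terms[1:]:
        m = TERM_RE.match(term)
        if not m:
            problems.append(f"unparseable term {term!r}")
            continue
        qualifier, name = m.group(1), m.group(2).lower()
        is_modifier, value = m.group(3) == "=", m.group(4)
        if not is_modifier and name not in MECHANISMS:
            problems.append(f"unknown mechanism {name!r}")
            continue
        if saw_all and not is_modifier:
            problems.append(f"{term!r} comes after 'all' and is never evaluated")
        if name in NEEDS_VALUE and not value:
            problems.append(f"{name!r} needs a value directly after it, with no space")
        if name in LOOKUP_TERMS:
            lookups += 1
        if is_modifier and name == "redirect":
            saw_redirect = True
        if not is_modifier and name == "all":
            saw_all = True
            if qualifier in ("", "+"):
                problems.append("'all' without -, ~ or ? passes every sender")
    if not (saw_all or saw_redirect):
        problems.append("no 'all' or 'redirect': unlisted senders get a neutral result")
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    return problems


if __name__ == "__main__":
    # Constructed sample values: one clean record, one with a stray space.
    for sample in ("v=spf1 include:_spf.google.com ~all",
                   "v=spf1 include: _spf.google.com ~all"):
        print(sample, "->", lint_spf(sample) or "ok")
```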

DKIM Setup

  • Go to Admin.google.com.
  • Go to Apps and select Google Workspace.
  • Click on Gmail (email service provider) and select Authenticate Email, and then you will get to DKIM authentication.
  • Select the domain (example.com) for which you need to generate the record.
  • Click on Generate new record and select DKIM Bit length as 1024.
  • Copy the DNS hostname (google._domainkey.example.com) and the TXT record Data.
  • Go to your domain provider's DNS settings.
  • Create a new TXT record and paste the DNS hostname google._domainkey.example.com and the TXT record value (Custom record).
  • Go back to DKIM authentication in Google Workspace and click Start Authentication. It will start showing STATUS: Authenticating Email.

 Note: DKIM can take 48 hours to set up after you have done this.

DMARC Setup

Follow these steps to set up and implement DMARC:

  • Go to your DNS settings.
  • Go to manage DNS records.
  • Create a new custom record.
  • The record type will be TXT.
  • Insert “_dmarc” in the Hostname.
  • You can choose TTL (Time To Live) at 3600 or higher.
    (Note: TTL is in seconds, which means 60 = 1 minute and 3600 = 1 hour.)
  • Add this in the value field “v=DMARC1; p=none; rua=mailto:youremail@example.com” and save these records.

And you have successfully set up DMARC and added its records.

Also, you may have noticed that the DMARC record shown above consists of various components like “v,” “p,” and “rua.” These are known as DMARC tags. These tags have specific values that define different aspects of DMARC.

  • The “v” tag stands for the version of DMARC, which is always DMARC1.
  • The “p” tag stands for the policy of the DMARC, which I explained earlier. It can be set as “none,” “quarantine,” or “reject,” depending on your choice.
  • “rua” specifies the email address where you will receive your DMARC aggregate reports.
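To see how a receiver reads these tags, the added example below (not code from the original post) parses a DMARC record and returns the outcome for one message. The names `parse_dmarc` and `disposition` are assumptions made for illustration, the “sp” tag is the subdomain policy, and the rule applied is the one in the DMARC specification: a message passes when at least one of SPF or DKIM passes for a domain that matches the From domain.

```python
POLICIES = {"none": "deliver, report only", "quarantine": "spam folder", "reject": "bounce"}


def parse_dmarc(record):
    """Split a DMARC TXT value into a tag dict and validate v, p, sp and rua."""
    tags = {}
    for part in filter(None, (p.strip() for p in record.split(";"))):
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"tag without '=': {part!r}")
        tags[key.strip().lower()] = value.strip()
    # The version tag must come first and must be exactly DMARC1.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    for name in ("p", "sp"):
        if name in tags or name == "p":  # p is mandatory, sp is optional
            tags[name] = tags.get(name, "").lower()
            if tags[name] not in POLICIES:
                raise ValueError(f"{name} must be none, quarantine or reject")
    # rua may list several report addresses separated by commas.
    tags["rua"] = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    if any(not u.lower().startswith("mailto:") for u in tags["rua"]):
        raise ValueError("this example accepts only mailto: report URIs")
    return tags


def disposition(record, spf_aligned, dkim_aligned, subdomain=False):
    """Return what a receiver honouring the published policy does with one message.

    spf_aligned / dkim_aligned: that check passed AND its domain matches the From domain.
    """
    tags = parse_dmarc(record)
    if spf_aligned or dkim_aligned:  # one aligned pass is enough for DMARC
        return "dmarc pass"
    policy = tags.get("sp", tags["p"]) if subdomain else tags["p"]
    return POLICIES[policy]


if __name__ == "__main__":
    record = "v=DMARC1; p=none; rua=mailto:youremail@example.com"  # value from the steps above
    print(parse_dmarc(record))
    print(disposition(record, spf_aligned=False, dkim_aligned=False))
    # Constructed stricter record with a separate subdomain policy.
    print(disposition("v=DMARC1; p=reject; sp=quarantine", False, False, subdomain=True))
```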

Generating Custom DMARC Records

If you're still feeling unsure about adding your DMARC records and need help generating custom records, don't worry—I've got you covered!

Follow these steps to generate your custom DMARC records and copy and paste them into your DNS records.

DMARC Setup Enter the domain name
  • Click on DMARC to select and then click on Next.
  • Click on the Next button.
  • Select your DMARC policy and click on Next.
  • Add the email where you want your DMARC aggregate reports to be sent.
  • Add the email where you want your forensic reports to be sent.
  • Choose the DMARC policy for your subdomains and click Next.
  • In this step, you can adjust other options for your DMARC, such as Alignment mode for DKIM and SPF or Format of reports and Reporting intervals. This is optional, so you can adjust it or leave it as it is and click on Finish.
  • Now you just need to copy the text in the box and paste it into your DNS records by creating a new TXT record.

And that’s it. You have set up your custom DMARC record.

After adding your SPF, DKIM, and DMARC records, you can use tools like https://mxtoolbox.com/ and https://toolbox.googleapps.com/ to check that they are set and everything is alright.

Why It Is Important to Set Up SPF, DKIM, and DMARC

To understand this, let’s draw a comparison here: 

Imagine you have a toothache and need a dentist to fix it. You come across two options: Option A is a certified dentist with a degree, years of experience, and a license to practice dentistry. Option B is a self-proclaimed dentist with no certification, questionable qualifications, and competency.

Which dentist would you trust more? 

I'm sure you'd go with Option A without a second thought.

Well, the same principle applies to email authentication. When you set up SPF, DKIM, and DMARC, you essentially certify your email as trustworthy. It's like waving your authentication degree proudly in the digital world.

Proper email authentication boosts your sender reputation, protects your domains from sneaky spoofers and phishing attacks, and enhances your overall email deliverability. Like certified dentists inspire confidence in their patients, properly authenticated emails inspire trust in recipients' inboxes.

However, if you neglect email authentication, it's as if you're playing dentist with a DIY toolkit. Your marketing or sales emails may end up in the spam folder, sabotaging your chances of reaching potential clients.

In simple words, establishing proper email authentication indirectly contributes to the success of your campaigns and helps you attract more clients.

How Setting up SPF, DKIM, and DMARC helped our Campaigns

After working on email marketing and lead generation as a marketing team, we realized the struggles of finding the right leads, crafting personalized emails, and investing hours into research and campaign setup, only to see disappointing results.

It can be disheartening when your hard work goes to waste as your messages end up in spam folders, left unread by recipients. That's why we decided to investigate the root causes of this issue.

Maintaining list hygiene and following email writing best practices didn't cut it for achieving high open rates. We discovered that email authentication plays a vital role, as reputable organizations tend to classify unauthenticated and suspicious emails as spam.

After realizing that warm-up strategies alone weren't yielding significant results, we focused on SPF, DKIM, and DMARC implementation for our sender domains, following the steps we mentioned earlier.

The outcome was great as we saw a noticeable improvement in email deliverability, and open rates were slowly increasing, indicating that our emails were now successfully reaching recipients' inboxes.

As an email marketer, one of your primary objectives is to ensure that every message you send lands in the recipients' inboxes.

People who receive emails from your domain that are legitimate in nature are more likely to trust and engage with them. This results in more customers and an overall boost to your business's success.

Further, if you find any issues and need expert advice, please contact webdew.

Edited by: Vaishnavi Jain

Frequently Asked Questions

The difference between DKIM (DomainKeys Identified Mail), DMARC (Domain-based Message Authentication, Reporting, and Conformance), and SPF (Sender Policy Framework) lies in their respective functions within email authentication. DKIM works by adding a digital email signature, ensuring its integrity, and verifying that it hasn't been altered during transit. DMARC, on the other hand, combines DKIM and SPF to provide a policy framework for email authentication. It allows domain owners to specify how their emails should be handled if they fail authentication checks. SPF, on its own, checks if the sender's IP address is authorized to send emails on behalf of a particular domain.

SPF (Sender Policy Framework) is an email authentication protocol that helps prevent email spoofing by verifying that the sender's IP address is authorized to send email for a specific domain. DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a policy framework that combines SPF and DKIM to provide enhanced email authentication and reporting capabilities. It allows domain owners to define policies for email handling based on authentication results.

The main difference between DKIM (DomainKeys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting, and Conformance) lies in their roles within email authentication. DKIM adds a digital signature to an email, ensuring its integrity and verifying its authenticity. DMARC, on the other hand, combines DKIM and SPF to provide a comprehensive policy framework for email authentication. It allows domain owners to specify how every email should be treated if it fails authentication checks, providing higher control and security.

SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) both play important roles in improving email deliverability. SPF helps by verifying that the sender's IP address is authorized to send emails on behalf of a particular domain. This prevents unauthorized sources from sending emails using a domain's name, reducing the likelihood of email spoofing and increasing deliverability. DKIM adds a digital signature to emails, ensuring their integrity and verifying their authenticity. This helps recipients' email servers determine that the email has not been tampered with and increases trust, leading to improved deliverability. Using DKIM and SPF together provides additional layers of authentication, reducing the chances of emails being marked as spam and increasing the likelihood of successful delivery.