What are SPF, DKIM and DMARC?

Learn how SPF, DKIM, and DMARC email protocols can help your email security and deliverability.

Tim Hogwood avatar
Written by Tim Hogwood
Updated over a week ago

The article looks complicated, can you just give me a quick summary of what these terms mean?

SPF = Proof it was actually you who sent the email
DKIM = The email that was sent by you wasn't altered by someone else along the way
DMARC = What should the recipient do if they receive an email from you that doesn't look right (e.g. failed SPF or DKIM checks)? It also covers reporting back to you so you can monitor for any deliverability issues with your legitimate email sending.

How do I know if these are set up correctly?

Run the SourceWhale deliverability tester found here to see, amongst other things, if you have SPF and DKIM set up correctly for your domain and email provider. Speak to your IT support regarding DMARC.

SPF - 'Sender Policy Framework'

SPF records are essential for email security. They specify which IP addresses are authorized to send emails from your domain, helping to prevent email spoofing. When an email is received, its sending server's IP address is checked against the SPF record. If the IP isn't listed in the SPF record, the email might be considered spoofed and rejected as spam. Different services you utilise to send emails will have their own mail servers and hence different IP addresses.

For example, Gmail or Office365 will have a set of IP addresses which they send email from on your behalf vs your marketing platform (MailChimp etc.) or CRM.

How do I setup SPF Records:

  • For Gmail users, review the recommended SPF settings here.

  • For Office 365 users, check the appropriate settings here.

    Note: Using an incorrect SPF record can be more problematic than having none, particularly if you've recently switched email providers.

Correcting an Incorrect or Missing SPF Record: If you find that your SPF record is incorrect or missing, update it in your domain’s DNS settings. This task is typically handled through your domain registrar. They can assist you in adding or modifying the TXT record with the correct SPF information. Remember, changes in DNS records may take a few hours to propagate across the internet. Your DNS provider can offer more details about this process.

Do I need to do anything differently for SourceWhale?

No, as long as your normal day to day emailing provider (Gmail, Office365, Exchange etc.) has a valid SPF record on your domain then SourceWhale will be setup correctly.

DKIM - 'Domain Key Identified Mail'

DKIM uses public key cryptography to secure your emails. Your email server encrypts the message using a 'private key' (nobody else knows this). The recipient's server uses the corresponding 'public key' (this is available for all to see) to decrypt the message once they receive it.

This process verifies that the email is legitimately sent from your domain and remains unaltered during transit. Implementing DKIM can enhance your email's credibility and improve its standing in anti-spam evaluations conducted by email providers.

How do I setup DKIM?

  • For Gmail users, follow the guide here.

  • For Office 365 users, check the appropriate settings here.

Do I need to do anything differently for SourceWhale?

No, as long as your normal day-to-day emailing provider (Gmail, Office365, Exchange etc.) has DKIM correctly setup then SourceWhale will be setup correctly.

DMARC - 'Domain-based Message Authentication, Reporting, and Conformance'

DMARC works by leveraging two existing email authentication methods, SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail). It allows the sender to indicate that their emails are protected by SPF and/or DKIM, and tells the receiving mail server what to do if neither of those authentication methods passes – such as rejecting the message or quarantining it. Furthermore, it provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.

In essence, DMARC is a policy framework that helps senders to enforce authentication standards, thereby improving email security and reducing the likelihood of their domain being exploited for email-based attacks. This is viewed positively by spam filters when reviewing emails sent from your domain.

How do I setup DMARC?

Implementing DMARC is a simple process that requires only a single DNS update. This involves adding a DMARC (TXT) record, which guides email systems on managing emails from your domain. To get started, collaborate with your hosting provider to create and publish this DMARC DNS record.

Whenever an email is sent from your domain, or appears to be from your domain, the recipient's email server will check for your DMARC record. This record prompts the server to perform DKIM and SPF checks to confirm the sender's legitimacy. Depending on these checks' outcomes, your DMARC policy will instruct the server to either quarantine, reject, or allow the email. Additionally, the recipient's server will produce DMARC Aggregate Reports. These reports are sent to the email addresses you've designated in your DMARC record, offering valuable feedback on the handling of your emails. Overall, DMARC works in conjunction with SPF and DKIM to authenticate emails and decide how they should be treated.

Do I need to do anything differently for SourceWhale?

No, as long as your normal day-to-day emailing provider (Gmail, Office365, Exchange etc.) has SPF and DKIM correctly setup then SourceWhale will be setup correctly to work with your DMARC policy.

Stuck or need some help? Click on the chat icon at the bottom right-hand corner to connect with our support team! 💬

Did this answer your question?