Simply explained: SPF DKIM DMARC

What if I told you that you, as a domain owner, are not allowed to send emails from your domain? Yes, even if you own the domain, your emails can be treated as spam.
You need to tell the world (mail servers) that the one sending emails from the domain is actually you, and not someone else impersonating you. This is exactly the purpose of your email authentication records: otherwise known as SPF, DKIM and DMARC records.
By using SPF, DKIM and DMARC, you make it easier for an email receiver to check if your emails were legitimately sent from you, the domain owner, or from someone who was not authorized to send them. It is a very important step if you want to avoid landing in the spam folder and improve your sender reputation. In this article, I’ll explain to you what SPF, DKIM and DMARC are, and why they are important for your email deliverability.
First, what’s the relationship between email authentication records and spam folders?
We often think of an email address as public information. Technically, that's true: you can send an email to any mailbox in the world. Nothing stops you from sending an email to your most beloved celebrity.
At the same time, email is a trusted communication channel, which also makes it attractive to scammers (remember the Nigerian prince scam email). So, email providers have a duty to protect their users, and they needed a way to make mailboxes less accessible to scammers.
One of the solutions that was introduced is, you guessed it, SPF, DKIM and DMARC records.
SPF, DKIM and DMARC are records that are verified every time an email is received by a mailbox. Those records prove your identity as an email sender. Using these records, the mailboxes became a restricted zone that you can only enter as an authentic email sender. It’s an identity card, or a Domain ID Card if you will.
If you don’t have a proper Domain ID Card, the spam filter can’t trust your incoming emails, so they can end up in the spam folder to protect the user.
The scary part in all this is that spam filters could silently mark your email as spam for lack of proper Domain ID. So, unless you have heard of these email authentication measures before, you wouldn’t be able to identify the issue, and you might waste a lot of time on other solutions.
Now that we have established the importance of SPF, DKIM and DMARC for your email deliverability, let’s dive into each one of them and explain it in simple words.
In simple words, what is SPF?
If I had to define SPF in one sentence for you as its user, it would be the following:
SPF is a list of IP addresses (mail servers) that are authorized to send emails from your domain.
To explain this, every server on the internet has an IP address that distinguishes it from other servers. It’s like the server’s social security number, or name. In that sense, SPF is a list of email servers. So, what servers make up this list?
When you send an email from, say, Google, you’ll be using Google’s servers to send this email, or in other words you’ll use Google’s IP addresses. Thus, Google's IP addresses should be part of your own SPF list. Similarly, if you’re sending emails from any other email provider, you’ll need to add their IP addresses to your list.
Once you have put together your SPF list, you’ll need to add it to your domain records. By adding it, you’re stating that you, as a domain owner, give permission to this list of email servers to send emails from your domain.
It also means that any other mail server (IP) sending emails from your domain doesn’t have authorization to do so. The receiver of the email recognizes that the sending server wasn’t part of your SPF list, treats the email as a security threat, and deems it spam.
In other words, if you don’t have a good SPF setup, it means that you, as the domain owner, don’t authorize anyone to send emails from your domain, including you. All your emails can be considered a security threat, and thus marked as suspicious or thrown into the spam folder.
The same goes for an incomplete SPF setup. If you have Outlook IPs authorized in your SPF list, but also send emails from a Gmail account, your emails sent from Gmail can be considered spam.
In short, you’ll need to list all the sending servers of your company, publish them in your domain’s DNS records, then keep an eye on the list for any eventual updates. You can simply check your SPF record setup using our SPF checker. Aside from checking your SPF validity, it will give you practical insights on what to do next with the result to better set up your SPF.
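To make the "list of authorized IP addresses" concrete, here is a small SPF evaluator written for this article as an added example (it is not code from the article or from any checker tool). It resolves records from a constructed in-memory DNS table instead of querying real DNS, and supports only the `ip4:`, `ip6:`, `include:` and `all` mechanisms; the domains, addresses and records in it are made up for illustration. It also enforces the limit of ten DNS-querying mechanisms that real SPF verifiers apply, which is why a record that includes itself ends in a permanent error rather than a loop.

```python
"""Minimal SPF evaluation against a constructed, in-memory DNS table.

Added example, not from the article. Supports ip4:, ip6:, include: and all,
and enforces the RFC 7208 limit of 10 DNS-querying mechanisms.
"""
import ipaddress

# Constructed TXT records; a real verifier would query DNS for these.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # pathological self-include
}

MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf_record(domain, table=DNS_TXT):
    """Return the SPF TXT record for a domain, or None if it has none."""
    record = table.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_host(ip, domain, table=DNS_TXT, _budget=None):
    """SPF result for `ip` sending as `domain`:
    pass, fail, softfail, neutral, none or permerror."""
    if _budget is None:
        _budget = [MAX_DNS_MECHANISMS]
    record = get_spf_record(domain, table)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIER_RESULT[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            if addr in net:                  # False when IP versions differ
                return QUALIFIER_RESULT[qualifier]
            continue
        if name == "include":
            _budget[0] -= 1                  # every include costs one DNS lookup
            if _budget[0] < 0:
                return "permerror"
            inner = check_host(ip, value, table, _budget)
            if inner == "pass":
                return QUALIFIER_RESULT[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"           # RFC 7208: a bad include is fatal
            continue                         # fail/softfail/neutral: keep going
        return "permerror"                   # mechanism not supported by this toy
    return "neutral"                         # no "all" term: default result


if __name__ == "__main__":
    for ip, dom in [("203.0.113.5", "example.com"),
                    ("198.51.100.10", "example.com"),
                    ("192.0.2.1", "example.com"),
                    ("192.0.2.1", "loop.example")]:
        print(ip, dom, "->", check_host(ip, dom))
```

The example shows the two failure modes the article warns about: an address that is not in the list (or in any included list) is judged by the final `-all`, and a record that is structurally broken yields `permerror`, which most receivers treat as no usable SPF at all.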
However, SPF is not enough to secure your domain. I’ll explain to you the other two protocols to get the full picture of your Domain ID Card.
In simple words, what is DKIM?
Again, if I had to define DKIM in one sentence for you as its user, it would be the following:
DKIM is a digital signature.
Yes, it is a very short and simple sentence that hides a lot of technical details behind it. I’ll leave some of these technical details to another article. For this one, I’ll briefly explain the concept of DKIM, which stands for DomainKeys Identified Mail.
Back to the DKIM signature.
When you send an email, your sending server computes a cryptographic hash of your email message and headers and signs it with a special signature. This enables the recipient to check that your email message is authentic, was not altered in transit, and was sent by an authorized sender.
One way that scammers can use your identity is by changing your email message midway through the sending process. You can imagine how dangerous this is, as they can use the trust you built with your recipient to scam them. DKIM is an important step to protect you, your domain and your recipients.
To protect your domain, you need to declare that the sender using a specific signature is allowed to send emails from your domain. Or in other words, publish a DKIM record for every email sender using your domain. Otherwise, spam filters can mark emails with incorrect/unauthorized signatures as spam.
You can check if your DKIM record is correct using our DKIM checker.
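The following block, added here as an example rather than taken from the article or from any checker tool, shows the part of a DKIM check that catches the "message changed midway" case described above. The signer computes a SHA-256 hash of the canonicalized body and places it in the `bh=` tag of the DKIM-Signature header; the receiver recomputes that hash and compares. The message, domain and selector are constructed, and the `b=` tag is left empty because verifying the actual signature requires the public key from the `<selector>._domainkey.<domain>` DNS record, which is out of scope here.

```python
"""DKIM body-hash check with "relaxed" body canonicalization (RFC 6376 3.4.4).

Added example, not from the article. The signer side fills bh=, the verifier
side recomputes it. The b= signature (private-key part) is not covered.
"""
import base64
import hashlib
import re


def parse_dkim_tags(header_value):
    """Split "k=v; k2=v2" into a dict, dropping folding whitespace in values."""
    tags = {}
    for item in header_value.split(";"):
        if "=" in item:
            key, _, value = item.partition("=")
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def relaxed_body(body):
    """Relaxed canonicalization: collapse runs of spaces/tabs, strip trailing
    whitespace, drop trailing empty lines, end with exactly one CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body, length=None):
    """Base64 SHA-256 of the canonical body (optionally only the first l= bytes)."""
    canon = relaxed_body(body)
    if length is not None:
        canon = canon[:length]
    return base64.b64encode(hashlib.sha256(canon).digest()).decode("ascii")


def build_dkim_signature(domain, selector, body, signed_headers="from:to:subject:date"):
    """Signer side: DKIM-Signature value with bh= filled in (b= left empty)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
            f"h={signed_headers}; bh={body_hash(body)}; b=")


def body_hash_matches(dkim_signature, body):
    """Verifier side: does the received body still hash to the signed bh= value?"""
    tags = parse_dkim_tags(dkim_signature)
    if not tags.get("a", "").lower().endswith("-sha256"):
        return False                                   # toy: sha256 only
    # c= is "header/body"; a missing body part means "simple".
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if body_canon != "relaxed":
        return False                                   # toy: relaxed body only
    length = int(tags["l"]) if "l" in tags else None
    return body_hash(body, length) == tags.get("bh")


# Constructed message body as sent by the legitimate sender.
ORIGINAL_BODY = "Hi team,\r\n\r\nPlease  pay   invoice 42 for $100.\r\n\r\n\r\n"
# Same content, only whitespace differs (mail relays commonly do this).
REWRAPPED_BODY = "Hi team,\r\n\r\nPlease pay invoice 42 for $100.   \r\n"
# Content altered in transit.
TAMPERED_BODY = "Hi team,\r\n\r\nPlease pay invoice 42 for $1000.\r\n"

if __name__ == "__main__":
    sig = build_dkim_signature("example.com", "sel1", ORIGINAL_BODY)
    print(sig)
    print("original :", body_hash_matches(sig, ORIGINAL_BODY))
    print("rewrapped:", body_hash_matches(sig, REWRAPPED_BODY))
    print("tampered :", body_hash_matches(sig, TAMPERED_BODY))
```

Relaxed canonicalization is why harmless whitespace changes made by intermediate mail servers do not break the signature, while a change to the amount on the invoice does.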
Now, let's move to Domain-based Message Authentication, Reporting & Conformance, otherwise known as DMARC. It seems like a complicated abbreviation, but don't worry, I'll explain it in simple words.
In simple words, what is DMARC?
Again, if I had to define DMARC in one sentence for you as its user, it would be the following:
DMARC is your law text against unauthorized emails.
Now that you've defined who’s authorized to send emails from your domain, you’ll need to add an extra layer of security. DMARC is your way to tell recipients what to do with the unauthorized emails they receive.
In DMARC terms, this is called an authentication policy, and you have three policy choices: none, quarantine and reject.
- “None” means that you’re leaving the choice of what to do with the email to the server.
- “Quarantine” means that you’re requesting to mark the email as suspicious, which is equivalent to marking it as spam.
- “Reject” tells the server to bounce the email altogether; it won’t reach the mailbox at all.
You can simply check your DMARC setup by entering your domain name in our DMARC checker tool. Not only does it check your DMARC, but it gives you insights on how to fix it and make it better.
Bonus point: DMARC is also your way to receive DMARC reports about unauthorized email activity. This is interesting because you can keep an eye on bad actors trying to use your domain to send phishing emails. And, at the same time, if you forgot to authorize an email sender from your organization, you'll be notified.
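To show how a receiver turns the three policy choices and the reporting address into a decision, here is an added example written for this article (not code from the article or from any checker tool). It goes one step beyond the text: DMARC only counts an SPF or DKIM pass if the domain that passed "aligns" with the domain in the visible From header, either exactly (strict) or by sharing the same organizational domain (relaxed). The DMARC record, domains and results are constructed, and the organizational domain is approximated by the last two labels, where a real verifier would consult the Public Suffix List.

```python
"""DMARC policy lookup, identifier alignment and disposition.

Added example, not from the article. The _dmarc TXT record below is
constructed; org_domain() is a two-label approximation of the real
Public Suffix List logic.
"""

DNS_TXT = {
    "_dmarc.example.com": ("v=DMARC1; p=quarantine; sp=reject; adkim=r; aspf=s; "
                           "rua=mailto:dmarc-reports@example.com"),
}


def parse_dmarc(record):
    """Tag=value record into a dict; None if it is not a valid DMARC record."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, _, value = item.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return None
    return tags


def org_domain(domain):
    """Constructed approximation: keep the last two labels."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def lookup_policy(from_domain, table=DNS_TXT):
    """Return (tags, is_subdomain): try _dmarc.<from>, then _dmarc.<org domain>."""
    record = table.get(f"_dmarc.{from_domain}")
    if record and (tags := parse_dmarc(record)):
        return tags, False
    org = org_domain(from_domain)
    if org != from_domain:
        record = table.get(f"_dmarc.{org}")
        if record and (tags := parse_dmarc(record)):
            return tags, True
    return None, False


def aligned(auth_domain, from_domain, mode):
    """Strict ("s"): exact match. Relaxed ("r"): same organizational domain."""
    if not auth_domain:
        return False
    auth, frm = auth_domain.lower(), from_domain.lower()
    return auth == frm if mode == "s" else org_domain(auth) == org_domain(frm)


def evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, table=DNS_TXT):
    """DMARC verdict for one message plus the disposition the domain owner asked for."""
    tags, is_subdomain = lookup_policy(from_domain, table)
    if tags is None:
        return {"dmarc": "none", "disposition": "none"}
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "none"}
    # sp= applies to subdomains without their own record; otherwise p= applies.
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {"dmarc": "fail", "disposition": policy, "report_to": tags.get("rua")}


if __name__ == "__main__":
    # Legitimate mail: SPF passes on the exact From domain.
    print(evaluate("example.com", "pass", "example.com", "fail", None))
    # Provider bounces from its own domain (SPF not aligned) but signs with DKIM.
    print(evaluate("example.com", "pass", "mailprovider.example", "pass", "mail.example.com"))
    # Spoofed mail: neither check passes, so the owner's policy applies.
    print(evaluate("example.com", "fail", "attacker.example", "fail", None))
```

The `report_to` field is the `rua=` address from the record: receivers send their aggregate reports there, which is the "bonus point" above, and it is where a forgotten legitimate sender would show up as a stream of failures.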
That is all! There are other technical details about this protocol, but I won’t bore you with them here. The most important thing is setting DMARC alongside SPF and DKIM, so that you can become a legitimate sender and improve your sender reputation.