
SPF, DKIM, and DMARC – Definition and Purpose

SPF, DKIM, and DMARC are the email authentication standards behind email marketing deliverability, and together they are a robust way of proving that you are an authentic email sender. These records and keys help receiving email clients verify that you are who you say you are. They also let the various Email Service Providers understand the origin of the mail and eventually categorize it as worthy of the user's inbox.

What’s the purpose of SPF, DKIM, and DMARC?

In other words, DKIM, SPF, and DMARC authenticate your mail server and prove to ISPs, mail services, and other mail servers that the server is authorized to send the email. These anti-spam measures have become increasingly important and are among the mandatory checks made by Gmail (some of the subject-line-related checks can be found here). So, ensuring that all three checks have been properly configured is important for delivery and for maintaining a healthy Domain Authority.


What is SPF?

SPF stands for Sender Policy Framework. SPF is an email authentication technique against email spoofing. An SPF record in place prevents malicious users from using your domain to send unauthorized emails, which is what email spoofing means.

What is an SPF record?

An SPF record is a TXT record in your domain's DNS that lists all hostnames or IP addresses that are allowed to send email from your domain.

How to create an SPF record?

An SPF record is a simple string that a domain admin creates and adds to the domain’s DNS record as a TXT entry.

Here is the sample syntax for the record:

v=spf1 ip4:21.22.23.24 include:other-domain-that-can-also-send-email.com -all

There are 4 different aspects to this syntax:

1. v=spf1: Indicates the version of SPF in use. The record always begins with this tag.

2. ip4:21.22.23.24: IP address of an authorized email server. If you have multiple IPs, list all of them separated by spaces (ip4:21.22.23.24 ip4:13.14.15.16).

3. include:other-domain-that-can-also-send-email.com: Domain name of an authorized secondary domain that may send email on behalf of the primary domain.

4. all: This is an important component of SPF which tells the receiving server how to react if it receives an email from a server that is not listed in the SPF record. It takes one of the following qualifiers:

  • -all: Servers that aren't listed aren't authorized to send email from the domain, and the email should be rejected by the receiving server.
  • ~all: Even though the server is not mentioned in the record, the email shouldn't be flat out rejected, but marked as possible spam.
  • +all: Even if the sending server is not listed in the record, it is still authorized to send email.
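To make the qualifier semantics concrete, here is an added example (not from the original post) of a minimal SPF evaluator in Python. It resolves include: against a constructed in-memory table instead of live DNS, and the names check_spf and DNS_TXT are my own.

```python
import ipaddress

# Constructed in-memory DNS TXT data standing in for real lookups, so the
# example runs offline. The records use the syntax explained above; the
# addresses are made up.
DNS_TXT = {
    "example.com": "v=spf1 ip4:21.22.23.24 "
                   "include:other-domain-that-can-also-send-email.com -all",
    "other-domain-that-can-also-send-email.com": "v=spf1 ip4:13.14.15.0/24 ~all",
}

# Qualifier prefixes and the SPF result each one yields when a term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record for the connecting sender_ip.

    Handles the ip4, ip6, include and all mechanisms covered in the text.
    Any other mechanism (a, mx, ...) returns 'permerror' rather than being
    silently accepted. Returns 'none' when the domain publishes no record.
    """
    if depth > 10:                     # RFC 7208 limits include recursion
        return "permerror"
    record = DNS_TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:    # skip the v=spf1 version tag
        qualifier = "+"                # an unqualified term means '+'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the referenced record yields 'pass'
            if check_spf(value, sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"
    return "neutral"                   # no term matched and no 'all' given
```

Swapping the trailing -all for ~all in DNS_TXT changes the unlisted-sender result from fail to softfail, which is exactly the difference the qualifiers above describe.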

What is DKIM?

DKIM stands for DomainKeys Identified Mail, also known as email signing. DKIM ensures that the content of your emails remains trusted and hasn't been tampered with or compromised. In other words, DKIM's primary purpose is to prove that the content of the email hasn't been tampered with, that the signed headers of the message haven't been changed, and that the sender of the email actually is the owner of the domain.

Similar to SPF, DKIM is also a TXT record that is added to a domain's DNS. DKIM, however, uses public-key cryptography to create a public and a private key, and this key pair handles the trust. The private key remains on the mail server and signs outgoing messages; the public key is published in the DNS TXT record so receivers can verify the signature.

How to create a DKIM record?

Normally, the mail server itself provides the tool required to generate the key pair and the record on the server.

For instance, this is how a sample record looks:

1B8U3CAB93D68YR._domainKey.yourdomain.com; p=NJIfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU

There are 3 main parts in the above record:

Selector (s) -> 1B8U3CAB93D68YR -> The record name used with the domain.

Domain (d) -> domainKey.yourdomain.com -> Sender's domain name.

Public key (p) -> p=NJIfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC1TaNgLlSyQMNWVLNLvyY/neDgaL2oqQE8T5illKqCgDtFHc8eHVAU -> Public key published to the DNS.

How to check if a sender has DKIM set?

Once you receive an email, open the email details and check the signature section. For instance, this is an email from Paytm.

DKIM Signature in email

In the above picture, the signed-by field shows the domain that signed the message, which confirms that the domain has a DKIM record in place.


What is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. DMARC ties together SPF and DKIM with a consistent set of policies. In other words, it acts as a backstop that determines what happens when the other two checks fail.

DMARC has the following purposes:

  • Verify that SPF and DKIM are both protecting the sender's email
  • Tell the receiving server what to do if neither SPF nor DKIM authentication passes
  • Report back to the sender about messages that pass or fail the evaluation

How to create a DMARC record?

There are various tools available to create a DMARC record, such as MxToolbox, DMARC Analyzer, Dmarcian and more.

For instance, here is how a DMARC record looks:

v=DMARC1; p=none; rua=mailto:fbl@smartertools.com; fo=1

There are various components to it; however, only two are mandatory:

  • v=DMARC1 -> The version tag, indicating which version of DMARC is in place.
  • p=none -> The policy tag that tells the receiving server which policy to apply to a message that fails the DMARC check. Its options are none, quarantine or reject.

The other tags in the record (rua and fo) are optional.
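An added example (not from the original post) that ties the DKIM check and the DMARC policy together: it parses a DKIM-Signature header into the DNS name a verifier would query for the public key, then applies a DMARC record to the SPF and DKIM results using DMARC's alignment rules. The function names are my own, and the organizational-domain rule is a deliberate simplification.

```python
import re

def parse_tags(value):
    """Split a 'tag=value; tag=value' string (a DKIM-Signature header or a
    DMARC TXT record) into a dict, dropping folded whitespace in values."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_dns_name(dkim_signature_header):
    """Return (TXT name a verifier queries, signing domain) for a signature:
    the name is <selector>._domainkey.<domain>, from the s= and d= tags."""
    tags = parse_tags(dkim_signature_header)
    return f"{tags['s']}._domainkey.{tags['d']}", tags["d"]

def org_domain(domain):
    # Simplification for this example: take the last two labels. Real
    # verifiers consult the Public Suffix List so that e.g. co.uk works.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r', the default) only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain):
    """Apply a DMARC record: 'pass' if an aligned SPF or an aligned DKIM
    check passed, otherwise the p= policy (none, quarantine or reject)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none"                       # not a usable record: no policy
    spf_ok = spf_result == "pass" and aligned(
        spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(
        dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags["p"]

# Constructed sample inputs (not from a real message); the selector and
# DMARC record reuse the values shown in the text above.
DKIM_HEADER = ("v=1; a=rsa-sha256; d=yourdomain.com; s=1B8U3CAB93D68YR;\r\n"
               "\th=from:to:subject; bh=dGVzdA==; b=c2lnbmF0dXJl")
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:fbl@smartertools.com; fo=1"
```

With p=none a failing message still yields "none", so nothing is blocked; changing the record to p=quarantine or p=reject is what turns a failure into an enforced disposition.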
