Email Authentication: SPF, DKIM, and DMARC Explained

Did a friend tell you that email you sent them from your domain is getting flagged as spam? For example, they may have gotten a notice from Gmail that looks as follows:

Be Careful With This Message (Authentication Alert)

Gmail could not verify that it actually came from [domain redacted].com. Avoid clicking links, downloading attachments, or replying with personal information.

What your email provider may not have explained to you is the importance of email authentication (setting up your sending email server so it can prove that emails sent from your domain actually come from your domain).

What Are SPF, DKIM, And DMARC?

There are authentication protocols that can help verify the identity of the email sender. Which of these do you really need? As far as our experts are concerned:

  1. SPF is a must
  2. DKIM will fix the authentication alert above
  3. DMARC is only required sometimes

SPF

SPF, or Sender Policy Framework, is an email authentication method designed to detect forged sender addresses during the delivery of an email. We recommend combining SPF with DKIM and DMARC because SPF on its own is limited to detecting a forged sender claim in the envelope of the email (the address used when the mail gets bounced).

DKIM

DKIM, or DomainKeys Identified Mail, is used to detect forged sender addresses in email (think phishing and email spam). DKIM allows the receiver to check that an email claimed to have come from a specific domain was authorized by the owner of that domain.

DMARC

DMARC, or Domain-based Message Authentication, Reporting & Conformance, is used to give email domain owners the ability to protect their domain from unauthorized use (think spoofing – i.e. making it look like an email came from a particular domain when actually it was sent from elsewhere).

How To Set Up SPF

You’ll want to add the following TXT DNS record to your email hosting provider (the provider hosting the domain name you use to send email from):

  • Type: TXT
  • Hostname: @
  • Value: v=spf1 include:example.com ~all (where example.com is your email domain). You can change the ~all value as follows to enforce SPF failures:
    • ~all: results in a soft fail (Not authorized, but not explicitly unauthorized – the one used in our example)
    • -all: results in a hard fail (Unauthorized)
    • ?all: neutral (As if there is no policy at all)
  • If you have more than one domain you send mails from (example2.com), you can add them with the include statement in the TXT value field:
    • v=spf1 include:emailsrvr.com include:example2.com ~all

Save your record and verify with your mail provider that it has taken hold.
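
To check a record like the ones above before relying on it, the following added example (not part of the original article) lints the TXT strings published at a hostname. It goes slightly beyond the text by flagging two mistakes defined in the SPF specification (RFC 7208): publishing more than one v=spf1 record, and placing mechanisms after all. The function name and the sample records are constructed for illustration.

```python
# Added example: SPF record linter. Function name and samples are illustrative.
# RFC 7208 result names; the article calls "softfail" a soft fail
# and "fail" a hard fail.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lint_spf(txt_values):
    """Lint the TXT strings published at one hostname.

    Returns (all_result, includes, problems).
    """
    records = [v for v in txt_values if v.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return None, [], ["no v=spf1 record published"]
    if len(records) > 1:
        # Two SPF records do not merge; evaluation ends in permerror.
        return None, [], ["more than one v=spf1 record: result is permerror"]
    terms = records[0].split()[1:]
    all_result, includes, problems = None, [], []
    for pos, term in enumerate(terms):
        qualifier, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech = mech.lower()
        if mech == "all":
            all_result = QUALIFIERS[qualifier]
            # Modifiers (name=value) may follow 'all'; mechanisms may not.
            if any("=" not in t for t in terms[pos + 1:]):
                problems.append("mechanisms after 'all' are never evaluated")
            break
        if mech.startswith("include:"):
            includes.append(mech[len("include:"):])
    has_redirect = any(t.lower().startswith("redirect=") for t in terms)
    if all_result is None and not has_redirect:
        problems.append("no 'all' and no redirect: unmatched senders get neutral")
    elif all_result in ("pass", "neutral"):
        problems.append(f"'all' gives {all_result}: record does not restrict senders")
    return all_result, includes, problems


# Constructed sample TXT sets, as a DNS lookup of the domain would return them.
SAMPLES = {
    "article": ["v=spf1 include:emailsrvr.com include:example2.com ~all"],
    "split": ["v=spf1 include:emailsrvr.com ~all", "v=spf1 include:example2.com ~all"],
    "neutral": ["site-verification=constructed", "v=spf1 include:example.com ?all"],
}

if __name__ == "__main__":
    for name, txt in SAMPLES.items():
        print(name, lint_spf(txt))
```

The "split" sample shows why a second sending domain belongs in the same TXT value as another include rather than in a second SPF record.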

How To Set Up DKIM

Check with your mail hosting provider for a TXT DNS record to add (just like you did above) to enable DKIM. This will include a key for the hostname and a record for the value. For example:

  • Type: TXT
  • Hostname: 12345._domainkey
  • Value: v=DKIM1; k=rsa; p=1Cnao7#fn5WqGEUtSX (this will typically be a much longer string of randomly generated characters)

How To Set Up DMARC

First, you can check to see if your email domain has an existing DMARC record with this DMARC checker. You can start the setup of your DMARC records by registering on dmarcian.

DMARC Tags

Once your DMARC record is set up, you can handle suspicious emails with the following tag values (you’ll need to change these from the default ‘p’ value):

  • Tag: v
    • Value: DMARC1
    • Translation: The DMARC version should always be “DMARC1”. Note: A wrong, or absent DMARC version tag would cause the entire record to be ignored
  • Tag: p (default)
    • Value: none
    • Translation: Policy applied to emails that fail the DMARC check. Authorized values: “none”, “quarantine”, or “reject”. “none” is used to collect feedback and gain visibility into email streams without impacting existing flows. “quarantine” allows Mail Receivers to treat email that fails the DMARC check as suspicious. Most of the time, these emails will end up in the recipient’s spam folder. “reject” outright rejects all emails that fail the DMARC check.
  • Tag: rua
    • Value: mailto:name@example.com
    • Translation: The list of URIs for receivers to send XML feedback to. Note: This is not a list of email addresses, as DMARC requires a list of URIs of the form “mailto:name@example.com”.
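
The three tags above can be checked mechanically before a record is published. The following added example (not from the original article) parses a DMARC TXT value and reports the problems the tag descriptions warn about. The function name and sample records are constructed, and the rule that v must be the first tag comes from the DMARC specification (RFC 7489).

```python
# Added example: DMARC record checker. Names and samples are illustrative.
POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(value):
    """Parse one DMARC TXT value. Returns (tags, problems)."""
    pairs = [p.strip() for p in value.split(";") if p.strip()]
    tags, problems = {}, []
    for pair in pairs:
        name, sep, val = pair.partition("=")
        if not sep:
            problems.append(f"malformed tag: {pair!r}")
            continue
        tags[name.strip().lower()] = val.strip()
    # The version tag is case-sensitive and must come first (RFC 7489).
    first = pairs[0].replace(" ", "") if pairs else ""
    if first != "v=DMARC1":
        return tags, ["v=DMARC1 must be the first tag: record is ignored"]
    policy = tags.get("p", "").lower()
    if policy not in POLICIES:
        problems.append(f"p must be one of {POLICIES}, got {policy!r}")
    elif policy == "none":
        problems.append("p=none only monitors: failing mail is still delivered")
    rua = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    for uri in rua:
        if not uri.lower().startswith("mailto:"):
            problems.append(f"rua entry {uri!r} is not a mailto: URI")
    if not rua:
        problems.append("no rua: no aggregate reports will be sent")
    return tags, problems


# Constructed sample records.
DMARC_SAMPLES = {
    "monitoring": "v=DMARC1; p=none; rua=mailto:name@example.com",
    "wrong order": "p=reject; v=DMARC1",
    "bare address": "v=DMARC1; p=reject; rua=name@example.com",
    "enforcing": "v=DMARC1; p=quarantine; rua=mailto:a@example.com,mailto:b@example.com",
}

if __name__ == "__main__":
    for name, record in DMARC_SAMPLES.items():
        print(name, parse_dmarc(record)[1])
```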

Voila, there you have it! If you set up at least an SPF record on your email domain, you should now be well on your way to avoiding getting flagged as a spammer. Speaking of which, email authentication may help prevent others from using your email domain to send spam, but it will not prevent you from receiving spam. Don’t worry, we’ve got a solution for that as well.

Stop Spam For Good

Our experts review the best spam blockers with pros, cons, compatibilities, and more.

About The Author:

Alex has been involved on the business side of the internet since the early 2000's. He holds both a Management Science degree from the University of California at San Diego as well as a Computer Science degree from NJIT.

We Rock Your Web had its roots back in 2004 as the tech blog for a web design and development company Alex founded that has grown and evolved into the parent company of We Rock Your Web.

While his foundation is rooted in web development, his expertise today lies in content and digital marketing, SEO, organic and paid search, analytics, and publishing. Alex is an avid tennis player, nature enthusiast, and hiker, and enjoys spending time with his wife, friends, and dogs.
