Learn how SPF, DKIM, and DMARC email authentication management protocols can help fortify your email processes for security and deliverability.
- Outreach Users
SPF (Sender Policy Framework)
What is SPF?
SPF (Sender Policy Framework) records give a mail server information about where an email should be coming from, to prevent spoofing. When an email is received, the IP address of the sending mail server is embedded in the message, much like a postmark on an envelope contains the city it was sent from. An SPF record lists the IP address or IP range that the legitimate email server uses; if a message comes from somewhere that isn’t listed in the SPF record, the receiving server can assume it was spoofed or otherwise illegitimate and reject it as spam.
Do I have an SPF record for my email address?
You can find out if this is already set up by asking your domain or mail administrator, but you can also do a quick check yourself to see if this record already exists. To do so, you can do a search for TXT records here: https://toolbox.googleapps.com/apps/dig/#TXT/
Enter just the domain from your email address in the box on this page. For example, if your email address is firstname.lastname@example.org, you would enter just example.org in this box. You’ll get a result that looks like this:
The SPF record (if you have one) is the record that begins with “v=spf1”. However, you won’t know if this record is correct for your domain without checking with your email provider. If you send mail from many different sources, this record could be quite complex, but the major email providers provide some information about the correct records for their services.
- Review the right records for Gmail here: https://support.google.com/a/answer/178723?hl=en&ref_topic=2759192
- Review the right records for Office 365 here: https://technet.microsoft.com/en-us/library/dn789058(v=exchg.150).aspx
Having the wrong record can be worse than no record at all, so be sure that this has been updated if you’ve recently changed email providers.
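The checks described above can also be automated. The following Python sketch is an added example, not part of the original article or any provider's tooling: it takes the TXT strings returned by a lookup, finds the SPF record, and flags common mistakes. The function name, the report fields, and the sample records are assumptions made for illustration.

```python
import re

# Terms that each cost one DNS lookup; RFC 7208 caps the total at 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(txt_records):
    """Find the SPF record among a domain's TXT strings and list its problems."""
    report = {"record": None, "all": None, "lookups": 0, "problems": []}
    # An SPF record is a TXT record whose first term is exactly "v=spf1".
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        report["problems"].append("no SPF record published")
        return report
    if len(spf) > 1:
        # Receivers treat several v=spf1 records as a permanent error.
        report["problems"].append("multiple SPF records published")
        return report
    report["record"] = spf[0]
    has_redirect = False
    for term in spf[0].lower().split()[1:]:
        m = re.match(r"([+\-~?]?)([a-z0-9]+)", term)
        if not m:
            report["problems"].append("unparseable term: " + term)
            continue
        # A mechanism without a qualifier defaults to "+" (pass).
        qualifier, name = m.group(1) or "+", m.group(2)
        if name in LOOKUP_TERMS:
            report["lookups"] += 1
        if name == "redirect":
            has_redirect = True
        if name == "all":
            report["all"] = qualifier
    if report["all"] == "+":
        report["problems"].append("'+all' authorizes any server to send as this domain")
    elif report["all"] is None and not has_redirect:
        report["problems"].append("no 'all' mechanism: unlisted senders get a neutral result")
    if report["lookups"] > 10:
        report["problems"].append("more than 10 DNS lookups: receivers return a permanent error")
    return report

# Constructed sample TXT answers for example.org (not real lookup output).
SAMPLE_TXT = [
    "site-verification=constructed-sample-value",
    "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
]

if __name__ == "__main__":
    print(check_spf(SAMPLE_TXT))
```

An empty problem list only means the record is well-formed; whether it lists the right servers still has to be confirmed with your email provider.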
Help! My SPF record is incorrect or missing! How do I fix it?
If your SPF record is incorrect or missing, you’ll need to update this in your domain’s DNS records. To do this, you’ll need to check with your domain’s DNS provider, which is most often the registrar where you purchased the domain. Each provider will have different ways of entering this information, but they can all help in adding a TXT record to your domain containing the correct information. Once you’ve added or edited the record, it can sometimes take a few hours for the new record to propagate fully and be available to all mail servers. Your DNS provider can give you more information about this.
DKIM (DomainKeys Identified Mail)
What is DKIM?
DKIM (DomainKeys Identified Mail) uses public key cryptography to digitally sign all or part of your email. Your mail server uses a private key to sign the message, and receiving email servers can get the corresponding public key to verify that signature, ensuring that your email is genuinely sent from your domain and hasn’t been altered. This will contribute positively toward your anti-spam score for mail providers that use this.
Am I already using DKIM?
This is harder to check, as you would need to know the selector for your DKIM key and this could be anything chosen by your mail administrator. If you have access to your domain’s DNS records, you can see if you are already using DKIM by looking for a record that looks like:
selector._domainkey 3600 IN TXT "v=DKIM1; k=rsa; p=[lots of random looking symbols]"
In the above, selector is the string chosen by your mail administrator to correspond with the DKIM policy activated by your mail service. If you are already using DKIM, it’s very important not to change any part of this record, as it needs to correctly correspond to your current mail policy.
How do I start using DKIM?
Much more so than SPF, this requires cooperation from your email provider, so the records and changes you might need to make will be specific to your provider.
- Review the instructions for Gmail here: https://support.google.com/a/answer/174124?hl=en&ref_topic=2752442
- Review instructions for Office 365 here: https://technet.microsoft.com/en-us/library/mt695945(v=exchg.150).aspx
If you’re using another provider, you’ll need to work with your mail administrator in generating the keys and implementing the correct policy for DKIM for your service, in addition to providing the public key through adding a DNS record. Note that incomplete or incorrect records can render your email undeliverable to your recipients, so be sure to follow instructions carefully!
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
What is DMARC?
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email protocol that uses SPF and DKIM checks to determine whether a message's claimed sender is legitimate. DMARC then provides options to quarantine, reject, or allow such messages, acting as an inbox gatekeeper to prevent phishing and malware attacks.
How do I start using DMARC?
Setting up DMARC is straightforward, involving just one DNS change to establish a DMARC (TXT) record, which instructs email systems on how to handle messages from a specific domain. To start using DMARC, work with your hosting company to publish a DMARC DNS record.
When a message arrives claiming to be from your domain, whether it is genuine or potentially spoofed, the recipient's server checks for your DMARC record. It then conducts DKIM and SPF authentication tests to verify the sender's identity. Based on the results, your DMARC policy dictates whether to quarantine, reject, or take no action on the message. The receiving server also generates DMARC Aggregate Reports and sends them to the email addresses specified in your DMARC record, giving you insight into message outcomes. In essence, DMARC aligns with SPF and DKIM to authenticate messages and determine their handling.
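The decision a receiving server makes can be sketched in a few lines of Python. This is an added example, not part of the original article and not any mail server's actual code: the function names, the sample record, and the domains are constructed. It assumes the SPF and DKIM checks have already been run, treats relaxed alignment as a simple parent/subdomain match, and ignores the optional pct and sp tags.

```python
def parse_dmarc(record):
    """Return the record's tags as a dict, or None if it is not a DMARC policy."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None  # the version tag must come first
    tags = dict(p.split("=", 1) for p in parts if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in tags.items()}
    return tags if tags.get("p", "").lower() in ("none", "quarantine", "reject") else None

def aligned(auth_domain, from_domain, mode):
    """Strict ("s") needs an exact match; relaxed ("r") accepts a parent or subdomain."""
    a, f = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    # Simplification: real receivers compare organizational domains using the
    # Public Suffix List; this stand-in only handles parent/subdomain pairs.
    return a == f or a.endswith("." + f) or f.endswith("." + a)

def dmarc_disposition(record, from_domain, spf, dkim):
    """spf and dkim are (passed, authenticated_domain) pairs from the receiver's checks."""
    tags = parse_dmarc(record)
    if tags is None:
        return "no-policy"
    # A check only counts toward DMARC if it passed AND its domain aligns
    # with the domain in the visible From address.
    spf_ok = spf[0] and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"].lower()

# Constructed sample policy for example.org: quarantine failures, strict DKIM alignment.
RECORD = "v=DMARC1; p=quarantine; adkim=s; rua=mailto:dmarc-reports@example.org"

if __name__ == "__main__":
    # SPF passed for a subdomain of the From domain: aligned, so DMARC passes.
    print(dmarc_disposition(RECORD, "example.org", (True, "bounce.example.org"), (False, None)))
    # SPF passed, but for an unrelated domain: not aligned, so the policy applies.
    print(dmarc_disposition(RECORD, "example.org", (True, "mailer.example.net"), (False, None)))
```

The second call shows why alignment matters: an SPF pass for some other domain does not authenticate a message that displays your domain in its From address.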
If I use SPF, DKIM, and DMARC, am I guaranteed not to get flagged for spam?
Not at all. There is no guarantee that you won’t be marked as spam by a receiving mail provider’s spam filter. These filters are dynamic and incorporate a variety of factors, including SPF and DKIM verification, an analysis of your message content, the reputation of your domain, and even the behavior of other users on the receiving domain.
With that said, SPF, DKIM, and DMARC are a significant part of this filtering that is completely under your control, and using these technologies properly will give your messages the best chance of reaching their intended recipients.
If you’re looking for a good way of testing your overall spam score (which will include many of these elements), you can try a service like https://www.mail-tester.com/ to get a good baseline.