Email Authentication 101: DKIM, SPF, DMARC Explained

Building a brand that prioritizes security and trust with its customers is a straightforward way to build a loyal client base. Email authentication is the best way to build a trustworthy brand reputation and ensure all your messages are delivered correctly to your clients.

Email security professionals have used DKIM, SPF, and DMARC for decades to build trust with customers and diminish the potential for cyberattacks. This has been widely successful among many brands and agencies for building their reputation.

This guide will take you through the basics of three of the most popular systems for creating secure, trustworthy emails that always get delivered straight to your client’s inbox.

Understanding the Basics of Email Authentication

representation of email phishing

In 2018, the Department of Homeland Security ordered all agencies to implement email security strategies to ensure their data was protected. This order was followed by similar directives in Australia and the UK. Basic email authentication is becoming more and more essential for brands to be considered secure.

Email authentication works by layering different forms of verification and strategy to ensure that each email is sent from an authorized source. This is done to prevent email spoofing, where a malicious user impersonates a trusted email domain to scam customers. If your email is vulnerable, a cyberattack like this can happen, creating victims and ruining your brand’s reputation.

The protocols used in email authentication include SPF and DKIM which both operate to verify that an email comes from a verified sender. Email authentication also involves DMARC, a strategy that determines what to do with emails that pass or fail DKIM or SPF verifications.

The overlap of these three systems creates a stable and secure lattice that defends your domain and ensures trust in your brand. Learning these protocols is essential to learn email marketing and ensure that every message you send to the client reaches them correctly.

Key Email Authentication Techniques

SPF (Sender Policy Framework)

SPF prevents email spoofing by verifying the IP address you are sending your emails from. This prevents the use of attackers from impersonating your domain and scamming your clients. SPF does this by using a whitelist of verified IP addresses and checking this against the address of the sender.

SPF creates more secure emails by utilizing a limited set of authenticated sources to discover insecurities from. It is difficult for a malicious user to add their address to your whitelist or otherwise spoof your email domain.

DKIM (DomainKeys Identified Mail)

DKIM is an email security protocol that works in a very similar way to SPF. Instead of using a whitelisted list of servers to verify emails through, DKIM gives each email a signature that establishes its unique connection to the domain. This is then verified by incoming and outgoing servers to be labeled as either trustworthy or insecure.

DKIM enhances email security by providing another way for servers to verify that emails are coming from safe and trusted sources. This prevents impersonation of your company’s email domain which could be used for phishing attempts or any other form of malicious scamming.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC is a strategy for email security that builds off of DKIM and SPF protocols. DMARC tells the email server what to do with emails authenticated or by SPF or DKIM, choosing to either send unverified emails to spam or reject sending them altogether. DMARC also helps internet service providers detect false positives in the verification process, improving the security of the overall system.

Although DMARC is not required, it is highly recommended as it provides a framework for how to handle your email security strategy. SPF and SKIM alone cannot automate what to do with each email they reject or verify. Only DMARC can ensure that each insecure email is prevented from reaching your customers. Fortunately, it is easy to set up and usually works seamlessly with the other email security protocols.

Step-by-Step Guide to Implement Email Authentication

representation of email authentication

Configuring SPF Records

Setting up SPF is simple when you know the correct steps. Configuring SPF records involves creating a whitelist of verified senders who are allowed to use your domain to send emails. The domain administrator must implement this list into their DNS records.

An example of this record looks like this:

“v=spf1 ip4:182.155.0.1 -all”

This record works by identifying an IP address that is verified to send emails from and rejecting every email that attempts to use the domain while not coming from this IP address. There are various modifiers you can use to adjust your records, with common additions “a” and “mx” used to verify domain names that have an address or MX record.

Setting Up DKIM

DKIM is just as easy to set up for your emails. Generating and implementing DKIM keys is the first step to setting up DKIM. First, you need to retrieve a key pair. This will be used to ensure that no one can copy your email signature. One public key will be added to DNS records and one private key will be kept safe and secure on the email service provider server. These keys will work together to authenticate and verify emails.

The email provider you utilize will determine how you can access these keys. Usually, this involves requesting DKIM keys in your account settings or contacting your provider directly to access these. Remember to choose an email service provider that explicitly supports DKIM security – not all do.

Once you have your keys, you can publish your public key on the DNS server utilizing DNS TXT records. You must follow the following format: “[selector]._domainkey.[domain]”.

The selector will be your public key, while the domain will be your identifying email name. Once you save your entry, these changes may take a couple of days to implement, so do not panic if DKIM does not start working right away.

Implementing DMARC Policies

Crafting and deploying DMARC records is simple when adhering to the following instructions. The first step you need to take when creating your DMARC policy is to decide the level of enforcement you want to deploy on emails that fail verification.

A sample DMARC record will look something like this :

v=DMARC1; p=quarantine; rua=unspam:email@security.com;

You have the option to change the “p=“ tag to determine your level of enforcement. “P=none” would send you a record of the failed verification but still send the email. “P=quarantine” would still send the email as well, but would mark it as spam so the recipient would need to look in their spam folder to find it. The harshest level of enforcement, “p=reject”, automatically refuses to send the email if it fails DMARC or SPF authentication processes.

The first tag “v=DMARC1” always stays the same and the last tag “rua=“ simply describes the email address that you would like your DMARC report sent to.

Once this is all setup, your system is in place to reject or divert emails that fail DKIM or SPF verification. You will also receive regular updates on whether your emails are rejected or not, allowing you to take action if suspicious activity appears or to improve your email security if your emails are frequently rejected.

Additional Email Authentication Measures

BIMI (Brand Indicators for Message Identification)

BIMI is an email standard that adds your brand’s logo to emails that you send from your domain. This improves your brand’s visibility and security by creating a recognizable image for your clients to associate your brand with. Unlike DKIM, SPF, and DMARC, BIMI is something that your customers will notice in their inboxes.

Email service providers like Google and Yahoo are actively encouraging their users to implement the BIMI standard by only allowing a brand to use it when they have every other email protocol in place. This means that clients will instantly trust BIMI emails.

Monitoring and Troubleshooting Email Authentication

There are dozens of tools out there designed to help you monitor your email security strategy and make changes as necessary. MXalerts and SolarWinds are two examples of software that give you server performance data, email issue troubleshooting, and spam detection to ensure that all of your emails land safely in your customer’s inbox. Without using any programs, your DMARC reports and your email service provider should give you enough information on their own to monitor your email security.

A few common issues with email security are insecure passwords and using public wi-fi. These are risks that cannot be solved by practices like DKIM, SPF, or DMARC because they are insecurities outside of the email server.

Best Practices for Email Authentication

Unspam email test

Cyberattack strategies are constantly innovating and changing to attack well-known systems like DKIM, SPF, and DMARC. This means you have to stay vigilant and constantly maintain your systems through testing to ensure you have the most secure emails possible.

With DKIM, it is important to regularly rotate your pair keys to ensure that cyber attackers cannot take advantage of stagnant keys. Regular changing means that your system is constantly updating itself and is one step ahead of any malicious attack.

With SPF, it is necessary to regularly check your whitelist to ensure that only your verified senders can utilize your email domain. Additionally, make sure that none of your senders share an IP address with someone untrusted.

You can test both your SPF and DKIM protocols by sending yourself decoy emails. The exact method will vary depending on your email provider. For example, on Google, once you send an email to your decoy account, you can check the details of the opened message. If your security protocols worked, the email should read “mailed-by: your domain” and “signed-by: your domain”.

Within your DMARC strategy, it is recommended to detail your protocols to exactly what your brand needs. For example, not all companies need to reject every single unverifiable email, while for others this is necessary. Make sure you are using the strategy that is right for you, not just the one that seems the most “secure”.

If you want a quick and reliable way to check whether your emails go to spam, use our email spam test tool.

Final Thoughts

For a successful email authentication strategy, it is essential to use all three protocols laid out in this guide: SPF, DKIM, and DMARC. While one protocol may be enough to gain initial trust amongst your customers, it only takes one insecure facet of your emails for a lethal cyberattack that destroys your brand’s entire reputation.

Follow the steps in this guide. You can easily create an email security system that effectively reduces your risk of attack and increases the loyalty of your customers as they increasingly trust your brand.

If you’re still struggling with the best way to implement SPF, DKIM, and DMARC protocols, it may be time to consult an email deliverability consultant.

Avatar photo
Andrian Valeanu

Andrian Valeanu is a highly respected and recognized expert in email marketing and deliverability with over 20 years of experience in the industry. As the founder of Designmodo, a leading company in email building, Andrian has established a solid reputation for his expertise and guidance, catering to businesses of all sizes.