Setting Up SPF, DKIM, and DMARC Records

Shawn Elledge
Guide to setting up SPF, DKIM and DMARC records for improved deliverability

Email is a critical communication tool for businesses, but it is also a prime target for cyber attacks. According to the Verizon Data Breach Investigations Report, 94% of malware is delivered via email. This makes email security a top priority for any organization.

Setting up SPF, DKIM and DMARC properly is also important for ensuring your emails are delivered to the inbox rather than landing in the spam folder or going missing completely.

In fact, Google and Yahoo have announced they will start to enforce stricter email compliance in 2024 and block any emails going to their customers without proper authentication.

This detailed article covers the best strategies for establishing proper SPF, DKIM, and DMARC records. This will help safeguard your email interactions, defend your business from digital dangers, and improve your email deliverability.

What is SPF?

SPF stands for Sender Policy Framework. It allows you to publish a list of IP addresses authorized to send emails on your behalf.

How Does SPF Work?

When an email is sent, the recipient’s mail server checks for a published SPF record. The SPF record is a TXT record you add to your domain’s DNS. If the recipient’s mail server finds a valid SPF record that authorizes the sending server, your email will be marked as “PASS.” If the check fails, the email can end up in the recipient’s spam folder.

The Benefits of SPF

  • SPF authenticates the email and allows malicious sources to be identified as spam quickly.
  • The email will be secure and trustworthy.
  • An SPF can improve your email’s reputation.

When SPF is used alone, without DKIM and DMARC records, there are some limitations. That’s why it is best to add all three DNS records, i.e., SPF, DKIM, and DMARC records, to your domain.

Advantages and Disadvantages of SPF

  • If someone else forwards your email, the forwarding server will not appear in your SPF record. This can lead to the message being mistakenly identified as spam.
  • SPF authentication is performed on the Return-Path/MAIL FROM domain, not on the From address the recipient sees. An attacker can use their own domain as the Return-Path while displaying a completely different sender. An average user wouldn’t bother to check the Return-Path/MAIL FROM, opening themselves up to a phishing attack.
  • Domain owners often have third-party email vendors send emails on their behalf. So, if you use an SMTP service like Mailgun, Sparkpost, or Sendgrid, you will have to make sure to include those providers in your SPF record. Each provider’s SPF record lists the IP addresses associated with that provider.

    SPF records must be updated every time there is a new IP address or when a third-party vendor changes. This can make maintaining the records a bit of a chore.
  • Each SPF record allows ten DNS lookups. If you exceed this limit, the receiving servers will not accept SPF authentication. New tools, like AutoSpft.com, allow you to simplify and optimize your SPF records to stay below the 10-lookup limit. They call this SPF record flattening.
  • SPF/DKIM is used in several internal filtering algorithms that are part of mailbox providers. They use these protocols to determine whether or not an email should go to the spam folder or the inbox or be rejected. SPF, however, does not let domain owners instruct mailbox providers on how to handle a message in the event that authentication checks are not valid.

SPF has limited ability to stop domain fraud on its own. SPF implementation alone will not protect you against email fraud. It can be combined with DKIM/DMARC to offer strong anti-spoofing protection.

Example SPF Record

Below is an example of an SPF record Google automatically adds for anyone who purchases a Workspace account (formerly G-Suite).



You will notice Google creates both an SPF record and a TXT record. Some Domain providers don’t have the option to add a specific SPF record so in those cases just add a TXT record and you will be ok.

This SPF record basically tells the recipient’s mail server that Google is authorized to send email on behalf of this domain, Prophetemail.com.

SPF Records When Using Multiple Email Providers

Since you are only allowed to have one SPF record per domain, if you are using any additional email platforms to send email on your behalf, you will have to include that provider in your SPF record. So maybe you have some people using Google and others using Microsoft Office 365.

See the additional include added to this SPF record below.

“v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all”

SPF Records When Using SMTP Providers

A lot of companies will set up subdomains and use a third-party SMTP provider to email out of those subdomains. So instead of sending your marketing emails out of the same email server and domain as your main domain, you can create a subdomain like info.yourdomain.com and connect that subdomain to an SMTP provider like Sparkpost.

You could also create another subdomain like sales.yourdomain.com and use another SMTP provider like Mailgun. That way your outbound marketing emails and sales emails don’t impact the email reputation of your main domain.

You will need to follow the instructions from your SMTP provider for creating and connecting your subdomain to their email service and you will need to add those SMTP providers to your SPF Record.

These new SPF records will look something like the one below.

“v=spf1 include:_spf.google.com include:_spf.sparkpostmail.com include:mailgun.org ~all”

Now all three providers Google, Sparkpost and Mailgun are listed as approved email senders for our domain and subdomain.

Testing Your SPF Record

Once you have added your SPF record to your domain records, you can use a third-party solution like EasyDMARC to inspect your SPF record and make sure you configured it correctly.
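The ten-lookup limit described above can also be checked offline by walking the include chain yourself. The following is an added example, not code from the original article or from any of the providers it names; the `ZONE` dictionary is a constructed stand-in for DNS, and every domain and record in it is made up.

```python
import re

# Constructed stand-in for DNS TXT lookups; every name and record here is made up.
ZONE = {
    "example.test": "v=spf1 include:_spf.mail-a.test include:_spf.mail-b.test mx ~all",
    "_spf.mail-a.test": "v=spf1 include:_netblocks.mail-a.test ~all",
    "_netblocks.mail-a.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_spf.mail-b.test": "v=spf1 ip4:198.51.100.0/24 a ~all",
}

LOOKUP_LIMIT = 10
# Terms that make the receiver issue a DNS query (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
TERM = re.compile(r"([A-Za-z0-9]+)(?:[:=]([^/\s]+))?")


def count_lookups(domain, zone, chain=()):
    """Return the number of DNS-querying terms reachable from domain's SPF record."""
    if domain in chain:
        raise ValueError(f"include loop at {domain}")
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError(f"{domain}: no record starting with v=spf1")
    total = 0
    for term in terms[1:]:
        match = TERM.match(term.lstrip("+-~?"))
        if not match:
            raise ValueError(f"{domain}: cannot parse term {term!r}")
        name, target = match.group(1).lower(), match.group(2)
        if name in LOOKUP_TERMS:
            total += 1
        # include and redirect pull in another record, whose lookups count too.
        if name in ("include", "redirect") and target:
            total += count_lookups(target, zone, chain + (domain,))
    return total


def within_limit(domain, zone):
    """True when the record stays at or under the ten-lookup limit."""
    return count_lookups(domain, zone) <= LOOKUP_LIMIT


if __name__ == "__main__":
    print("example.test lookups:", count_lookups("example.test", ZONE))
```

A record that starts with `v=spf` instead of `v=spf1`, or that is missing the space before `~all`, raises `ValueError` here, because the version tag or the include target no longer resolves.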

Understanding DKIM

DKIM stands for DomainKeys Identified Mail. DKIM has a higher level of authentication than SPF because it uses public key cryptography rather than IP addresses.

DKIM allows senders to add DKIM signatures to email headers. Receivers can then verify them by using the public cryptographic key found in the DNS records of the sender’s domain. The domain owner configures a cryptographic key pair and publishes the public key as a DNS TXT record.

How does DKIM Work?

Both DKIM and SPF work by adding a TXT record associated with your domain via DNS. For DKIM, however, we also need to generate a key pair: a public key and a private (secret) key.

When an email is sent out, the sending server uses the private key to create a signature over a hash of the message and adds that signature to the message header. The private key itself never leaves the sender. The DNS TXT record stores the public key. The receiving party (incoming email servers) validates the signature by fetching the public key from DNS and checking the signature against its own hash of the message. If the values match, it will not be considered spam.

DKIM Advantages

  • DKIM has a higher level of authentication than SPF, as it relies on public-key cryptography rather than IP addresses.
  • SPF relies on information in the message envelope. When you forward an e-mail, the forwarding servers may remove portions of the message envelope. DKIM, however, works better with forwarding because the digital signature stays in the header of the email.
  • DKIM is a system of email tags that doesn’t filter or identify spam by itself. The system can stop spammers from changing their message source addresses.

DKIM Disadvantages

  • Mailbox Providers include several internal filtering algorithms that use SPF and DKIM protocols to determine if a message should be sent to inbox, the spam folder, rejected, etc. SPF/DKIM does not allow domain owners to give instructions to mailbox providers on how to handle a message in the event that authentication checks aren’t valid.
  • If relay or filtering software changes the message, this can cause problems.
  • A malicious individual can obtain a copy of an email signed by a trusted domain with DKIM and send it on to any mailbox. The signed copy can be forwarded to multiple recipients without restriction.

Senders can implement the DMARC protocol to let mailbox providers know exactly what they should do if SPF and DKIM fail.
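To see why a relay or filter that changes a message causes problems for DKIM, the body-hash step of verification can be reproduced with the standard library. This is an added example, not code from the original article; it goes beyond the text by using the "relaxed" body canonicalization from RFC 6376, it covers only the body hash (the `bh=` tag) and not the RSA signature check, and the sample message, domain and selector are constructed placeholders.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """'relaxed' body canonicalization from RFC 6376, section 3.4.4."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    # Collapse runs of spaces/tabs to one space and drop whitespace at line ends.
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":      # ignore empty lines at the end of the body
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body, as carried in the bh= tag."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """Compare the bh= tag of a DKIM-Signature header value with the received body."""
    match = re.search(r"(?:^|;)\s*bh=([^;]*)", dkim_signature)
    if not match:
        return False
    claimed = re.sub(r"\s+", "", match.group(1))   # header folding may insert whitespace
    return claimed == body_hash(body)


# Constructed sample message; domain, selector and the b= value are placeholders.
SIGNED_BODY = b"Hello team,\r\nThe invoice is attached.\r\n"
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.test; s=selector1; "
    f"h=from:to:subject; bh={body_hash(SIGNED_BODY)}; b=PLACEHOLDER"
)
# The same body after a relay re-wrapped whitespace, and after a list footer was appended.
REWRAPPED = b"Hello   team, \r\nThe invoice is attached.\r\n\r\n\r\n"
WITH_FOOTER = SIGNED_BODY + b"-- \r\nSent via the staff mailing list\r\n"

if __name__ == "__main__":
    for name, body in [("as signed", SIGNED_BODY), ("rewrapped", REWRAPPED),
                       ("footer added", WITH_FOOTER)]:
        print(f"{name:13} body hash ok: {body_hash_matches(DKIM_SIGNATURE, body)}")
```

Whitespace-only changes survive relaxed canonicalization, but an appended footer changes the hash, so the signature no longer verifies even though the sender did nothing wrong.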

Testing your DKIM Record

Most email service providers include a DKIM record for your account. See an example below that Google provided for one of our domains.


“v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAhC5G1F+sS7pZpKatV+fNuBmUKGsLmki1ft1H sHFwb3YQ1Uhl3EReJIsdqhsbhBYnW8qhnmUaa2dxesjCR7RA+qhv3dai1IPx0oRPy0/5XpQVAEfFkXTJTdur0C +IwUOHhjwJe+vpVF5iTbgoh6lDOJVZwQLU4J/mZN8o/avo1KR3Bc0Sw/Wz90VH0mHQF0PgE” “KWzMTz8Ujn+W55p/jv80irMGrctZQJv7gSwNmk5GjIDIPB2gxnOXM4RJDq10GHewVWY7dPFYGBtddzXraU 9uMK85UvLOREIhT7Vr43etQkfByiSXKcede4CoOh5AUqmvvvYqsc7bE+HPeJhmGaVvQIDAQAB”


If you don’t see a DKIM record for your domain and need to generate a DKIM record or you want to test your existing record, go to EasyDMARC here.

Understanding DMARC

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email authentication protocol that uses SPF and DKIM to determine whether a message is authentic.

DMARC has a high level of effectiveness because it validates a sender’s email by using DKIM and SPF. DMARC also assists mail systems in deciding what they should do with messages that fail SPF and DKIM authentication.

How Does DMARC Work?

DMARC is a tool that allows domain owners to specify how mailbox providers should handle unauthenticated email. Some policies are pre-defined to accomplish this.

  • Policy = (p=none). The email is delivered as normal.
  • Policy = (p=quarantine). This sends the email to the spam/junk/quarantine/failure folder.
  • Policy = (p=reject). This sends the email back to the sender.

To use a DMARC Record, you must first configure SPF/DKIM. Then, add your DMARC record to your domain name server (DNS) and run a DMARC check to ensure the record is valid. This will ensure the following:

  • Validation of IP addresses against the SPF record.
  • DKIM signature verification.
  • Check to see if the domains of From and Return-Path in the message are identical.

If validation fails, the appropriate action is taken based on the policy defined within your DMARC record, and a generated report is then sent to the email address on record.

DMARC protocol should always be followed because it shows Internet Service Providers (ISPs) that the sender is a real person who will take measures to protect their identity and reputation. Note: Not all ISPs support all types of validation.

DMARC Has Many Advantages

  • DMARC allows domain and organization owners to receive reports regarding emails they send on the internet.
  • The ability to control your email messages will increase the trust and value of the messages you send.
  • DMARC allows you to easily identify your email across the network of DMARC receivers.

Disadvantage of DMARC

  • Messages that are legitimate can sometimes be marked as spam or blocked. DMARC helps limit this, but nothing is perfect in the email world.

Example DMARC Records

Below is a DMARC record we created in Google, now managed by Squarespace.


Host Name: _dmarc.corporatemobilitytoday.com
Record Type: TXT
Value: “v=DMARC1; p=quarantine; sp=quarantine; pct=100; aspf=r; rua=mailto:support@ourdomain.com; adkim=r;”


We used a similar DMARC record for a subdomain info.ourdomain.com which uses Sparkpost’s SMTP email service.


Host Name: _dmarc.info.ourdomain.com
Record Type: TXT
Value: “v=DMARC1; p=quarantine; sp=quarantine; pct=100; aspf=r; rua=mailto:support@ourdomain.com; adkim=r;”


DMARC Configuration

The most important part of the DMARC record is the policy you choose, which tells the recipient’s email server what to do if the email doesn’t pass authentication.

  • Policy = (p=none). The email is delivered as normal.
  • Policy = (p=quarantine). This sends the email to the spam/junk/quarantine/failure folder.
  • Policy = (p=reject). This sends the email back to the sender.

In this example we have our policy listed as quarantine and will send any unauthorized email to the junk or spam folder.
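The decision a receiving server makes from this record can be sketched as follows. This is an added example, not code from the original article or from any mailbox provider: the record is the one shown above, the message scenarios are constructed, and the two-label `org_domain` shortcut and the omission of `sp=` and `pct=` handling are simplifying assumptions.

```python
# The record is the article's own example; the message scenarios in use are constructed.
RECORD = ("v=DMARC1; p=quarantine; sp=quarantine; pct=100; aspf=r; "
          "rua=mailto:support@ourdomain.com; adkim=r;")


def parse_dmarc(txt):
    """Turn 'tag=value; tag=value' into a dict and check the required tags."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List (e.g. for co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def disposition(record, header_from, spf_pass, return_path, dkim_pass, dkim_d):
    """Return 'pass', or the policy (none/quarantine/reject) the receiver is asked to apply.

    Simplified: ignores sp= and pct=, which a real receiver also honors.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(header_from, return_path, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(header_from, dkim_d, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


if __name__ == "__main__":
    # SPF passes for an unrelated Return-Path domain, no DKIM: the policy applies.
    print(disposition(RECORD, "ourdomain.com", True, "lookalike.test", False, None))
```

An SPF pass only counts toward DMARC when the Return-Path domain aligns with the visible From domain, which is what closes the Return-Path gap listed under the SPF disadvantages.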

Testing Your DMARC Records

Once again, we recommend using EasyDMARC for testing or creating your DMARC records.

However, if you run into any problems, please don’t hesitate to contact Sales Prophet. We are more than glad to help.
