
Purpose & Scope
This article provides an overview of the three core email authentication protocols (SPF, DKIM, and DMARC) and explains how they work together to verify sender identity, protect against spoofing, and improve email deliverability.
It outlines the role each protocol plays in securing outbound email and highlights the benefits of proper implementation, including enhanced sender reputation and reduced risk of being blacklisted.
This guide is intended for domain owners, IT administrators, and marketing professionals responsible for managing email infrastructure. It is applicable to any organization looking to improve the security, reliability, and inbox placement of their outbound email communications by implementing industry-standard authentication protocols.
SPF, DKIM, and DMARC are the three main email security protocols that complement one another. They are methods to authenticate a mail server and prove to Internet Service Providers (ISPs) that the sender is trusted and truly authorized to send an email.
SPF: Sender Policy Framework
SPF works by allowing domain owners to specify which IP addresses are authorized to send emails on behalf of their domain. When an email is received, the recipient’s mail server checks the SPF record published in the sender’s DNS to verify if the email came from an authorized IP address.
This enables domain owners to maintain a secure and trusted communication channel with their recipients.
DKIM: DomainKeys Identified Mail
DKIM authentication makes sure that the content of the email has not been compromised or tampered with in transit. It works by adding a digital signature to the email’s header, which is created using a private key known only to the sender. The recipient’s mail server uses a public key published in the sender’s DNS records to verify the signature.
If SPF is like the return address of a postcard or letter, DKIM is like sending that postcard or letter through Certified Mail, which further builds trust between the receiver and the sender server. Implementing SPF and DKIM authentication helps ensure that your emails are both verified and trusted and come from an authorized IP address.
DMARC: Domain-based Message Authentication, Reporting, and Conformance
DMARC is also referred to as “email signing.” It ties the first two email security protocols (SPF and DKIM) together with a more consistent set of policies. For domain owners, setting up DMARC is the final step to fully secure their email communications.
It works by ensuring that both SPF and DKIM checks pass and align with the sender’s domain. If an email fails these checks, DMARC provides instructions on how to handle it (e.g., reject or quarantine) and sends reports to the domain owner about failed authentication attempts.
DMARC has three basic purposes:
- To verify that the sender’s email messages are protected by both DKIM and SPF protocols,
- To inform the receiving mail server what it should do if neither of those email security protocols passes, and
- To provide a way for the receiving server to report to the email sender whether their message has failed or passed the DMARC evaluation.
Combining these three pillars of email authentication provides you or your company with the best protection and guards against phishing attacks.
Why should you set them up?
Simply put, if you want to improve your deliverability rates (i.e., make sure your emails land in the inbox), you’ll need to have these protocols set up. Before we get into the how, here’s some motivation for you to do so:
1. Improved sender reputation
By verifying that emails are coming from legitimate sources, these protocols help prevent email spoofing and phishing attacks. This reduces the likelihood of your domain being used for malicious activities, which can significantly harm your sender reputation.
2. Avoid blacklists
Blacklists are used to block emails from domains that are suspected of sending spam or malicious content. If your domain is not properly authenticated, it can be more easily exploited by spammers and phishers, increasing the risk of being blacklisted. Once on a blacklist, your emails are likely to be automatically rejected or sent to spam folders.
3. Improved deliverability rates
Authenticated emails are more likely to reach the recipient’s inbox rather than being flagged as spam. When email providers see that emails pass SPF, DKIM, and DMARC checks, they recognize them as coming from a legitimate and trustworthy source. This reduces the chances of your emails being filtered out or rejected, leading to higher deliverability rates.