Email Authentication

Email authentication is the set of checks a receiving mail server runs to decide whether a message really comes from the domain it claims to come from and whether its content was altered in transit. It says nothing about the sender’s intentions: a message sent from a domain the attacker controls can pass every check, so authentication is a defence against impersonation of your domain, not a spam filter on its own.

Authenticating emails is very important as it keeps users safe from phishing, spoofing, and spam. It builds trust by making sure that the messages we receive are genuine and arrive unchanged from sender to receiver.

Key Components of Email Authentication

Sender policy framework (SPF): SPF lets a domain owner publish, in a DNS TXT record, which IP addresses are authorized to send mail for that domain. When a message arrives, the receiving server takes the domain from the SMTP envelope sender (the MAIL FROM address, visible to the end user only as Return-Path), not from the From: header the user sees, looks up that domain’s SPF record in DNS (Domain Name System), and checks whether the connecting IP address is listed. If it is not, the message can be rejected or marked as spam.

DomainKeys identified mail (DKIM): DKIM lets the sending server add a DKIM-Signature header containing a digital signature over selected headers and a hash of the message body, made with a private key held by the sender. The matching public key is published in DNS under selector._domainkey.<domain>. The receiving server fetches that key and verifies the signature; a valid signature shows that the signed headers and the body were not changed after signing and that the signer controls the domain named in the signature’s d= tag. DKIM therefore protects the integrity of the message and identifies who signed it.

Domain-based message authentication, reporting, and conformance (DMARC): DMARC builds on SPF and DKIM. It requires that the domain SPF or DKIM authenticated lines up (“aligns”) with the domain in the visible From: header, lets the domain owner publish the policy receivers should apply when no aligned check passes (none, quarantine, or reject), and defines reports that receivers send back about mail claiming to come from the domain. This is what lets an organization see, and then stop, fraudulent use of its domain in email.

How Email Authentication Works

When a message is sent, the sending server adds a DKIM-Signature header to it; SPF and DMARC do not change the message at all, since they exist only as records in the sending domain’s DNS. The receiving server then performs these checks, looking up DNS as it goes:

  • It looks up the SPF record for the envelope sender domain and checks whether the connecting IP address is authorized.
  • It fetches the DKIM public key named by the signature’s selector and domain and verifies the signature, confirming that the signed parts of the message were not altered.
  • If the From: domain publishes a DMARC record, it checks whether a passing SPF or DKIM result is aligned with that domain and applies the domain owner’s policy to messages that fail.

The Importance of Email Authentication

Email authentication has a very important role in making sure email communications are secure:

  • Preventing email spoofing: It makes it difficult for attackers to impersonate a trusted domain — thus the risk of phishing attacks is reduced.
  • Protecting email integrity: It ensures that the content of the email has not been changed from the time it was sent to the time it was received.
  • Improving email deliverability: Emails that pass authentication checks are less likely to be marked as spam, improving the likelihood that they will reach the recipient’s inbox.

Understanding SPF Records

An SPF record is a TXT record within your domain’s DNS. 

It specifies which mail servers are permitted to send emails on behalf of your domain. 

When a message arrives, the receiving server takes the domain from the envelope sender address and looks up that domain’s SPF record. If the IP address of the connecting mail server matches one listed in the record, SPF passes. If not, the result is fail or softfail (depending on the record), and the message can be flagged as spam or rejected. Because SPF checks the IP address that actually delivered the message, it fails when your mail is forwarded by a server you did not list; that is one reason DMARC accepts either an aligned SPF pass or an aligned DKIM pass rather than requiring both.

How to implement SPF for your domain

To implement SPF you will need to create an SPF record in your domain’s DNS settings. 

Here’s how:

1. Identify your sending email servers

Start by listing all the IP addresses of the servers that send emails on behalf of your domain. Include your own mail servers and any third-party email services you use (e.g., Google Workspace, Office 365, Mailchimp).

2. Create your SPF record

An SPF record starts with “v=spf1,” indicating the version of SPF used, followed by mechanisms that specify the servers allowed to send mail on behalf of your domain. For example:

    v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:_spf.google.com -all

This record allows emails to be sent from the IP ranges 192.0.2.0/24 and 198.51.100.0/24, as well as from servers authorized by Google’s SPF record (_spf.google.com). Mechanisms are evaluated left to right and the first one that matches decides the result. The -all mechanism at the end makes SPF return fail for any other source, which receivers typically treat as grounds to reject the message or mark it as spam.

3. Publish the SPF record in your DNS

Access your domain’s DNS settings through your domain registrar or DNS hosting provider and add a new TXT record whose value is your SPF string. The details vary by provider, but generally you choose to add a “TXT” record, enter “@” or your domain name as the host, and paste your SPF record into the value field. Publish exactly one SPF record per domain: if a receiver finds two TXT records starting with v=spf1, the result is a permanent error, not a merge of the two.

4. Test your SPF record

Once you’ve published your SPF record, test it to make sure it works as intended. A quick way to see what resolvers actually return is a command such as dig +short TXT yourdomain.com; tools like MXToolbox’s SPF Record Checker go further and verify the record’s syntax, its lookup count, and whether a given sending IP would pass.

5. Monitor and update as necessary

Your email sending practices may change over time (e.g., changing email service providers, adding new email servers). It’s a good idea to regularly review and update your SPF record to make sure these changes are reflected. 

Best practices for SPF implementation

  • Use -all carefully: The -all mechanism makes SPF return fail for any source not listed, and most receivers reject or quarantine mail on that result. It is effective against spoofing, but it will also cause your own legitimate mail to be rejected if the record is out of date. Using ~all (soft fail) during initial rollout is common; once DMARC is in place the distinction matters less, because DMARC only counts an SPF result of pass, and treats fail and softfail the same way.
  • Avoid too many DNS lookups: RFC 7208 limits a record to 10 DNS-querying terms (include, a, mx, ptr, exists, and redirect), counted across all nested includes. A record that exceeds this returns a permanent error, and receivers treat that as an authentication failure even when the sending IP is listed. Use the include mechanism judiciously, prefer ip4/ip6 entries where addresses are stable, and remember that third-party providers’ include records often bring several lookups of their own.
  • Regularly audit your email sources: Keep an inventory of all systems and services that send email on behalf of your domain and update your SPF record accordingly.
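The following is an added example, not code from the original page: a small SPF evaluator that walks a record the way a receiving server does (left to right, first match wins, recursing into include and redirect) and counts DNS-querying terms against the 10-lookup limit described above. The DNS table is a constructed, in-memory stand-in for real TXT lookups so the example runs offline; the domain names and the documentation IP ranges in it are hypothetical. Only ip4, include, redirect= and all are implemented; a, mx, ptr, exists, ip6 and macros are left out.

```python
"""Minimal SPF (RFC 7208) evaluator against a constructed in-memory DNS table."""
import ipaddress

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror

# Constructed records (hypothetical domains, documentation IP ranges).
DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 include:_spf.example.net -all",
    "_spf.example.net": "v=spf1 ip4:203.0.113.0/24 -all",
    "loop.example": "v=spf1 include:loop.example -all",
    # Eleven includes: one over the limit, so evaluation must end in permerror.
    "deep.example": "v=spf1 " + " ".join(f"include:dep{i}.example" for i in range(11)) + " -all",
}
for i in range(11):
    DNS[f"dep{i}.example"] = "v=spf1 ip4:10.0.0.0/8 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class SpfPermError(Exception):
    """The record is invalid or needs too many lookups; receivers report permerror."""


def _count_lookup(state):
    state["lookups"] += 1
    if state["lookups"] > MAX_LOOKUPS:
        raise SpfPermError(f"more than {MAX_LOOKUPS} DNS lookups")


def check_host(ip, domain, _state=None):
    """Return pass, fail, softfail, neutral or none for a sending IP and the
    MAIL FROM domain, using RFC 7208's left-to-right, first-match rule."""
    state = _state if _state is not None else {"lookups": 0}
    record = DNS.get(domain)
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]  # only consulted if nothing else matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            if addr.version == 4 and addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            _count_lookup(state)
            sub = check_host(ip, arg, state)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub == "none":
                raise SpfPermError(f"include:{arg} has no SPF record")
            # fail/softfail/neutral inside an include only means "no match here"
        else:
            raise SpfPermError(f"unsupported mechanism {name!r} in record for {domain}")
    if redirect:
        _count_lookup(state)
        return check_host(ip, redirect, state)
    return "neutral"  # record ended without a match and without an all term


def lookup_count(domain, _seen=None):
    """Count the DNS-querying terms reachable from a record. Over 10 means
    legitimate mail will permerror even though every IP in it is correct."""
    seen = _seen if _seen is not None else set()
    if domain in seen:
        return 0
    seen.add(domain)
    total = 0
    for term in DNS.get(domain, "").split()[1:]:
        bare = term.lstrip("+-~?").lower()
        if bare.startswith("redirect="):
            total += 1 + lookup_count(bare[len("redirect="):], seen)
        elif bare.startswith("include:"):
            total += 1 + lookup_count(bare[len("include:"):], seen)
    return total
```

Running check_host("192.0.2.10", "example.com") returns pass, an address in the included third-party range also passes, and anything else hits -all and fails; deep.example shows the failure mode from the best practice above, where a record whose addresses are all correct still permerrors because its includes need eleven lookups.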

Understanding DKIM Signatures

A DKIM signature is a DKIM-Signature header added to an email. It carries a digital signature, created with the signer’s private key, over a hash of the message body and a list of selected headers (named in the h= tag), together with the domain (d=) and selector (s=) that tell the receiver where to find the key. The corresponding public key is published in DNS as a TXT record at selector._domainkey.domain. A receiving server fetches that public key, recomputes the body hash, canonicalizes the signed headers in the same way the signer did, and verifies the signature against them. Nothing is encrypted and nothing in the message is hidden; the signature only proves that the signed parts are unchanged and that the signer held the key for that domain.
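As an added example (not code from the original page), here is the part of DKIM verification that needs no key material: parse the DKIM-Signature tag list, canonicalize the body under the c= mode named in the signature, hash it, and compare with the bh= tag. Verifying the b= signature itself additionally needs the public key from selector._domainkey.<domain> and an RSA implementation, which is deliberately left out, so the constructed message below has an empty b= tag. The sender address, selector and body are hypothetical.

```python
"""DKIM body-hash verification with RFC 6376 body canonicalization."""
import base64
import hashlib
import hmac
import re


def parse_tags(value):
    """Parse a DKIM tag list ('k=v; k=v') into a dict; whitespace inside
    values (from header folding) is insignificant and removed."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def simple_body(body):
    """'simple' canonicalization: only drop trailing empty lines and end with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()  # an empty body becomes a single CRLF


def relaxed_body(body):
    """'relaxed' canonicalization: collapse runs of spaces/tabs to one space,
    strip trailing whitespace per line, drop trailing empty lines, end with
    CRLF. Whitespace-only changes in transit therefore do not break bh=."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ")
             for line in body.replace("\r\n", "\n").split("\n")]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""  # an empty body canonicalizes to nothing under relaxed
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body, canon="relaxed", algo=hashlib.sha256):
    data = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(algo(data).digest()).decode()


def verify_body_hash(raw_message):
    """Recompute bh= from a raw 'headers<blank line>body' message and compare."""
    headers, _, body = raw_message.replace("\r\n", "\n").partition("\n\n")
    unfolded = re.sub(r"\n[ \t]+", " ", headers)  # undo header folding
    match = re.search(r"^DKIM-Signature:\s*(.*)$", unfolded, re.M | re.I)
    if not match:
        return False
    tags = parse_tags(match.group(1))
    if tags.get("v") != "1" or "l" in tags:
        return False  # unknown version, or an l= body-length limit not handled here
    canon = tags.get("c", "simple/simple")
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    algo = hashlib.sha1 if tags.get("a", "").lower().endswith("sha1") else hashlib.sha256
    return hmac.compare_digest(body_hash(body, body_canon, algo), tags.get("bh", ""))


# Constructed message: bh= is computed from BODY; b= would come from the private key.
BODY = "Hi,\n\nYour invoice is attached.  \n\nRegards\n\n\n"
RAW = (
    "From: billing@example.com\n"
    "To: alice@example.net\n"
    "Subject: Invoice\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;\n"
    "\ts=sel2024; h=from:to:subject; bh=" + body_hash(BODY) + ";\n"
    "\tb=\n"
    "\n" + BODY
)
```

verify_body_hash(RAW) returns True; changing a word in the body makes it return False, while changing only the whitespace inside a line does not, which is exactly the tolerance relaxed canonicalization buys against mail servers that rewrap or retab the body.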

How to implement DKIM for your domain

Here’s how you can implement DKIM for your domain: 

1. Generate your DKIM key pair

  • Private key: Used by the sending mail server to sign outgoing emails.
  • Public key: Published in the DNS for recipients to verify the signature.

Many tools can generate DKIM keys: command-line utilities (for example, opendkim-genkey -b 2048 -d yourdomain.com -s selector writes the private key file and a ready-to-publish TXT record), OpenSSL, and the control panels provided by hosting and email services.

2. Publish the public key in your DNS

Once you have your DKIM key pair, the public key needs to be added to your DNS records as a TXT record. This process varies depending on your DNS or hosting provider but generally involves:

  • Logging into your DNS management console.
  • Adding a new TXT record.
  • Setting the Host/Name to something like selector._domainkey.yourdomain.com, where selector is a unique name identifying this specific key, and yourdomain.com is your domain.
  • Entering the DKIM public key as the Value. The format typically looks like v=DKIM1; k=rsa; p=MIGfMA0G… (a long string representing the key). A 2048-bit key produces a p= value longer than the 255-byte limit of a single DNS character string, so some providers require you to split it into quoted chunks; resolvers concatenate the chunks when reading the record.

3. Configure your email server or service

You’ll need to configure your email server or service to use the DKIM private key to sign outgoing emails. This configuration will depend on your email system:

  • Self-hosted email servers: For servers like Postfix, Sendmail, or Exim, configuration involves editing config files and pointing the signer at your private key. Postfix and Sendmail usually sign through a milter such as OpenDKIM, configured with the domain, selector, and key path; Exim has signing settings built into its transports.
  • Email services (e.g., SendGrid, Mailchimp): These services often have a straightforward setup process for DKIM in their dashboard, where you simply upload your DKIM key or follow their steps to generate one.

4. Test your DKIM configuration

After setting up DKIM, it’s essential to ensure that it’s working correctly. Send a test email to a service like Mail-Tester or use tools designed to analyze and verify DKIM signatures. These services will check if your DKIM signature is valid and if there are any issues with your setup.

Best practices for DKIM implementation

  • Use strong keys: A key length of at least 2048 bits is recommended for better security.
  • Multiple selectors: If you’re changing keys or have different keys for various email sources, use different selectors for each to manage them independently.
  • Regular key rotation: Periodically change your DKIM keys to limit the damage if a private key leaks. Publish the new key under a new selector, switch signing to it, and keep the old selector’s record in DNS until mail signed with the old key has had time to be delivered and verified (a few days), then remove it; deleting the old record immediately makes in-flight mail fail DKIM.
  • Monitor your email delivery: Keep an eye on your email delivery metrics to ensure that DKIM (along with SPF and DMARC) is helping your emails reach their intended recipients.

Understanding DMARC

DMARC ties the results of SPF and DKIM to the identity the recipient actually sees: the domain in the “From:” header. SPF authenticates the envelope sender domain and DKIM authenticates the d= domain in the signature; on their own, neither has to match the From: domain, which is why a spoofer can pass both with a domain they control. DMARC requires at least one passing result to be aligned with the From: domain, either exactly (strict alignment) or by sharing the same organizational domain (relaxed alignment, the default). It defines the policy applied to messages that fail this test and a reporting mechanism that tells the domain owner what receivers saw.
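To make the alignment rule concrete, here is an added example (not code from the original page) that takes the results a receiver already has, the From: domain, the SPF result with the domain it authenticated, and the DKIM result with its d= domain, and returns the DMARC result and the disposition the published record asks for. The organizational domain is approximated as the last two labels; real implementations consult the Public Suffix List. pct=, rua= and ruf= are parsed but not acted on. The record and domains below are hypothetical.

```python
"""DMARC identifier alignment and policy selection (RFC 7489)."""


def org_domain(domain):
    """Assumption: last two labels; real receivers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dmarc_lookup_names(from_domain):
    """Where a receiver looks for the policy: the From: domain first, then
    its organizational domain if the first name has no record."""
    names = [f"_dmarc.{from_domain.lower()}"]
    if org_domain(from_domain) != from_domain.lower():
        names.append(f"_dmarc.{org_domain(from_domain)}")
    return names


def parse_dmarc(record):
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match with the From: domain; relaxed ('r',
    the default) accepts any name under the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(record, record_domain, from_domain,
             spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition). DMARC passes when SPF or DKIM
    both passed and is aligned with the From: domain; otherwise the
    policy applies, with sp= used for subdomains of the record's domain."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    if from_domain.lower() != record_domain.lower() and "sp" in tags:
        policy = tags["sp"]
    return "fail", policy


# Constructed policy for example.com: strict DKIM alignment, relaxed SPF alignment.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"
```

Four cases worth tracing by hand: your own server (SPF pass for bounce.example.com, relaxed-aligned) passes; a third-party mailer that passes SPF and DKIM only for its own example.net domain fails and is rejected, which is the classic “legitimate vendor sending as us without our DKIM” problem; mail from news.example.com with a DKIM signature for example.com fails strict alignment and gets the sp=quarantine subdomain policy; and forwarded mail that loses SPF but keeps a valid example.com DKIM signature still passes.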

How to implement DMARC for your domain

To implement DMARC you will need to create a DMARC record and publish it to your DNS. 

This record will tell receiving mail servers how to enforce SPF and DKIM authentication results for emails using your domain in the “From:” address and where to send reports about these actions. 

Follow these steps to implement DMARC:

1. Check your SPF and DKIM configuration

Before you set up DMARC, make sure that SPF and DKIM are correctly configured for your domain. DMARC relies on these two protocols, so their proper operation is very important.

2. Create your DMARC record

A DMARC record is a TXT record in your DNS that specifies your policy and reporting preferences. The record starts with “v=DMARC1,” indicating the DMARC version. Here’s an example of a simple DMARC record:

    v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com

This record specifies:

  • p=none: The policy for handling mail that fails the DMARC check. Other options are quarantine (mark as suspicious) and reject (block the email).
  • rua=mailto:dmarc-reports@example.com: The address to which receivers send aggregate reports. These cover all mail a receiver saw with your domain in the From: header, passing and failing alike, so they show your legitimate sending sources as well as abuse. If the report address is in a different domain from the one publishing the record, that domain must publish a small DMARC record of its own authorizing the reports, or receivers will not send them.

3. Publish the DMARC record in your DNS

  • Access your DNS management console.
  • Create a new TXT record.
  • For the Host/Name, enter _dmarc, so the full hostname is _dmarc.yourdomain.com.
  • Paste your DMARC record into the Value field.

4. Start with a lenient policy

When you’re first implementing DMARC, it’s wise to start with a lenient policy (p=none) to monitor how your emails are being authenticated without affecting your email delivery. This policy allows all emails to be delivered while providing you with reports on your email flows and any potential issues.

5. Analyze DMARC reports

DMARC defines two types of reports: aggregate reports (rua), XML summaries sent periodically (typically daily) that list, per sending IP address, how many messages were seen and how SPF, DKIM and alignment came out; and failure reports (ruf), sent per failing message with details of that message. Many large receivers do not send ruf reports at all, and those that do may include message content, so treat the ruf mailbox as sensitive. Use these reports to:

  • Identify legitimate emails failing SPF/DKIM checks.
  • Detect unauthorized use of your domain.
  • Adjust your SPF/DKIM setup as needed.

6. Adjust your DMARC policy

Based on the insights from your DMARC reports, you can adjust your DMARC policy over time. Move from p=none to p=quarantine to p=reject as you become more confident in your email authentication setup. This gradual tightening ensures that unauthorized emails are increasingly likely to be blocked or marked as spam, protecting your domain’s reputation.

Best practices for DMARC implementation

  • Gradually tighten policies: Transition your DMARC policy from none to quarantine to reject gradually to avoid legitimate emails being wrongly blocked.
  • Regularly review reports: Regularly review your DMARC reports to adjust your SPF and DKIM settings and stay ahead of any authentication issues.
  • Educate your team: Ensure that your team understands DMARC’s role in your email security posture and the importance of maintaining proper email authentication practices.

To Sum Up

Email authentication protocols like SPF, DKIM, and DMARC are trust builders when it comes to emails.

For businesses, using these protocols translates into better reputation, higher email delivery rates, and more fulfilling customer interactions.

  • SPF checks if emails come from authorized IP addresses.
  • DKIM adds a digital signature to each email and makes sure that email content isn’t changed.
  • DMARC combines SPF and DKIM, requiring that a passing result align with the visible From: domain. It lets domain owners decide how to handle emails that fail this test, and it provides reports showing which sources are sending as the domain and which of them are failing the checks.

Using SPF, DKIM, and DMARC keeps both customers and businesses safe from a wide range of email threats.