SPF, DKIM, and DMARC explained

Jul 21, 2021 | Best practice, Email marketing

We use a travel analogy to explain three email authentication methods - SPF, DKIM, and DMARC.

Melaina Gross


The moment you press Send on your email campaign, your email packs his bags and gets ready for travel. He hops into the car and heads for the airport. At the airport he presents his passport, complete with visas for travel, and boards the plane. When he arrives at his destination, his passport is checked again before he’s granted entry into the country. 

The airports are the Internet Service Providers along his journey to his final destination – your customer’s mailbox. 

Successful email marketing goes beyond the design and content of your email campaign. If nobody receives your mail, then all that effort is for nothing.

There’s a whole bunch of stuff going on in the background to get your mail to your subscriber’s inbox. Here’s a look into the world of email delivery and the importance of email authentication.  

Levels of authentication are taking place that help make email more secure. To get through the gates at the airport terminal of Internet Service Providers (ISPs), your email must pass a few authentication tests, and prove it’s being sent by a legitimate sender.  

The way this is done is with SPF, DKIM, and DMARC. 

What are DMARC, DKIM, and SPF? They are acronyms for text records that prove an email sender is who they say they are.  Here’s what each one does. 

What is SPF? 

SPF stands for Sender Policy Framework. It’s an email validation protocol to detect and block email spoofing.  

The best way to think of SPF is like the return address on a postcard you received in the post.  

It increases your level of trust when the return address is recognisable and reliable. 

The SPF record specifies which IP address is allowed to send email “from” your domain. This helps to tell the receiving ISP that the mail is being sent from an IP address that has been authorised by the administrators of that domain. 

All in all, it helps to protect you from spammers sending email on your behalf.  

Emails using first-party data to enrich the customer experience

What is DKIM? 

DKIM stands for Domain Keys Identified Mail and it also builds trust between sender and receiver, but it’s a bit more complicated than SPF. DKIM’s advantage is that it can survive forwarding, which makes it superior to SPF and a foundation for securing your email.  

DKIM is important as it proves 3 things: 

  1. The content of your mail hasn’t been tampered with.
  2. The headers in the email haven’t changed since the original sender sent the email, and there’s no new “from” domain.
  3. The sender of the mail owns the DKIM, or is permitted by the owner of that domain.

DKIM is a way to sign an email with a digitally encrypted signature. This signature is a header that gets included in an email message. It’s not visible in the email itself unless you go looking for it here.

When we troubleshoot delivery issues, we’ll ask our clients to send us the headers of the email in question. It tells the story – like a passport with visa stamps – about where the mail has come from. 

What is DMARC? 

DMARC stands for Domain-Based Message Authentication, Reporting, and Conformance. Phew, what a mouthful!  

It’s an added authentication method using both SPF and DKIM to verify whether or not an email was sent by the owner of the “friendly” from domain that the user sees displayed as the sender name in their mailbox. 

In order for DMARC to pass, both SPF and DKIM must work.  

Basically, a message that doesn’t have its house in order is treated as phishing and is not delivered. 

This is why it’s so important to have SPF, DKIM, and now DMARC set up correctly. 

When a client is experiencing delivery issues with their mail campaign, this is one of the first things we check.  

A word to the wise – the DMARC/DKIM/SPF journey isn’t a simple one, with lots of side roads and diversions. We’re here to help. If you want to check that your SPF, DKIM, and DMARC are set up correctly and are helping your email campaign deliverability, ask us to do a deliverability audit.  


Submit a Comment

Your email address will not be published. Required fields are marked *

Recommended reading