Email authentication is crucial to ensure the deliverability of your messages and stop your emails from ending up in the spam folder.
If you’ve ever wondered how SPF, DKIM, and DMARC work and how you should use them, it’s your lucky day! Keep reading for our full guide to setting DNS records for email authentication.
- What Are SPF, DKIM, and DMARC?
What Are SPF, DKIM, and DMARC?
SPF, DKIM, and DMARC are acronyms for email security protocols that verify emails came from the domain name they claim to be sent from.
Spam is a huge problem for internet service providers (ISPs). It’s estimated that over half of all emails sent are spam. To try and cut down the sheer volume of spam messages, ISPs use SPF, DKIM, and DMARC to verify that an email message was sent from a legitimate domain and the message hasn’t been changed in transit.
Each of these email authentication methods works in a different way. But essentially, they set out rules for determining whether or not an email is genuine. Each domain publishes these rules in its DNS records, which are accessible by the receiving mail server.
While SPF and DKIM are both authentication protocols, DMARC is a set of instructions that explains what the receiving email server should do with an email if SPF or DKIM authentication fails.
How Does SPF Work?
Sender Policy Framework (SPF) records list all the IP addresses of the servers and apps that are authorized to send emails on behalf of your domain.
Email providers can check the SPF records when they receive an incoming email to make sure it came from one of these authorized servers.
You can think of SPF as being like a guest list to gain entry to an exclusive club. Just as a bouncer won’t let in anyone who’s not on the list, a mail server may reject emails coming from a sending server IP that’s not in the SPF record. Sometimes mail servers won’t block emails that fail SPF authentication entirely, but may mark them as spam.
Even if you don’t send emails from your domain, you should set an SPF record. This will prevent malicious parties from domain spoofing and sending emails that look like they come from you.
You should only have one SPF record for your domain. If you’re using two or more email services (for example your web hosting email service and a transactional email service like SendLayer) that both provide SPF records, you’ll need to combine them into a single SPF record. If you need to do this, you can follow this tutorial on how to merge SPF records.
How Does DKIM Work?
DomainKeys Identified Mail (DKIM) allows domain owners to attach a digital signature to their emails to prove they came from their domain.
DKIM uses public key cryptography to authenticate email. This also ensures that the content of an email hasn’t been compromised since leaving the outgoing server and being received by the incoming mail server.
The DKIM record stores the domain’s public key. This key is visible and accessible to any mail server that requests it.
The email sender signs the message header of each email with the private key, which is secret and only accessible to the domain owner.
When the receiving server applies the public key to incoming email, it will only pass the authentication test if it has been signed with the private key.
If DKIM authentication fails, the email may be blocked or marked as spam.
How Does DMARC Work?
Domain-based Message Authentication Reporting and Conformance (DMARC) is a policy that tells incoming mail servers what to do with emails depending on if they pass or fail SPF and DKM authentication.
DMARC policies may instruct mail servers to quarantine, reject, or deliver emails that fail SPF and/or DKM authentication. Like the other email authentication protocols, these DMARC policies are stored as a DNS TXT record.
You configure the DMARC policies for your domain and therefore tell mail servers what to do if they receive an email from your domain that fails authentication.
If emails fail DMARC authentication, the DMARC record can also generate a report with information about the messages that aren’t authenticated.
Domain administrators may choose to adjust their DMARC policies based on information in these reports, for example, if too many emails are being marked as spam.
DMARC reports also perform an important security function, as they can alert you and your email provider to someone using your domain for sending spam, or email spoofing to send phishing emails.
Are SPF and DKIM Required for DMARC?
It’s not mandatory to use both SPF and DKM for DMARC, although it’s highly recommended.
When you’re comparing SPF and DKIM, it’s not a case that one is better or preferable to the other. The two protocols work in different ways. While SPF confirms that an email was sent from the domain it claims to come from, the DKIM signature confirms that it hasn’t been intercepted or altered on its way to the recipient.
Ideally, it’s best to use both protocols, along with DMARC for a complete authentication solution.
How to Set UP SPF, DKIM, and DMARC
You need to set up SPF, DKIM, and DMARC in the DNS settings for your domain.
Where to find your DNS settings varies depending on the services you use to host your website and set up your domain.
- If you purchased your domain separately from your website, look for your DNS settings in your domain registrar’s control panel.
- If your web host registered your domain for you, your DNS settings should be in your web hosting control panel.
- If you use a CDN like Cloudflare or a managed DNS provider, you’ll change your DNS settings in the control panel provided by this service.
If you’re still unsure where to find your DNS settings, contact your hosting provider for advice.
SPF, DKIM, and DMARC are DNS records that you can add to your existing DNS settings. You will usually need to create and add these records to your domain yourself. Most web service providers do not automatically generate records for you, so you will need to configure them manually.
It can be quite time-consuming and confusing to create your own SPF, DKIM, and DMARC records. You can ask your web hosting service for advice on generating these records, or you can use a third-party tool or service to do it for you.
Using SendLayer to Authenticate Your Domain
SendLayer is a fast and reliable email delivery platform that authenticates your domain to ensure your emails land in the inbox and are not marked as spam.
When you sign up for a SendLayer account, the platform will automatically generate SPF, DKIM, and DMARC records to ensure all emails you send are fully authenticated. You then just need to copy and paste the records into your web hosting DNS settings to add the new DNS records to your domain.
As well as SPF, DKIM, and DMARC records SendLayer also creates additional DNS records to verify you own the domain you’re sending email from and to define a subdomain for your outgoing emails, further improving deliverability.
For more information about using SendLayer for email authentication, you can follow our getting started guide. SendLayer also includes the services of a dedicated support team, who will assist you in setting up your DNS records for email authentication if you run into any problems.
Once you’ve authenticated your domain with SendLayer, the emails you send will include this information in the header and will be accepted by incoming mail servers that require authentication, like Gmail.
How to Tell if an Email Has been Authenticated
An easy way to check if your emails are authenticated is by sending yourself a test email.
The results of SPF, DKIM, and DMARC authentication are appended to the header of the email.
Users don’t typically see this header because it is hidden by default in most email clients, but there’s usually a “See original” or “Show details” link you can click to see the entire email header.
As email headers can be quite lengthy and are designed to be read by machines, not humans, it can be quite tricky to find the authentication results.
You can look for a line of text that includes “spf”, “dkim”, or “dmarc”. For example, if an email sent to a Gmail address has passed SPF authentication, you should see something like:
spf=pass (google.com: domain of [email protected] designates example IP address as permitted sender)
Some email clients, including Gmail, extract authentication information and display it in a more user-friendly format alongside the Subject, From, and To fields when you view the original message.
In most cases, the email that reaches your inbox will have passed authentication, as messages that fail are usually rejected or marked as spam.
If you’re sending emails from WordPress, some SMTP plugins like WP Mail SMTP will monitor the authentication status of your domain.
WP Mail SMTP makes it easy for you to use an SMTP delivery service like SendLayer to improve the deliverability of your WordPress emails. The plugin includes a built-in domain check, so you can see at a glance if your domain is failing any of the authentication checks.
Improve Email Deliverability With SPF, DKIM, and DMARC
There are many factors that can affect your email deliverability but ensuring your email is authenticated is one of the most critical.
Google is now blocking email sent to Gmail users that is not authenticated by SPF or DKIM, and Yahoo has also announced that they will require senders to authenticate emails by SPF, DKIM, and DMARC from 2024.
While our research shows that many organizations still do not have DMARC set up, completing the trio of SPF, DKIM, and DMARC authentication is the best way to make sure your emails reach their intended recipient.
That’s it! Now you know what SPF, DKIM, and DMARC are and how email authentication works.
Next, would you like to learn about transactional email? Check out our guide to transactional email for more information.