What are DMARC, DKIM, and SPF? The Go-To Guide for 2024


Did you know that 81% of companies use email for their marketing campaigns?

Yes, emails are a direct and open way to communicate with customers: to present new products and services, explain their advantages, offer promotions or discounts, and send follow-up emails (or even warm-up emails, which are certainly important).

However, inbound marketing campaigns’ messages usually end up in the junk folder, and the customer never finds out your product or offer exists. Why?

According to Statista, “phishing was the leading cause of 85% of cyber attacks in 2022.” That’s why email authentication requirements are getting stricter every day, including the limitations that giant ESPs have built into their solutions.

Today on Reply.io, we explain everything you need to know about SPF, DKIM, and DMARC checks and why you should implement them so your emails can reach your potential customers’ inboxes.

Let’s get started!

What are SPF, DKIM, and DMARC? 

According to a Statista survey, 6 out of 10 emails employees receive worldwide are intended to steal their credentials.

Phishing is a cyberattack in which a malicious actor sends an email pretending to be a trusted source, such as a customer, another team member, or a company, to gain access to confidential data such as personal information, banking, passwords, or account credentials.

But how can we prevent phishing? 

To protect confidential information from fraud, you should implement email authentication protocols that detect whether an email is spoofed, whether a malicious party sent it, or whether someone has altered the original message.

The 3 most commonly used email authentication methods are: 

  • Sender Policy Framework (SPF) → verifies that a particular mail server has permission to send email for a domain.
  • DomainKeys Identified Mail (DKIM) → detects whether the sender’s email address is forged or the message was altered during transit to the inbox.
  • Domain-based Message Authentication, Reporting & Conformance (DMARC) → a technical standard for message-sending authentication that specifies how to treat emails from a domain.

What do these three protocols have in common? By implementing them on your server, you can increase the deliverability of your emails, i.e., the likelihood that your potential leads will see and open the new offer you are launching on the market. 

Let’s see more about email authentication & validation and how to get in the inbox!

What is email authentication? 

Email authentication refers to verifying or validating the sender’s trustworthiness and the message’s legitimacy. 

In simpler words, this method confirms that you, the sender, are who you say you are and have sent that message to that specific email address. 

This verification process allows email providers to confirm the source of a message, i.e., whether its origin is reliable or whether it’s been altered by spammers or scammers who are impersonating you to obtain the recipients’ personal or banking information.

You may wonder, isn’t this method included when sending an email? 

The answer is a big NO. 

The Simple Mail Transfer Protocol (SMTP) doesn’t include message verification and authentication methods in its default configuration. So, you must incorporate these additional verification measures separately, especially if you want to use email in your digital marketing campaigns.

Why? 

Email authentication improves the deliverability of your emails since Internet Service Providers (ISPs) are sure that you are a trustworthy sender and that the person contacting them is you and not some “P3t3r from P4yP4l” urgently asking to update the card information or else the account will be deleted.

Why is email authentication important? 

Implementing authentication protocols allows email service providers to strengthen their anti-phishing methods. By incorporating these methods, providers can detect within seconds that your email address and messages are legitimate, thus protecting recipients from cyber-criminals. 

Was this always like this? 

By 1988, when email became famous thanks to Microsoft, providers considered almost all senders trusted sources, and there was no need to incorporate authentication processes.

Thus, cyber-criminals took advantage of these system flaws to surprise and easily exploit receivers, getting them to provide their personal information, such as passwords, account numbers, and cards, and, in some cases, even download viruses, malware, spyware, or others. 

It was also easy for spammers to send emails posing as marketers from brands such as yours, affecting the security of the company, its customers, and its potential audience. 

According to Forbes, there are 4.48 billion email users worldwide; checking every single address and every single message sent through it is an uphill task, a nightmare! That’s why it’s indispensable to use verification methods:

  • Providers receive a signal that you meet adequate security standards.
  • Your emails are marked as legitimate. 
  • You protect the reputation of your domain.
  • Your emails reach their recipients.
  • You protect your branding.

Now we know why it’s important. Let’s now answer the following questions: What are SPF, DKIM, and DMARC?

What are the types of email authentication? 

There are three types of email authentication standards that servers consider to prove the legitimacy and good reputation of the sender. Here, we explain each one and how they work. 

Sit back, grab your drink, and don’t forget to take notes! We’ll start with DKIM.

What is DKIM, and how does it work? 

DomainKeys Identified Mail, or DKIM, is an email authentication standard that uses a digital signature to let the recipient know they have a message authorized by the domain’s owner.

In simpler words, this process involves attaching your signature to your emails so that email servers can verify the legitimacy and integrity of the message. 

What does this signature look like? This is a cryptographic signature, a sort of encrypted message that you must place in the message’s header to confirm that it’s authentic and remains intact during sending.  

We’ll tell you step by step how it works.

If you own the domain, you must generate two keys: a public key stored in your Domain Name System (DNS) and a private key known only to the Email Service Provider (ESP).

Each time you send a message, the ESP signing authority generates a signature hash using the private key, and that signature appears in the email header. The private key itself never leaves the signer.

The receiver uses the public key provided by your DNS DKIM record to decrypt the signature hash and authenticate the message.

The main advantage of this method is that it provides a layer of security to prevent direct phishing attacks, which use your name or brand name to send malicious emails. These attacks can affect your reputation and your customers. 

Although DKIM signatures are authentication processes, they alone may be insufficient. You will likely need additional layers of security, which we explain below. 

Read on to meet SPF!  

What is SPF and how does it work? 

The Sender Policy Framework (SPF) is a DNS record. It consists of a TXT record containing a complete list of IP addresses or servers authorized to send email from a specific domain.

How does SPF work?

By including the SPF authentication method, every time you send an email, a server processes the incoming message quickly, ensuring that your domain has authenticated the IP address to send the email.

The receiving server does a DNS lookup on the return path address for authentication. Once it finds an SPF record for that domain, it scans the list of authorized addresses to see if there is a match. 

In case of a match, the SPF is positive, and the message arrives successfully in the inbox. However, if the IP does not appear on the list, a “SoftFail” will appear. Even if the mail is sent, “SPF check failed” appears next to it and may be marked as spam.

To illustrate, here is what the entries of an SPF record look like when they include domain names:

  • include:_spf.reply.io
  • include:_spf.google.com

However, an SPF record can also include lists of IP addresses, for example:

  • ip4:192.153.106.0/16
  • ip4:192.124.109.0/20

Yep, it’s that simple (or not, depending on how deep you dive into the technical details). The last contender is DMARC—let’s talk about it.

What is DMARC, and how does it work? 

Domain-based Message Authentication, Reporting & Conformance (DMARC) is not an authentication method per se; however, it adds another layer of security to the SPF and DKIM methods. 

DMARC allows you to configure a policy for failed SPF and DKIM checks and generate reports on your emails’ performance. These policies prevent phishing by preventing spammers or malicious third parties from using your domain to send unauthorized emails. 

Their implementation is essential as spam and phishing methods have become increasingly sophisticated. A cybercriminal can spoof the sender’s address in a message to make it look like it comes from a user on your domain. An example is the messages they send impersonating banking institutions, credit card providers, or e-wallets requesting urgent account information. 

Let’s see how DMARC works!

The domain owner creates and configures DMARC policies in their DNS. These policies include guidelines on how they expect recipients to process their email messages, considering the results of the SPF and DKIM standards.

DMARC policies will apply to all emails where that domain appears in their header (From:).

To pass DMARC, the DKIM and SPF checks must pass and be in sync with the domain’s policies.

If you are still unclear on all the ideas, we explain the differences between the SPF, DMARC, and DKIM checks!


How do DKIM, SPF, and DMARC differ?  

While it may seem that SPF, DMARC, and DKIM checks are similar, they have clear differences. To better illustrate them, we have set three points of comparison according to their purpose, how they work, and what they protect with their implementation. 

Let’s get started and see where it’ll take us!

| Protocol | Goal | Working process | Security |
| --- | --- | --- | --- |
| DKIM | Prevent phishing by verifying the sender’s identity. | Each email includes a digital signature in the header, using a pair of private and public keys stored in the DNS record. | Protects the email address from forgery and message alterations. |
| SPF | Check if the sender is authenticated. | Maintains a public DNS record of authorized IPs and domains. | Prevents spoofing or alteration of the sender’s email address. |
| DMARC | Define how to handle emails after SPF and DKIM checks. | Specifies in the DNS how servers should treat emails that fail SPF or DKIM checks. | Ensures both the email address and message stay intact during transit. |

So, we know the difference, but I think we can dive deeper down the rabbit hole. Let’s take a look at where those records are stored.

Where are SPF, DKIM and DMARC records stored? 

The SPF, DKIM, and DMARC records can be found in your domain’s DNS. The DNS acts like an Internet phone book, transforming domain names into IP addresses and allowing email servers to verify the authenticity of messages.

SPF records are pivotal in listing all the servers authorized to send emails on behalf of your domain. This record, stored in TXT format in your domain’s DNS configuration, isn’t just crucial, it’s a must-have for email authentication. If a server isn’t on this list, the emails you send may be considered untrusted, underscoring the importance of this record. 

DKIM records, like SPF records, are stored as TXT records. This type of record contains a public key that allows you to confirm that emails have not been altered in transit, ensuring the integrity and authenticity of the sender’s emails. 

When an email is sent, it’s digitally signed with a private key. When it reaches the recipient’s server, the latter uses the public key of the DKIM record to verify that it has not been modified.

DMARC records, stored in TXT format in the DNS, provide guidelines on handling emails that do not pass SPF or DKIM checks. As the domain owner, you have the power to decide what actions to take and how to reject or quarantine an email that does not pass authentication, giving you complete control over your email security.

We know where, but how? Don’t rush it—we’re just one step away from the answer. Keep reading!

How to set up DKIM, SPF, or DMARC?

Setting up SPF, DKIM, and DMARC may sound technical, but don’t worry—we’ll break it down for you, step by step. These records are key to keeping your emails out of the spam folder and ensuring they reach your recipients’ inboxes.

First up, SPF! It’s the foundation of email authentication, so let’s dive in and get it configured.

How to set up SPF? 

Here are the steps you need to follow to set up an SPF record on your domain so that your emails are sent from authorized sources and your recipients can trust their origin.

  1. Identify sending sources → before creating the SPF record, you need to list all the IP addresses and domains authorized to send emails on behalf of your domain, including your own servers and any third-party services (such as marketing platforms).
  2. Create the SPF record → to perform this process, log into the DNS management console and create a new TXT record in the DNS management section. Usually, the SPF record has the following format: v=spf1 ip4:xxx.xxx.xxx.xxx include:xxxxxx.com ~all. For example, if you use a service like Mailchimp for email marketing, you should add it to your SPF record as follows: include:mailchimp.com.
  3. Publish the record → paste the complete SPF record into the value field of the TXT record and save it. Remember that DNS changes take time to propagate, varying from a few hours to 48 hours.
  4. Test the SPF record → once published, ensure it’s configured correctly so your emails are not marked as spam. To do this, you can use online validation tools such as SPF Record Checker or send a test email to an external address and check the headers for the Received-SPF: line, which indicates whether the verification was successful.

Now that SPF is set up, let’s move on to DKIM. It might sound complicated, but setting up your email signature is easier than you think.

How to set up DKIM? 

Here’s how to set up DKIM on your domain to ensure the authenticity of your emails: 

  1. Generate DKIM keys → first, you must use your email service provider (ESP) to create a public and private key pair. The private key stays on your server and is used to sign your outgoing emails, and the public key is published in your DNS.
  2. Add the DKIM record to the DNS → Once you have the public key, you must add it to your DNS configuration. To do this, log into your domain registrar or service provider’s control panel and add a new TXT record in the DNS management section. The record name must be formatted as selector._domainkey.yourdomain.com. The word selector refers to the unique identifier provided by your ESP.
  3. Publish the record → Enter the public key generated in the TXT record field and save the changes. Please note that DNS modifications may take up to 48 hours to reflect, so you must be patient.
  4. Verify the configuration → After publishing the record, it’s essential to verify that the DKIM signature was configured correctly. You must email an external address, such as a Gmail account, to do this. When you receive the email, you should check the message headers and look for a line indicating DKIM=pass to confirm that the DKIM signature was correctly applied.

Finally, we’ve reached DMARC! With SPF and DKIM in place, DMARC ties it all together. Let’s finish strong with this last setup.


How to set up DMARC? 

Without a DMARC record, you risk not being able to monitor and control the emails sent on behalf of your domain. This could potentially lead to security breaches and a negative impact on your domain’s reputation. 

  • Create a DMARC record → first, log into your domain registrar or DNS provider’s control panel to create a new TXT record in the DNS management section. Usually, the DMARC format looks like this: v=DMARC1; p=none; rua=mailto:yourreport@yourdomain.com; pct=100.
      • v=DMARC1: sets the DMARC version.
      • p=none: indicates the policy for handling messages that fail verifications; you can opt for quarantine or rejection later.
      • rua=mailto:yourreport@yourdomain.com: specifies the email address at which you will receive reports on DMARC activity.
      • pct=100: sets the percentage of messages the policy applies to (100% applies to all messages).
  • Publish the record → enter the complete DMARC record string in the value field of the TXT record and then save the changes. As with the previous records, the changes may take up to 48 hours.
  • Review reports → use the email address you entered in the rua field to receive reports specifying authentication failures. With this information, you can find out who is sending emails on behalf of your domain and if those emails are passing SPF and DKIM checks.
  • Adjust the DMARC policy → Once you are happy with the reports’ results, consider changing the policy from p=none to p=quarantine or p=reject for messages that do not pass the checks.
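The review-then-adjust steps above can be automated along these lines. This is an added example, not Reply.io’s tooling: the report is a constructed sample in the standard aggregate (rua) XML layout, and summarize, unauthenticated_sources and next_policy are hypothetical helper names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate (rua) report, trimmed to the fields used below.
# Real reports arrive as compressed attachments from outside parties, so
# parse them with a hardened XML parser in production.
REPORT = """<feedback>
  <policy_published><domain>yourdomain.com</domain><p>none</p><pct>100</pct></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>198.51.100.25</source_ip><count>40</count>
    <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>7</count>
    <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
  </row></record>
</feedback>"""


def summarize(report_xml):
    """Return {source_ip: counters} for every row of an aggregate report."""
    root = ET.fromstring(report_xml)
    sources = defaultdict(lambda: {"messages": 0, "spf_pass": 0,
                                   "dkim_pass": 0, "both_fail": 0})
    for row in root.iter("row"):
        count = int(row.findtext("count", "0"))
        spf = row.findtext("policy_evaluated/spf", "fail")
        dkim = row.findtext("policy_evaluated/dkim", "fail")
        entry = sources[row.findtext("source_ip", "unknown")]
        entry["messages"] += count
        if spf == "pass":
            entry["spf_pass"] += count
        if dkim == "pass":
            entry["dkim_pass"] += count
        if spf != "pass" and dkim != "pass":
            entry["both_fail"] += count
    return dict(sources)


def unauthenticated_sources(summary):
    """Senders with mail that failed both checks: a forgotten service of
    your own, or someone else using the domain. Resolve these first."""
    return sorted(ip for ip, s in summary.items() if s["both_fail"])


def next_policy(report_xml):
    """Suggest the next p= value: tighten one step only when clean."""
    current = ET.fromstring(report_xml).findtext("policy_published/p", "none")
    if unauthenticated_sources(summarize(report_xml)):
        return current  # stay put until every sender is accounted for
    return {"none": "quarantine", "quarantine": "reject"}.get(current, current)
```

In the sample, 198.51.100.25 signs with DKIM but is missing from the SPF record, and 203.0.113.77 fails both checks, so the suggestion stays at p=none until that source is identified.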

Now that you’ve got SPF, DKIM, and DMARC all set up, the next step is making sure everything’s running smoothly. It’s not enough to just set it and forget it—you’ll want to check and monitor these records to ensure they’re doing their job. 

Let’s dive into how you can keep an eye on things and maintain top-notch email deliverability!

How to check if an email has passed SPF, DKIM and DMARC? 

To check if an email has passed SPF, DKIM, and DMARC authentications, you need to follow a specific process that starts with viewing the email headers. 

The first step is to open the email and access the headers, which provide crucial information about how the email was handled. Most email clients make this easy, although the method differs slightly depending on the platform. 

For example, in Gmail, you would select “More options” and then “Show original.” Similarly, Outlook and Apple Mail offer quick ways to display this data.

Once you’ve accessed the headers, the next step is to look for the SPF status. You’ll need to locate a line that starts with “Received-SPF.” This will tell you whether the SPF check was successful or not, and why. 

If the SPF record is set up correctly, the line will look something like “Received-SPF: Pass,” confirming that the email passed this check.

After verifying SPF, you’ll move on to checking the DKIM status. Look for the DKIM result in the header, which is included in the “Authentication-Results” field. This field will indicate whether DKIM verification was successful with a “Pass” or if it failed, meaning the DKIM signature was invalid.

Next, you’ll want to check the DMARC status, which is also found in the “Authentication-Results” section. DMARC works by summarizing the results of both the SPF and DKIM checks, and it will provide a final result in the form of something like “dmarc=pass” for policy compliance. 

If DMARC fails, it indicates that the email did not meet the necessary requirements set by the domain’s DMARC policy.
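The same header check can be scripted. This is an added example, not part of the original article: the message is constructed, mx.receiver.example is an assumed name for your own receiving server, and auth_results and passed_all are hypothetical helpers. It reads only the Authentication-Results header stamped by that server, because a copy that arrived with the message can claim anything.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed message: the top header was added by the receiving server,
# the second one arrived with the message and must not be trusted.
RAW = """\
Authentication-Results: mx.receiver.example;
 spf=softfail (sender not permitted) smtp.mailfrom=bounce.yourdomain.com;
 dkim=none; dmarc=fail (p=NONE) header.from=yourdomain.com
Authentication-Results: mx.other.example; spf=pass; dkim=pass; dmarc=pass
From: Sales <sales@yourdomain.com>
To: someone@receiver.example
Subject: New offer

Hello
"""

# Each result starts the header value or follows a ";" separator.
RESULT_RE = re.compile(r"(?:^|;)\s*(spf|dkim|dmarc)\s*=\s*(\w+)", re.I)


def auth_results(raw_message, trusted_authserv_id):
    """Collect spf/dkim/dmarc results stamped by our own receiving server."""
    msg = message_from_string(raw_message, policy=default)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        value = " ".join(str(header).split())  # unfold continuation lines
        authserv_id, _, rest = value.partition(";")
        server = authserv_id.split()
        if not server or server[0].lower() != trusted_authserv_id.lower():
            continue  # stamped by some other host: ignore it
        rest = re.sub(r"\([^()]*\)", "", rest)  # drop (comments)
        for method, result in RESULT_RE.findall(rest):
            method, result = method.lower(), result.lower()
            # Several DKIM signatures may be reported; one pass is enough.
            if results.get(method) != "pass":
                results[method] = result
    return results


def passed_all(results):
    """True only when SPF, DKIM and DMARC are all reported as pass."""
    return all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc"))
```

Reading every Authentication-Results header without the server check would report this constructed message as fully authenticated, although the receiving server recorded a DMARC failure.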

For a more efficient and detailed analysis, you can also use online tools like mail-tester or MXToolbox. These tools streamline the process of checking headers, offering comprehensive reports on your email’s performance and helping you spot any issues with SPF, DKIM, or DMARC.

By following this process, you not only safeguard your communications but also ensure your emails pass these critical authentication checks, protecting yourself from potential fraud and ensuring your messages reach their destination securely.

How to crush email deliverability with Reply.io magic? 

Reply.io is a robust platform that can significantly optimize the deliverability of your emails, thus improving your sales efforts. Here’s how you can leverage its features to maximize the effectiveness of your communications:

Nail your email authentication

Make sure your DKIM, SPF, and DMARC records are set up correctly so your emails don’t get flagged as spam. 

Reply.io will walk you through how to add these records to your DNS, making the SPF and DKIM setup process a breeze. Plus, we’ve got you covered on setting up DMARC to protect your domain, with reports on any spoofing attempts to keep you in the loop.


Personalize like a pro

Using Reply.io’s multichannel features—emails, LinkedIn, even WhatsApp and SMS—you can seriously boost your open and response rates. Personalizing your content to match your audience makes all the difference. 

With tools like spintax personalization, you can easily add recipient-specific details, like their name, making your emails more engaging and less likely to hit the spam folder.

Track what matters

Want to know which emails are performing well? Reply.io’s built-in analytics show you exactly which messages are getting opened, so you can fine-tune your strategy and boost your results. 

You’ll get all the insights you need to improve every campaign.

Clean up your contact list

Keeping your contact list clean is key to great email deliverability for sales teams. Reply.io helps you easily manage your contacts by removing inactive or incorrect email addresses and segmenting your list for targeted messaging. 

This means you’re only sending relevant content, which leads to better response rates.

Leverage AI for smart outreach

Our AI Chat and AI SDR tools automate lead qualification and responses, ensuring your outreach stays relevant and impactful. 

This helps you improve email deliverability and build connections with your audience—without doing all the manual work.

By using all of Reply.io’s features, you’ll not only improve your email campaigns but also strengthen relationships with prospects and customers, all while driving better sales results!

Wrapping up 

Mastering email authentication through protocols such as SPF, DKIM and DMARC is crucial to protecting your email reputation and ensuring the delivery of your messages to the right inboxes. 

These security mechanisms are your first line of defense against fraud and can help you improve sales engagement results.

A solid email optimization strategy will help you reach your recipients’ inboxes, foster meaningful relationships with your leads and close more deals. Reply.io combines the best practices and tools to improve the success of your email communications. 

Put these protocols into practice and transform your emailing strategy!
