Email management

A Developer's Guide to SPF, DKIM, and DMARC to Authenticate Their Emails

Nikita Navral
March 31, 2023
A Developer's Guide to SPF, DKIM, and DMARC to Authenticate Their Emails
TABLE OF CONTENTS
Important Notice - New Email Policies That Might Break Your Product Communication from 1st February 2024 - From Gmail

Email authentication is the process of verifying that an email message comes from a legitimate sender. It helps ensure that email messages are delivered to their intended recipients and not diverted or blocked by spam filters. 

Email authentication also helps protect against phishing attacks, which can be used to steal sensitive information such as login credentials and financial data. By authenticating emails with advanced security protocols like SPF, DKIM, and DMARC, organizations can help protect their customers' privacy while ensuring they receive timely communications from trusted sources. 

The importance of email authentication in terms of deliverability cannot be understated; without it, emails may end up in spam folders or never reach their intended destinations.

This blog post will discuss everything you need to know about SPF, DMARC & DKIM records. So, let's get started.

Setting up Sender Policy Framework (SPF)

SPF (Sender Policy Framework) is an email authentication protocol designed to verify the identity of a message's sender, blocking emails from being spoofed or sent from malicious sources. This helps shield users against phishing attacks and other malicious activities.

How does SPF verification work?

SPF works by verifying the source of an email against a list of authorized mail servers maintained by the domain owner in their DNS records. When an incoming email is received, it can be checked against this list to ensure it has been sent from one of these authorized servers. If not, it is likely to be spam or maliciously sourced and should be rejected before reaching its intended recipient. 

Process of creating and publishing an SPF record

Now that we understand SPF records, let's create and add a record to our DNS provider. We will be using MXToolbox to generate the record. Enter the domain name in the text box and answer the questions based on your requirements. After entering the records, you'll find the generated SPF record.


Generating SPF records is not enough, we now have to add them to our DNS service provider as a TXT record. If you are using Cloudflare, you can simply move to DNS tab select type as TXT, enter the name as @ (or root domain), and SPF record in the content field. Click on Save once you have filled in all the fields.

Best practices for designing and implementing SPF

When designing and implementing an SPF policy, one should follow best practices to ensure it effectively prevents phishing attacks and other malicious activities.

  • Include all IP addresses: Domain owners must make sure to include all necessary IP addresses and domains that need authorization in their DNS records. This includes any webmail services that employees may utilize, such as Gmail or Yahoo.
  • Keep it short: The SPF record should not be too lengthy; it should only contain IP addresses and domains necessary for sending emails.
  • Update Timely: Domain owners must update the SPF record whenever changes are made to their mail server setup or new email services are added.

To maximize the effectiveness of an SPF policy, organizations should monitor how their mail servers are configured and what types of messages they send out. Doing this helps identify potential issues more quickly and allows organizations to take immediate action if an attack occurs.

SPF Syntax and mechanisms

The syntax of SPF authentication is built on a specific set of rules that must be followed to ensure the protocol is effective. These rules/mechanisms are written in plain text separated by white space. The mechanisms specify which mail servers are authorized to send emails on behalf of the domain. The following are the most common mechanisms:

  • a - Used to Match the IP address of the A record of the domain.
  • mx - For matching the IP address of the domain's MX record.
  • ip4 and ip6 - Matches a specific IP address or range of IP addresses (IPv4 & IPv6).
  • include - Includes the SPF record of another domain.
  • all - Specifies the default behavior for any IP addresses that do not match any of the other mechanisms.

Following is a sample SPF record that allows any IP address that matches the A or MX record of the domain is authorized to send emails:

v=spf1 a mx -all

Common SPF record errors and how to fix them

Sometimes when setting up an SPF record, mistakes can happen. You might use the wrong IP address or syntax to describe what should be allowed. You also need to make sure you list all the mail servers and webmail services you use so spam filters do not block emails from them. 

If you make a mistake, it is essential to fix it immediately so your emails aren't blocked or flagged as malicious. To fix this, move back to the DNS provider, select & edit the record.

Setting up DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is an email authentication protocol that enables the receiver to verify if an authorized sender sent an email message and its content hasn't been altered during transmission.

DKIM is an increasingly popular email authentication standard that utilizes digital signatures to verify the authenticity of an email message. To set up DKIM for your domain, you'll need to generate and publish a DKIM key for it.

DKIM is designed to prevent email spam and phishing attacks by verifying the authenticity of email messages. To do this, it adds a digital signature to each message header. The receiver's email server can then verify that an authorized sender sent it without tampering during transmission.

Here's a sample DKIM record:

[dkim_selector]._domainkey.[yourdomain].com IN TXT "v=DKIM1; k=rsa; p=[public key]"

Here's what each part of the DKIM record means:

  • [selector] is a unique identifier that specifies which DKIM key to use for a particular email message. Using a new selector is recommended each time you generate a new key pair.
  • _domainkey is a fixed string that identifies the record as a DKIM key record.
  • [yourdomain].com is the domain name, for which you create the DKIM record.
  • IN TXT is the record type, which specifies that the record contains text data.
  • "v=DKIM1; k=rsa; p=[public key]" is the actual DKIM record data. It contains the DKIM version number (v=DKIM1), the key type (k=rsa), and the public key (p=[public key]).

Process of creating and publishing a DKIM key

To create a DKIM key, you must first generate a public and private key pair. The private key remains secret and is used to sign outgoing email messages; the public key is published in your domain's DNS record. When an email message is received by its intended recipient, the server checks up on your public key from your DNS record to confirm its authenticity.

Creating and publishing a DKIM key involves several steps:

  • Create a public and private key pair.
  • Add the public key to your domain's DNS record.
  • Configure your email server to sign outgoing emails with this private key.

Generate Public & Private Key

To generate a public & private key, follow the below-mentioned steps:

  1. Run the following command (in the terminal) to generate a 2048-bit RSA key pair:
   openssl genrsa -out private.key 2048

  1. Use the following command to generate a public key that corresponds to the private key (created in the last step):
   openssl rsa -in private.key -pubout -out public.key

Add Public Key to DNS

Adding a public key to DNS is similar to adding an SPF record. To add the public key, navigate to the DNS setting and click on add record. Select the record type as TXT, add key._domainkey as the Record (here key is the selector) & add the public key in the Content field.

Best practices for designing and implementing DKIM

When designing and implementing DKIM, it is essential to adhere to best practices to guarantee your email messages are authenticated correctly and not marked as spam. Here are some top tips for designing and implementing DKIM:

  • Use a separate DKIM key for each email domain
  • Select a unique DKIM selector for each key
  • Opt for a key size of at least 1024 bits
  • Implement an advanced hashing algorithm like SHA-256
  • Include the same domain name in the DKIM signature and email message headers.

DKIM Selectors and key size

When creating a DKIM key, you must choose a selector - that is, an ID name that uniquely identifies the specific key used to sign an email message. Selectors help differentiate between multiple DKIM keys for the same domain; thus, using a unique selector per DKIM key helps avoid key collisions.

When selecting a selector for DKIM, the recommended key size is at least 1024 bits. However, larger key sizes such as 2048 bits have become increasingly common due to their increased security benefits.

Common DKIM errors and how to fix them

Several common DKIM errors can arise, such as missing or incorrect DNS records, invalid key formats, and incorrect configuration settings. These issues may cause email messages to be rejected or marked as spam. Here is a list of some common DKIM issues and how to fix them:

  • Missing or Incorrect DNS Records: Confirm that your DKIM DNS records have been correctly configured and published.
  • Invalid Key Format: Make sure your DKIM key has the correct format with no typos or errors present.
  • Incorrect Configuration Settings: Verify that your email server is configured properly to sign outgoing email messages using the DKIM key.

Setting up Domain-based Message Authentication, Reporting & Conformance (DMARC)

DMARC (Domain-based Message Authentication, Reporting & Conformance) is an email authentication protocol that builds on top of SPF and DKIM to provide more comprehensive protection against email fraud and spoofing.

DMARC allows domain owners to specify a policy for how receivers should handle email messages that fail SPF or DKIM checks. This policy can range from monitoring and reporting failed messages to outright rejecting them.

Overview of DMARC and its purpose

DMARC is designed to address the shortcomings of SPF and DKIM, which attackers can circumvent by using spoofed or fraudulent email addresses. DMARC builds on top of these protocols by providing a mechanism for domain owners to assert their identity and specify how receivers should handle email messages that fail SPF or DKIM checks.

The primary purpose of DMARC is to prevent email fraud and phishing attacks by providing a way for domain owners to assert their identity and communicate their email authentication policies to receivers. DMARC allows domain owners to specify how they want receivers to handle email messages that fail SPF or DKIM checks, including whether to deliver, quarantine, or reject them.

How DMARC builds on top of SPF and DKIM

DMARC builds on top of SPF and DKIM by providing a way for domain owners to specify their email authentication policies and how receivers should handle email messages that fail SPF or DKIM checks. DMARC combines the results of SPF and DKIM checks and compares them to the policy specified in the DMARC record.

If a message fails both SPF and DKIM checks, DMARC allows domain owners to specify how the receiver should handle the message. This can include sending a report to the domain owner, delivering the message to the recipient's spam folder, or outright rejecting the message.

DMARC Record & Different Tags

DMARC policies are specified in DNS records that are published for the domain. These records are of the type "TXT" and are formatted as follows:

v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensics@example.com; fo=1; adkim=s; aspf=s; pct=100; ri=86400

  • "v": This tag specifies the DMARC version being used. The value should always be "DMARC1".
  • "p": This tag specifies the policy to apply to messages that fail both SPF and DKIM checks. This can be set to one of three values: "none", "quarantine", or "reject".
  • "sp": This tag specifies the policy to apply only to messages that fail SPF checks. This can be set to one of three values: "none", "quarantine", or "reject". If this tag is not present, the value of the "p" tag will also be used for SPF failures.
  • "adkim": This tag specifies the alignment mode for DKIM. Valid values are "r" (relaxed) and "s" (strict). In "relaxed" mode, the DKIM signature can match even if some header fields have been modified, while in "strict" mode, the signature must match exactly.
  • "aspf": This tag specifies the alignment mode for SPF. Valid values are "r" (relaxed) and "s" (strict). In "relaxed" mode, the SPF check can pass even if the source IP address is not an exact match for the domain's SPF record, while in "strict" mode, the source IP address must be an exact match.
  • "pct": This tag specifies the percentage of messages that should be subject to the DMARC policy. Valid values are between 0 and 100. This can be useful for gradually implementing a DMARC policy and monitoring the impact on email deliverability.
  • "fo": This tag specifies the options for generating forensic reports. Valid values are "0" (off), "1" (on), and "d" (on-demand). Forensic reports contain detailed information about the authentication results for each email message and can be used for troubleshooting and analysis.
  • "rf": This tag specifies the format for forensic reports. Valid values are "afrf" (Authentication Failure Reporting Format) and "iodef" (Incident Object Description Exchange Format).
  • "ri": This tag specifies the interval at which aggregate reports should be sent in seconds.
  • "rua": This tag specifies the email address where DMARC aggregate reports should be sent. Multiple email addresses can be specified, separated by commas.

Publishing a DMARC policy

To publish your DMARC policy, you must create a TXT record in your domain's DNS settings. The record should contain the DMARC policy as described above. Once the record is published, receivers will be able to use it to determine how to handle email messages that fail SPF or DKIM checks.

To add a DMARC record to your Cloudflare account, navigate to DNS settings & click on add record.

Best practices for designing and implementing DMARC

When implementing DMARC, there are a few best practices that can help ensure its effectiveness:

  • Start with a "none" policy: When first implementing DMARC, start with a "none" policy to monitor the results of SPF and DKIM checks without taking any action. This can help you identify any misconfigured email systems or legitimate emails that fail the checks.
  • Monitor DMARC reports: Regularly review the DMARC reports sent to your designated email addresses to identify any potential issues or suspicious activity.
  • Gradually tighten the policy: Once you understand the SPF and DKIM authentication status of your email, gradually tighten your DMARC policy. Start by specifying a "quarantine" policy for messages that fail SPF and DKIM checks, and then eventually move to an outright "reject" policy.
  • Use subdomains for testing: Before implementing it on your main domain, use subdomains to test your DMARC policy. This can help you identify any issues before they affect your primary email flow.

Analyzing DMARC feedback

One of the advantages of DMARC is that it provides domain owners with feedback regarding email authentication checks performed by receivers. This information can be utilized to identify and resolve problems with email authentication as well as monitor for fraudulent activity.

DMARC feedback comes in two forms: aggregate reports and forensic reports. Aggregate reports provide statistical data about the results of email authentication checks for a domain, while forensic reports offer detailed insights into individual messages that have failed these tests.

Analyzing DMARC feedback requires configuring a system to collect and process reports. Several third-party tools and services can assist with this, or you could build your system using open-source software.

Evaluating DMARC Feedback

Once you have access to DMARC feedback, there are several things you can do with it, such as:

  • Detect and address authentication failures: Utilize DMARC feedback to identify any email systems or senders that are failing SPF and DKIM checks, then collaborate with them to solve these issues.
  • Monitor for Fraudulent Activity: Utilize DMARC feedback to monitor for fraudulent activities, such as phishing attacks or spam campaigns, and take steps to prevent them.
  • Enhance Email Deliverability: Utilize DMARC feedback to identify and address any issues with email delivery, such as messages being marked as spam or rejected by receivers.

Email Authentication methods comparison

Email authentication methods are critical to ensuring the security and integrity of email messages. SPF, DKIM, and DMARC are three widely-used email authentication methods that can help prevent email fraud, phishing, and other malicious attacks.

Feature SPF DKIM DMARC
Authentication Sender IP address Digital signature of email message Both SPF and DKIM are checked and aligned against the sender domain in DMARC policy.
Use cases Prevents email spoofing from unauthorized domains Prevents email spoofing by validating email contents Provides a reporting mechanism for failed authentications and provides instructions for handling email from unauthorized domains.
Record Type DNS TXT record DNS TXT record PDNS TXT record
Record Format v=spf1 include:domain.com -all No fixed format, but typically a long string of random characters No fixed format, but typically includes policy statements and alignment requirements
Record Location Sender domain DNS record Sender domain DNS record Sender domain DNS record
DNS Lookup Type Forward lookup Forward lookup Forward lookup
Mechanism Specifies which IPs/domains are authorized to send email Adds a digital signature to the email header Provides a policy for handling email from unauthorized sources.
Result Specifies which IPs/domains are authorized to send email Adds a digital signature to the email header Provides a policy for handling email from unauthorized sources.
Email header field None DKIM-Signature header field None.

Here's a comparison of the advantages and disadvantages of each method:

SPF

Advantages:

  • Helps prevent spammers from sending messages that appear to come from your domain.
  • Relatively easy to set up and configure.
  • It helps prevent email spoofing and improves email deliverability.

Disadvantages:

  • Limited to validating the envelope sender of the message.
  • Does not provide end-to-end authentication and does not protect against email forgery.

DKIM

Advantages:

  • Provides end-to-end authentication of the message and protects against email forgery.
  • Helps prevent email spoofing and improves email deliverability.
  • Can be used to sign both the message body and message headers.

Disadvantages:

  • More complex to set up and configure than SPF.
  • Requires the use of a private and public key pair, which must be properly secured.

DMARC

Advantages:

  • Builds on top of SPF and DKIM to provide a more comprehensive email authentication solution.
  • Provides visibility into who is sending emails on your behalf and how your messages are handled.
  • Allows you to specify what action to take when messages fail authentication checks.

Disadvantages:

  • More complex to set up and configure than SPF or DKIM alone.
  • Requires more resources to manage and monitor.

Choosing the right authentication method for different use cases

When it comes to email authentication, there is no one-size-fits-all solution. The right authentication method for your organization will depend on your specific needs and use cases. Here are some factors to consider:

  • Level of security required: If you need to ensure the highest level of security for your emails, then DKIM is the best choice, as it provides end-to-end authentication.
  • Ease of implementation: If you're looking for a relatively easy-to-implement solution, then SPF may be the right choice for you.
  • Visibility into email sending: If you want to gain visibility into who is sending emails on your behalf and how your messages are handled, then DMARC is the right choice.
  • In most cases, a combination of authentication methods can provide the best protection against email fraud and malicious attacks.

How to use multiple authentication methods for better results

Using multiple authentication methods can provide a more comprehensive solution to email authentication. For example, you could use SPF to validate the envelope sender, DKIM to provide end-to-end authentication, and DMARC to monitor and manage your email authentication policies. 

Combining these methods can improve your email deliverability, prevent email fraud, and protect your brand reputation.

Email Authentication standard and future possibilities

Email authentication standards are continuously being refined to stay abreast of the newest email threats and technologies. Shortly, we may see new authentication methods offering even greater security and flexibility.

For example, the Authenticated Received Chain (ARC) protocol is an emerging email authentication standard that could address some of the drawbacks of SPF and DKIM. With email authentication technologies constantly developing, staying up-to-date with current best practices and solutions is essential to safeguard your organization's email security and ensure success in this digital age.

SuprSend Integration

Looking for an easy-to-use solution to manage your email providers and ensure their authentication is up to par? SuprSend has got you covered. Here are the key benefits of using SuprSend:

Seamless Integration with Email Providers

SuprSend integrates with multiple email providers, including Gmail, SendGrid, Mailgun, and many more. With SuprSend, you can easily set up, manage, and maintain your email providers that have already figured out the authentication process. This means you can focus on delivering your messages without worrying about authentication issues.

Troubleshooting and Debugging Tools

SuprSend offers a range of powerful tools to help businesses troubleshoot and debug email authentication issues. Whether you're facing SPF, DKIM, or DMARC issues, SuprSend provides detailed feedback and guidance on resolving them. With SuprSend's powerful reporting and analytics capabilities, you can quickly identify and fix authentication issues, ensuring your emails are delivered to your customers' inboxes.

Easy-to-Use Interface

With SuprSend's user-friendly interface, you can easily manage your email notifications and track their performance. The platform is designed to be intuitive and straightforward, allowing you to focus on delivering great content to your customers without worrying about technical details.

Conclusion

In conclusion, email authentication is critical to email marketing and communication. By using authentication methods like SPF, DKIM, and DMARC, businesses can protect their reputation, increase deliverability rates, and prevent email fraud. Each authentication method has advantages and disadvantages; the right choice depends on the use case. However, using multiple authentication methods can provide an additional layer of security and increase the chances of emails reaching the inbox.

Implementing and maintaining email authentication can be a daunting task for developers. Still, SuprSend makes it easy by offering seamless integration with multiple email providers and powerful tools for troubleshooting and debugging issues with email authentication. With SuprSend, businesses can focus on delivering great content to their customers without worrying about technical details.


We hope this guide has given you a better understanding of SPF, DKIM, DMARC, and their role in email authentication. By following the best practices outlined in this guide and using SuprSend's powerful tools, you can ensure that your emails are delivered to your customers' inboxes and build stronger relationships. 
Regularly monitor your email authentication and make necessary updates to avoid potential issues. With the right approach and tools, email authentication can be a simple and effective way to improve the success of your email marketing and communication efforts.

Email Authentication is Not The Only Issue

Email authentication affects your email deliverability to a larger extent but it's not the only issue. We have outlined 9 major factors with their solutions that affects email deliverability. Check it out here - The Ultimate Guide to Improving Email Deliverability for Product Teams in 2024

Those 9 factors are:

  1. Email authentication
  2. Email throttling
  3. Spam filter evasion
  4. Blacklists
  5. ++ and more are given in that article. Go through that once.

Written by:
Nikita Navral
Co-Founder, SuprSend
ABOUT THE AUTHOR

What’s a Rich Text element?

The rich text element allows you to create and format headings, paragraphs, blockquotes, images, and video all in one place instead of having to add and format them individually. Just double-click and easily create content.

Static and dynamic content editing

A rich text element can be used with static or dynamic content. For static content, just drop it into any page and begin editing. For dynamic content, add a rich text field to any collection and then connect a rich text element to that field in the settings panel. Voila!

How to customize formatting for each rich text

Headings, paragraphs, blockquotes, figures, images, and figure captions can all be styled after a class is added to the rich text element using the "When inside of" nested selector system.

Implement a powerful stack for your notifications

By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.