Comprehensive Guide to SPF, DKIM and DMARC – Step-by-Step Email Authentication

Categories: Compliance, Email. Author: Roman Kozłowski. 13 min read. January 8, 2024.

SPF, DKIM and DMARC are three key mechanisms that protect us from spam, phishing and other threats. Each of these protocols plays a different role in the process of message verification. Their shared goal is to ensure that an email comes from a trusted source.

In light of the latest sender requirements from Google, Yahoo and Microsoft, SPF, DKIM and DMARC have become a de facto mandatory standard for any sender who wants to run effective email communication. Incorrect configuration leads to deliverability problems: messages end up in the spam folder or are rejected outright instead of reaching the inbox.

A poorly secured domain can also be used by cybercriminals to impersonate your brand. Such actions negatively affect your brand’s reputation and weaken the trust your recipients have in you.

If you want to secure your emails and avoid deliverability problems, keep reading. You will learn how SPF, DKIM and DMARC protocols work and why each of them is important.

Introduction to email security

Since its inception, email has been a key communication channel. However, it quickly revealed its limitations when it comes to security. Transport encryption protects data in transit between servers, but it says nothing about who the sender is. It does not prevent abuses such as spam, phishing or spoofing, which let cybercriminals impersonate trusted brands and mislead recipients.

When the SMTP protocol was specified in 1982, its designers did not anticipate the need to authenticate email senders: any server can put any address in the MAIL FROM command and the From: header. Over time, email gained solutions such as STARTTLS, which encrypt the connection between servers and improve the confidentiality of data transmission. However, these did not solve the problem of sender verification, leaving a significant gap in email security.

In response to the growing threats of spam, phishing and spoofing, three fundamental email authentication mechanisms were developed. Their purpose is to strengthen protection for both senders and recipients of email messages.

  • SPF (Sender Policy Framework) – Lets the receiving server check in DNS whether the connecting mail server is authorized to send for the domain used in the envelope sender (the SMTP MAIL FROM address, shown to the recipient as Return-Path). Note that this is not the domain visible in the From: header.
  • DKIM (DomainKeys Identified Mail) – Adds a digital signature to the message that allows the recipient to confirm that the signing domain took responsibility for the message and that the signed headers and body were not modified in transit.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance) – Ties SPF and DKIM to the domain in the From: header, defines how messages for which neither check produces an aligned pass should be handled, and enables the collection of reports about abuse attempts.

How does SPF work?

Sender Policy Framework (SPF) is an email authentication protocol developed in response to the lack of sender verification in SMTP. Its purpose is to protect domains from unauthorized use in email communication. SPF was first specified in 2006 (RFC 4408) and became a proposed standard in 2014 (RFC 7208); it is one of the fundamental tools senders around the world use to reduce abuse.

The protocol operates based on a DNS TXT record, in which the domain owner specifies which IP addresses or servers are allowed to send messages on behalf of the domain. When a receiving server gets an email, it takes the domain of the envelope sender (MAIL FROM, or the HELO/EHLO name when MAIL FROM is empty, as in bounces), fetches that domain's SPF record, and checks whether the connecting IP address is matched by one of the record's mechanisms. A match means the message comes from an authorized source.

Proper SPF configuration helps reduce spam and detect phishing messages. A domain must have exactly one TXT record starting with v=spf1 (two such records are not merged; they produce a permanent error), and evaluating it may involve at most ten DNS-querying terms (include, a, mx, ptr, exists and redirect) counted across all included records; ip4, ip6 and all do not count. Receiving servers first fetch the SPF record from DNS and then verify whether the sending host meets the authorization requirements.

What do specific SPF responses mean?

When receiving servers analyze a domain’s SPF record, they may return one of seven responses. Each response indicates the result of the verification and influences the decision on whether the message should be delivered.

  • Pass – The message was sent from an authorized server. The sender’s mail server is allowed to send emails on behalf of the domain.
  • Fail – The record explicitly states (the -all mechanism) that the sending server is not authorized. What happens next is the receiver’s decision: many receivers do not reject on an SPF fail alone, and under DMARC the message can still pass if it carries an aligned DKIM signature.
  • None – The domain has no SPF record (or no valid v=spf1 record). There are no guidelines regarding server authorization.
  • Neutral – An SPF record exists, but it explicitly makes no assertion about the sending server (the ?all mechanism, or no mechanism matched). Receivers must treat this like None; the final outcome depends on the DMARC configuration for the domain.
  • Soft fail – The record states (the ~all mechanism) that the server is probably not authorized. The message may be marked as suspicious but is not necessarily rejected. The final result depends on the recipient server’s policy or DMARC settings.
  • Temporary error – A technical error occurred, such as a DNS access problem. SPF verification was not completed and the message may be deferred and retried later.
  • Permanent error – The SPF record is invalid: a syntax error, more than one v=spf1 record, or more than ten DNS lookups. The message cannot be considered SPF-compliant and cannot contribute a pass to DMARC.
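
The evaluation described above, as an added example that is not code from the original article or from MessageFlow: a simplified check_host() in the spirit of RFC 7208 that resolves ip4, ip6, include, all and redirect= against a constructed in-memory zone (the domains and records are invented; a/mx/ptr/exists are charged to the ten-lookup limit but never match, since there is no live DNS here), together with a lookup counter. It produces every one of the seven results except temperror, and shows that two records or a self-including record both end in permerror rather than in a match.

```python
import ipaddress

# Constructed DNS zone standing in for live TXT lookups; every domain and
# record below is invented for this example.
ZONE = {
    "example.com":         "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "neutral.example":     "v=spf1 ?all",
    "loop.example":        "v=spf1 include:loop.example -all",
    "twice.example":       ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 mx -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4


def spf_record(domain):
    """The domain's single v=spf1 TXT record, None if absent, 'permerror' if several."""
    txt = ZONE.get(domain, [])
    records = [t for t in ([txt] if isinstance(txt, str) else txt)
               if t.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) > 1:
        return "permerror"  # two records are an error, they are never merged
    return records[0] if records else None


def check_host(ip, domain, lookups=None):
    """Simplified RFC 7208 check_host(): ip4, ip6, include, all and redirect=.
    a/mx/ptr/exists are charged to the lookup limit but never match here
    (assumption: a real evaluator resolves them)."""
    lookups = [0] if lookups is None else lookups
    record = spf_record(domain)
    if record == "permerror":
        return "permerror"
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower().split("/")[0]       # drop a dual-cidr suffix such as a/24
        if name == "all":
            return QUALIFIERS[qual]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if net.version == addr.version and addr in net:
                return QUALIFIERS[qual]
        elif name in LOOKUP_MECHANISMS:
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            if name == "include":
                sub = check_host(ip, arg, lookups)
                if sub == "pass":
                    return QUALIFIERS[qual]
                if sub in ("none", "permerror", "temperror"):
                    return "permerror" if sub == "none" else sub
        elif name.startswith("redirect="):
            redirect = name[len("redirect="):]
        elif "=" not in name:
            return "permerror"                  # unknown mechanism; modifiers such as exp= are ignored
    if redirect:
        lookups[0] += 1
        if lookups[0] > MAX_LOOKUPS:
            return "permerror"
        sub = check_host(ip, redirect, lookups)
        return "permerror" if sub == "none" else sub
    return "neutral"                            # fell off the end without an "all" term


def count_lookups(domain, budget=MAX_LOOKUPS):
    """DNS-querying terms reachable from the record; stops once the budget is exceeded."""
    record = spf_record(domain)
    if not record or record == "permerror":
        return 0
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?").lower()
        name, _, arg = term.partition(":")
        name = name.split("/")[0]
        target = arg if name == "include" else name[9:] if name.startswith("redirect=") else None
        if name in LOOKUP_MECHANISMS or target is not None:
            total += 1
            if target and total <= budget:
                total += count_lookups(target, budget - total)
        if total > budget:
            break
    return total
```

Note that `check_host` stops at the first matching mechanism, so the number of lookups it charges for a given IP is not the number a receiver may charge for another: `count_lookups` walks the whole include tree and is the figure to keep under ten when you add a new vendor's include.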

SPF can operate independently, but its full effectiveness is revealed when combined with DKIM and DMARC. In the following sections of the article, you will see how these mechanisms complement each other.

How does DKIM work?

DomainKeys Identified Mail (DKIM) is an email authentication protocol that uses the DNS system to publish the public keys needed to verify message signatures. The signing server adds a DKIM-Signature header to the message. With this signature, it is possible to confirm that a specific domain (the d= tag of the signature) took responsibility for the message and that the signed headers and body were not modified during transmission.

The signature is created using public key cryptography. The sender’s server hashes the message body, canonicalizes the selected headers together with the body hash, and signs the result with its private key. The recipient’s server reads the domain (d=) and selector (s=) from the signature, fetches the public key from the TXT record at selector._domainkey.domain, and uses it to verify the signature. If the signature verifies and the body hash matches, the message is considered authentic.

How is a DKIM record created?

For an email message to be considered trustworthy, it must go through the signing and verification process. DKIM operates in the background, automatically securing each outgoing message. It uses a pair of keys for this purpose. The private key is used to sign the message, and the public key is used to verify it.

  1. Publishing the public key in DNS.

The sender’s domain makes the public key available as a TXT record at <selector>._domainkey.<domain>. Receiving servers can retrieve it from there.

  2. Signing the message.

When the sender transmits an email, their server adds a DKIM-Signature header created using the private key. Only the signing system has access to this private key.

  3. Verifying the signature.

After receiving the message, the recipient’s server fetches the public key from DNS and uses it to verify the signature over the signed headers and the body hash. If everything verifies, the message is treated as authentic.

The DKIM protocol enables digital signatures to be attached to outgoing messages, which makes it possible to confirm their authenticity. The signature is automatically placed in the message header and is recognized by email servers that support DKIM.

The domain owner can assign different signing keys, distinguished by their selector (the s= tag), to various email providers. This allows both internal teams and external partners to legitimately send messages on behalf of the brand, and lets a key be rotated or revoked for one sender without touching the others.

The private key used for signing remains with the sender. The public key is published in DNS, where it can be accessed by receiving servers. Such a setup provides an effective and transparent way to verify whether a message truly originates from a given domain.
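
The signing and verification flow above, as an added example that is not code from the original article or from MessageFlow. It implements the relaxed header and body canonicalization of RFC 6376, the body hash (bh=), the construction of the signed data, publication of the key under <selector>._domainkey.<domain>, and verification. To stay on the standard library the signature primitive is textbook RSA over two small primes (999983 and 1000003), which is an assumption for illustration only: real DKIM keys are 2048-bit RSA or Ed25519 and pad the digest instead of reducing it modulo n. The p= encoding ('e:n' in base64), the message, the zone and the selector are likewise constructed. The demo shows that reflowing whitespace survives relaxed canonicalization while editing the body or a signed header does not.

```python
import base64
import hashlib
import re

CRLF = "\r\n"

# Toy RSA over two small primes so the example runs on the standard library
# alone. Assumption for illustration only: real DKIM keys are 2048-bit RSA or
# Ed25519 and the digest is padded (PKCS#1 v1.5), not reduced modulo n.
P, Q = 999983, 1000003
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)

def rsa_sign(digest):
    s = pow(int.from_bytes(digest, "big") % N, D, N)
    return s.to_bytes((N.bit_length() + 7) // 8, "big")

def rsa_verify(digest, sig, e, n):
    return pow(int.from_bytes(sig, "big"), e, n) == int.from_bytes(digest, "big") % n

def relaxed_header(name, value):
    """RFC 6376 3.4.2: lowercase name, unfold, collapse WSP runs, trim around the colon."""
    value = re.sub(r"\r?\n[ \t]+", " ", value)
    value = re.sub(r"[ \t]+", " ", value).strip(" ")
    return f"{name.lower()}:{value}"

def relaxed_body(body):
    """RFC 6376 3.4.4: collapse WSP runs, strip trailing WSP, drop trailing empty lines."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split(CRLF)]
    while lines and lines[-1] == "":
        lines.pop()
    return CRLF.join(lines) + CRLF if lines else ""

def b64(data):
    return base64.b64encode(data).decode()

def parse_tags(s):
    return dict(kv.strip().split("=", 1) for kv in s.split(";") if kv.strip())

def signing_input(headers, signed_names, sig_value):
    """Canonicalised copies of the h= headers, then the DKIM-Signature with b= empty."""
    out = ""
    for name in signed_names:
        for hn, hv in reversed(headers):         # last instance of each header name
            if hn.lower() == name.lower():
                out += relaxed_header(hn, hv) + CRLF
                break
    return (out + relaxed_header("DKIM-Signature", sig_value)).encode()

def publish_key(selector, domain):
    """The TXT record the signer publishes. Assumption: p= carries 'e:n' in base64;
    a real record carries the base64 DER SubjectPublicKeyInfo of the public key."""
    return {f"{selector}._domainkey.{domain}": f"v=DKIM1; k=rsa; p={b64(f'{E}:{N}'.encode())}"}

def dkim_sign(headers, body, domain, selector, signed=("From", "To", "Subject")):
    bh = b64(hashlib.sha256(relaxed_body(body).encode()).digest())
    sig = (f"v=1; a=rsa-sha256; c=relaxed/relaxed; d={domain}; s={selector}; "
           f"h={':'.join(signed)}; bh={bh}; b=")
    digest = hashlib.sha256(signing_input(headers, signed, sig)).digest()
    return ("DKIM-Signature", sig + b64(rsa_sign(digest)))

def dkim_verify(headers, body, zone):
    sig_value = next((v for n, v in headers if n.lower() == "dkim-signature"), None)
    if sig_value is None:
        return "none"
    tags = parse_tags(sig_value)
    record = zone.get(f"{tags['s']}._domainkey.{tags['d']}")
    if record is None:
        return "permerror"                       # no key under the d=/s= the signature names
    e, n = (int(x) for x in base64.b64decode(parse_tags(record)["p"]).decode().split(":"))
    if b64(hashlib.sha256(relaxed_body(body).encode()).digest()) != tags["bh"]:
        return "fail:body"                       # body hash mismatch: content changed
    stripped = re.sub(r"(^|;\s*)b=[^;]*", r"\1b=", sig_value)
    others = [(hn, hv) for hn, hv in headers if hn.lower() != "dkim-signature"]
    digest = hashlib.sha256(signing_input(others, tags["h"].split(":"), stripped)).digest()
    return "pass" if rsa_verify(digest, base64.b64decode(tags["b"]), e, n) else "fail:signature"

# Constructed message and zone for the demonstration.
ZONE = publish_key("s1", "example.com")
HEADERS = [("From", "Alice <alice@example.com>"), ("To", "bob@example.net"),
           ("Subject", "Invoice   42")]
BODY = "Hello Bob,\r\n\r\nPlease find invoice 42   attached.\r\n\r\n\r\n"

def demo():
    sig = dkim_sign(HEADERS, BODY, "example.com", "s1")
    signed = [sig] + HEADERS
    reflowed = BODY.replace("   ", " ").rstrip("\r\n") + CRLF
    subject_edited = [sig] + [(n, v.replace("42", "43")) if n == "Subject" else (n, v)
                              for n, v in HEADERS]
    return {
        "intact": dkim_verify(signed, BODY, ZONE),
        "whitespace_reflowed": dkim_verify(signed, reflowed, ZONE),
        "body_tampered": dkim_verify(signed, BODY.replace("invoice", "refund"), ZONE),
        "subject_tampered": dkim_verify(subject_edited, BODY, ZONE),
        "key_not_in_dns": dkim_verify(signed, BODY, {}),
    }
```

Two practical points the code makes visible: the selector in the signature decides which DNS record is consulted, so removing a selector's TXT record is how a compromised or retired key is revoked; and only the headers listed in h= are protected, so a signer that omits headers such as Reply-To or Date leaves them free for an attacker to add or change.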

What is domain alignment and why does it matter?

Domain alignment refers to the relationship between the domain in the visible From: header and the domains that SPF and DKIM actually authenticated: for SPF, the envelope sender (MAIL FROM) domain; for DKIM, the d= domain of a valid signature. DMARC only counts an SPF or DKIM pass if its domain is aligned with the From: header domain. Depending on the configuration (the aspf and adkim tags of the DMARC record), alignment can take two forms.

  • Relaxed alignment (the default) means that the organizational domain must match, even if the subdomain is different. For example, if the message has a From: address at news.example.com and the SPF envelope sender or the DKIM d= domain is example.com, the alignment is still considered valid.
  • Strict alignment requires the From: header domain to match exactly the domain SPF or DKIM authenticated. For instance, if the message originates from marketing.example.com, then the envelope sender or the d= tag must also be marketing.example.com, not just example.com.

A lack of domain alignment is a common reason why messages fail DMARC and, under an enforcing policy, are rejected, even though SPF and DKIM themselves pass. The typical case is a third-party sending service that uses its own domain as the envelope sender and signs with its own d= domain: both checks pass for the provider's domain, but neither is aligned with your From: address. Maintaining alignment is one of the key factors for effective authentication and high email deliverability.

How does DMARC work?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is a protocol that defines how mail servers should respond to messages for which neither SPF nor DKIM produces a pass aligned with the From: header domain; a single aligned pass from either mechanism is enough to pass DMARC. Its rules are defined in a DNS TXT record at _dmarc.<domain>, belonging to the domain used in the From: header.

After receiving a message, the recipient server checks its authenticity. If verification fails, DMARC instructs what to do next. You can choose to deliver the message anyway, mark it as suspicious, or reject it entirely.

In addition to protection, DMARC provides senders with access to reports that show how recipient servers are handling authentication. These reports can be aggregated or tied to specific messages. They help detect attempts to impersonate the domain and improve security configuration.

What actions can DMARC take?

A DMARC record allows domain owners to specify, in the p tag, how recipient servers should handle messages that fail DMARC (no aligned SPF or DKIM pass). A separate sp tag can set a different policy for subdomains, and pct limits the share of failing messages the policy is applied to.

  • None (p=none) – Indicates no specific action. Messages are delivered without changes. This mode is typically used during the early stages of DMARC implementation for monitoring and data collection.
  • Quarantine (p=quarantine) – The message is considered suspicious and is placed in the spam folder or another location for manual review. This is an intermediate option that does not block the message outright.
  • Reject (p=reject) – The message is refused during the SMTP transaction and is not delivered to the recipient. The sending server receives the rejection, so a legitimate but misconfigured sender will see bounces.
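
The alignment rules and the policy decision from the two sections above, combined in one added example that is not code from the original article or from MessageFlow. It derives the organizational domain from a constructed public-suffix subset (a real evaluator uses the full Public Suffix List), looks up _dmarc.<From domain> with the fallback to the organizational domain, applies strict or relaxed alignment according to aspf/adkim, honours sp for subdomains, and returns the DMARC result and disposition. The zone, domains and pct-free evaluation are assumptions of the example.

```python
# Constructed public-suffix subset; assumption: a real evaluator uses the full
# Public Suffix List to find the organizational domain.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed DNS zone of DMARC records for the example.
ZONE = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-rua@example.com",
    "_dmarc.strict.example": "v=DMARC1; p=reject; adkim=s; aspf=s",
}

DISPOSITION = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}


def organizational_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def aligned(auth_domain, from_domain, mode):
    """Strict (s): exact match. Relaxed (r, the default): same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def parse_tags(s):
    return dict(kv.strip().split("=", 1) for kv in s.split(";") if kv.strip())


def dmarc_record(from_domain, zone):
    """Look up _dmarc.<From domain>, then fall back to the organizational domain."""
    rec = zone.get(f"_dmarc.{from_domain.lower()}")
    if rec is not None:
        return parse_tags(rec), False
    rec = zone.get(f"_dmarc.{organizational_domain(from_domain)}")
    return (parse_tags(rec) if rec else None), True


def dmarc_evaluate(from_domain, spf_result, mailfrom_domain, dkim_results, zone):
    """spf_result: SPF verdict for mailfrom_domain; dkim_results: [(result, d= domain), ...].
    Returns (DMARC result, disposition). pct= sampling is left out (assumption)."""
    tags, from_org = dmarc_record(from_domain, zone)
    if tags is None or tags.get("v") != "DMARC1":
        return "none", "deliver"
    spf_ok = spf_result == "pass" and aligned(mailfrom_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for r, d in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "deliver"          # one aligned pass is enough
    policy = tags.get("p", "none")
    if from_org and from_domain.lower() != organizational_domain(from_domain):
        policy = tags.get("sp", policy)   # subdomain policy from the org-domain record
    return "fail", DISPOSITION.get(policy, "deliver")
```

The second assertion below is the third-party-sender case: SPF and DKIM both pass for the provider's domain, yet the message is rejected because neither identifier is aligned with example.com.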

DMARC and reporting

A DMARC record can include information about where to send reports related to the results of email authentication. There are two types of reports:

  • RUA (rua=mailto:…) refers to aggregate reports: XML documents, usually sent once a day by each receiving organization, that list per source IP how many messages were seen, what SPF and DKIM returned, whether they were aligned, and what disposition was applied. They help analyze the overall effectiveness of security measures and reveal legitimate senders that are not yet aligned.
  • RUF (ruf=mailto:…) refers to failure (forensic) reports that contain details about individual messages that failed authentication. These make it easier to identify errors and potential threats quickly, but many large mailbox providers do not send them for privacy reasons, so do not rely on receiving them.

Enabling both types of reports allows for continuous monitoring of domain protection and enables a swift response in case of any issues. If the reports are to be delivered to an address in a different domain, that domain must publish an authorization record (<yourdomain>._report._dmarc.<reportdomain> with the value v=DMARC1), otherwise receivers will not send them.
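
Reading an aggregate report, as an added example that is not code from the original article or from MessageFlow. The XML is a constructed sample in the RFC 7489 Appendix C shape (organization, domains, IP addresses and counts are invented). The parser flattens each record, and the classifier separates three situations a practitioner has to tell apart: messages with an aligned pass, messages where SPF or DKIM passed but for an unaligned domain (a legitimate service that needs its return-path or signing domain fixed), and messages with no pass at all (spoofing or an unknown sender).

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (rua) report; every value in it is invented for the example.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>mailbox.example</org_name>
    <report_id>2024-01-08-0001</report_id>
    <date_range><begin>1704672000</begin><end>1704758399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>quarantine</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.5</source_ip><count>15</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>esp.example.net</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.esp.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>40</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_aggregate(xml_text):
    """Flatten each <record> of an aggregate report into a dict."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        pe = rec.find("row/policy_evaluated")
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "disposition": pe.findtext("disposition"),
            "spf_aligned": pe.findtext("spf") == "pass",      # policy_evaluated = aligned results
            "dkim_aligned": pe.findtext("dkim") == "pass",
            "header_from": rec.findtext("identifiers/header_from"),
            "raw_passes": [(el.tag, el.findtext("domain"))     # auth_results = raw, unaligned
                           for el in rec.findall("auth_results/*")
                           if el.findtext("result") == "pass"],
        })
    return {"reporter": root.findtext("report_metadata/org_name"),
            "domain": root.findtext("policy_published/domain"),
            "policy": root.findtext("policy_published/p"),
            "rows": rows}


def classify(row):
    """Aligned pass: legitimate. Raw pass without alignment: a sender whose MAIL FROM
    or d= domain needs fixing. Nothing passing: unauthenticated (possible spoofing)."""
    if row["spf_aligned"] or row["dkim_aligned"]:
        return "authenticated"
    return "misaligned" if row["raw_passes"] else "unauthenticated"


def summarize(report):
    """Message counts per class, the domains to bring into alignment, and suspect IPs."""
    counts, to_fix, suspicious = {}, set(), set()
    for row in report["rows"]:
        kind = classify(row)
        counts[kind] = counts.get(kind, 0) + row["count"]
        if kind == "misaligned":
            to_fix.update(d for _, d in row["raw_passes"])
        elif kind == "unauthenticated":
            suspicious.add(row["source_ip"])
    return {"counts": counts, "fix_alignment_for": sorted(to_fix),
            "unauthenticated_ips": sorted(suspicious)}
```

Reports arrive from third parties, so treat them as untrusted input: parse them with defusedxml (or an equivalently hardened parser) in production rather than the plain ElementTree used here, and decompress the .zip/.gz attachments with a size limit.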

How does BIMI work?

Brand Indicators for Message Identification (BIMI) is a relatively new standard that allows the sender’s logo to be displayed directly in the recipient’s inbox next to the subject line. This enhances brand recognition and gives the recipient an additional signal of trust even before opening the email.

To implement BIMI, several conditions must be met.

  • A DMARC policy at enforcement: p=quarantine or p=reject, applied to 100% of mail (pct=100 or no pct tag), with a subdomain policy (sp) that is not none.
  • A logo in the SVG Tiny Portable/Secure (SVG Tiny PS) profile, hosted at a publicly accessible HTTPS URL. The file is not encrypted; the profile restricts SVG to a safe subset (no scripts or external references).
  • A BIMI DNS record, a TXT record at default._bimi.<domain> with the form v=BIMI1; l=<logo URL>; a=<certificate URL>.
  • (Optional, but required by some providers, including Gmail) Identity verification of the organization through a Verified Mark Certificate (VMC) issued for the trademarked logo.

Although implementing BIMI does not directly affect email deliverability, it can significantly improve click-through rates and open rates, while also reinforcing a professional brand image in the eyes of the recipient.

How do SPF, DKIM and DMARC work together to ensure email deliverability?

The email authentication process begins with SPF, which checks whether the server sending the message is authorized to act on behalf of the envelope sender domain. SPF and DKIM are independent of each other; DMARC needs at least one of them to produce an aligned pass. SPF relies on DNS records, but it looks only at the connecting IP and the MAIL FROM domain: it does not cover the visible From: header or the message content, so on its own it does not prevent From-header spoofing.

The next component is DKIM. It allows the message to be digitally signed, and that signature can be verified using a public key published in the sender’s DNS. This confirms that the message comes from an authorized source and has not been altered during transmission.

At the end of the chain is DMARC, which analyzes the results of SPF and DKIM authentication. Based on those results, the domain owner can specify how receiving servers should handle messages that fail verification. DMARC also uses DNS, but its role focuses on enforcing policy and collecting reports.

The cooperation of these three mechanisms enables:

  • authorization of the sending host for the envelope sender domain through SPF,
  • message integrity and domain-level origin verification via DKIM,
  • binding both results to the From: header domain, enforcement of delivery rules and reporting through DMARC.

Together, they form an effective defense system against fraudulent messages and increase the chances of your email landing in the inbox rather than the spam folder.

Want to check if your messages are properly authenticated? Use the free tool Mailchecker, which lets you easily analyze SPF, DKIM and DMARC configurations and identify potential errors.

Where are DMARC, DKIM and SPF records located?

To use SPF, DKIM and DMARC mechanisms, your domain must have correctly configured DNS records. These records are stored in what is known as the DNS zone, which holds the data required for their operation.

DNS, or Domain Name System, functions as a public directory for the internet. While it is most commonly associated with mapping domain names to IP addresses, it can also store other types of information. Among these are TXT records, which are used to define authentication protocol configurations.

SPF, DKIM and DMARC records are added as TXT entries in the DNS settings of a domain: SPF at the domain name itself, DKIM at <selector>._domainkey.<domain> (often published as a CNAME pointing at a record the sending provider maintains, so the provider can rotate keys), and DMARC at _dmarc.<domain>. This allows recipient mail servers to verify whether a message was sent from an authorized source and whether it remained unaltered during transmission.

Access to these settings is typically provided through the admin panel of your hosting provider or domain registrar. From there, you can add, edit and monitor the appropriate records for your domain.

How do you set up SPF, DKIM and DMARC and build a complete email authentication system?

SPF, DKIM and DMARC are three complementary protocols that together provide strong protection for both the sender and the recipient. To implement them, you need to configure the appropriate records in your domain’s DNS settings. This can be done manually through your hosting provider’s control panel or with the help of a DNS administrator.

It is important to note that you can only configure these protocols for a domain you control. If you send from a mailbox at a free email provider, that provider's own SPF, DKIM and DMARC records apply to its domain and you cannot change them, so full authentication under your own brand is not possible in those cases.

SPF configuration

The first step is to add an SPF record. This involves specifying which IP addresses and servers (your own hosts plus the include records of any sending services you use) are authorized to send emails on behalf of your domain, and closing the record with -all or ~all. Keep the total under ten DNS lookups and publish exactly one v=spf1 record. This allows recipients to verify that the message originated from an approved source.

DKIM configuration

Next, set up DKIM. Generate a key pair (2048-bit RSA is the common choice), choose a selector, publish the public key at <selector>._domainkey.<your domain>, and configure the sending server to sign with the private key. This enables the recipient to confirm that the message was not altered during transmission. Plan to rotate the key periodically by publishing a new selector and switching the signer to it.

DMARC configuration

Finally, configure DMARC, which defines what the receiving server should do if a message fails both SPF and DKIM authentication (or passes them only for unaligned domains). In the DMARC record at _dmarc.<your domain>, you must specify the policy (p=) and should provide the addresses to which authentication reports should be sent (rua=). Start with p=none to collect reports, fix every legitimate sender the reports show as unaligned, then move to p=quarantine and finally p=reject. Regular analysis of these reports will help you better understand how your email system functions and how to improve it.
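
The three records of the procedure above, assembled and checked by an added example that is not code from the original article or from MessageFlow. `build_records` produces the SPF, DKIM and DMARC TXT records for a domain in the monitoring-first shape (p=none with reporting), and `lint_zone` flags the mistakes that most often produce a permerror, open the domain to anyone, or leave DMARC silently ignored. The domain, sending sources, selector, key and report mailbox are constructed for the example.

```python
# Constructed inputs; the domain, hosts, selector, key and mailbox are invented.
DOMAIN = "example.com"
SOURCES = ["ip4:192.0.2.0/24", "include:_spf.mailer.example"]
PUBLIC_KEY_B64 = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0example"  # placeholder value

LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")


def parse_tags(s):
    return dict(kv.strip().split("=", 1) for kv in s.split(";") if kv.strip())


def build_records(domain, spf_sources, selector, public_key_b64, rua_mailbox, policy="none"):
    """The three TXT records as {owner name: value}, ready to paste into the zone."""
    return {
        domain: "v=spf1 " + " ".join(spf_sources) + " -all",
        f"{selector}._domainkey.{domain}": f"v=DKIM1; k=rsa; p={public_key_b64}",
        f"_dmarc.{domain}": f"v=DMARC1; p={policy}; rua=mailto:{rua_mailbox}; adkim=r; aspf=r",
    }


def lint_zone(zone):
    """zone: {owner: [txt, ...]}. Returns (owner, problem) pairs."""
    problems = []
    for owner, txts in zone.items():
        spf = [t for t in txts if t.lower().startswith("v=spf1")]
        if len(spf) > 1:
            problems.append((owner, "multiple SPF records (permerror)"))
        for rec in spf:
            terms = [t.lstrip("+-~?").lower() for t in rec.split()[1:]]
            last = rec.split()[-1].lower() if len(rec.split()) > 1 else ""
            if last in ("all", "+all"):
                problems.append((owner, "SPF ends with +all: anyone may send as this domain"))
            elif not (last.lstrip("-~?") == "all" or last.startswith("redirect=")):
                problems.append((owner, "SPF has no terminal all mechanism (defaults to neutral)"))
            lookups = sum(1 for t in terms
                          if t.split(":")[0].split("/")[0] in LOOKUP_MECHANISMS
                          or t.startswith("redirect="))
            if lookups > 10:
                problems.append((owner, f"SPF needs {lookups} DNS lookups in this record alone, limit is 10"))
            if any(t.split(":")[0] == "ptr" for t in terms):
                problems.append((owner, "SPF uses ptr, which is deprecated and slow"))
        if "._domainkey." in owner:
            for rec in txts:
                tags = parse_tags(rec)
                if not tags.get("p"):
                    problems.append((owner, "DKIM record has an empty p= (revoked key) or no p="))
                if tags.get("k", "rsa") not in ("rsa", "ed25519"):
                    problems.append((owner, f"DKIM key type {tags['k']} is not recognised"))
        if owner.startswith("_dmarc."):
            dmarc = [t for t in txts if t.startswith("v=DMARC1")]
            if not dmarc:
                problems.append((owner, "DMARC record must start with v=DMARC1"))
                continue
            tags = parse_tags(dmarc[0])
            if tags.get("p") not in ("none", "quarantine", "reject"):
                problems.append((owner, "DMARC p= missing or invalid; receivers ignore the record"))
            if "rua" not in tags:
                problems.append((owner, "DMARC has no rua=: you will never see who fails"))
            elif not all(u.strip().startswith("mailto:") for u in tags["rua"].split(",")):
                problems.append((owner, "DMARC rua= entries must be mailto: URIs"))
    return problems


GOOD_ZONE = {k: [v] for k, v in
             build_records(DOMAIN, SOURCES, "s1", PUBLIC_KEY_B64, "dmarc-rua@example.com").items()}

# A deliberately broken zone (constructed) showing the mistakes the linter catches.
BAD_ZONE = {
    "bad.example": ["v=spf1 include:a.example include:b.example +all", "v=spf1 mx ptr"],
    "s1._domainkey.bad.example": ["v=DKIM1; k=rsa; p="],
    "_dmarc.bad.example": ["v=DMARC1; rua=https://reports.bad.example"],
}
```

The lookup count here is per record only; the SPF evaluator earlier on this page walks the include tree, which is what you need when a vendor's include itself includes others.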

At MessageFlow, the process of generating the necessary values for DKIM and DMARC configuration is automated, so you do not need to prepare them manually. Detailed configuration instructions are available in our documentation, which guides you through the entire setup step by step.

Email authentication is the foundation of effective communication

The SPF, DKIM and DMARC protocols together form a system that protects your domain, improves message deliverability and builds trust with your recipients. Proper configuration of these protocols is essential if you want to avoid issues with security, spam filtering or brand impersonation.

If you need support in implementing these mechanisms or want to review the configuration of your domain, feel free to contact our team of experts. We will guide you through the process step by step and help ensure that your communication is not only effective but also fully secure.