SPF, DKIM, and DMARC Explained
A complete guide to email authentication protocols
SPF (Sender Policy Framework)
SPF is an email authentication method that specifies which mail servers are authorized to send emails on behalf of your domain.
How SPF Works
When an email is received, the receiving server checks the SPF record in your DNS to verify that the email came from an authorized server.
Example SPF Record:
v=spf1 include:_spf.google.com include:amazonses.com ~all
Pro Tip: Use the tilde (~) for soft fail rather than dash (-) for hard fail while testing your SPF configuration.
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to your emails, allowing receiving servers to verify that the email hasn't been tampered with in transit.
How DKIM Works
Your mail server adds a cryptographic signature to the email header. The receiving server uses your public key (published in DNS) to verify the signature.
Important: Use at least 2048-bit keys for DKIM. 1024-bit keys are being deprecated by major email providers.
DMARC (Domain-based Message Authentication)
DMARC builds on SPF and DKIM, telling receiving servers what to do when authentication fails and providing reporting on email authentication results.
DMARC Policies
- None: Monitor mode. Collect reports but don't enforce policy.
- Quarantine: Send failed emails to spam folder.
- Reject: Reject failed emails entirely.
Example DMARC Record:
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100; adkim=r; aspf=r
Implementation Checklist
1. Set up SPF: List all servers authorized to send email
2. Configure DKIM: Generate keys and publish public key in DNS
3. Start DMARC monitoring: Begin with p=none to collect data
4. Analyze reports: Review DMARC reports for issues
5. Enforce policy: Move to p=quarantine then p=reject