Email is a mature medium. However, despite its longevity, it is also a platform that continues to cause headaches for mailers when inboxing fails and open rates fall. Diagnosing these problems requires a technical understanding of all the factors at work when it comes to email deliverability.

Here, we go in-depth on how SPF, DKIM, and DMARC are used to provide email authentication. This background and understanding are essential as the proper configuration is always one of the first things to check when diagnosing any email delivery problems.

In addition to the written explanation, we’ve also put together an infographic that clarifies the core concepts of SPF, DKIM and DMARC:

[Infographic: SPF, DKIM, and DMARC explained]


Understanding SPF, DKIM, and DMARC

What are SPF, DKIM, and DMARC?

SPF, DKIM, and DMARC are the three main email security protocols that complement one another. They are methods to authenticate a mail server and prove to Internet Service Providers (ISPs), mail services, and other mail servers that senders are truly authorized to send an email.

SPF: Sender Policy Framework

Sender Policy Framework (SPF) works by strictly defining which IP addresses are allowed to send emails from your domain. It’s like the return address on a postcard or letter that lets the receiver know who sent the communication.

The idea behind SPF is that if the recipient knows who sent the email, they are more likely to open it. This email protocol hardens your domain through the Domain Name System (DNS), the service that converts web addresses into IP addresses and without which you can’t connect to any website. SPF also prevents domain spoofing.

SPF has three major elements: (1) the policy frame, as the name implies; (2) the authentication method; and (3) the specialized headers in the email itself that convey the data.

DKIM: DomainKeys Identified Mail

Meanwhile, DKIM authentication makes sure that the content of the email is trusted and has not been compromised or tampered with during delivery. Similar to SPF, DKIM is set up by adding a TXT record in the domain panel.

If SPF is like the return address of a postcard or letter, DKIM is likened to sending that postcard or letter through Certified Mail, which further builds trust between the receiver and the sender server.

DMARC: Domain-based Message Authentication, Reporting, and Conformance

Lastly, the Domain-based Message Authentication, Reporting, and Conformance (DMARC) is also referred to as “email signing.” It ties the first two email security protocols (the SPF and DKIM) together with a more consistent set of policies.

DMARC has three basic purposes:
  1. To verify that the sender’s email message is protected by both DKIM and SPF protocols
  2. To inform the receiving mail server what it should do if neither of those email security protocols passes and
  3. To provide a way for the receiver server to report to the sender about the email message or messages that fail or pass the DMARC evaluation.

Since DMARC uses DKIM and SPF email authentication methods, you may wonder if it’s even necessary. Well, the answer is yes.

DMARC builds on both authentication methods to ensure that should a message be received, the data contained in both SPF record and DKIM record matches the “friendly from” domain. An example of that is me@my-domain.com.

Combining these three pillars of email authentication provides you or your company with the best protection necessary.

Now that we know the concepts, let’s focus on how these three work.

How do they work?

SPF – An SPF record, added to your DNS as a TXT record, lists all of the approved servers that mail is allowed to come from.

  • And what does it look like?

v=spf1 a ip4:12.34.56.78/28 include:marketingemailserver.com ~all

  • In this example, such an SPF authentication record allows emails from 12.34.56.78/28 and marketingemailserver.com. If the email comes from other addresses, it will be considered an SPF soft fail.
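To make the record above concrete, the following added example (not from the original article) evaluates a connecting IP against it the way a receiving server would, mechanism by mechanism. The DNS table is a constructed stand-in so it runs offline; my-domain.com as the record's owner, the 203.0.113.10 A record and marketingemailserver.com's own SPF record are assumptions.

```python
import ipaddress

# Constructed stand-in for DNS (assumed values, not real lookups).
DNS = {
    ("TXT", "my-domain.com"):
        "v=spf1 a ip4:12.34.56.78/28 include:marketingemailserver.com ~all",
    ("A", "my-domain.com"): ["203.0.113.10"],
    ("TXT", "marketingemailserver.com"): "v=spf1 ip4:198.51.100.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, depth=0):
    """Return the SPF result for a connecting IP; the first matching term wins."""
    record = DNS.get(("TXT", domain))
    if record is None or not record.startswith("v=spf1"):
        return "none"
    if depth > 10:  # guard against include loops (real SPF also caps DNS lookups)
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # default is pass
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # strict=False: 12.34.56.78/28 has host bits set; it means .64-.79
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in DNS.get(("A", arg or domain), [])
        elif name == "include":
            # include matches only when the other domain's policy says "pass";
            # its own "-all" does not turn into a fail for this domain.
            matched = check_spf(ip, arg, depth + 1) == "pass"
        else:
            return "permerror"  # mechanism not handled in this sketch
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and there was no "all"

if __name__ == "__main__":
    for ip in ("12.34.56.70", "12.34.56.80", "198.51.100.25", "192.0.2.1"):
        print(ip, check_spf(ip, "my-domain.com"))
```

Note that 12.34.56.80 falls just outside the /28 and gets the soft fail, which is easy to miss when the record is written with a host address instead of the network address.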

DKIM – At the most basic level, DKIM works by adding a digital signature to the email message header. The signature relies on a cryptographic key pair: a private key, which the sending server uses to sign, and a public key, which receiving servers use to verify the signature.

DMARC – This policy relies on the established standards of SPF and DKIM for email authentication. Generally, DMARC validation works by deciding whether to reject, accept, or flag the email message. To deploy this authentication policy, you need to publish a DMARC record (text entry within the DNS record).
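The decision described above can be sketched as follows. This is an added example, not code from the original article: it takes the SPF and DKIM results a receiver already has, checks that the authenticated domain matches the “friendly from” domain, and applies the published policy. The records, the subdomain names and the two-label organizational-domain shortcut are assumptions.

```python
# DMARC policy value -> the "accept, flag, or reject" outcome named above.
POLICY_ACTION = {"none": "accept", "quarantine": "flag", "reject": "reject"}

def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags

def org_domain(domain):
    # Simplification: the last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') allows subdomains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_domain, spf, dkim, record):
    """spf = (result, MAIL FROM domain); dkim = (result, signing d= domain).
    record is the TXT value published at _dmarc.<from_domain>."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in POLICY_ACTION:
        return "no-policy"
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    # One aligned pass is enough; the policy applies only when neither succeeds.
    if spf_ok or dkim_ok:
        return "accept"
    return POLICY_ACTION[tags["p"]]

# Constructed sample record (assumed, not from the article).
REJECT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@my-domain.com"

if __name__ == "__main__":
    # SPF passed, but for a different domain than the visible From: not aligned.
    print(dmarc_disposition("my-domain.com", ("pass", "other-sender.example"),
                            ("fail", "my-domain.com"), REJECT))
```

The case printed at the end shows why SPF alone is not enough: the message passes SPF for the envelope domain, yet DMARC rejects it because that domain is not the one shown in the From header.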

Why should you set them up?

Setting up SPF, DKIM, and DMARC records will drastically enhance your email security posture. For example, it will improve your email deliverability. It will also help your messages avoid the spam folder, since attackers can no longer use your domain to send spam.

Setting up these three can also keep your domain off the global blacklists, which consequently improves the overall deliverability of the sending mail server.

Another benefit is to combat phishing and spoofing as you’re verifying the IP address of the sender. Lastly, having these email security policies gives your domain an elevated reputation. In effect, it shows to blacklist sites and other servers that you are indeed committed to email security.

How to Set Them Up: A Brief Synopsis of the Process

To set up your SPF record, gather the IP addresses used to send emails from your domain. If your company owns many domains, also list all of the sending domains.

Next, create your SPF record. This TXT record specifies which servers or IPs are allowed to send mail from that domain.

The fourth step is to publish your SPF to the DNS; the last is to test your SPF record to see what your recipients will see.

To set up DKIM:

1) Generate a domain key

2) Add a public key to the DNS records of your domain and

3) Start adding a DKIM signature to your outgoing messages.

To set up DMARC, first, create a DMARC record, select the TXT record type, and enter _dmarc as the “host” in the Host Value box. Lastly, enter the record in the TXT Value box.

Key Takeaway


ESPs and SMTP senders make it easy to set up SPF, DKIM, and DMARC. However, understanding the technical details of these authentication mechanisms is essential to ensure you maintain the best outcomes for your email deliverability.

Are you currently searching for an email deliverability tool to increase your open, deliverability, and conversion rates? You may want to give InboxAlly a try!