SPF, DKIM, DMARC: Email Authentication Explained

SPF, DKIM, DMARC: Email Authentication Explained

Ensuring seamless email deliverability is the first step to guaranteeing success for your cold email campaigns. Think about it: if your emails land in the spam folder, they’ll be a lot less likely to end up being opened or read.

In most cases, cold emails that don’t get delivered are flagged as spam or phishing messages by email filtering algorithms on the receiving end.

This happens when algorithms fail to verify that the email is genuine and from a legitimate sender address.

There are three email authentication methods you can use to ensure that your cold emails reach the inbox. These are SPF, DKIM, and DMARC.

In this blog post, we’ll break down each of these email authentication protocols, explain why they’re essential, and show you how to set them up properly.

The table of content will be generated here

Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is an email verification protocol that specifies who can send emails using a particular domain.

This is done by adding the sender’s IP address or domain in an SPF record published on the website’s Domain Name System (DNS), which tells the receiving system which domains are allowed to send emails.

This record includes the approved IP addresses of email senders, plus the IP addresses of the email service providers (ESPs) that send emails on behalf of the website.

Why you need SPF

SPF authentication is how receiving servers spot and stop phishing and other email-based threats from email addresses or domain spoofing.

So, a recipient server checks the SPF record to ensure the sender is genuinely entitled to use the domain and email address the email message is from. The SPF record proves that you’re a legitimate and trustworthy sender.

Let’s say you created an SPF and added it as a TXT record to your DNS. Anytime an email is sent from your domain, the receiving system checks for a valid SPF record.

  • If the IP sending the email is on the list, it gives the email a PASS tag (in which case the email is properly delivered).
  • If the IP address sending the email is not on the list, it gives a FAIL tag (in which case the email bounces or lands in the spam folder).

Creating a SPF record ensures safe deliverability, but it also helps protect your domain’s reputation.

How to check if SPF is configured correctly

Here are two ways to check if SPF is configured correctly for your domain:

Using Gmail

Send a test email to yourself using your email address as the recipient. When the email lands in your inbox, click on the drop-down menu button at the top right corner to display its content.

Next, click on “Show original”.

How to check if SPF is configured correctly - Option 1

It will take you to a page where you can verify the sender’s IP address and the SPF authentication status.

How to check SPF authentication status

As you can see, it’s a PASS with a valid IP address, which means that the SPF is configured and authenticated correctly.

Using MxToolbox’s SPF Checker

Alternatively, you can use MxToolbox’s SPF Checker to check whether SPF is configured correctly for your domain. Here’s how:

Start by entering your domain name in the appropriate text box.

MxToolbox SPF Check tool

Then, hit enter or click the SPF Record Lookup button. You’ll be presented with a report that looks like this:

SPF Record Check tool report

You’ll then be able to see whether there are any issues with the way SPF is set up for your domain.

How to set up SPF

Follow these steps to create an SPF record and add it to your DNS:

List the email servers and their IP addresses

The first step is to list all the email servers and all the IP addresses you want to allow to send emails on your behalf.

In most cases, you’ll be provided with this information by your email service provider.

List the sending domains

At Hunter, we use both @hunter.io and @mail.hunter.io. If you use several domains, include them all and secure them.

Go to your DNS settings

Now, go to your DNS settings, and create your SPF record.

Here’s how to do it in Namecheap:

  1. Log in to your Namecheap account.
  2. Select Domain List. Next, click on the Manage button.
Namecheap domain list

3. Go to the Advanced DNS tab. There, click on Add New Record.

Namecheap advanced DNS records

Here is how to fill each field:

  • Type: select TXT Record
  • Host: add @ that corresponds to yourdomain.tld or a subdomain
  • Value: add the tag v=spf1
  • Follow v=spf1 with the IP addresses that are allowed to send emails using your domain. For example, v=spf1 ip4: ip4:
  • Specify legitimate third-party senders by adding an "include" statement to your SPF record (e.g., include:zoho.com).
  • End the record with an -all tag.
  • TTL: Select Automatic

4. Click on the Save all changes button.

Setting up SPF using Namecheap

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is an email authentication protocol that allows the recipient to verify that an email from a specific domain has been authorized by the domain owner.

When you send an email, your email server attaches a DKIM signature so the receiving server can authenticate you.

This is achieved by creating a pair of electronic keys—a public and a private key—using cryptographic authentication.

You own the private key, and it's specific to your domain. That private key corresponds to a public key registered in your DNS. Here is how the keys work and why DKIM is important for email deliverability.

Why you need DKIM

DKIM helps compensate for SPF limitations that concern the authentication of the message source. For instance, the SPF record breaks when the email is forwarded.

This leaves room for malicious actors to spoof the display name or the sender’s address.

A DKIM signature fixes this. When you send a message, the receiving server analyzes your public key. Next, it checks if the private key was used to write the cryptographic signature when sending the message.

If the private key was used, the message is considered legitimate, and the receiving server gives it a PASS and lets it in the inbox.

On the other hand, if it wasn't used, then the message is considered not legitimate, in which case the receiving server gives it a FAIL, rejecting or sending it to the spam folder.

With that in mind, a DKIM signature helps you prove three things:

  • The email content is original and unaltered.
  • The headers have not changed since the original sender sent the email.
  • The email sender has the DKIM domain, or the domain owner allows it.

As a result, you can ensure that your emails are not tampered with by anyone in the middle while in transit from server to server. This helps protect you from spoofers and keeps you away from spam folders and bounces.

How to check if DKIM is configured correctly

Here are two ways to check if DKIM is configured correctly for your domain:

Option 1

Start by sending yourself a test email. Click on the collapsible menu button under the sender's name.

Check the signed-by field.

Checking the signed-by field to verify DKIM setup

Option 2

Send yourself a test email. Click on the drop-down menu button at the top right corner, and then on Show original.

Checking DKIM using Gmail

You’ll then be able to see which domain signed the DKIM.

DKIM check in Gmail

For our example here, it’s a PASS—meaning that our DKIM is fine. If it were a FAIL, deliverability would suffer because of it.

How to set up DKIM

Here’s how to set up DKIM if you’re using Google/Gmail as your email provider:

  1. Head over to the Google Admin Console and log in.
  2. Click on the top left menu and select Apps.
Google admin console

3. Go to Google Workspace > Gmail > Authenticate email.

Email authentication section in Google admin console

4. Select your domain and generate a new record.

DKIM authentication in Google Admin console

5. Select 1024 as the bit length and check the Prefix selector field.

Generating a DKIM record

6. Validate and get your new DKIM record

Generated DKIM record

7. Go to your DNS provider and add the DKIM record.

Adding a new DNS record in Namecheap

Here is how to fill each field:

  • Type: Select TXT Record.
  • Host: Paste the DNS Host name from Google.
  • Value: Paste the new TXT record value from Google.
  • TTL: Select Automatic.

Here’s what it’ll look like:

Adding DKIM record in Namecheap

Click on the green check button and wait a bit for Google and your DNS to sync the new changes.

8. Go back to Google and click on Start authentication.

Start DKIM authentication in Google Admin console

9. Get your results.

The authentication might fail a few times before working. Upon completion, the status changes to Authenticating email.

DKIM authentication configured correctly

That’s it. You’re good to go.

Domain-based Message Authentication, Reporting & Conformance (DMARC)

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an authentication, policy, and reporting protocol that works by matching the validity of SPF and DKIM records.

For DMARC rules to apply, both SPF and DKIM must work, and at least one must align:

  • If both SPF and DKIM align, it means that it's a valid email from an authorized server with header information intact.
  • If at least one aligns, it still indicates that the sender owns the “Friendly-From” DNS space and thus is who they claim to be.

Why you need DMARC

SPF and DKIM allow mailbox providers to determine whether an email belongs in the inbox or the spam folder, or whether it should be rejected.

But they don't allow domain owners to specify how to handle an email when authentication checks fail to validate.

At the same time, any email that does not pass the SPF and DKIM checks is considered spoofing or phishing and is not delivered. Unfortunately, this means that a legitimate email can also be rejected.

Adding a DMARC record to your DNS lets you set policies that dictate how email service providers should treat your emails in case DKIM or SPF checks fail.

DMARC records give you three policy options:

  1. None: Unauthenticated emails should be treated as the receiving server sees fit.
  2. Quarantine: The receiving server should accept the email but send it somewhere other than the recipient’s inbox (typically the spam folder).
  3. Reject: Reject the email altogether.

You should routinely monitor DMARC reports as a sender, especially if you send mass emails and run multiple email campaigns regularly.

DMARC reports will inform you of any phishing or spoofing attempts to your domain. These reports will also let you know if your own emails are being rejected due to failed DKIM or SPF checks.

How to check if DMARC is configured correctly

You can use MxToolbox’s free DMARC Check Tool to check if DMARC is configured correctly for your domain.

Simply enter your domain name into the tool, and you’ll get a report that looks like this:

DMARC Check Tool

Hit enter or click on the “DMARC Lookup” button.

The result will look like this:

DMARC check tool report

For our example, you can see the DMARC record is appropriately configured. But for a site that hasn’t configured its DMARC record, you’ll see something like this:

Incorrectly configured DMARC

How to set up DMARC

Setting up your DMARC record requires setting several protocols against domain spoofing. Google recommends this order:

  1. SPF
  2. DKIM
  3. Checking MX (mailbox for reports)
  4. Getting the domain host sign-in information (You can use ICANN Lookup for this).
  5. Checking for an existing DMARC policy, as we’ve done using MxToolbox.
  6. Finally, setting up or changing the DMARC policy.

Here’s how to set up a DMARC record if you’re using Namecheap:

Click on your domain name in the Namecheap dashboard, and then go to Advanced DNS > Add a New Record.

Adding new DNS record in Namecheap

Here's how to fill each field:

  • Type: select TXT Record
  • Host: Add your domain host name preceded by "_dmarc". (i.e., _dmarc.mail.hunter.io)
  • Value: Use MxToolbox’s DMARC generator to quickly generate a DMARC record sample.

Here’s how to get a DMARC record from MxToolbox’s DMARC generator:

  1. Enter your hostname.
DMARC record generator

2. Hit enter or select Check DMARC Record. You'll then get a DMARC value suggestion.

Generated DMARC record

3. Set up your DMARC policy.

As explained earlier, you have three options:

  • None: Letting the receiving server decide.
  • Quarantine: Indicating the spam folder.
  • Reject: Indicating a rejection.
DMARC policy settings

As you change the DMARC policy, the tool modifies the value to align with your chosen policy.

4. Fill in the remaining information (optional).

Additional DMARC policy settings

5. Finalize the record or add it to your DNS records.

If you decide to fill in the remaining information and receive reports from MxToolbox, you should click on the Finalize record button at the bottom. Otherwise, simply copy the value and go back to your DNS.

Here’s our DMARC value sample:

v=DMARC1; p=reject; pct=100; rua=mailto:re+fokv6ipbzu1@dmarc.postmarkapp.com; sp=none; aspf=r;

Here’s how to make sense of it:

Explanation of DMARC policy values

Now that you have the DMARC value, paste it into the value field.

  • TTL: Select Automatic.

Click on Save all changes.

Ensure cold email deliverability with SPF, DKIM, and DMARC

Authenticating your emails using the SPF, DKIM, and DMARC protocols is an easy way to give your cold emails an instant deliverability boost.

Use the instructions provided above to set up your SPF, DKIM, and DMARC records and help your emails land in the inbox.

Then, check out this post to improve deliverability even further.

Ernest Bio Bogore
Ernest Bio Bogore

Ernest is the founder of Nerdy Joe, an email marketing agency for SaaS brands. He's run hundreds of campaigns that have generated 1000s of signups, and MILLIONS in the sales pipeline for his clients.