Summary
Proper setup of SPF, DKIM, and DMARC is critical for email authentication, sender reputation, and deliverability. It involves creating accurate SPF records listing authorized sending sources, implementing DKIM with appropriate key sizes and secure signatures, and configuring DMARC policies to handle unauthenticated emails while monitoring reports. Gradual implementation, DKIM alignment, and adherence to SPF record limitations are essential. Competent ESPs sign with DKIM and authenticate with SPF, consolidating to a single SPF record
Key findings
- Authentication Imperative: Email traffic must be authenticated via SPF, DKIM, and DMARC to ensure deliverability and sender reputation.
- SPF Configuration: SPF records are TXT records that should authorize all sending sources including office IP and ESP mailservers, consolidating to one record.
- DKIM Implementation: DKIM involves generating a public/private key pair; receiving mail servers verify signatures against the public key.
- DMARC Policy & Reporting: DMARC allows domain owners to specify policies on handling unauthenticated emails and gives feedback via reports.
- DKIM Alignment: Implementing DKIM on the same domain provides DKIM domain alignment which is critical for passing DMARC validation.
- Implementation importance: Setting up authentication and reviewing it for correctness, especially SPF, is critical.
- Third-Party Senders: When using third-party senders, you must ensure they support SPF and DKIM authentication with your domain.
Key considerations
- Gradual Rollout: Implement SPF, then DKIM, then DMARC, monitoring at each stage.
- DKIM key size: Ensuring a DKIM key of at least 2048 bit should be a minimum requirement
- SPF Limit Adherence: Care should be taken to keep SPF records below the limit of 10 DNS lookups to avoid authentication failures
- TXT record usage: SPF record is a TXT record that should authorize all sending sources.
- Competent signers: Competent ESPs sign with DKIM and authenticate with SPF.
- Initial state: Starting with DMARC p=none helps you determine if there are configuration errors.
What email marketers say
19 marketer opinions
Implementing SPF, DKIM, and DMARC is crucial for email authentication and improving deliverability. Best practices include ensuring all sending sources are included in the SPF record, implementing DKIM with a sufficient key size and proper signature, and setting up DMARC to instruct receiving servers on how to handle unauthenticated emails while monitoring reports for issues. Gradual implementation, starting with SPF, then DKIM, and finally DMARC with a 'p=none' policy, is recommended. Maintaining SPF record limits, verifying record correctness, and aligning SPF and DKIM domains are vital for success.
Key opinions
- Authentication Importance: Email traffic should always be authenticated with SPF, DKIM, and DMARC to improve deliverability and sender reputation.
- DKIM Alignment: Implementing DKIM on the same domain provides DKIM domain alignment, which is crucial for DMARC compliance.
- DMARC Initial Policy: Start with a DMARC policy of 'p=none' to monitor email traffic and identify legitimate sending sources before enforcing stricter policies.
- Authentication Review: Regularly review authentication setups, especially SPF, for correctness and avoid relying solely on free online testing sites.
- Third-Party Senders: When using third-party senders, ensure they support SPF and DKIM authentication with your domain.
- SPF/DKIM alignment importance: SPF and DKIM alignment for DMARC compliance is very important for passing DMARC checks
- DMARC reporting: Monitoring DMARC reports can help you remediate missed authentication problems
- Using DKIM records: Every sender should configure custom DKIM records at their ESP and that DMARC none is a stepping stone to DMARC reject
Key considerations
- Gradual Implementation: Implement SPF first, then DKIM, and finally DMARC, to gradually test and monitor your authentication setup.
- SPF Record Limits: Keep your SPF record below the 10 DNS lookup limit to avoid authentication failures.
- Record Verification: Use tools to verify that your SPF and DKIM records are set up correctly and are valid.
- Subdomain Usage: Consider sending marketing emails from a subdomain to isolate the reputation of marketing emails from transactional emails.
- DKIM Key Size: Use a DKIM key size of at least 2048 bits for improved security.
- Using DKIM records: Every sender should configure custom DKIM records at their ESP and that DMARC none is a stepping stone to DMARC reject
Marketer view
Email marketer from Postmark recommends using tools like MXToolbox or online SPF/DKIM checkers to verify that your SPF and DKIM records are set up correctly and are valid. This helps to identify and resolve any syntax errors or configuration issues.
2 Jun 2025 - Postmark
Marketer view
Email marketer from Sendinblue highlights the importance of SPF and DKIM alignment for DMARC compliance. This means that the domain used in the 'From' address must match the domain used for SPF and DKIM authentication. Alignment is crucial for passing DMARC checks.
9 Sep 2022 - Sendinblue
What the experts say
6 expert opinions
Setting up SPF, DKIM, and DMARC involves authenticating email using distinct mechanisms and requires careful configuration. SPF records need to include all possible sending sources, DKIM relies on public/private key pairs for signing and verification, and DMARC allows domain owners to define policies for handling unauthenticated emails and receiving feedback. Competent ESPs use both SPF and DKIM authentication and competent senders ensure alignment for authentication. It is also important to ensure you have only one SPF record.
Key opinions
- SPF Sources: SPF records must include all possible sending sources, such as office IP addresses and ESP mailservers.
- DKIM Keys: DKIM implementation requires generating a public and private key pair, with the public key stored in DNS.
- DMARC Policies: DMARC allows specifying policies for handling unauthenticated emails (reject, quarantine, or do nothing) and provides a feedback loop.
- Competent ESP: Competent ESPs sign with DKIM and authenticate with SPF
- SPF Record: Consolidate all SPF mechanisms into a single record
Key considerations
- Authentication Setup: Set up SPF for the envelope from, DKIM for the mail from domain, and DMARC for the client domain.
- Alignment: Aim for alignment for authentication, including setting up custom DKIM domains.
- Policy Enforcement: Start with a DMARC policy of p=none and move to quarantine/reject as confidence increases.
Expert view
Expert from Email Geeks outlines the authentication setup: SPF for envelope from, DKIM for mail from domain, and DMARC for the client domain; suggests starting with p=none and moving to quarantine/reject.
10 Feb 2023 - Email Geeks
Expert view
Expert from Spamresource.com explains that DMARC allows domain owners to tell receiving mail systems what to do with email that fails authentication. You can tell the receiving server to reject the message, to quarantine it or to do nothing. DMARC also provides a feedback loop that allows domain owners to receive reports about mail that is using their domain name. This feedback loop is critical.
24 Aug 2024 - Spamresource.com
What the documentation says
5 technical articles
SPF, DKIM, and DMARC are essential for email authentication. SPF records, created as TXT records, authorize sending servers to prevent 'From' address forgery. DKIM adds digital signatures verified by receiving servers to ensure message integrity. DMARC builds on SPF and DKIM by providing reporting and enabling domain owners to specify how to handle authentication failures. A DKIM key size of at least 2048 bits is recommended, and proper SPF syntax is crucial.
Key findings
- SPF Definition: SPF records authorize sending servers and prevent 'From' address forgery.
- DKIM Signature: DKIM adds digital signatures to ensure messages haven't been forged or altered.
- DMARC Reporting: DMARC provides reporting and enables policies for handling authentication failures.
- Strong DKIM Key: DKIM requires a key size of at least 2048 bits.
- Authentication Implementation: Implement SPF, DKIM, and DMARC to stop unauthorized use and increase trust
Key considerations
- SPF Record Creation: Create SPF records as TXT records at your domain registrar.
- DKIM Verification: Ensure receiving servers can verify DKIM signatures.
- DMARC Policy Setting: Specify how receiving mail servers should handle authentication failures (none, quarantine, reject).
- SPF Record Syntax: Follow RFC specifications for proper SPF record syntax.
Technical article
Documentation from Microsoft Defender explains that DKIM lets you add a digital signature to outgoing email messages. This signature is verified by receiving email servers to confirm that the message wasn't forged or altered in transit.
6 Jul 2021 - Microsoft Defender
Technical article
Documentation from Google Workspace Admin Help explains that an SPF record is a TXT record that lists all the servers authorized to send email from your domain. It is created at your domain registrar. It helps prevent spammers from forging the 'From' addresses on your messages.
19 Aug 2023 - Google Workspace Admin Help
Against which domain is SPF checked?
Are DMARC RUA and RUF tags mandatory for compliance and what are their benefits?
Are SPF, DKIM, and DMARC as important in B2B as in B2C email marketing?
Are SPF, DKIM, and DMARC records necessary for transactional email servers not used for marketing?
Do SPF and DKIM records need to be aligned for all email service providers?
How do SPF, DKIM, and DMARC affect email deliverability with Cvent?
