What are the best practices for setting up SPF, DKIM and DMARC for email authentication?

Key findings

• Universal authentication: All email traffic should be authenticated with SPF, DKIM, and DMARC to ensure optimal deliverability and security.
• DMARC as an auditing tool: A p=none DMARC policy with a monitored RUA mailbox is a powerful first step for auditing authentication practices and identifying unauthorized sending sources.
• Protocol roles: SPF authenticates the envelope from address, DKIM signs the mail from domain, and DMARC dictates policy for the client domain based on their alignment. For more details, see how these standards work.
• Correct SPF setup: It is crucial to include only authorized sending sources in your SPF record and to only have one SPF record per domain.
• Custom DKIM records: Configuring custom DKIM records at your email service provider (ESP) is a widely recommended practice to ensure proper domain alignment and DMARC compliance.

Key considerations

• Independent authentication: Do not solely rely on your ESP's authentication. It is strongly advised to set up your own SPF and DKIM records to achieve DMARC alignment.
• DMARC report monitoring: Even with a p=none policy, active monitoring of DMARC reports is essential to understand your email ecosystem and identify any authentication issues.
• Accurate SPF validation: Be cautious of free online SPF checkers that only confirm the record's presence but not its correctness. Incorrect SPF records can severely impact deliverability. You can learn more about SPF, DKIM, and DMARC best practices from authoritative sources.
• Subdomain coverage: Ensure that your DMARC policies cover all subdomains to prevent unauthorized use of your email infrastructure.

Key opinions

• Varying ESP guidance: ESPs like Mailchimp, Mailerlite, Convertkit, and ActiveCampaign provide differing SPF/DKIM/DMARC directions, sometimes discouraging or not fully supporting custom records.
• DKIM for third-party senders: For many third-party ESPs, focusing on DKIM with domain alignment is key, as some may not fully support SPF alignment for the visible From: address.
• DMARC p=none's value: Despite clients' limited time for report review, a p=none DMARC policy is still valuable for auditing and identifying authentication gaps.
• Mandatory authentication: Regardless of sending volume, authentication is considered a fundamental requirement for all email traffic.
• Custom DKIM at ESPs: Configuring custom DKIM records at the ESP is widely recommended and seeing increasing adoption.

Key considerations

• Client engagement with DMARC: Many clients may not have the resources or time to regularly review DMARC reports, requiring marketers to provide simplified insights or managed services.
• Avoiding ESP over-reliance: Relying solely on an ESP's don't worry, we got this approach to authentication may not achieve the necessary DMARC alignment for your domain. For more context, see our guide on sending marketing emails from a subdomain.
• Ensuring alignment: Even if DMARC reports aren't deeply analyzed, ensure your authentication (especially DKIM) aligns with the visible From: address for DMARC compliance.
• Progression to enforcement: Moving from p=none towards p=quarantine or p=reject is a valuable exercise, particularly as it paves the way for BIMI adoption, as detailed in this email security best practices guide. Consider our article on email domain authentication for corporate and marketing mail.

Key opinions

• Mandatory authentication: There is no debate; all email traffic must always be authenticated with SPF, DKIM, and DMARC.
• Domain-level authentication: While ESPs authenticate emails, it is strongly recommended that senders implement their own DKIM records on the same domain for proper alignment and DMARC compliance.
• DMARC p=none as a powerful tool: A p=none DMARC policy, especially when monitored, is critical for auditing and understanding authentication practices before moving to enforcement.
• Accurate SPF setup: Ensuring SPF records are set up correctly, including only authorized senders and maintaining a single SPF record, is paramount for preventing authentication failures.
• BIMI's increasing importance: BIMI is expected to gain more traction, driven by support from major mail clients like Apple Mail, offering a visual brand indicator when DMARC is enforced.

Key considerations

• Policy interpretation: Some mailbox providers (MBPs) may treat DMARC p=quarantine and p=reject policies similarly, impacting how unauthenticated emails are handled. Review our guide on DMARC policy setting.
• Verification tool limitations: Avoid free online tools that only check for the presence of SPF records without verifying their correctness, as this can lead to a false sense of security.
• DMARC maintenance: While initial DMARC setup can be complex, for most senders, it typically stabilizes and requires minimal ongoing monitoring once properly configured.
• BIMI as branding, not trust: While BIMI displays brand logos and rewards good authentication, experts caution against promoting it as a direct trust signal to end-users, as it could be exploited by phishers. For more on the topic, see Apple's perspective on BIMI and our article on the business value of BIMI.

Key findings

• SPF functionality: SPF (Sender Policy Framework) verifies the sending mail server's IP address against a list of authorized IPs published in the sender's DNS TXT record.
• DKIM functionality: DKIM (DomainKeys Identified Mail) uses a cryptographic signature embedded in the email header to verify that the email was not tampered with during transit and originated from the claimed domain.
• DMARC's role: DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds upon SPF and DKIM, providing instructions to receiving mail servers on how to handle emails that fail authentication and enabling senders to receive aggregate and forensic reports on their email streams.
• Domain alignment: For a DMARC check to pass, either the domain used in SPF's Return-Path or DKIM's d= tag must align with the organizational domain in the email's visible From: header.
• BIMI requirements: BIMI (Brand Indicators for Message Identification) requires a DMARC policy set to p=quarantine or p=reject for brand logos to be displayed in supporting email clients.

Key considerations

• DNS record accuracy: The accurate publication of DNS TXT records for SPF, DKIM, and DMARC is paramount, as misconfigurations can lead to authentication failures and email blocking.
• Phased DMARC deployment: Documentation advises a gradual rollout of DMARC policies, starting with p=none to gather data and ensure all legitimate sending sources are correctly authenticated before moving to stricter policies. See the list of DMARC tags for more details.
• Report analysis: Regular analysis of DMARC aggregate (RUA) and forensic (RUF) reports is crucial for identifying authentication issues, unauthorized senders, and overall email ecosystem health.
• Third-party senders: All third-party ESPs and services sending on behalf of your domain must be properly configured for SPF and DKIM to achieve DMARC alignment, as explained in email authentication basics. Check out our DMARC record and policy examples for more.