Where should SPF, DKIM, and DMARC records be placed for email authentication?

Key findings

• DNS records: All SPF, DKIM, and DMARC configurations are implemented as DNS TXT records within your domain's zone file.
• Sending domain specific: These records should be published on the specific domain or subdomain from which emails are actually sent.
• SPF validation: SPF (Sender Policy Framework) authenticates the sending server's IP address against a list of authorized IPs for the domain in the Return-Path (or Mail From) header.
• DKIM authentication: DKIM (DomainKeys Identified Mail) uses cryptographic signatures to verify that an email's content has not been tampered with in transit and that it originates from an authorized sender.
• DMARC policy: DMARC (Domain-based Message Authentication, Reporting, and Conformance) dictates how receiving servers should handle emails that fail SPF or DKIM authentication, based on your defined policy.

Key considerations

• Domain alignment: DMARC relies on domain alignment, meaning the 'From' domain must match the SPF or DKIM authenticated domain. This is often the trickiest part of the setup.
• Subdomain requirements: If you send emails from a subdomain (e.g., email.yourdomain.com), it requires its own SPF and DKIM records, separate from your primary domain.
• Deliverability impact: Correctly configuring these records is essential for preventing your emails from being marked as spam or rejected, thereby improving overall email deliverability.
• DNS host management: The exact steps for adding these TXT records will depend on your DNS hosting provider (e.g., GoDaddy, Cloudflare, etc.).

Key opinions

• Vendor management: Some ESPs manage the sender and return-path domains, which may reduce the need for marketers to set up authentication records directly on their primary domain.
• Organizational responsibility: In large organizations, there can be a lack of clarity regarding who is responsible for managing email authentication settings, potentially leading to misconfigurations.
• Subdomain setup: While not ideal, some marketers have observed cases where SPF records are not explicitly set up for mailing subdomains, which can be a point of confusion or oversight.
• Deliverability protection: Marketers recognize that proper authentication protocols like SPF, DKIM, and DMARC are fundamental for protecting emails from spoofing and enhancing deliverability.

Key considerations

• ESP relationship: Always clarify with your email service provider which aspects of email authentication they manage, and which you are responsible for configuring in your DNS.
• Internal accountability: Establish clear internal protocols and responsibilities for managing DNS records related to email authentication to prevent oversight.
• Comprehensive subdomain coverage: Ensure that every domain or subdomain used for sending emails has its own correctly configured SPF, DKIM, and DMARC records to maintain optimal inbox placement.
• Proactive testing: Regularly test your email authentication setup to catch any issues early, preventing deliverability problems.

Key opinions

• Alignment is paramount: Experts stress that authentication records must align with the Fromdomain to ensure DMARC passes.
• Subdomain independence: Any subdomain used for sending mail (e.g., for marketing or transactional emails) requires its own dedicated SPF and DKIM records, distinct from the primary domain.
• DMARC at organizational level: While subdomains need their own SPF/DKIM, DMARC is typically set up on the organizational domain, with policies often inherited by or explicitly defined for subdomains.
• Avoiding failures: Failing to properly configure these records on sending subdomains can lead to email rejection or misclassification as spam, directly impacting sender reputation.

Key considerations

• Regular audits: Periodically audit your DNS records to ensure all authentication entries are accurate, current, and correctly configured, especially after any changes to your sending infrastructure.
• Inter-domain interaction: Understand how your primary domain's authentication settings interact with those of any sending subdomains to avoid conflicts or misalignments.
• Utilize DMARC reports: Leverage DMARC reports to gain insight into authentication failures, helping to pinpoint and correct misconfigurations on your sending domains.
• ESP DNS management: When using an ESP, clarify their role in managing your DNS records and adjust your own DNS configurations accordingly to ensure proper authentication.

Key findings

• SPF record structure: SPF records are published as TXT records in the DNS, located at the domain name they are intended to protect. They list all authorized hosts or IP addresses permitted to send mail on behalf of that domain, referencing RFC 7208 guidelines.
• DKIM record structure: DKIM records are also TXT records and contain the public key necessary for verifying email signatures. These records are typically found at a specific hostname, such as selector._domainkey.domain.com, as defined by RFC 6376.
• DMARC record structure: A DMARC record is published as a TXT record at the subdomain _dmarc.domain.com. This record defines the policy for handling unauthenticated mail, along with reporting mechanisms, as outlined in RFC 7489.
• Domain association: All three record types must be placed in the DNS zone of the domain or subdomain that is serving as the Return-Path domain (for SPF) or the Header From domain (for DKIM and DMARC).

Key considerations

• DNS propagation: The DNS TTL (Time To Live) setting on these records dictates how quickly changes propagate across the internet. A lower TTL can facilitate faster updates during initial setup or troubleshooting.
• SPF lookup limits: Overly complex SPF records, with too many lookups, can lead to SPF 'PermError' failures, which can negatively impact deliverability.
• DMARC alignment requirements: DMARC explicitly mandates domain alignment for both SPF and DKIM authentication to pass, ensuring the visible 'From' domain matches the authenticated identity.
• Subdomain configuration: Any subdomain that sends email must have its own, distinct SPF and DKIM DNS entries to properly authenticate mail originating from it.