
Understanding SPF, DMARC and DKIM for B2B Email

Continuing our series of guides to outbound marketing, this post focuses on preventing email spoofing and spam with SPF (no, not sunscreen), DKIM and DMARC. We’ll unpack those momentarily. First, let’s review what we’ve covered in this series:


  1. Why Do Emails Go to Spam? How to avoid CAN-SPAM (this stands for “controlling the assault of non-solicited marketing”), which includes seven factors that affect marketing emails being flagged as junk.

  2. Why Do Emails Bounce? How to diagnose and fix email delivery issues so you can maintain a healthy email marketing list.

  3. What Do Google’s New Email Spam Rules Mean? We summarize what we know so far about the February 2024 Google updates and what they mean for Biscred’s B2B prospecting users.


In this post, we cover setting up SPF, DKIM and DMARC for IT teams and marketing email managers. These practices help protect your email domain and its reputation, and help keep your messages from being marked as spam.


Sender Policy Framework (SPF) Record

In email, SPF stands for “sender policy framework.” It's a security measure used in email marketing to prevent spammers from sending emails on behalf of your domain: the receiving server checks whether the server that sent a message is authorized to send for your domain. If the email passes this check, it's more likely to reach the recipient's inbox instead of the spam folder. If it fails, it might be rejected or marked as spam.


If your customers are reporting that your emails are going to their spam or junk folders, ask your IT manager or whoever manages your email marketing platform if they have set up SPF for all the domains and IP addresses under your domain. 


SPF is a way for domain owners and managers to let receiving email servers know they are legit. When you set up SPF, you publish a record in your domain name system (DNS) that lists the IP address(es) allowed to send mail for your domain. Here is an example of what that might look like for a fictional site (“savvy CRE gal”) that has a United States domain plus several international domains:


When you set up SPF, you are identifying mail servers and domains that are allowed to send email on behalf of your domain. We’re not going to delve into the step-by-step process, as every email server differs from the next; however, if you use Google Workspace, you can go to their Admin Help, and learn how to prevent spoofing and spam with SPF. At the end of this article, we’ve linked to the knowledge bases of seven of the most-used marketing email platforms; it’s there that you should be able to find answers for setting up SPF, DMARC and DKIM.


DomainKeys Identified Mail (DKIM)

DKIM stands for DomainKeys Identified Mail. DomainKeys is an email authentication system. It adds a digital signature to the header of email messages, which lets receiving servers confirm that the content of your emails has remained unaltered from the time you send it until your recipients receive it.


How does DKIM work? Compare it to those old-school envelopes that would be snail mailed or hand-delivered with wax seals. The wax seal was unique to the sender, and if it had been broken, that was a sign that the envelope had been tampered with during transit. DKIM works the same way: a signature that no longer matches is a sign of tampering, which could result in tampered-with emails being routed to junk or spam folders.


When an email is received, the recipient’s server checks this digital signature against a public cryptographic key that is published in your domain's DNS records. If the signature matches the key, it confirms that the email is legitimate and hasn’t been modified, thus helping to prevent forgery and improve trustworthiness.
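The tamper check described above can be seen in the body-hash step of DKIM verification, shown here as an added example that is not part of the original post. The message, the example.com domain, the selector and the function names are constructed; verifying the b= signature itself against the public key in DNS is not shown.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """Apply DKIM "relaxed" body canonicalization (RFC 6376, section 3.4.4)."""
    lines = []
    for line in body.split(b"\r\n"):
        # Collapse runs of spaces/tabs to one space, drop whitespace at line end.
        lines.append(re.sub(rb"[ \t]+", b" ", line).rstrip(b" "))
    while lines and lines[-1] == b"":  # ignore empty lines at the end of the body
        lines.pop()
    return b"".join(line + b"\r\n" for line in lines)


def body_hash(body: bytes) -> str:
    """Value a signer places in the bh= tag when a=rsa-sha256."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_tags(header_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = "".join(value.split())  # remove folding whitespace
    return tags


def body_unaltered(header_value: str, body: bytes) -> bool:
    """Recompute the body hash as a receiver would and compare it with bh=."""
    return parse_tags(header_value).get("bh") == body_hash(body)


# Constructed message; the domain, selector and b= value are placeholders.
BODY = b"Hello,\r\n\r\nYour invoice is attached.\r\n"
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
    f"h=from:to:subject; bh={body_hash(BODY)}; b=PLACEHOLDER"
)

if __name__ == "__main__":
    print(body_unaltered(SIGNATURE, BODY))  # untouched body
    print(body_unaltered(SIGNATURE, BODY.replace(b"invoice", b"refund")))  # altered
```

Relaxed canonicalization is why harmless whitespace changes made by mail servers in transit do not break the seal, while any change to the wording does.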


This post on Postmarkapp explains how to set up DKIM on Google domains, Cloudflare, GoDaddy, and Gandi.


Domain-Based Message Authentication, Reporting & Conformance (DMARC)

The DMARC protocol was introduced to protect domains from being spoofed and email recipients from becoming victims of phishing. There are two valuable resources for understanding DMARC and getting started with it. The first is DMARC.org, a nonprofit started in 2010. The organization provides free resources for email authentication. The second is Google itself. Its Google Workspace Admin Help is packed with information and updated regularly.


How does DMARC work? In simple terms, DMARC ties the results of SPF and DKIM into a cohesive policy that enhances a domain’s security. It specifies exactly what should happen to emails that fail checks and provides feedback to help senders adjust their email messages.


Summary: SPF vs DMARC vs DKIM

If you’re not a technical guru, you may be scratching your head, thinking, “These all sound like the same thing. Why do I need all three?” 


SPF, DKIM, and DMARC are all methods used to authenticate email and protect against spam and phishing. Each plays a distinct role in the email authentication process, and they complement each other to enhance email security. Here are the primary differences between them:


Purpose of SPF

  • To prevent spammers from sending messages on behalf of your domain

  • To allow domain owners to specify which mail servers are authorized to send mail for their domain


What SPF does

Recipients’ email servers check the SPF record in the DNS to verify that the sending server is authorized to send emails on behalf of the senders’ domains.


What SPF doesn’t do

SPF only validates the sender’s return-path domain (used during the transmission process); it does not validate the “From” header that the end user sees, which can still be forged.


Purpose of DKIM

  • To validate a domain name identity that is associated with a message through cryptographic authentication


What DKIM does

DKIM uses a pair of cryptographic keys: a private key stored on the sending mail server and a public key published in the DNS. Outgoing messages are signed with a digital signature created with the private key, and recipients can verify this signature using the public key published in the sender’s DNS.


What DKIM doesn’t do

While DKIM confirms that an email was not altered from the point it was sent, it does not specify what to do if a message fails this check (that’s what DMARC does).


Purpose of DMARC 

  • To tie the results of SPF and DKIM into a coherent policy that enhances email security

  • To specify how receivers should handle emails that fail these checks


What DMARC does

DMARC publishes policies in the DNS that specify how an email should be handled if it fails SPF or DKIM checks, and what actions should be taken (e.g., reject the email, quarantine it, or report the failure). DMARC also provides a mechanism for sending reports back to the sender about messages that pass and fail DMARC evaluation.


What DMARC doesn’t do

DMARC doesn’t do what SPF and DKIM do; it uses the results of these technologies to apply its policy.
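The following added example (not from the original post) shows how a receiver combines SPF and DKIM results into a DMARC decision, including the case where SPF passes for a return-path domain that differs from the visible “From” domain. The records, the example.com and example.net domains and the function names are constructed, and the two-label org_domain shortcut is an assumption standing in for the Public Suffix List.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags; return {} if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}


def org_domain(domain: str) -> str:
    # Assumption: the last two labels stand in for the organizational domain.
    # Real receivers use the Public Suffix List (this is wrong for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode ("s") needs an exact match; relaxed ("r") the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(record, from_domain, spf_result, mail_from, dkim_result, dkim_d):
    """Return "pass", or the policy (none/quarantine/reject) the receiver applies.

    The pct= and sp= tags and report sending are left out of this example.
    """
    policy = parse_dmarc(record)
    if not policy:
        return "no-policy"
    spf_ok = spf_result == "pass" and aligned(mail_from, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, policy.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else policy.get("p", "none")


# Constructed record for a placeholder domain.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # SPF passes for the return-path domain, but that is not the visible From domain.
    print(dmarc_result(RECORD, "example.com", "pass", "bounces.example.net", "none", ""))
    # Mail sent through a provider: SPF is unaligned, the aligned DKIM signature carries it.
    print(dmarc_result(RECORD, "example.com", "pass", "bounces.example.net", "pass", "mail.example.com"))
```

Only one of the two checks has to pass with an aligned domain, which is why mail sent through a third-party platform can still pass DMARC once DKIM is set up for your own domain.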


Together, these three standards form a powerful trio that increases the security and reliability of email communications by making it harder for attackers to exploit email for spoofing and phishing attacks. Each standard covers aspects of security that the others do not, and thus they are complementary.


Setting Up SPF, DMARC and DKIM in Other Email Clients

This post from Zoho includes how to add SPF for GoDaddy, Cloudflare, eNom, JustHost, HostMonster, iPage, Squarespace, WordPress, and Wix (which is what Biscred uses).


The links below will take you to email clients’ knowledge bases, which are the best places to start for self-guided setup for SPF, DMARC and DKIM. We tested all of them and easily found what we were looking for. If your email client isn’t listed below, do a quick internet search for “[name] + spf setup” or “dmarc setup” and you should be able to navigate quickly to their help center or knowledge base.



DKIM, DMARC and SPF Checkers

You will find many free tools to check whether DKIM, DMARC and SPF are working properly on your domains. DNSChecker.org is free to use and offers SPF Checker, DNS Lookup, DMARC Checker, DKIM Record Lookup, and more. They're sponsored by display ads, but their checkers are fast and easy to use.
