SPF, DKIM and DMARC

Email revolutionised how people and businesses all around the world communicate. But how can you be sure the sender is who they say they are?

SPF, DKIM and DMARC have now become really important, not only to stop people spoofing your email addresses but also to ensure your legitimate emails are delivered to an inbox, not a junk folder.

Why add SPF, DKIM and DMARC records?

With email now the primary method of communicating with your clients and prospects, as well as a major form of digital marketing, it’s important to take all the steps you can to validate that your emails are legitimate. 

From 1st February 2024, changes are being enforced by Google and Yahoo, which will mean that emails that don’t comply with SPF, DKIM and DMARC will end up in Junk. Larger companies will be targeted first using Google’s email intelligence, but this will filter down over time. 

Domains without SPF are already rejected automatically by Google and other platforms, and we believe that this will happen over time with DKIM and DMARC too.

What is SPF?

Sender Policy Framework (SPF) is a publicly available list of internet locations that are authorised to send emails from your domain. 

For example, you may want to declare that only your email provider and your marketing platform are allowed to send as your domain, and that emails received from any other source should be rejected.

What is DKIM?

DomainKeys Identified Mail (DKIM) is a way of verifying that an email hasn’t been amended in transit. This uses cryptography to sign emails as they are sent, then the recipient’s server checks the signature to make sure no changes have occurred.

What is DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) verifies the sender’s domain in the From field by matching it with the domain in DKIM and SPF checks. It also defines how email servers should deal with a message that fails both DKIM and SPF — whether to deliver, reject, or mark it as spam.

What do I need to set up SPF?

To set up SPF you need access to your DNS control panel and a list of the IP addresses or DDNS records that you want to authorise, which you publish in a TXT record. This should include your email system (such as Microsoft 365) and any other email services you send emails from, or through. For example, your website may need to be added, as well as any email security gateways.

If you only use Microsoft 365 for email, then yours will need to look something like this:

"v=spf1 include:spf.protection.outlook.com -all"

How do I set up DKIM?

To set up DKIM you need access to your DNS control panel and the service that sends email needs to support it. A public and private security key will need to be generated, and then the relevant DNS records containing the public key will need to be added to your domain.

What do I need to set up DMARC?

To set up DMARC you need to have SPF and DKIM set up already. These are required for DMARC to function. You then add a TXT record to your domain, containing your DMARC policy. This will start with “v=DMARC1;” and will then contain a Policy (“p”) section, which can be set to “reject”, “quarantine” or “none”.
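
Before publishing the SPF and DMARC TXT values described above, it helps to check them for the mistakes that most often break them. The Python below is an added example, not part of the original article: the function names and the example.com reporting address are assumptions made for illustration, and the checks (curly quotes, the 10-lookup limit from RFC 7208, a missing or permissive "all", an invalid "p" value) are a subset of what a full validator would cover.

```python
import re

# SPF terms that each cost one DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt):
    """Return a list of problems found in an SPF TXT record value."""
    if "“" in txt or "”" in txt:
        return ["curly quotes in value (pasted from a formatted document)"]
    terms = txt.strip().strip('"').split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"]
    problems, lookups, all_term = [], 0, None
    for term in terms[1:]:
        # Drop the qualifier (+ - ~ ?) and any :domain, =domain or /cidr suffix.
        name = re.split(r"[:=/]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_term = term
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms, limit is 10")
    if all_term is None and not any(t.lower().startswith("redirect=") for t in terms):
        problems.append("no 'all' mechanism, unlisted senders are not failed")
    elif all_term and all_term[0] not in "-~":
        problems.append(f"'{all_term}' does not fail unlisted senders")
    return problems

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; raise ValueError if invalid."""
    parts = [p.strip() for p in txt.strip().strip('"').split(";") if p.strip()]
    tags = {}
    for part in parts:
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        raise ValueError("record must start with v=DMARC1")
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        raise ValueError("p must be none, quarantine or reject")
    return tags

if __name__ == "__main__":
    # The Microsoft 365 SPF value from this page, then a constructed DMARC value.
    print(lint_spf("v=spf1 include:spf.protection.outlook.com -all"))
    print(parse_dmarc("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"))
```
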

What is a CNAME record?

A CNAME record is a type of DNS record that maps one domain name (an alias) to another (the canonical name). A CNAME record must always point to a domain name, not an IP address.

What is a TXT record?

A TXT record is a type of DNS record that contains text information for various purposes. For example, a TXT record can be used to verify domain ownership, implement email security protocols, or provide other data. A TXT record consists of a name and a value, which can be anything from a single word to a long string of characters.

Need more help?

If you need help implementing these records, or would like more advice, complete the form or get in touch using the details below.
