SPF and DKIM: Essential Email Authentication
Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are critical standards for email authentication. SPF lets you publish which mail servers are permitted to send email on behalf of your domain, so receivers can reject mail that arrives from anywhere else. DKIM adds a cryptographic digital signature to your emails, letting receivers confirm that a message was sent by an authorized source and that its signed content was not changed in transit.
These protocols are widely implemented by platforms such as Microsoft 365, Google Workspace, Salesforce, HubSpot, Mailchimp, and more. Proper configuration improves email deliverability and protects your brand reputation against phishing and spoofing.
Deep Dive into DKIM: How It Works and Why It Matters
DKIM (DomainKeys Identified Mail) provides a method to validate an email's authenticity by using cryptographic signatures. When an email is sent, the originating server creates a DKIM signature by hashing selected header fields and the message body and signing that hash with a private key. The signature is then attached to the email in a header field named DKIM-Signature.
The public key corresponding to the private key is published in the DNS as a TXT record under a specific selector (e.g., `selector._domainkey.example.com`). When the recipient server receives the email, it retrieves the public key from DNS and uses it to verify the signature. A successful verification ensures that the email was sent by an authorized sender and has not been altered during transit.
Implementing DKIM correctly is crucial. It not only increases the trustworthiness of your emails but also plays a vital role when combined with SPF and DMARC, helping to further secure your email communications.
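The verification described above starts with the DKIM-Signature header itself. The following Python is an added example, not code from the original article: it parses the header's tags, derives the DNS name where the public key lives (`selector._domainkey.domain`), and performs the first check a verifier does, comparing the received body against the `bh=` body hash. The sample message and its header are constructed for the example; the `b=` signature value is a placeholder, so the RSA check over the headers is not performed here.

```python
import base64
import hashlib
import re


def parse_dkim_signature(header_value: str) -> dict:
    """Split a DKIM-Signature header value into its tag=value pairs.
    Folding whitespace is stripped first; RFC 6376 permits it anywhere."""
    unfolded = re.sub(r"\s+", "", header_value)
    tags = {}
    for part in unfolded.split(";"):
        if part:
            name, _, value = part.partition("=")
            tags[name] = value
    return tags


def dns_key_name(tags: dict) -> str:
    """Name of the TXT record a verifier queries for the public key:
    <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body_simple(body: str) -> bytes:
    """'simple' body canonicalization (RFC 6376 section 3.4.3): normalize line
    endings to CRLF, drop empty lines at the end, end the body with one CRLF."""
    text = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while text.endswith("\r\n\r\n"):
        text = text[:-2]
    if not text.endswith("\r\n"):
        text += "\r\n"
    return text.encode("utf-8")


def body_hash(body: str) -> str:
    """Base64 of SHA-256 over the canonicalized body; this is the bh= value."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(header_value: str, body: str) -> bool:
    """First step of verification: compare the received body against bh=.
    If this fails, the body was altered after signing and the signature over
    the headers cannot succeed either, so the DNS key lookup can be skipped."""
    tags = parse_dkim_signature(header_value)
    if tags.get("v") != "1" or tags.get("a") != "rsa-sha256":
        raise ValueError("unsupported DKIM version or algorithm")
    canon = tags.get("c", "simple/simple").split("/")
    body_canon = canon[1] if len(canon) > 1 else "simple"  # body part defaults to simple
    if body_canon != "simple":
        raise ValueError("this example implements only simple body canonicalization")
    return tags["bh"] == body_hash(body)


# Constructed sample message. Its bh= is produced with body_hash() above so the
# example is self-contained; a real signer computes bh= and then signs the
# selected headers (h=) plus the DKIM-Signature header itself with its private key.
SAMPLE_BODY = "Hello from example.com\r\n\r\nThis body is signed.\r\n\r\n\r\n"
SAMPLE_HEADER = (
    "v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=s1;\r\n"
    " h=from:to:subject:date;\r\n"
    f" bh={body_hash(SAMPLE_BODY)};\r\n"
    " b=PLACEHOLDER_SIGNATURE_NOT_CHECKED_IN_THIS_EXAMPLE"
)

if __name__ == "__main__":
    print("public key at:", dns_key_name(parse_dkim_signature(SAMPLE_HEADER)))
    print("body hash ok:", body_hash_matches(SAMPLE_HEADER, SAMPLE_BODY))
    tampered = SAMPLE_BODY.replace("signed", "altered")
    print("tampered body ok:", body_hash_matches(SAMPLE_HEADER, tampered))
```

Trailing empty lines added by an intermediate MTA do not break the body hash because simple canonicalization discards them; changing any signed byte does. The TXT record found at the derived name carries the public key as `p=`, which is what the verifier then uses on the `b=` value.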
Understanding SPF Notation and Configurations
SPF records are published as TXT records in DNS and begin with `v=spf1`. They consist of mechanisms and qualifiers that specify which servers are authorized to send email on your behalf. For example, a typical SPF record might look like: `v=spf1 ip4:192.168.0.1 include:example.com -all`.
| Qualifier | Meaning | Effect |
|---|---|---|
| + | Pass | The server is authorized to send mail on behalf of the domain. |
| - | Fail | The server is not authorized; the email should be rejected. |
| ~ | Soft Fail | The server is not authorized; the email is accepted but tagged as suspicious. |
| ? | Neutral | No definitive policy is applied. |
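To show how a receiver turns these mechanisms and qualifiers into a result, here is an added Python evaluator (not code from the original article). It resolves records from a constructed in-memory zone instead of live DNS so it runs offline, implements the `ip4`, `ip6`, `a`, `include` and `all` terms, and enforces the ten-lookup limit from RFC 7208; `mx`, `ptr`, `exists` and `redirect=` are left out, and the domain names and addresses in `ZONE` are made up for the example.

```python
import ipaddress
from typing import List, Optional

# Constructed in-memory zone data standing in for live DNS answers so the
# example runs offline; "txt" holds the SPF record, "a" the A records.
ZONE = {
    "example.com": {
        "txt": "v=spf1 ip4:192.168.0.1 include:mail.example.net a -all",
        "a": ["203.0.113.10"],
    },
    "mail.example.net": {"txt": "v=spf1 ip4:198.51.100.0/24 ~all", "a": []},
    # A record that includes itself exhausts the lookup limit
    "loop.example": {"txt": "v=spf1 include:loop.example -all", "a": []},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror


def check_spf(ip: str, domain: str, zone: dict,
              lookups: Optional[List[str]] = None) -> str:
    """Evaluate `domain`'s SPF record against the connecting IP.
    Returns pass, fail, softfail, neutral, none or permerror."""
    if lookups is None:
        lookups = []  # one counter shared across include: recursion
    record = zone.get(domain, {}).get("txt")
    if not record or not record.startswith("v=spf1"):
        return "none"
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # "+" is implied
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # a bare address is treated as a /32 or /128 network
            if sender in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif name in ("a", "include"):
            lookups.append(name)
            if len(lookups) > MAX_LOOKUPS:
                return "permerror"
            target = arg or domain
            if name == "a":
                if str(sender) in zone.get(target, {}).get("a", []):
                    return QUALIFIERS[qualifier]
            else:
                # include: matches only when the included record passes;
                # a missing or broken included record is a permanent error
                result = check_spf(ip, target, zone, lookups)
                if result == "pass":
                    return QUALIFIERS[qualifier]
                if result in ("none", "permerror"):
                    return "permerror"
        else:
            return "permerror"  # unknown or unimplemented mechanism
    return "neutral"  # no "all" term: RFC 7208 default result


if __name__ == "__main__":
    for addr in ("192.168.0.1", "198.51.100.42", "203.0.113.10", "203.0.113.99"):
        print(addr, "->", check_spf(addr, "example.com", ZONE))
    print("loop.example ->", check_spf("203.0.113.99", "loop.example", ZONE))
```

Note how the qualifier applies to the term that matched, not to the included record's own result: `include:mail.example.net` contributes a match only when that record returns pass, and the soft fail at the end of the included record never reaches the caller. The self-including `loop.example` record shows why the lookup counter must be shared across the recursion.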
Understanding DMARC Policies and Configuration
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM to instruct receiving mail servers on how to handle emails that fail authentication. A DMARC record is published as a TXT record in DNS (typically under `_dmarc.example.com`). For example: `v=DMARC1; p=reject; rua=mailto:reports@example.com`.
DMARC not only defines the policy—whether to take no action (`none`), quarantine, or reject emails—but also specifies reporting options that allow you to monitor your email traffic and adjust your configuration over time.
| Policy | Description | Effect |
|---|---|---|
| p=none | No enforcement | Emails are delivered, but DMARC reports are generated. |
| p=quarantine | Mark as suspicious | Emails failing DMARC checks are typically sent to spam or junk folders. |
| p=reject | Strict enforcement | Emails failing DMARC checks are rejected outright. |
DMARC Notation Guide
| DMARC Tag | Notation | Description | Recommended Usage |
|---|---|---|---|
| aspf | r | Relaxed SPF alignment. | Typically used unless strict SPF alignment is needed. |
| aspf | s | Strict SPF alignment. | Use if SPF is correctly set up and you want tighter control. |
| adkim | r | Relaxed DKIM alignment. | Typically used as default. |
| adkim | s | Strict DKIM alignment. | Use when DKIM signing is reliable and you want stricter control. |
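The policy table and the alignment table above combine into a single decision at the receiver. The Python below is an added example, not code from the original article: it parses a DMARC record with its RFC 7489 defaults, checks whether the SPF (MAIL FROM) and DKIM (`d=`) domains align with the From: header domain under `r` or `s` mode, and returns the disposition. The first record is the one from the article; the other two records, the domain names and the authentication results are constructed, and the organizational-domain helper is a two-label simplification of the Public Suffix List rule that real implementations use.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into tags, filling in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if part.strip():
            name, _, value = part.partition("=")
            tags[name.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("aspf", "r")
    tags.setdefault("adkim", "r")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification for this example: the last two labels. Real DMARC
    consults the Public Suffix List, so names like example.co.uk need that."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict (s): exact match with the From: domain.
    Relaxed (r): sharing the organizational domain is enough."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_evaluate(record: str, policy_domain: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """Combine SPF and DKIM results with alignment and return the disposition.
    spf_domain is the MAIL FROM (envelope) domain; dkim_domain is the d= tag
    of a signature that verified. Either aligned pass is enough for DMARC."""
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    # The policy domain itself is governed by p=, its subdomains by sp=
    applicable = policy["p"] if from_domain.lower() == policy_domain.lower() else policy["sp"]
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else applicable,
    }


# The record from the article, plus two constructed variants for comparison
RECORD_RELAXED = "v=DMARC1; p=reject; rua=mailto:reports@example.com"
RECORD_STRICT = "v=DMARC1; p=quarantine; aspf=s; adkim=s; rua=mailto:reports@example.com"
RECORD_SUBDOMAIN = "v=DMARC1; p=reject; sp=none; rua=mailto:reports@example.com"

if __name__ == "__main__":
    # Bounce subdomain as MAIL FROM: aligned under r, not under s
    print(dmarc_evaluate(RECORD_RELAXED, "example.com", "example.com",
                         "pass", "bounce.example.com", "fail", ""))
    print(dmarc_evaluate(RECORD_STRICT, "example.com", "example.com",
                         "pass", "bounce.example.com", "fail", ""))
    # Third-party sender with its own SPF pass but no DKIM for example.com
    print(dmarc_evaluate(RECORD_RELAXED, "example.com", "example.com",
                         "pass", "bounces.thirdparty.example", "fail", ""))
```

The third call is the case that matters for platforms like the ones named earlier: a vendor's SPF pass on its own envelope domain does not help your DMARC result unless it also signs with DKIM using a `d=` that aligns with your From: domain. The `sp=` variant shows why a `p=reject` domain can still have unprotected subdomains if the subdomain policy is relaxed.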
Verifying Your DNS Records with nslookup and dig
We of course want to encourage you to continue to use DNSai for nslookup, IP lookup and AI-assisted DNS lookups. However, the command-line tools nslookup and dig let you verify and troubleshoot your DNS records on your own workstation with no additional software. Knowing the native nslookup and dig commands is a reliable way to confirm that your SPF, DKIM, DMARC, MX, and A records are correctly configured.
Using nslookup
- `nslookup -type=A example.com` retrieves the A record (IPv4 address) for example.com.
- `nslookup -type=MX example.com` displays the MX (Mail Exchange) records for example.com.
- `nslookup -type=TXT example.com` returns the TXT records at the domain apex, which is where the SPF record is published. DKIM and DMARC records live at their own names, so query `selector._domainkey.example.com` and `_dmarc.example.com` for those.
- `nslookup -type=PTR 203.0.113.5` performs a reverse DNS lookup on the IP address 203.0.113.5.
- `nslookup example.com` provides general DNS information about example.com.
Using dig
- `dig example.com A +short` retrieves the A record for example.com in a concise format.
- `dig example.com MX +short` retrieves the MX records for example.com.
- `dig example.com TXT +short` displays the TXT records at the apex, including SPF; use `dig _dmarc.example.com TXT +short` and `dig selector._domainkey.example.com TXT +short` for the DMARC and DKIM records.
- `dig -x 203.0.113.5 +short` performs a reverse DNS lookup on the IP address 203.0.113.5.
- `dig example.com ANY +short` asks for all available DNS records for example.com. Many authoritative servers and resolvers now answer ANY with a minimal response (RFC 8482), so query the individual record types when the ANY answer looks incomplete.