Understanding SPF, DKIM, and DMARC

Email Apr 11, 2026
SPF, DKIM, and DMARC are email authentication protocols that help prevent email spoofing and improve your email deliverability. Setting them up correctly ensures your emails reach recipients' inboxes rather than their spam folders.

SPF (Sender Policy Framework)

SPF tells receiving mail servers which servers are authorized to send email on behalf of your domain. Without SPF, anyone could send emails pretending to be from your domain.

How SPF works:
1. You publish a TXT record in your domain's DNS.
2. When someone receives an email from your domain, their server checks the SPF record.
3. If the sending server is listed in your SPF record, the email passes. If not, it may be flagged as spam.

Example SPF record:
v=spf1 a mx include:_spf.google.com ~all

This record authorizes the IP address in your domain's A record, your MX servers, and Google's servers to send email. The ~all at the end means email from any other server gets a soft fail: it is treated as suspicious rather than rejected outright.

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to every email you send. The recipient's server verifies this signature against a public key published in your DNS, confirming the email was not altered in transit.

How DKIM works:
1. Your mail server signs outgoing emails with a private key.
2. A corresponding public key is published as a TXT record in DNS.
3. Receiving servers use the public key to verify the signature.

DKIM records look like:
default._domainkey.yourdomain.com -> "v=DKIM1; k=rsa; p=MIGfMA0G..."

Your hosting control panel typically sets up DKIM automatically when you create an email account.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC builds on SPF and DKIM by telling receiving servers what to do when authentication fails. It also provides reporting so you can monitor authentication results.

Example DMARC record:
_dmarc.yourdomain.com -> "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"

The p= tag sets the policy:
- none: Monitor only, take no action
- quarantine: Send failing emails to spam
- reject: Block failing emails entirely

Setup Recommendations

1. Start with SPF: Add the TXT record and test with online SPF checking tools.
2. Enable DKIM: Activate it in your control panel and verify the DNS record is published.
3. Add DMARC: Start with p=none to monitor, then gradually move to quarantine or reject.

Testing: Use tools like mail-tester.com or mxtoolbox.com to verify your records are configured correctly.
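
Before publishing, the record strings themselves can be linted offline for the weak settings discussed above. This Python code is an added example, not part of the original article or of the tools it names; the function names and finding messages are its own, and WEAK_SPF and WEAK_DMARC are constructed records. It goes slightly beyond the article by also counting SPF terms that trigger DNS lookups, which RFC 7208 limits to 10.

```python
# Added example: offline lint of SPF and DMARC TXT strings (names are this example's own).
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists")  # each costs a DNS lookup (RFC 7208)
ALL_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lint_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record must begin with v=spf1"]
    findings, lookups, all_seen = [], 0, False
    for term in terms[1:]:
        qualifier = term[0] if term[0] in ALL_RESULT else "+"  # no prefix means +
        body = term.lstrip("+-~?").lower()
        name = body.split(":")[0].split("/")[0]
        if name in LOOKUP_MECHS or body.startswith("redirect="):
            lookups += 1
        if name == "all":
            all_seen = True
            if qualifier in "+?":
                findings.append(f"SPF: {term} gives unlisted servers '{ALL_RESULT[qualifier]}'")
            elif qualifier == "~":
                findings.append("SPF: ~all is a soft fail, not a hard fail (-all)")
    if not all_seen and "redirect=" not in record.lower():
        findings.append("SPF: no 'all' mechanism, so unlisted servers get 'neutral'")
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms, over the limit of 10")
    return findings

def lint_dmarc(record):
    pairs = [p.strip() for p in record.split(";") if p.strip()]
    if not pairs or pairs[0].replace(" ", "") != "v=DMARC1":
        return ["DMARC: record must begin with v=DMARC1"]
    tags = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in pairs)}
    findings, policy = [], tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p= must be none, quarantine or reject")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; no action is taken on failures")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings

ARTICLE_SPF = "v=spf1 a mx include:_spf.google.com ~all"  # from the article
ARTICLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com"  # from the article
WEAK_SPF = "v=spf1 mx +all"      # constructed
WEAK_DMARC = "v=DMARC1; p=none"  # constructed

if __name__ == "__main__":
    for rec, lint in ((ARTICLE_SPF, lint_spf), (WEAK_SPF, lint_spf),
                      (ARTICLE_DMARC, lint_dmarc), (WEAK_DMARC, lint_dmarc)):
        print(rec, "->", lint(rec) or "no findings")
```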