What are SPF, DMARC, and DKIM? Fixing Email Security & Bounce Backs with Best Practices in Configuration

Learn more about SPF, DMARC, and DKIM records, and discover best practices to improve your email deliverability.

Email deliverability is a key indicator of your email marketing success. It measures the rate at which your emails land in your recipients’ inboxes without bouncing or being marked as spam. Excellent email deliverability helps your email marketing campaigns succeed and brings several advantages, including:

Strong return on investment

Proper exposure for your business

Consumer trust

Increased conversions

Guaranteed successful email marketing campaigns

All these, however, start by properly setting up or optimizing email deliverability, specifically by creating and optimizing your SPF, DMARC, and DKIM records.

SPF, DMARC, and DKIM are the three acronyms every business should be familiar with if they want to achieve excellent email deliverability. Each authentication protocol has a unique role, but all three work together to keep your email infrastructure safe and your emails from being added to a Real-Time Blacklist.

Lumenvo has been setting up and optimizing these DNS records for various clients and has achieved desirable results for the clients’ email deliverability using the best practices.

What is SPF?

Sample SPF checked on Mail-Tester

Short for Sender Policy Framework, SPF is your first line of defense against spammers who intend to use your domain to send messages. The SPF record lists the mail servers that your domain uses to send email.

Here is another example of an SPF record:

v=spf1 include:sendgrid.net include:_spf.google.com include:cust-spf.exacttarget.com include:_spf.salesforce.com ~all

How to Set Up SPF

#1 Identify mail servers.

Sample mail servers

List all the mail servers you use and their IP addresses. Keep in mind that your business may be using several mail servers, so determine which of them send email on behalf of your business. Check with your email service provider or IT System Administrator for all your IP addresses if necessary.

#2 List your sending domains.

Creating SPF records for both your sending and non-sending domains is essential. Compile a list of all the domains your business owns to complete this step.

#3 Create your SPF record.

Start the record with “v=spf1” followed by the mail servers used by your website to send out emails. These emails can be transactional messages, newsletters, or internal mail sent through services such as Outlook or Gmail. If necessary, add the IP addresses authorized to send emails using your domain and an ‘include’ statement for each third-party organization you have allowed to send emails. End the SPF record with the ‘all’ mechanism using any of the four qualifiers below based on your preferred settings.

Qualifier | Result | Description
+ | Pass | Indicates that any server can send emails from your domain
? | Neutral | Specifies nothing about validity
- | Fail | Explicitly indicates that all unauthorized emails will be rejected
~ | Soft Fail | Allows unauthorized emails but marks them nonetheless

Ensure that your SPF record does not exceed 255 characters or contain more than 10 ‘include’ statements.
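
As an added example (not Lumenvo's code or any tool named in this article), the Python script below lints an SPF record offline against the rules in step #3: the v=spf1 prefix, the qualifier on ‘all’, the record length, and the lookup limit. It goes slightly beyond the text by counting every term that RFC 7208 charges against the 10-lookup limit (include, a, mx, ptr, exists, redirect), not only ‘include’; the function name and the two extra sample records are constructed for illustration.

```python
import re

# Terms that cost a DNS query when a receiver evaluates the record (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def lint_spf(record):
    """Lint one SPF record string offline; return (findings, top_level_lookups).

    Only terms in this record are counted. Lookups made inside included
    records also count toward the limit and need a DNS-resolving checker.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must start with v=spf1"], 0
    findings, lookups, all_qualifier, has_redirect = [], 0, None, False
    for position, term in enumerate(terms[1:], start=1):
        qualifier = term[0] if term[0] in QUALIFIERS else "+"  # '+' is the default
        body = term[1:] if term[0] in QUALIFIERS else term
        name = re.split(r"[:/=]", body.lower(), maxsplit=1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_qualifier = qualifier
            if position != len(terms) - 1:
                findings.append("terms after 'all' are never evaluated")
    if all_qualifier is None and not has_redirect:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all lets any server pass SPF for this domain")
    elif all_qualifier == "?":
        findings.append("?all states no policy for unlisted senders")
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms: receivers return permerror past 10")
    if len(record) > 255:
        findings.append("over 255 characters: will not fit in one DNS TXT string")
    return findings, lookups

# The record shown in the article, plus two constructed records that trip the checks.
ARTICLE_RECORD = ("v=spf1 include:sendgrid.net include:_spf.google.com "
                  "include:cust-spf.exacttarget.com include:_spf.salesforce.com ~all")
OPEN_RECORD = "v=spf1 +all"
BLOATED_RECORD = "v=spf1 " + " ".join(f"include:spf{i}.example.com" for i in range(11)) + " -all"

if __name__ == "__main__":
    for rec in (ARTICLE_RECORD, OPEN_RECORD, BLOATED_RECORD):
        found, count = lint_spf(rec)
        print(f"{count:2d} lookups  {found or 'ok'}  <- {rec[:40]}")
```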

#4 Add your SPF record to DNS.

Your DNS server administrator can publish your SPF record to DNS.

How to Test an SPF Record

#1 Use an SPF check tool.

Remember to validate your SPF record after adding it to your DNS. Use an SPF check tool like MX Toolbox. If the record is not verified, investigate what went wrong.

#2 Update your SPF record, if necessary.

If you forgot to include a legitimate sending IP address, feel free to update the record. Then re-test it using MX Toolbox to confirm its validity.

What is DMARC?

Another sample of DMARC on MX Toolbox

Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email security protocol that tells recipient email servers what to do with incoming emails that either pass or fail their SPF and DKIM checks. It prevents domain spoofing and phishing.

Here is an example of a DMARC record:

v=DMARC1; p=none; rua=mailto:jane@gmail.com


How to Set Up DMARC

#1 Use a third-party tool.

You have the option to use a third-party tool like the Postmark app to create a DMARC record. Remember to add your email in the rua section after Postmark’s email to receive aggregate reports. 

#2 Add your DMARC record to DNS.

Copy and paste the host and value from the Postmark app, then set the TTL to 1 hour.

How to Test a DMARC Record

#1 Use a DMARC check tool.

After adding your DMARC record to DNS, test it using MX Toolbox to check for any mistakes in the record.

How to Read DMARC Reports

Sample DMARC report from a third-party tool

The Postmark app makes this easy and that’s why it’s our favorite DMARC tool! It sends DMARC reports on a weekly basis where you should check the following:

Number of emails processed

List of domains used to send emails on your behalf

SPF and DKIM alignment

#1 Check the number of emails processed.

You should know at least a ballpark figure of the emails your company sent in a given date range. If the DMARC report shows a similar number of emails, then you have nothing to worry about.

#2 Check the domains or sources.

Review the sources of your emails and investigate suspicious or unfamiliar domains.

#3 Check the SPF and DKIM alignment.

The target is 100%. Look into any failed alignment and fix it if there are any outstanding issues.

What is DKIM?

Another sample of DKIM on Mail-Tester

DomainKeys Identified Mail (DKIM) works hand in hand with DMARC. A DKIM record instructs your sending mail server to stamp a cryptographic digital signature on each email, telling the recipient email server who sent the email and that no changes occurred during transmission. DKIM records must be set up both in DNS and on your servers, such as GSuite, Outlook, and MailChimp.

Here is an example of a DKIM record:

Hostname: k1._domainkey.sciunitedllp.com

Value: v=DKIM1; k=rsa; p=ABcDE12345fgHij67589

How to Set Up DKIM

Creating DKIM records varies with the server you use. For example:

#1 Using Google Workspace

    1. Log in to your dashboard.
    2. Search for DKIM Authentication.
    3. Select a domain.
    4. Tap on Generate New Record, then Generate.
    5. Copy and paste the host and value into DNS.
    6. Click Start Authentication.

#2 Using MailChimp

    1. Log in to your dashboard and click Domains.
    2. Click Start Authentication for your chosen Custom Email Domain.
    3. Select the domain provider from the drop-down menu, then click Next.
    4. Go to your domain provider’s website to access your domain’s records.
    5. Return to MailChimp and click Next.
    6. Copy and paste the hostname and domain name address of CNAME1 to your domain provider’s website. Repeat the steps for CNAME2.
    7. Click Next, then wait for MailChimp’s update. 

How to Test a DKIM Record

#1 Use a third-party tool.

Checking your domain’s DKIM record can be done easily with the help of third-party tools such as MailTester or MX Toolbox. 

#2 Update your DKIM record.

If the DKIM record is not verified, investigate what went wrong, then update the record using the steps required by the server you use.

Why you should follow these email security protocols

Creating SPF, DMARC, and DKIM records is not a walk in the park. Besides knowing which of the three records to set up first, you also need to create records for each domain you have. Let us also not forget that the steps on setting up DKIM records vary based on your server. 

All these require a lot of work for businesses, especially those that own several domains. Moreover, email authentication setup requires thorough knowledge – a luxury that not all brands and businesses possess. This kind of job calls for Lumenvo’s expertise.

Lumenvo is adept at setting up email deliverability for clients. We have experience creating and checking said records and have positive results and client feedback to validate our expertise. Need help in email deliverability setup? Talk to us and let us get started.
