May 5, 2015

Understanding Email Security: SPF, DKIM, and DMARC


Email security has improved significantly in the past few years thanks to new authentication protocols like SPF, DKIM, and DMARC. Learn more about how these frameworks keep you and your recipients safe on the web!

Don’t you hate it when an email comes from what looks like your bank or credit card company, but it’s NOT legit? What about when these emails attempt to solicit sensitive information from you by impersonating these companies?

These are scams, known as spoofing and phishing respectively, and they can lead to big problems for unsuspecting recipients.

Thankfully, there have been several authentication frameworks put in place to ensure sending emails via SMTP servers is much more secure, making it much harder to impersonate a third party and phish for information.

Knowing more about the way SPF, DKIM, and DMARC email authentication tools work together to keep your emails secure is the perfect first step to protecting yourself and your email contacts!

Once you have a better understanding of these authentication frameworks, you’ll be able to properly configure the SPF, DKIM, and DMARC policies for your own sending domain and IP to boost your email deliverability and make your communications more secure.

SPF Authenticates

Internet Service Providers (ISPs) are the companies that provide the world with access to the internet and the ability to send and receive email. With email marketing, we are most concerned with email inbox providers like Gmail and Yahoo, who fall into this category.

ISPs use filters and security protocols to identify and block malicious senders intent on spamming or masquerading behind another company’s sending domain or email address.

One of the most important tools in this fight against email fraud is an authentication system called the Sender Policy Framework (SPF).

SPF allows you to designate specific sending hosts (IP addresses) that are authorized to send emails using your domain (e.g. This enables ISPs to check whether or not the sending IP matches your SPF record and reject any spoofers using your domain to send from unauthorized hosts in an effort to protect against fraud and spoofing.

DKIM Validates

The next link in the defensive chain is DKIM, which stands for DomainKeys Identified Mail.

DKIM is a method for validating the message content with the domain name of the sender using cryptographic authentication. It consists of a digital signature that is affixed to an email and can be verified using the public cryptographic key that is available in the DNS records of the domain used to send the message.

This lets inbox providers verify that the content of an email message hasn’t been tampered with while being routed through different SMTP servers after being sent. Think of it as a super-secret password used to get into the hottest nightclub (only in this case, the nightclub is your recipient’s email inbox).

DMARC Adds Additional Instructions

Finally, DMARC, or Domain-based Message Authentication, Reporting & Conformance, builds on these two processes to close the loop on email authentication.

Essentially, DMARC allows senders to set up instructions in their DNS records for how email inbox providers should handle messages that fail either SPF or DKIM checks. This provides another layer of protection for readers from potentially harmful email content.

It also provides a reporting mechanism that lets you, the sender, know if someone is using your domain name for sending malicious content.

That’s a lot of protection!

Now that you’ve mastered your understanding of how these secret handshakes work together to protect your domain, it’s time to put your new knowledge into practice! Employing these authentication systems on your domain is a sure way to improve your email campaign deliverability and add to your cred as a fighter of evil email pirates.

At Sendinblue, we provide users the ability to configure all of these frameworks (SPF, DKIM, and DMARC) into their domain’s public records so they can be added to the SMTP sending envelope for each email you send, ensuring better email deliverability and increased security.

Have questions? Ask away in the comments. Happy Sending!
