
SPF, DKIM, and DMARC: DNS records to make sure email arrives

I bet you’ve never seen so many acronyms in one place! Let’s quickly unpack the SPF, DKIM and DMARC DNS records.

DNS records

Think of DNS as the address book of the internet. It helps route different types of traffic like web requests or email to the correct servers. As far as we are concerned, SPF, DKIM, and DMARC are all published as TXT records in your domain’s DNS: SPF at the domain itself, DKIM under a selector name ending in _domainkey, and DMARC at the _dmarc subdomain.

SPF, DKIM, and DMARC work together to let a receiving mail server check that a message claiming to come from your domain was really authorised by you. That is what stops spoofing in your name, and it is also why receivers are more willing to deliver your legitimate mail to the inbox instead of the spam folder.

SPF

This is basically a list of the servers allowed to send email in your name. “Server” here means the outgoing mail server, not the device you type on: your phone, laptop, and webmail all hand the message to the same email server, and it is that server which gets listed. An SPF record typically refers to email servers such as:

  • Your primary email server (e.g., your mail provider’s SMTP server).
    • The website hosting company
    • Microsoft
    • Google etc.
  • The platform you use for mailing lists
    • Mailchimp
    • Kajabi
    • Sender etc.

Example

v=spf1 include:sendersrv.com include:relay.k.io ~all

We can see here that email is allowed to be sent in my name by the servers behind sendersrv.com and relay.k.io. Note that include: does not name individual machines; it pulls in the SPF record that each of those domains publishes for itself, so whichever IP addresses they authorise are authorised for me too. The closing ~all is a “softfail”: any other sender should be treated as suspicious but not rejected outright (a -all would be a hard fail).

sendersrv.com is the platform used to send newsletters, and relay.k.io refers to the email server of the hosting company for the website in question.

For instance, if a spammer sends an email from their own server in your name, that server won’t be covered by your SPF record, so the check fails. Two caveats are worth knowing. First, SPF is evaluated against the envelope sender (the Return-Path or MAIL FROM address), not the From: line your recipient sees, so a spammer can pass SPF for their own domain while still forging yours in From:; it takes DMARC’s alignment rule (see below) to tie the two together. Second, SPF breaks when mail is forwarded, because the forwarding server is not in your record, which is one more reason to also set up DKIM. Whether a failing message is merely flagged, quarantined or rejected is decided by your DMARC policy.
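To make the include: chain and the ~all qualifier concrete, here is a small SPF evaluator I have added for this post (it is not code from the post or from any mail provider). It keeps a constructed table of TXT records instead of querying DNS: the example.com record is the one shown above, while the records for sendersrv.com, relay.k.io and strict.example are assumptions invented so the chain resolves offline. Only the ip4, ip6, include and all mechanisms are implemented.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. The example.com record is the one
# from the post; the other three are made up so the include: chain resolves
# offline (hypothetical domains and addresses).
DNS_TXT = {
    "example.com":    "v=spf1 include:sendersrv.com include:relay.k.io ~all",
    "sendersrv.com":  "v=spf1 ip4:203.0.113.0/24 -all",
    "relay.k.io":     "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "strict.example": "v=spf1 ip4:192.0.2.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10  # RFC 7208 limits DNS-querying mechanisms to 10 per check


def lookup_spf(domain):
    """Return the SPF record for a domain, or None if it publishes none."""
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return None
    return record


def check_spf(domain, sender_ip, depth=0):
    """Evaluate the domain's SPF record against the connecting server's IP.

    Returns (result, matched_term). a/mx/exists/redirect need live DNS and
    are reported as permerror in this offline example.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return ("permerror", "include chain too deep")
    record = lookup_spf(domain)
    if record is None:
        return ("none", None)
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:          # skip the v=spf1 version tag
        qualifier = "+"                      # no qualifier means pass on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # 'in' is False when the address and network are different IP versions
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            sub_result, _ = check_spf(arg, sender_ip, depth + 1)
            if sub_result == "permerror":
                return (sub_result, term)
            matched = sub_result == "pass"   # include: matches only if the included record passes
        else:
            return ("permerror", f"unsupported mechanism: {term}")
        if matched:
            return (QUALIFIERS[qualifier], qualifier + term)
    return ("neutral", None)                 # nothing matched and no 'all' term present


if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.10", "2001:db8::1", "192.0.2.1"):
        print(f"{ip:>15} sending as example.com ->", check_spf("example.com", ip))
    print("   203.0.113.7 sending as strict.example ->", check_spf("strict.example", "203.0.113.7"))
```

Run it and you will see the newsletter platform’s address pass via the first include, the web host’s IPv4 and IPv6 addresses pass via the second, and an unlisted address fall through to ~all as a softfail; the same unlisted address against the strict.example record (which ends in -all) is a hard fail instead.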

DKIM

DKIM adds a digital signature to the headers of each outgoing email (the DKIM-Signature header). The signature is generated with a private key that only your sending server holds; what goes into the DNS TXT record is the matching public key, published under a selector name such as selector._domainkey.yourdomain.com so that a domain can run several keys side by side. Recipients look the key up and verify the signature, which proves the email was signed by the domain it claims to be from and that the signed headers and the body have not been altered in transit. Unlike SPF, a DKIM signature survives forwarding, because it travels with the message rather than depending on which server delivered it.
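The “not altered in transit” part is easy to demonstrate without any keys, because a DKIM verifier first recomputes the body hash (the bh= tag) and compares it with what the signer committed to; only then does it fetch the public key and check the b= signature. The example below is added for this post and is not code from the post or from any DKIM library: it implements relaxed body canonicalization from RFC 6376, parses the tag=value syntax shared by the DKIM-Signature header and the DNS record, and shows a tampered body failing the hash check. The message, the selector mail2024 and the DKIM TXT record are constructed for the example, and the b= signature is left empty because checking it needs the RSA key.

```python
import base64
import hashlib
import re


def parse_tags(value):
    """Parse a DKIM tag=value list (used by both the DKIM-Signature header
    and the DNS TXT record). Folding whitespace inside values is dropped."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags


def relaxed_body(body):
    """Relaxed body canonicalization (RFC 6376 section 3.4.4): CRLF line
    endings, trailing whitespace stripped from each line, runs of whitespace
    collapsed to one space, empty lines at the end dropped, one final CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode("utf-8")


def body_hash(body):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(relaxed_body(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def dkim_record_name(sig_tags):
    """DNS name holding the public key for this signature: <selector>._domainkey.<domain>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def check_body_hash(dkim_signature, body):
    """First verification step: does the body we received hash to the bh= the
    signer committed to? Only relaxed body canonicalization without an l=
    (body length limit) tag is handled in this example."""
    tags = parse_tags(dkim_signature)
    # c=header/body; if only one algorithm is given, the body defaults to simple
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    if body_canon != "relaxed" or "l" in tags:
        raise ValueError("only c=*/relaxed without l= is implemented here")
    return body_hash(body) == tags["bh"]


# Constructed sample message. The bh= is filled in by body_hash() so the demo
# is self-contained; b= is empty because the RSA signature is out of scope.
ORIGINAL_BODY = "Hi team,\n\nPlease pay the attached  invoice by Friday.\n\n\n"
TAMPERED_BODY = ORIGINAL_BODY.replace("by Friday", "to the new account below")
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024; "
    "h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + "; b="
)
# Constructed DNS TXT record at mail2024._domainkey.example.com (placeholder key).
DKIM_TXT_RECORD = "v=DKIM1; k=rsa; p=PUBLIC_KEY_BASE64_PLACEHOLDER"

if __name__ == "__main__":
    sig = parse_tags(DKIM_SIGNATURE)
    print("key lookup at:", dkim_record_name(sig), "->", parse_tags(DKIM_TXT_RECORD))
    print("original body matches bh=:", check_body_hash(DKIM_SIGNATURE, ORIGINAL_BODY))
    print("tampered body matches bh=:", check_body_hash(DKIM_SIGNATURE, TAMPERED_BODY))
```

The relaxed canonicalization is why a signature survives the cosmetic changes mail servers make (reflowed whitespace, added trailing blank lines) while still catching a change to the words; a body that differs only in whitespace hashes to the same bh= value.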

DMARC

The DMARC record, published at _dmarc.yourdomain.com, tells the recipient’s mail server how to handle emails that fail authentication. An email passes DMARC if either SPF or DKIM passes and the domain that passed lines up with the domain in the visible From: header (this is called alignment); it fails only when neither check gives an aligned pass.

The laziest response it can have is, “meh .. 🤷🏼”.

v=DMARC1; p=none;

The “p” tag stands for policy, and here there isn’t one. This basically just tells the recipient server, “Let the email go through. If it’s phishy ( 😉 ), just use your best judgement.” It is still a sensible first step, because once you add a reporting address you can see who is sending as your domain before you turn enforcement on.

A much wiser use of the DMARC record could be something like:

v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com;

This tells the recipient server to apply the policy to 50% of the emails that fail DMARC: quarantine them (typically that means the spam folder), and send aggregate reports to dmarc-reports@example.com. The other 50% fall back to the next less strict policy, which for quarantine is none, so pct is a way of ramping up gradually. Note that rua is for aggregate reports, periodic XML summaries of which servers sent as your domain and how they fared; per-message failure reports use the separate ruf tag.
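Because the pass/fail decision depends on alignment as much as on the raw SPF and DKIM results, it helps to see the receiver’s logic written out. This is an example I have added for this post, not code from the post or from any mail provider: it parses a DMARC record with the RFC 7489 defaults, applies relaxed or strict alignment, and works out the disposition, including the pct fallback to the next less strict policy. The two records are the ones from the post; the sender domains (sendersrv.com, bounce.example.com, spammer.example) are assumed, and the organizational-domain helper uses a simplified “last two labels” rule where a real receiver would consult the Public Suffix List.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict with RFC 7489 defaults applied."""
    tags = {}
    for part in record.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    return {
        "p": tags["p"].lower(),
        "adkim": tags.get("adkim", "r").lower(),   # alignment mode: r(elaxed) or s(trict)
        "aspf": tags.get("aspf", "r").lower(),
        "pct": int(tags.get("pct", "100")),
        "rua": tags.get("rua"),                    # aggregate report address
        "ruf": tags.get("ruf"),                    # per-message failure report address
    }


def org_domain(domain):
    """Organizational domain. ASSUMPTION for this example: the last two labels.
    A real receiver uses the Public Suffix List so example.co.uk works too."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict alignment needs an exact match; relaxed only the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, sample=1):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain
    is the d= of a signature that verified (None if there was none). `sample`
    stands in for the receiver's random draw in 1..100 that honours pct; it is
    a parameter here so the behaviour is deterministic and testable.
    """
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")        # one aligned pass is all DMARC needs
    action = policy["p"]
    if sample > policy["pct"]:
        # Outside the pct sample the receiver applies the next less strict policy
        action = {"reject": "quarantine", "quarantine": "none", "none": "none"}[action]
    return ("fail", action)


LAZY_RECORD = "v=DMARC1; p=none;"
POST_RECORD = "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc-reports@example.com;"

if __name__ == "__main__":
    # Newsletter relayed by the list platform: SPF passes only for the platform's
    # own domain (not aligned), but the DKIM signature is d=example.com, so it passes.
    print(dmarc_disposition(POST_RECORD, "example.com", "pass", "sendersrv.com", "pass", "example.com"))
    # Spoofed mail: SPF passes for the spammer's domain, no DKIM from example.com.
    print(dmarc_disposition(POST_RECORD, "example.com", "pass", "spammer.example", "none", None, sample=30))
    print(dmarc_disposition(POST_RECORD, "example.com", "pass", "spammer.example", "none", None, sample=80))
```

The first case is the one that catches people out when they enforce DMARC for the first time: a mailing-list platform usually sends with its own envelope domain, so SPF is not aligned, and the newsletter only passes if the platform signs with DKIM as your domain. The spoof case shows pct in action: with pct=50, roughly half the forged messages are quarantined and the rest are delivered as if the policy were none.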

How strict you make things is up to you, and also depends on how much energy you personally have to wade through the reports, which from my experience need a tool to decipher. My personal go-to is MXToolbox.com.

Read more here: https://mxtoolbox.com/dmarc/details/what-is-a-dmarc-record

If all this still seems like gobbledygook, I am here to help you make sure your email has the best chance of landing in the recipient’s inbox!

Would you like to know more?
