November 27, 2021

DKIM, SPF and DMARC – Everything you need to know

As an email marketer, you’ve probably come across the terms DKIM, SPF and DMARC on different occasions and wondered what they mean or what they actually do. These technologies serve one purpose: email security (i.e., they help prevent email spoofing, email phishing, and spam). You might also wonder what spoofing, phishing, and spam mean. In this post, you’ll learn everything you need to know about DKIM, SPF, and DMARC.


To better understand these technologies, you should know what spoofing, phishing, and spam are…

Note: You can only use these technologies if you own a domain or website (i.e., for business email addresses like news@example.com), not for free email addresses like example@gmail.com or example@icloud.com. So if you want to use them, you have to buy a domain. You can get a cheap domain from Namecheap, Bluehost, GoDaddy and many others.

Spoofing

Email spoofing is when an email is forged so that the message appears to come from someone or somewhere other than the actual source. A third party can alter your email and deceive the recipients by sending them to different sites. Because spoofed emails are so commonly used for fraud, some email servers require DKIM to prevent email spoofing.

Phishing

When someone impersonates a trusted individual or entity in an email or another form of communication, this is called email phishing. It is a form of social engineering in which attackers send fraudulent messages designed to deceive humans. The recipients of these emails are tricked into releasing sensitive data to the attackers or into installing malicious software, such as ransomware, on the victim’s infrastructure.

Spam

When email phishing or email spoofing is used to send an email, the email is called spam, although spam can also occur in scenarios other than phishing and spoofing. In brief, email spam is an unwelcome email message.

Now that you understand what spoofing, phishing, and spam are, you can now understand the technologies put in place to control them.

Domain Keys Identified Mail (DKIM)

DKIM is one of the technologies that can authenticate the messages your organization sends by email. Using DKIM, email servers prevent email spoofing: it is a technical way to verify the sender’s domain using a cryptographic signature. You generate a DKIM key from your email service provider (Gmail, GetResponse, etc.). Then you go to your domain provider’s dashboard and find the page for updating the domain’s DNS records; it may also be called DNS Management, Record Server Management, Advanced Settings, etc. The following section explains how DKIM works.

How Does DKIM Work

DKIM uses a digital signature to provide email security. It works by adding a signature to the header of your email message. The steps below show how DKIM works:

  1. The email service provider generates a DKIM key pair. The public key is given to you to be added to your domain’s DNS records, formatted as a TXT record; the matching private key stays with the provider, which uses it for signing.
  2. When the message is sent by the outgoing mail server or the email service provider, the server generates a unique DKIM signature with the private key and attaches it to the header of the message.
  3. The recipient’s email server finds the digital signature in the header and validates it using the public key published in your domain’s DNS records. The result of the verification is compared with the email message.
  4. If the email message and the verified signature values match, the message was not tampered with, as it did not change during transmission. Otherwise, email spoofing is detected.
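To make the four steps concrete, here is a small Go program, added as an illustration (it is not code from this post, from SendPulse or from any other provider), that walks through the whole cycle offline: it generates an RSA key pair, builds the TXT record you would publish at s1._domainkey.example.com (the selector s1, the domain example.com and the message are constructed sample values), signs the From and Subject headers plus a hash of the body with the private key, and then verifies the signature the way a receiving server would, using only the public key from the TXT record. Changing one byte of the body or the subject after signing makes verification fail, which is the tampering detection of step 4. It uses the DKIM tag names (v, a, d, s, h, bh, b) and the “simple” body canonicalization from RFC 6376 but covers only two headers, so it is a teaching model rather than a full implementation.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"strings"
)

// Constructed sample selector and domain for this added illustration.
const selector, domain = "s1", "example.com"

// dnsTXTRecord builds the TXT record the domain owner publishes at
// <selector>._domainkey.<domain>: "v=DKIM1; k=rsa; p=<base64 public key>".
func dnsTXTRecord(pub *rsa.PublicKey) (host, value string, err error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", "", err
	}
	host = selector + "._domainkey." + domain
	value = "v=DKIM1; k=rsa; p=" + base64.StdEncoding.EncodeToString(der)
	return host, value, nil
}

// parseTags splits a "k=v; k2=v2" tag list (used by both the DKIM header and the DNS record).
func parseTags(s string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(s, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			out[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return out
}

// bodyHash is the bh= tag: base64(SHA-256) over the body after "simple"
// canonicalization (drop trailing empty lines, end with exactly one CRLF).
func bodyHash(body string) string {
	sum := sha256.Sum256([]byte(strings.TrimRight(body, "\r\n") + "\r\n"))
	return base64.StdEncoding.EncodeToString(sum[:])
}

// signedData is what the b= signature covers: the listed headers plus the
// DKIM-Signature header itself with an empty b= value.
func signedData(from, subject, bh string) []byte {
	return []byte("from:" + from + "\r\nsubject:" + subject + "\r\n" +
		"dkim-signature:v=1; a=rsa-sha256; d=" + domain + "; s=" + selector +
		"; h=from:subject; bh=" + bh + "; b=")
}

// sign is the provider's side: hash the body, then sign headers + body hash with the private key.
func sign(priv *rsa.PrivateKey, from, subject, body string) (string, error) {
	bh := bodyHash(body)
	digest := sha256.Sum256(signedData(from, subject, bh))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return "v=1; a=rsa-sha256; d=" + domain + "; s=" + selector + "; h=from:subject; bh=" +
		bh + "; b=" + base64.StdEncoding.EncodeToString(sig), nil
}

// verify is the receiver's side: recompute bh from the body it received, compare it
// with the bh= tag, then check b= with the public key taken from the DNS TXT record.
func verify(txt, header, from, subject, body string) bool {
	tags := parseTags(header)
	if bodyHash(body) != tags["bh"] {
		return false // body changed in transit
	}
	der, errP := base64.StdEncoding.DecodeString(parseTags(txt)["p"])
	sig, errS := base64.StdEncoding.DecodeString(tags["b"])
	pubAny, errK := x509.ParsePKIXPublicKey(der)
	pub, ok := pubAny.(*rsa.PublicKey)
	if errP != nil || errS != nil || errK != nil || !ok {
		return false
	}
	digest := sha256.Sum256(signedData(from, subject, tags["bh"]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	host, txt, _ := dnsTXTRecord(&priv.PublicKey)
	fmt.Println("publish at", host, "TXT", txt[:30]+"...")
	hdr, _ := sign(priv, "news@example.com", "Hello", "Original body\r\n")
	fmt.Println("intact:  ", verify(txt, hdr, "news@example.com", "Hello", "Original body\r\n"))
	fmt.Println("tampered:", verify(txt, hdr, "news@example.com", "Hello", "Altered body\r\n"))
}
```

Run it with go run and compare the intact and tampered lines. The printed host is what goes into the Host field in the setup steps further down, and the TXT value is what you paste into the record’s Value field; the private key never leaves the signing side, which is why only the provider can produce a signature that verifies against your published record.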

Will DKIM increase the deliverability of emails?

It depends on the receiving server that validates the email. When you sign your emails with DKIM, the recipient looks at the credentials of the company that signed the message, validates the message, and then decides what to do with the email. Messages from companies with a good reputation undergo less thorough filtering on the recipient’s end. If the receiving server has issues validating your message, it might be sent to the spam folder. So DKIM helps deliverability.

How to setup DKIM

To show how to set up DKIM, you need an email service provider and a domain provider. I’ll use SendPulse as the email sender to show you how to set up DKIM. This might differ if you are using another email service provider.

Step 1: Sign in to SendPulse (or your email sender platform) and navigate to the service settings under the Email tab.

[Screenshot: SendPulse DKIM settings]

Step 2: Under “Domain authentication (SPF and DKIM records)”, click Activate, enter your business domain and generate the DKIM domain keys. Copy the keys.

[Screenshot: setting up DKIM and SPF]

Step 3: After copying the DKIM keys, log in to the dashboard on your domain provider’s website. Find the page where you can update the DNS records of your domain; it may also be called Advanced DNS, DNS Management, Record Server Management, Advanced Settings, etc.

Once you have located the DNS management page, click “Add” to create another TXT record. Copy the key you generated from your email service provider into the TXT Value; the email service provider will also tell you what to enter in the Host. Note that this change can take up to 72 hours to propagate.

[Screenshot: DKIM and SPF DNS record setup]

Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is an email authentication method that helps verify that the sending IP address is allowed to send on behalf of the sender’s domain. SPF is one means of identifying the sender of an email and provides an additional means of filtering email to determine whether it is spam. To illustrate, let’s say you are a business (domain) owner and you’re using GetResponse or SendPulse to send emails to your customers or subscribers. SPF tells your subscribers’ (recipients’) email server, e.g., Gmail, that GetResponse or SendPulse is allowed to send emails on your behalf.

How to setup SPF

Setting up SPF for your domain is just like the DKIM setup shown above: follow the DKIM steps up to step 3. Only the Host and TXT Value differ from DKIM; you get the SPF values from your email service provider and paste them in.

How Does SPF Work

SPF offers a way to authenticate that mail from a particular domain is actually sent from servers authorized by the administrator of the domain. The following steps show how SPF works.

  1. Administrators define which mail servers are permitted to send email for their domain by publishing a policy. This policy is called an SPF record and is included in your domain’s overall DNS records.
  2. When the recipient’s mail server receives your email, it looks up the domain in the “Return-Path” header of the email and checks that the sender domain’s public DNS lists this specific sending IP. The receiving server compares the email sender’s IP address with the IP address(es) defined in the SPF record.
  3. The incoming mail server then decides whether to approve, reject, or flag the email message using the rules defined in the SPF record for the sending domain.
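Here is an added Go example of the comparison in step 2 (my illustration, not code from this post or from any provider): a small SPF evaluator that reads the record of the Return-Path domain, walks its mechanisms in order and returns pass, fail, softfail or neutral for a given sending IP address. DNS is replaced by a constructed in-memory map with two sample records (example.com authorizing an address block and delegating to mailer.example.net through include:), so the program runs offline; the addresses are documentation ranges. It handles only the ip4, ip6, include and all mechanisms, which is enough to show how the qualifiers -all and ~all decide what happens to mail from a server that is not listed.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Constructed stand-in for DNS TXT lookups so the example runs offline (added
// illustration, not the page's or any provider's code). A real receiver queries
// the TXT record of the Return-Path domain over DNS.
var dnsTXT = map[string]string{
	"example.com":        "v=spf1 ip4:203.0.113.0/24 include:mailer.example.net -all",
	"mailer.example.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

// qualifier maps a mechanism's prefix to the result it yields on a match:
// "-" fail, "~" softfail, "?" neutral, "+" or no prefix pass.
func qualifier(term string) (result, mech string) {
	switch term[0] {
	case '-':
		return "fail", term[1:]
	case '~':
		return "softfail", term[1:]
	case '?':
		return "neutral", term[1:]
	case '+':
		return "pass", term[1:]
	}
	return "pass", term
}

// ipMatches checks ip against an ip4:/ip6: value, which may be a single address
// or a CIDR block; a bare address gets a full-length prefix.
func ipMatches(ip net.IP, spec string, bits int) bool {
	if !strings.Contains(spec, "/") {
		spec = fmt.Sprintf("%s/%d", spec, bits)
	}
	_, network, err := net.ParseCIDR(spec)
	return err == nil && network.Contains(ip)
}

// CheckSPF evaluates the sending IP against domain's SPF record, following
// include: recursively. depth caps nesting (RFC 7208 limits DNS-querying terms to 10).
func CheckSPF(domain string, ip net.IP, depth int) string {
	rec, ok := dnsTXT[domain]
	if !ok || !strings.HasPrefix(rec, "v=spf1") {
		return "none" // no usable SPF record published
	}
	if depth > 10 {
		return "permerror"
	}
	for _, term := range strings.Fields(rec)[1:] {
		result, mech := qualifier(term)
		switch {
		case mech == "all":
			return result
		case strings.HasPrefix(mech, "ip4:"):
			if ipMatches(ip, mech[4:], 32) {
				return result
			}
		case strings.HasPrefix(mech, "ip6:"):
			if ipMatches(ip, mech[4:], 128) {
				return result
			}
		case strings.HasPrefix(mech, "include:"):
			if CheckSPF(mech[8:], ip, depth+1) == "pass" {
				return result
			}
		}
	}
	return "neutral" // record exhausted without a match
}

func main() {
	for _, addr := range []string{"203.0.113.7", "198.51.100.10", "2001:db8::1", "192.0.2.1"} {
		fmt.Printf("%-15s -> %s\n", addr, CheckSPF("example.com", net.ParseIP(addr), 0))
	}
}
```

The first three addresses pass (directly, via the included provider’s ip4 entry, and via its ip6 block), while 192.0.2.1 reaches -all and fails. Note that an include: only counts when the included record yields pass, so the provider’s ~all does not leak a softfail into your own record; what happens to unlisted senders is decided by the all mechanism in the record of the domain being checked.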

Will SPF increase email deliverability?

Your domain must employ SPF to prevent spam from being sent in its name. Without SPF, receiving mail servers cannot verify that messages appearing to come from your domain actually come from you. Emails might end up in spam folders or be rejected if your domain doesn’t use SPF. Even though it still depends on the receiving server, SPF does increase deliverability.

Domain-based Message Authentication, Reporting, and Conformance (DMARC)

DMARC is an email authentication, policy, and reporting protocol that publishes a policy for handling emails that fail authentication. It builds on the DKIM and SPF protocols. It helps protect domains against fraudulent emails and makes policies available for handling messages that fail authentication. It also allows domain owners to request reports from recipient email servers about messages that appear to be sent from their domain but are not properly verified.

The data in these reports can be used to identify potential authentication problems for messages received from your domain, as well as malicious behaviour. DKIM and SPF, rather than DMARC itself, are the key authentication standards behind DMARC. Because SMTP, the core protocol that delivers email, has no means of defining policies for email authentication, DMARC is used in conjunction with it.

How Does DMARC Work

DKIM and SPF are the key standards behind DMARC email authentication. It also utilizes the Domain Name System (DNS). In general, the DMARC validation steps are as follows:

  1. The domain administrator publishes a policy. The policy defines the domain’s email authentication practices and how receiving mail servers should handle mail that does not conform to it. This DMARC policy is listed as part of the domain’s overall DNS records.
  2. When a receiving mail server receives an incoming email, it checks DNS to find the DMARC policy for the domain contained in the header of the message. The receiving server then checks the message against the DNS records for DKIM and SPF authentication.
  3. When the message has been evaluated, the server applies the sending domain’s DMARC policy to decide whether to accept, reject, or otherwise flag the email message.
  4. After using the DMARC policy to determine the message disposition, the receiving mail server reports the result to the sending domain owner.
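The following Go example (added here; not code from this post or from any provider) shows how a receiver carries out step 3, with the post’s terms mapped to concrete record tags: p= is the disposition the domain owner requests, and aspf= and adkim= control identifier alignment, i.e. whether the domain that passed SPF (the Return-Path domain) or DKIM (the d= tag of the signature) must match the From: header domain exactly (strict) or only share an organizational domain (relaxed). The policy string, the domains and the AuthResult inputs are constructed; orgDomain keeps the last two labels as a simplification of the Public Suffix List lookup that real implementations use.

```go
package main

import (
	"fmt"
	"strings"
)

// AuthResult is what the receiving server learned from its own SPF and DKIM checks.
type AuthResult struct {
	SPFPass    bool
	SPFDomain  string // Return-Path (MAIL FROM) domain that SPF was evaluated on
	DKIMPass   bool
	DKIMDomain string // d= tag of the DKIM signature that verified
}

// parseTags splits a "k=v; k2=v2" DMARC record into a map.
func parseTags(record string) map[string]string {
	out := map[string]string{}
	for _, part := range strings.Split(record, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		if len(kv) == 2 {
			out[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return out
}

// orgDomain approximates the organizational domain with the last two labels.
// Real implementations consult the Public Suffix List; this is a simplification.
func orgDomain(d string) string {
	labels := strings.Split(strings.ToLower(d), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, ".")
}

// aligned implements DMARC identifier alignment: strict ("s") requires an exact
// match with the From domain; relaxed ("r", the default) only the same org domain.
func aligned(fromDomain, authDomain, mode string) bool {
	if mode == "s" {
		return strings.EqualFold(fromDomain, authDomain)
	}
	return orgDomain(fromDomain) == orgDomain(authDomain)
}

// Evaluate applies a DMARC record to a message whose From: header carries fromDomain.
// It returns the DMARC result ("pass", "fail", or "none" when no policy is published)
// and the disposition the domain owner requested with p=.
func Evaluate(record, fromDomain string, r AuthResult) (result, disposition string) {
	tags := parseTags(record)
	if tags["v"] != "DMARC1" || tags["p"] == "" {
		return "none", "none"
	}
	spfOK := r.SPFPass && aligned(fromDomain, r.SPFDomain, tags["aspf"])
	dkimOK := r.DKIMPass && aligned(fromDomain, r.DKIMDomain, tags["adkim"])
	if spfOK || dkimOK {
		return "pass", "none"
	}
	return "fail", tags["p"]
}

// Constructed sample policy for this added example: quarantine on failure, strict SPF
// alignment, relaxed DKIM alignment, aggregate reports to a placeholder mailbox.
const samplePolicy = "v=DMARC1; p=quarantine; aspf=s; adkim=r; rua=mailto:dmarc-reports@example.com"

func main() {
	cases := []struct {
		name string
		r    AuthResult
	}{
		{"provider signs with our DKIM key", AuthResult{SPFPass: true, SPFDomain: "mailer.example.net", DKIMPass: true, DKIMDomain: "example.com"}},
		{"SPF passes on bounce subdomain, no DKIM", AuthResult{SPFPass: true, SPFDomain: "bounce.example.com"}},
		{"forged From, other domain's SPF passes", AuthResult{SPFPass: true, SPFDomain: "attacker.example.org"}},
	}
	for _, c := range cases {
		res, disp := Evaluate(samplePolicy, "example.com", c.r)
		fmt.Printf("%-42s result=%s disposition=%s\n", c.name, res, disp)
	}
}
```

The first case is the situation from the summary of this post: the provider’s mail server passes SPF for its own domain, which does not align with yours, but a DKIM signature with d=example.com does, so DMARC passes. The second case shows why alignment mode matters: with aspf=s a bounce subdomain does not count, whereas aspf=r would accept it. The third case is the spoofing DMARC is meant to catch: the From: domain is example.com, but nothing aligned with it authenticated, so the policy’s quarantine disposition applies and the failure shows up in the reports sent to the domain owner.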

Summary

To sum up everything in this post: DKIM and SPF are essential to prevent spoofing, phishing, and spam. They also play an important role in determining the deliverability of emails. Businesses that send email regularly must put these technologies in place to protect and build a good reputation and to avoid spam folders. Both SPF and DKIM must be configured properly before DMARC is configured. Implementing DMARC without SPF and DKIM working properly will result in messages landing in spam or being rejected. For brand or domain protection, DMARC is a fantastic addition.

admin

Digital marketer, B.Tech in Computer science
