Email Authentication: SPF, DKIM, & DMARC, Oh My!


Through the years, email spam has been an issue, and as time goes on, the solutions have evolved. One of the earlier solutions was to block any servers sending high amounts of spam. Eventually there were groupings of these to which an email administrator could subscribe, and anyone in that group would have their emails blocked. You will still see this today with some email service providers: you try to send someone an email and it is rejected, commonly referred to as a bounced email.

There are several lists for a variety of email service providers that are still part of this line of defense. The major downside is obvious: if your email “neighbor” starts sending out spam, either on purpose or because someone got their password, everyone using that same email service provider might start having issues until their administrator reaches out and requests removal from either one of those public block lists or that provider’s internal block list.

Sender Policy Framework

Shortly after this came SPF in 2003, which stands for Sender Policy Framework. SPF tells everyone who is allowed to send email out under your domain name. A very common record may look like this:

v=spf1 a include:_spf.google.com ~all

That may not look like much, but it says that you have SPF set up, and that the same server that hosts your website, and Google, are allowed to send emails out as your business. The “~all” at the end is called a softfail, and it tells the provider not to block anything that doesn’t match. You can also change the ending from “~all” to “-all”, which means that if you forget to add a service, such as MailChimp, those emails will be automatically rejected. SPF records can also include a direct IP address, and a few other values as well, depending on your use case.

DomainKeys Identified Mail

After SPF came DKIM, which was released publicly in 2007; this stands for DomainKeys Identified Mail. It goes a step further and adds a method to validate whether an email claiming to be from your business actually came through your authorized email servers or was tampered with in the delivery process. It does this by adding to each email a signature of sorts that matches one published for your domain. If it doesn’t match, they know either the email didn’t come from your business or it has been tampered with. Some providers will give you a DNS record to copy & paste to set this up.

What is DMARC?

DKIM also goes hand-in-hand with DMARC and SPF. DMARC came out in 2012, and many email service providers such as Google and Yahoo! are just now requiring it to be active. It expands on SPF and almost requires you to have DKIM and SPF enabled before adding it. Many providers will state to wait at least a day after enabling DKIM before turning DMARC on, because if an email comes through and DKIM fails, it will not pass. DMARC makes it so an email has to pass both SPF and DKIM, while providing a report to an email administrator. An example DMARC record may look like this:

v=DMARC1;p=none;rua=mailto:admin@example.com

Just like SPF, the first part just states that you have DMARC set up, and the important part is the next segment, “p”. If this is set to none, then all it will do is email a report of all your email activities for you to monitor. To take full advantage, this needs to be either quarantine (which will typically mark a failed email as spam) or reject (which should make the email bounce back to the sender). “rua” is who should be emailed the report.

Other Ways to Authenticate Your Email

There are a few other optional parameters that are not talked about as much. Adding pct=90 subjects 90% of your unauthenticated emails to your DMARC policy; for most people this would be 100, and some services require it to be 100 as well, to force every message to follow your policy. “ruf” defines an address that would receive a failure report, but this isn’t supported by everyone, including Gmail. Adding “sp” sets the policy for any subdomains you have; it follows the same rule as p and can be none, quarantine, or reject. Normally any subdomains will follow your main one.
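To tie the SPF and DMARC tags above together, here is an added example (not code from the original post) that parses the two records shown earlier and flags the settings the post calls weak: a softfail SPF ending, p=none, a pct below 100, a missing rua address, and sp=none under an enforcing p. The records are constructed inline, so it runs without any DNS lookups.

```python
# Added example, not from the original post: parse the SPF and DMARC records
# shown above and flag the settings the post describes as weak or missing.
# The two records are constructed inline, so this runs offline with no DNS.

SPF_RECORD = "v=spf1 a include:_spf.google.com ~all"            # softfail
DMARC_RECORD = "v=DMARC1;p=none;rua=mailto:admin@example.com"  # monitor only


def parse_spf(record):
    """Return the SPF mechanisms after the 'v=spf1' version term."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def parse_dmarc(record):
    """Parse 'tag=value;tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def audit(spf_record, dmarc_record):
    """Return a list of findings; an empty list means enforcement is on."""
    findings = []
    all_term = next((m for m in parse_spf(spf_record)
                     if m.lower().endswith("all")), None)
    if all_term is None or all_term.lower() != "-all":
        findings.append("SPF: not ending in -all, unlisted senders are not rejected")
    tags = parse_dmarc(dmarc_record)
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only reports, use quarantine or reject")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC: pct=%s applies the policy to only some mail" % tags["pct"])
    if "rua" not in tags:
        findings.append("DMARC: no rua address, so no aggregate reports")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC: sp=none leaves subdomains unenforced")
    return findings
```

Running `audit(SPF_RECORD, DMARC_RECORD)` on the post's own records returns two findings (the softfail and p=none); the same records with `-all` and `p=reject` return none.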

The last two I will mention are adkim and aspf. These set how strict (s is strict, r is relaxed) the enforcement is for matching your email address against who the email is from. A common example is someone who owns two domains, example.com and example.org. Or they may have example.com and us.example.com. In nearly every case, if you are just forwarding example.org to your example.com email and you try to send out as example.org, it will almost always fail with adkim and aspf set, as the email will be from a different domain entirely.

If adkim and aspf are set to relaxed, then you can typically mail from your us.example.com address, as there will be a partial match.
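The strict-versus-relaxed behaviour for the three domains in the two paragraphs above, as an added example that is not part of the original post. It assumes the organizational domain is simply the last two labels, which holds for example.com but not for suffixes like co.uk, where a real checker needs the Public Suffix List.

```python
# Added example, not from the original post: check DMARC identifier alignment
# for the domains the post uses (example.com, example.org, us.example.com).
# Assumption: the organizational domain is the last two labels; a production
# checker must use the Public Suffix List so that e.g. example.co.uk works.

def organizational_domain(domain):
    """Reduce a domain to its registrable part under the two-label assumption."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, authenticated_domain, mode):
    """mode 's' (strict) needs an exact match; 'r' (relaxed) needs the same
    organizational domain, which is what lets us.example.com partially match."""
    from_domain = from_domain.lower().rstrip(".")
    authenticated_domain = authenticated_domain.lower().rstrip(".")
    if mode == "s":
        return from_domain == authenticated_domain
    if mode == "r":
        return organizational_domain(from_domain) == organizational_domain(authenticated_domain)
    raise ValueError("alignment mode must be 's' or 'r'")


def alignment_report(from_domain, dkim_d, spf_domain, adkim="r", aspf="r"):
    """Report DKIM (d= of the signature) and SPF (envelope sender domain)
    alignment separately, using the record's adkim/aspf tags; both are
    relaxed when the tag is absent."""
    return {
        "dkim": aligned(from_domain, dkim_d, adkim) if dkim_d else False,
        "spf": aligned(from_domain, spf_domain, aspf) if spf_domain else False,
    }


if __name__ == "__main__":
    # Constructed cases from the post: the subdomain aligns only when relaxed,
    # and example.org against example.com never aligns.
    for frm, mode in [("us.example.com", "r"), ("us.example.com", "s"), ("example.org", "r")]:
        print(frm, mode, alignment_report(frm, "example.com", "example.com", mode, mode))
```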
