If you have heard the terms DKIM, SPF, or DMARC, you or your organization likely use a domain with email authentication mechanisms in place, or are planning to implement them.
When we say “email authentication”, we mean validating that an email genuinely comes from where it claims to, so it can be told apart from spoofed emails. SPF, DKIM, and DMARC are three email authentication methods that show that a domain (e.g. “itechtics.com”) takes its online security seriously, by allowing only legitimate emails to reach the inbox and rejecting or filtering the rest.
Although not important, the full forms of these acronyms are as follows:
- SPF: Sender Policy Framework
- DKIM: DomainKeys Identified Mail
- DMARC: Domain-based Message Authentication, Reporting and Conformance
You do not need to remember these full names, but only the acronym, so you know which method is responsible for what.
SPF and DKIM are identifiers: they determine whether an email is authentic or not. However, these methods do not themselves decide what to do with the result. DMARC, on the other hand, is responsible for handling the emails that couldn’t be authenticated, meaning those that failed the tests.
Together, these three pillars of email security increase the email security of your domain, and in turn, of your organization. Attackers pretending to be part of your domain, or impersonating someone else, are automatically filtered out when these three email authentication methods are in place.
Let me explain how SPF, DKIM, and DMARC work, to build a better understanding of this combination of email authentication methods. Before that, keep in mind the analogy of a physical letter in an envelope, as in the old days. Although outdated, it is the perfect example for developing an understanding of how email authentication works.
How SPF works
The function of SPF is to verify whether the sending mail server is allowed to send emails on behalf of a certain domain. Think of it as a bouncer outside a party: if your name isn’t on the list, you won’t be allowed in.
SPF records are TXT records stored in DNS. When a mail server sends out an email, for example from “itechtics.com”, the receiving mail server performs two tasks:
- Look at the envelope header to see which domain the email claims to come from, and
- Perform a DNS SPF lookup for that domain and check whether the sending mail server is in its allowed list.
If the sending server is on the list, the SPF check passes, and the email lands in the recipient’s inbox. When the envelope domain also matches the domain in the From address, this is known as SPF alignment.
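As an added example (not code from the article), here is the bouncer logic in Python: an SPF evaluator that walks a v=spf1 record term by term and returns the result for a given sending IP, using the SPF record the article shows in its table further down. DNS answers come from a constructed in-memory table so it runs offline; the A/MX addresses and the record behind the include: target are sample values, not real lookups.

```python
"""Added example (not code from the article): evaluate an SPF record for a
sending IP address, the way a receiving server does after its DNS lookup.

DNS answers come from a constructed in-memory table so the example runs
offline; a real receiver queries DNS for the TXT, A and MX records.
"""
import ipaddress

# Constructed DNS table. The SPF record is the one the article uses as its
# example; the A/MX addresses and the include target's record are sample values.
FAKE_DNS = {
    ("itechtics.com", "TXT"): [
        "v=spf1 +a +mx ip4:65.181.111.142 ip4:65.181.111.145 "
        "include:spf.examplesender.email ~all"
    ],
    ("itechtics.com", "A"): ["203.0.113.10"],
    ("itechtics.com", "MX"): ["mail.itechtics.com"],
    ("mail.itechtics.com", "A"): ["203.0.113.20"],
    ("spf.examplesender.email", "TXT"): ["v=spf1 ip4:198.51.100.0/24 -all"],
}

# Qualifier prefix -> SPF result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns):
    return dns.get((name, rtype), [])


def spf_record(domain, dns):
    """Return the domain's v=spf1 TXT record, or None if it publishes none."""
    for txt in lookup(domain, "TXT", dns):
        if txt.lower().startswith("v=spf1"):
            return txt
    return None


def ip_in(ip, network):
    """True if ip is inside network (a bare address counts as a /32 or /128)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(network, strict=False)


def evaluate_spf(domain, sender_ip, dns, depth=0):
    """Return pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:  # RFC 7208 limits DNS-querying terms; treat deep recursion as an error
        return "permerror"
    record = spf_record(domain, dns)
    if record is None:
        return "none"
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        if "=" in term:
            continue  # modifiers such as redirect= and exp= are not handled here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, arg = term.partition(":")
        mechanism = mechanism.lower()
        if mechanism == "all":
            matched = True
        elif mechanism in ("ip4", "ip6"):
            matched = ip_in(sender_ip, arg)
        elif mechanism == "a":
            matched = sender_ip in lookup(arg or domain, "A", dns)
        elif mechanism == "mx":
            matched = any(sender_ip in lookup(mx, "A", dns)
                          for mx in lookup(arg or domain, "MX", dns))
        elif mechanism == "include":
            # include: matches only when the referenced domain's record says "pass"
            matched = evaluate_spf(arg, sender_ip, dns, depth + 1) == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no "all" term was present


if __name__ == "__main__":
    for ip in ("65.181.111.142", "203.0.113.20", "198.51.100.77", "192.0.2.1"):
        print(ip, "->", evaluate_spf("itechtics.com", ip, FAKE_DNS))
```

Note the two different "no" answers: a server that matches nothing falls through to the trailing ~all and gets softfail (the article's record is deliberately lenient), whereas the included record ends in -all and returns a hard fail for its own domain; a failing include never causes a match on its own, it simply moves evaluation on to the next term.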
How DKIM works
While SPF focuses on the sender’s domain written on the envelope, DKIM focuses on verifying that the contents of the letter (the email) inside the envelope have not been tampered with. This is verified with the help of a digital signature.
When an email is sent out, the sending mail server adds a digital signature created with a private key. The signature (not the key) is embedded in an email header, known as the DKIM header (DKIM-Signature).
When the email reaches the receiving mail server, it performs the following three tasks. Note that these tasks are performed in the given order, since each depends on the previous one:
- Look at the signing domain and selector named in the DKIM header.
- Perform a DNS DKIM lookup for that domain and selector and fetch the public key, and
- Verify the digital signature with that public key.
If the signature verifies against the public key published by the signing domain, the email passes the DKIM check, and the email lands in the recipient’s inbox. However, if the signature does not verify, no DKIM record is found, or the DKIM record does not hold the public key matching the private key that signed the message, the email will either be rejected, or flagged and sent to the spam folder.
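The "contents have not been tampered with" part of DKIM rests on a body hash (the bh= tag of the DKIM-Signature header) computed over a canonicalized body, and the signature then covers that hash together with the selected headers. As an added example that is not code from the article, the block below implements the RFC 6376 "simple" and "relaxed" body canonicalizations from the standard library, builds a DKIM-Signature header with a real bh= value, and recomputes the hash on receipt to detect a changed body. The message bodies, domain and selector are constructed sample values, and the b= signature itself is a placeholder, since producing it would need an RSA private key.

```python
"""Added example (not code from the article): compute and check the DKIM body
hash (the bh= tag) with RFC 6376 "simple" and "relaxed" body canonicalization.

Only the body-hash part of DKIM is shown; the RSA signature over the headers
(the b= tag) would need a private key and is left as a placeholder.
"""
import base64
import hashlib
import re


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """Apply DKIM body canonicalization to a raw body with CRLF line endings."""
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # Strip trailing whitespace and collapse runs of SP/HTAB to a single SP.
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    # Both methods drop empty lines at the end of the body.
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # "simple" turns an empty body into a single CRLF; "relaxed" keeps it empty.
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, method: str = "relaxed") -> str:
    """Return the base64 SHA-256 digest that goes into the bh= tag."""
    digest = hashlib.sha256(canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Parse 'tag=value; tag=value' pairs from a DKIM-Signature header value."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)  # folding whitespace is ignored
    return tags


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """Recompute bh= from the received body and compare it with the header's value."""
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple").split("/")
    body_method = canon[1] if len(canon) > 1 else "simple"
    return body_hash(body, body_method) == tags.get("bh")


def make_signature_header(body: bytes, domain: str, selector: str,
                          method: str = "relaxed") -> str:
    """Constructed DKIM-Signature value with a computed bh= (b= is a placeholder)."""
    return (f"v=1; a=rsa-sha256; c=relaxed/{method}; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body, method)}; b=PLACEHOLDER_SIGNATURE")


# Constructed sample bodies: the second one has had a single number altered in transit.
ORIGINAL_BODY = b"Hi Alice,\r\n\r\nPlease pay invoice 42 to account 1234.\r\n"
TAMPERED_BODY = b"Hi Alice,\r\n\r\nPlease pay invoice 42 to account 9999.\r\n"

if __name__ == "__main__":
    header = make_signature_header(ORIGINAL_BODY, "itechtics.com", "selector")
    print(header)
    print("original body matches bh=:", body_hash_matches(header, ORIGINAL_BODY))
    print("tampered body matches bh=:", body_hash_matches(header, TAMPERED_BODY))
```

Relaxed canonicalization is why a mail relay that re-wraps whitespace or adds a trailing blank line does not break the signature, while any change to the visible text still does; with "simple" canonicalization even a doubled space would invalidate the hash.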
How DMARC works
DMARC works on top of SPF and DKIM and is responsible for handling unauthenticated emails. It uses the SPF and DKIM results as indicators and then makes a decision based on them.
If a DMARC DNS record exists, it instructs the receiving email server on how to handle emails that fail: either do nothing and let them pass, send them to the recipient’s spam folder, or reject them altogether.
Moreover, the DMARC record is also used to request reports about unauthenticated emails, which in turn help tighten email security further.
How are SPF, DKIM, and DMARC records stored?
The Domain Name System (DNS) stores the records for SPF, DKIM, and DMARC. These are TXT (text) records that carry their instructions as mechanisms, qualifiers, tags, and other values. Moreover, DKIM and DMARC DNS records must also have special names that help mail servers find them.
Not only that, but the values for the tags and mechanisms have different options as well. Regardless, these records look something like this:
| DNS Record | Name example | Record/values example |
| --- | --- | --- |
| SPF | itechtics.com. | v=spf1 +a +mx ip4:65.181.111.142 ip4:65.181.111.145 include:spf.examplesender.email ~all |
| DKIM | selector._domainkey.domain.com | v=DKIM1; k=rsa; p=76E629F05F709EF665853333EEC3F5ADE69A2362BECE40658267AB2FC3CB6CBE |
| DMARC | _dmarc.yourdomain.com | v=DMARC1;p=quarantine;pct=100;adkim=s;aspf=r;rua=mailto:postmaster@itechtics.org;ruf=mailto:postmaster@itechtics.org |
Along with this information, you might also need to configure the Time To Live (TTL) for these records when setting them up.
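To tie the DMARC section and the table together, here is an added example (not code from the article) that parses the DMARC record from the table above and applies it to one message: it checks whether the SPF or DKIM result is both "pass" and aligned with the From domain under the record's aspf=r / adkim=s settings, and otherwise returns the p= disposition. The From, envelope and signing domains passed in are constructed sample values, and organizational-domain matching is simplified to "last two labels" instead of a Public Suffix List lookup.

```python
"""Added example (not code from the article): apply a DMARC record to the SPF
and DKIM results of one message and decide its disposition.

The record is the DMARC example from the article's table. Domain names and
authentication results passed in are constructed sample values.
"""

DMARC_RECORD = ("v=DMARC1;p=quarantine;pct=100;adkim=s;aspf=r;"
                "rua=mailto:postmaster@itechtics.org;ruf=mailto:postmaster@itechtics.org")


def parse_dmarc(record):
    """Parse 'tag=value;tag=value' into a dict, filling in DMARC's defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100", "sp": None}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Simplification: treat the last two labels as the organizational domain.
    A real implementation consults the Public Suffix List instead."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any
    subdomain of the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition).

    from_domain: domain of the From: header the recipient sees.
    spf_domain:  envelope sender (Return-Path) domain that SPF was checked for.
    dkim_domain: d= tag of a DKIM signature that verified, or None.
    pct= sampling is not applied here (treated as 100).
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Neither check passed with alignment: apply p= (or sp= for a subdomain).
    policy = tags["p"]
    if tags["sp"] and from_domain.lower() != org_domain(from_domain):
        policy = tags["sp"]
    return "fail", policy


if __name__ == "__main__":
    # SPF passed for the envelope domain, but that domain is not the From: domain.
    print(evaluate_dmarc(DMARC_RECORD, "itechtics.com", "pass", "other.example", "fail", None))
```

The last case in the script is the one DMARC was designed for: a message whose envelope sender passes SPF for some unrelated domain while the visible From: says itechtics.com. SPF alone reports "pass"; only the alignment step makes it fail and hands it the quarantine disposition from p=.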
How to check if email passed DKIM, SPF, DMARC
When you receive an email in your inbox or spam folder, you can find its metadata in the email header. It includes information about the sender, the receiver, and other details, including the results of the SPF, DKIM, and DMARC checks.
Most email providers allow you to expand the email header and look at the finer details. For example, in Gmail, you can click the dots in the top-right corner of the email and click “Show original”.
Note that the envelope itself cannot be seen; only the email header.
Once you have opened the email header, it can be difficult to find the email authentication information. It is like finding a needle in a haystack. The DKIM, SPF, and DMARC information looks like this:
If you have trouble finding this information, you can use the CTRL + F shortcut to search for “dmarc”, “dkim”, or “spf”.
That said, as can be seen in the image above, the “pass” after the equals sign indicates that this particular email passed all 3 email authentication checks, which means that the email should land in my inbox (which it did).
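The header the article is searching for with CTRL + F is Authentication-Results (RFC 8601), added by the receiving server. As an added example that is not code from the article, the block below reads that header with Python's standard email parser and pulls out the spf=, dkim= and dmarc= verdicts, so the "all three passed" check can be done programmatically over exported messages. The raw message, its hostnames and the header.b value are constructed, not taken from a real delivery.

```python
"""Added example (not code from the article): read the SPF, DKIM and DMARC
verdicts from a message's Authentication-Results header (RFC 8601), which is
what Gmail's "Show original" view contains, instead of searching by hand.

RAW_MESSAGE is a constructed sample; its hostnames, addresses and tag values
are not from a real delivery.
"""
import email
import re

RAW_MESSAGE = """\
Delivered-To: alice@example.net
Authentication-Results: mx.example.net;
       dkim=pass header.i=@itechtics.com header.s=selector header.b=abc123;
       spf=pass (example.net: domain of bounce@itechtics.com designates 65.181.111.142 as permitted sender) smtp.mailfrom=bounce@itechtics.com;
       dmarc=pass (p=QUARANTINE sp=NONE dis=NONE) header.from=itechtics.com
From: Someone <someone@itechtics.com>
To: alice@example.net
Subject: Test

Hello.
"""


def authentication_results(raw):
    """Return {"dkim": "pass", "spf": "pass", "dmarc": "pass", ...} from the
    first Authentication-Results header, or {} if the message has none."""
    msg = email.message_from_string(raw)
    header = msg.get("Authentication-Results")
    if header is None:
        return {}
    # The part before the first ";" is the authserv-id (the server that checked).
    _, _, results = header.partition(";")
    verdicts = {}
    for stanza in results.split(";"):
        # Each stanza starts with "method=result", possibly after folded whitespace.
        match = re.match(r"\s*([a-z0-9-]+)=(\w+)", stanza, re.IGNORECASE)
        if match:
            verdicts[match.group(1).lower()] = match.group(2).lower()
    return verdicts


def all_passed(verdicts):
    """True only if SPF, DKIM and DMARC are all present and all "pass"."""
    return all(verdicts.get(method) == "pass" for method in ("spf", "dkim", "dmarc"))


if __name__ == "__main__":
    results = authentication_results(RAW_MESSAGE)
    print(results)
    print("all three passed:", all_passed(results))
```

One caveat for anyone automating this: only trust an Authentication-Results header whose authserv-id is your own receiving server, since a sender can add a header with the same name before the message ever reaches you; receiving servers are expected to strip such pre-existing copies for that reason.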
Configuring SPF, DKIM, DMARC records
SPF, DKIM, and DMARC records are configured by the administrators of your domain’s DNS. There, you add a TXT record, name it as the standards require, and enter the record’s value. We have separate detailed guides on what these 3 email authentication mechanisms are and how to set them up. To learn more about them, click the respective link:
That said, it is important that you set up these policies correctly. Incorrect configuration will lead to legitimate emails not reaching the end user’s inbox, and spoofed emails getting through the mail server.
Closing words
This article explains the roles of SPF, DKIM, and DMARC in email authentication. You should now be able to differentiate between these technologies, and know that each of them is needed for a complete email authentication solution.
Know that many email providers only deploy SPF and think it is sufficient for email security. However, Google and Yahoo have recently changed their email servers and made DMARC compulsory as well, starting February 2024. At the moment, emails from domains without DMARC are being sent to spam; soon, they will be rejected entirely.
Therefore, it is a good time to learn about the 3 pillars of email authentication and deploy them.