    DKIM, SPF & DMARC: Email Authentication Guide

    Ensure your emails actually reach the inbox. Learn how to correctly configure SPF, DKIM, and DMARC to improve deliverability and protect your domain.

    Dutchify · April 10, 2026 · 4 min read

    Email authentication is no longer a luxury — it is an absolute necessity. Since February 2024, Gmail and Yahoo require bulk senders to have SPF, DKIM, and DMARC correctly configured. At Dutchify, we configure these protocols for all our clients as part of our email infrastructure services.

    Why Email Authentication Is Crucial

    Without proper authentication:

    • Your emails end up in spam
    • Your domain can be spoofed for phishing
    • You lose reputation with email providers
    • Your open rates and conversions drop

    Email authentication consists of three complementary protocols that together provide watertight protection.

    SPF (Sender Policy Framework)

    SPF defines which mail servers are allowed to send on behalf of your domain. It works via a DNS TXT record.

    How SPF Works

    1. You publish an SPF record in your DNS
    2. The receiving mail server checks if the sending server is listed in the SPF record
    3. If the server is not authorized, the email can be rejected

    SPF DNS Record Example

    v=spf1 include:_spf.google.com include:sendgrid.net include:mailgun.org -all
    

    Explanation of the mechanisms:

    • v=spf1 — Version identifier
    • include: — Authorizes the mail servers of an external service
    • ip4: — Authorizes a specific IPv4 address or CIDR range
    • -all — Reject all other servers (hard fail)
    • ~all — Soft fail (mark as suspicious but do not reject)

    Common SPF Mistakes

    1. Too many DNS lookups: SPF allows a maximum of 10 DNS lookups. Every include: counts as a lookup, and lookups made inside an included record count toward the same limit.
    2. Forgotten services: All systems that send email must be included in the SPF record.
    3. Using +all: This authorizes everyone — never do this!
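    An added example (not part of the original article) that audits an SPF include tree for the first and third mistakes above: it counts lookup-costing terms across nested records and flags +all. The zone data and the .test domain names are constructed; a real audit would fetch each TXT record from DNS instead.

```python
import re

# Terms that each cost one DNS lookup against SPF's limit of 10 (RFC 7208).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed zone data (domain -> SPF TXT value); not real DNS answers.
SAMPLE_ZONE = {
    "example.test": "v=spf1 include:_spf.mail.test include:bulk.test "
                    "include:crm.test mx ip4:192.0.2.10 -all",
    "_spf.mail.test": "v=spf1 include:n1.mail.test include:n2.mail.test "
                      "include:n3.mail.test ~all",
    "n1.mail.test": "v=spf1 ip4:198.51.100.0/25 ~all",
    "n2.mail.test": "v=spf1 ip4:198.51.100.128/25 ~all",
    "n3.mail.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "bulk.test": "v=spf1 a mx +all",
    "crm.test": "v=spf1 a mx ~all",
}

def walk(domain, zone, path=()):
    """Return (lookups, findings) for one record, following include/redirect."""
    if domain in path:
        return 0, [f"{domain}: include loop"]
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record found"]
    lookups, findings = 0, []
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # bare "all" means +all
        parts = re.split(r"[:=]", term.lstrip("+-~?"), maxsplit=1)
        name = parts[0].split("/")[0].lower()               # drop a CIDR suffix
        if name == "all" and qualifier == "+":
            findings.append(f"{domain}: +all authorizes every sender")
        if name in LOOKUP_TERMS:
            lookups += 1
        if name in ("include", "redirect") and len(parts) == 2:
            sub_lookups, sub_findings = walk(parts[1], zone, path + (domain,))
            lookups += sub_lookups
            findings += sub_findings
    return lookups, findings

def audit_spf(domain, zone):
    """Audit the full include tree and flag a lookup count above 10."""
    lookups, findings = walk(domain, zone)
    if lookups > 10:
        findings.append(f"{domain}: {lookups} DNS lookups, limit is 10")
    return lookups, findings

if __name__ == "__main__":
    print(audit_spf("example.test", SAMPLE_ZONE))
```

    The top-level record shows only four lookup terms, but the nested records bring the total to 11, and the +all sits in an included record that the domain owner does not control.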

    DKIM (DomainKeys Identified Mail)

    DKIM adds a cryptographic signature to every outgoing email. The recipient can verify this signature using a public key in your DNS.

    How DKIM Works

    1. Signing: Your mail server signs the email with a private key
    2. DNS Publication: The corresponding public key is in a DNS TXT record
    3. Verification: The recipient retrieves the public key and verifies the signature

    DKIM DNS Record Example

    selector1._domainkey.dutchify.ai  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNA..."
    

    Record components:

    • selector1 — The selector indicating which key to use
    • _domainkey — Fixed prefix for DKIM records
    • v=DKIM1 — DKIM version
    • k=rsa — The key type (RSA)
    • p= — The public key (Base64 encoded)

    DKIM Best Practices

    • Use 2048-bit RSA keys (minimum)
    • Rotate keys periodically (every 6-12 months)
    • Configure DKIM for each sending service separately
    • Test signatures with tools like mail-tester.com
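    An added example (not part of the original article) that checks a published DKIM record against the 2048-bit minimum by reading the RSA modulus length out of the p= value. The sample records are built in the code with a placeholder modulus, so they are structurally valid but not usable keys.

```python
import base64

def der_read(buf, off):
    """Read one DER element at off; return (content_start, content_end)."""
    first = buf[off + 1]
    if first < 0x80:                          # short-form length
        return off + 2, off + 2 + first
    n = first & 0x7F                          # long form: next n bytes hold the length
    start = off + 2 + n
    return start, start + int.from_bytes(buf[off + 2:start], "big")

def dkim_rsa_bits(txt):
    """Return the RSA modulus size in bits for a DKIM TXT value, 0 if revoked."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    tags = {k.strip(): "".join(v.split()) for k, v in pairs}
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key")
    if not tags.get("p"):
        return 0                              # an empty p= means the key is revoked
    der = base64.b64decode(tags["p"])
    spki, _ = der_read(der, 0)                # SubjectPublicKeyInfo SEQUENCE
    _, alg_end = der_read(der, spki)          # AlgorithmIdentifier, skipped
    bitstr, _ = der_read(der, alg_end)        # BIT STRING holding the key
    key, _ = der_read(der, bitstr + 1)        # +1 skips the unused-bits byte
    mod_start, mod_end = der_read(der, key)   # INTEGER modulus
    return int.from_bytes(der[mod_start:mod_end], "big").bit_length()

def der_wrap(tag, body):
    """DER-encode one element (used only to build the constructed samples)."""
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_record(bits):
    """Constructed DKIM record with a placeholder modulus; not a usable key."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    rsa = der_wrap(0x30, der_wrap(0x02, modulus) + der_wrap(0x02, b"\x01\x00\x01"))
    alg = der_wrap(0x30, bytes.fromhex("06092a864886f70d0101010500"))
    spki = der_wrap(0x30, alg + der_wrap(0x03, b"\x00" + rsa))
    return "v=DKIM1; k=rsa; p=" + base64.b64encode(spki).decode()

if __name__ == "__main__":
    for bits in (1024, 2048):
        size = dkim_rsa_bits(sample_record(bits))
        print(size, "ok" if size >= 2048 else "below the 2048-bit minimum")
```

    A p= value beginning with MIGf, like the truncated one in the example record above, is the DER header of a 1024-bit RSA key; a 2048-bit key begins with MIIBIjAN.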

    DMARC (Domain-based Message Authentication, Reporting and Conformance)

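    DMARC builds on SPF and DKIM and adds policy and reporting. It tells receiving mail servers what to do with emails that fail authentication: a message passes DMARC when SPF or DKIM passes for a domain aligned with the From: header, and the policy applies when neither does.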

    DMARC DNS Record Example

    _dmarc.dutchify.ai  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@dutchify.ai; ruf=mailto:dmarc-forensic@dutchify.ai; pct=100; adkim=s; aspf=s"
    

    Policy options:

    • p=none — No action, reporting only (start here!)
    • p=quarantine — Send suspicious emails to spam
    • p=reject — Reject suspicious emails

    Alignment modes:

    • adkim=r (relaxed) or adkim=s (strict) — DKIM domain alignment
    • aspf=r (relaxed) or aspf=s (strict) — SPF domain alignment
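    An added example (not part of the original article) showing how the alignment modes change the outcome for the same messages. The authentication results and the .test domains are constructed, and org_domain() is a simplifying assumption: real receivers derive the organizational domain from the Public Suffix List.

```python
def parse_tags(txt):
    """Split a DMARC TXT value into a lowercase tag dictionary."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain):
    """Assumption: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict needs an exact match; relaxed needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, msg):
    """Return 'pass' or the policy (none/quarantine/reject) the receiver applies."""
    tags = parse_tags(record)
    spf_ok = msg["spf"] == "pass" and aligned(
        msg["mail_from"], msg["from"], tags.get("aspf", "r"))
    dkim_ok = msg["dkim"] == "pass" and aligned(
        msg["dkim_d"], msg["from"], tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")

# The article's record (reporting tags omitted) and a relaxed variant.
STRICT = "v=DMARC1; p=quarantine; pct=100; adkim=s; aspf=s"
RELAXED = "v=DMARC1; p=quarantine; pct=100; adkim=r; aspf=r"

# Constructed authentication results as a receiver would see them.
MESSAGES = {
    "own server": {"from": "dutchify.ai", "mail_from": "dutchify.ai",
                   "spf": "pass", "dkim": "pass", "dkim_d": "dutchify.ai"},
    "subdomain sender": {"from": "dutchify.ai", "mail_from": "bounce.dutchify.ai",
                         "spf": "pass", "dkim": "pass", "dkim_d": "mail.dutchify.ai"},
    "unaligned service": {"from": "dutchify.ai", "mail_from": "bounces.esp.test",
                          "spf": "pass", "dkim": "pass", "dkim_d": "esp.test"},
}

if __name__ == "__main__":
    for name, msg in MESSAGES.items():
        print(f"{name}: strict={evaluate(STRICT, msg)} relaxed={evaluate(RELAXED, msg)}")
```

    The subdomain sender passes only under relaxed alignment, and the unaligned service is quarantined in both modes even though its own SPF and DKIM checks pass.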

    DMARC Implementation Roadmap

    1. Start with p=none — Collect data without impact
    2. Analyze reports — Identify all legitimate sending services
    3. Fix SPF and DKIM — Ensure all services are correctly configured
    4. Increase to p=quarantine — Begin enforcement
    5. Ultimate goal: p=reject — Full protection

    Monitoring and Reporting

    Reading DMARC Reports

    DMARC generates two types of reports:

    • Aggregate (rua): Daily XML reports with statistics on all emails
    • Forensic (ruf): Detailed reports on individual failed emails

    Use tools like DMARC Analyzer, Postmark DMARC, or dmarcian to visualize reports.
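    An added example (not part of the original article) of the report analysis step: it reads an aggregate (rua) report and sorts sending IPs by whether they are ready for enforcement. The report is a constructed sample in the RFC 7489 layout without an XML namespace, which is an assumption about the input.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate (rua) report in the RFC 7489 layout; sample values only.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.test</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>15</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.test</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>5</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>news.example.test</header_from></identifiers></record>
</feedback>"""

def summarize(report_xml):
    """Per source IP: message total, aligned SPF/DKIM passes, DMARC failures."""
    stats = defaultdict(lambda: {"total": 0, "spf": 0, "dkim": 0, "fail": 0})
    for record in ET.fromstring(report_xml).iter("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        spf = row.findtext("policy_evaluated/spf") == "pass"
        dkim = row.findtext("policy_evaluated/dkim") == "pass"
        entry = stats[row.findtext("source_ip")]
        entry["total"] += count
        entry["spf"] += count if spf else 0
        entry["dkim"] += count if dkim else 0
        entry["fail"] += 0 if (spf or dkim) else count   # DMARC fails only if both fail
    return dict(stats)

def triage(stats):
    """Group sources: ready, one mechanism to fix, or failing DMARC outright."""
    buckets = {"ready": [], "fix_spf_or_dkim": [], "failing": []}
    for ip, s in sorted(stats.items()):
        if s["fail"]:
            buckets["failing"].append(ip)
        elif s["spf"] < s["total"] or s["dkim"] < s["total"]:
            buckets["fix_spf_or_dkim"].append(ip)
        else:
            buckets["ready"].append(ip)
    return buckets

if __name__ == "__main__":
    print(triage(summarize(SAMPLE_REPORT)))
```

    Sources in the failing group are either a legitimate service that was never configured or mail the domain did not send; they need to be identified before moving past p=none.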

    Deliverability Monitoring

    In addition to DMARC monitoring, we advise:

    • Blacklist monitoring — Check if your IP/domain is on blacklists
    • Inbox placement testing — Test if emails actually land in the inbox
    • Bounce rate tracking — Monitor hard and soft bounces
    • Reputation scoring — Track your sender reputation

    Common Mistakes

    1. Going straight to p=reject — Always start with p=none and build up
    2. Forgetting subdomains — Also configure sp= for subdomains
    3. Not testing forwarding — Email forwarding often breaks SPF
    4. No monitoring — Without reporting, you’re flying blind
    5. Not rotating keys — Outdated DKIM keys are a security risk

    The Three Protocols Summarized

    Protocol  Function            DNS Record                  Purpose
    SPF       Authorization       TXT on domain               Who is allowed to send?
    DKIM      Authentication      TXT on selector._domainkey  Is the email unaltered?
    DMARC     Policy + Reporting  TXT on _dmarc               What to do on failure?

    Conclusion

    Correctly configured email authentication is the foundation of any professional email infrastructure. At Dutchify, we ensure that SPF, DKIM, and DMARC work together seamlessly so that your emails arrive reliably and your domain is protected from abuse. Contact us for a free email authentication audit.
