SPF, DKIM and DMARC are three types of DNS (Domain Name System) record that authenticate your domain name. They tell receiving mail servers that your emails really come from your domain, so that they are not treated as spam.

SPF stands for ‘Sender Policy Framework’

The Sender Policy Framework (SPF) can be used to determine whether an email is actually coming from the domain server that appears as the sender. This authentication method allows mail servers to verify the authenticity of sender addresses, that is, that the email really comes from the specified host server. The SPF check runs automatically in the background without you having to do anything. The SPF record exists as a TXT record in the DNS.

Put simply, the SPF determines which mail servers are allowed to send mail for the domain. The mail servers are identified by their name or their IP address. For example, an email from john.doe@gmx.com may only be sent via one of the following IP addresses: 213.165.64.0, 74.208.5.64, 74.208.122.0, 212.227.126.128, 212.227.15.0, 212.227.17.0, 74.208.4.192, 82.165.159.0, 217.72.207.0. These IP addresses are therefore listed in the SPF record for the domain gmx.com. The incoming mail server can then check whether the IP address that it reads in the header of the mail is on this list or not.

The list of authorised mail servers is stored on the domain name server (DNS) of the sending domain (gmx.com in this example) and can be accessed by any incoming mail server.

DKIM stands for ‘DomainKeys Identified Mail’

DKIM is used for the authentication of an email that’s being sent. Like SPF, DKIM is an open standard for email authentication that is used for DMARC alignment. A DKIM record also exists in the DNS as a TXT record.

DKIM adds a signature header secured with encryption to the email. Each DKIM signature contains all the information needed for an email server to verify that the signature is real, and it is encrypted by a pair of DKIM keys. The originating email server holds what is called the “private DKIM key,” and its signature can be verified by the receiving mail server or ISP with the other half of the keypair, called the “public DKIM key.”

These signatures travel with the emails and are verified along the way by the email servers that move the emails toward their final destination.

DMARC stands for ‘Domain-based Message Authentication, Reporting & Conformance’

DMARC is vital in combating spam, phishing, and spoofing. Paired with SPF and DKIM, DMARC verifies sender legitimacy and ensures email authenticity.

DMARC outlines authentication practices and actions for failed authentication, safeguarding email senders and recipients from advanced threats. DMARC notifies recipients of protected messages and guides email handling to defend against impersonation fraud. DMARC also exists as a TXT record in the DNS.

DNS records can be accessed under ‘domain settings’ on your dashboard on your domain provider’s website.