Email authentication is a critical component of modern email security, helping to protect both senders and recipients from spoofing, phishing, and other malicious activities. In this comprehensive guide, we'll dive deep into the three main email authentication protocols - SPF, DKIM, and DMARC - explaining what they are, how they work together, and best practices for implementing them effectively to secure your email communications.
What is Email Authentication?
Email authentication refers to a set of techniques and protocols used to verify the identity of an email sender and ensure that the email has not been altered in transit. Without proper authentication, it's relatively easy for attackers to send emails that appear to come from a trusted source, tricking recipients into revealing sensitive information, downloading malware, or falling victim to other scams.
The three main email authentication protocols are:
- SPF (Sender Policy Framework): Specifies which mail servers are authorized to send email on behalf of a domain
- DKIM (DomainKeys Identified Mail): Uses cryptographic signatures to verify that an email message was sent from an authorized source and has not been altered
- DMARC (Domain-based Message Authentication, Reporting, and Conformance): Builds upon SPF and DKIM to provide a clear policy for email authentication and reporting
The following diagram provides a high-level overview of how SPF, DKIM, and DMARC work together to authenticate email messages:
SPF: Sender Policy Framework
SPF is a DNS-based email authentication method that allows domain owners to specify which mail servers are permitted to send email on their behalf. By publishing an SPF record in their DNS settings, domain owners can help prevent unauthorized parties from sending emails that appear to originate from their domain.
How SPF Works
- A domain owner publishes an SPF record in their DNS settings, specifying which mail servers are authorized to send email for the domain.
- When an email is received, the receiving mail server performs an SPF check by querying the sender's DNS for the SPF record.
- The receiving server compares the IP address of the sending mail server to the list of authorized servers in the SPF record.
- If the sending server's IP is listed in the SPF record, the email passes SPF authentication. If not, the email fails SPF and may be flagged as suspicious.
Here's a simple example of an SPF record:
example.com IN TXT "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:example.net -all"
This SPF record specifies that only servers with IP addresses in the ranges 192.0.2.0/24 or 2001:db8::/32, as well as any servers listed in the SPF record for example.net, are authorized to send email for the domain example.com. The -all at the end indicates a hard fail for any other servers attempting to send email for this domain.
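To make the SPF check concrete, here is an added evaluator (example code written for this guide, not part of the original article or any SPF library) that walks the record above against a sender IP. It assumes a constructed DNS_TXT lookup table in place of live DNS, and the example.net record in that table is invented to show how include: recurses; it handles ip4, ip6, include and all, returns permerror for the mechanisms it does not implement (a, mx, exists, ptr, redirect), and enforces the 10-lookup limit from RFC 7208.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: a real checker queries DNS
# live). example.com is the record from the text; example.net is invented here.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:example.net -all",
    "example.net": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying terms (include, a, mx, ...) at 10


def check_spf(domain, sender_ip, _lookups=None):
    """Return (result, reason) for sender_ip sending mail as domain.

    Only ip4, ip6, include and all are handled; a, mx, exists, ptr and redirect
    (which need further DNS queries) return permerror so the gap is explicit.
    """
    if _lookups is None:
        _lookups = [0]
    record = DNS_TXT.get(domain.lower())
    if record is None:
        return "none", f"no SPF record for {domain}"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none", f"{domain}: TXT record is not an SPF record"
    ip = ipaddress.ip_address(sender_ip)

    for term in terms[1:]:
        if "=" in term and ":" not in term:       # modifier, e.g. redirect= or exp=
            if term.lower().startswith("redirect="):
                return "permerror", "redirect modifier not supported in this example"
            continue                               # unknown modifiers are ignored
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], f"{domain}: matched {qualifier}all"
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror", f"{domain}: bad network {value!r}"
            if ip in net:                          # False when address families differ
                return QUALIFIERS[qualifier], f"{domain}: matched {name}:{value}"
        elif name == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror", "too many DNS lookups"
            sub, _ = check_spf(value, sender_ip, _lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier], f"{domain}: matched include:{value}"
            if sub in ("permerror", "temperror", "none"):
                return "permerror", f"{domain}: include:{value} gave {sub}"
            # fail/softfail/neutral inside an include simply do not match; keep going
        elif name in ("a", "mx", "exists", "ptr"):
            return "permerror", f"{name} mechanism not supported in this example"
        else:
            return "permerror", f"{domain}: unknown mechanism {name!r}"
    return "neutral", f"{domain}: no term matched and no 'all' present"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8:1::5", "198.51.100.7", "203.0.113.9"):
        print(ip, check_spf("example.com", ip))
```

Note that a softfail or fail inside an included record does not match; only a pass does. This is why an include: that ends in -all still lets the outer record's own -all decide the final answer.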
DKIM: DomainKeys Identified Mail
DKIM is an email authentication protocol that uses cryptographic signatures to verify that an email message was sent from an authorized source and has not been altered in transit. By signing emails with a private key and publishing the corresponding public key in the domain's DNS, email senders can provide recipients with a way to verify the authenticity of their messages.
The following diagram illustrates the DKIM signing and verification process:
How DKIM Works
- The email sender generates a public-private key pair and publishes the public key in their domain's DNS as a DKIM record.
- When sending an email, the sender's mail server uses the private key to create a digital signature of the email content and headers.
- The signature is added to the email headers as a DKIM-Signature field.
- Upon receiving the email, the recipient's mail server retrieves the sender's public key from their DNS and uses it to verify the DKIM signature.
- If the signature is valid, the email passes DKIM authentication, confirming that it was sent from an authorized source and has not been modified. If the signature is invalid or missing, the email fails DKIM.
Here's an example of a DKIM signature header:
DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=default; c=relaxed/relaxed; q=dns/txt; t=1617227164; h=from:to:subject:message-id:date:mime-version:content-type; bh=MjFhOTQzMjU2YThjZGU3NTk5MjhiNjA1ODg1MjI0NDA=; b=aIZW8xXqXTkMm0R7lz2ZnKcT7e9kVFOOJLSpJG1fWEsOiX5zs6OU5lXxOKPmSmXHgI9z0 w8f3U0GHPyyGc6yaTROgr5CrmRpgg9gyCmN+oAYXN+H2Aqyz9EE4GWzBNa0Xrpvwri6Af 4gMJzmp5RjRfUq8kWTE1j9oBdFcVDggyE=
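The bh= tag in the header above is the piece of DKIM a receiver can check without any key material: it is the hash of the canonicalized body. The following added example (written for this guide, not code from the original article or from any DKIM library) implements simple and relaxed body canonicalization from RFC 6376, parses the tag list of a DKIM-Signature header, and checks bh= against the body. It assumes a constructed message whose bh= tag is filled in by the same function and whose b= tag is a placeholder, since verifying b= needs the signer's RSA public key and is outside this stdlib-only example.

```python
import base64
import hashlib
import hmac
import re


def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature tag=value list into a dict.
    Whitespace inside values is dropped, which is how folded b= and bh= are read."""
    tags = {}
    for item in header_value.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def canonicalize_body(body, mode="relaxed"):
    """Body canonicalization per RFC 6376 section 3.4.3 (simple) / 3.4.4 (relaxed)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # collapse runs of WSP to one space and strip trailing WSP on each line
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    while lines and lines[-1] == b"":   # drop empty lines at the end of the body
        lines.pop()
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, mode="relaxed", algo="sha256"):
    """Return the base64 bh= value for a raw body."""
    digest = hashlib.new(algo, canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def split_message(raw):
    """Split a raw RFC 5322 message into {header-name: value} and the body.
    Only the first header of each name is kept (enough for this example)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head)   # join folded continuation lines
    headers = {}
    for line in unfolded.split(b"\r\n"):
        name, _, value = line.partition(b":")
        headers.setdefault(name.strip().lower().decode(), value.strip().decode())
    return headers, body


def verify_body_hash(raw):
    """Check the bh= tag against the message body. Returns (ok, reason)."""
    headers, body = split_message(raw)
    if "dkim-signature" not in headers:
        return False, "no DKIM-Signature header"
    tags = parse_dkim_tags(headers["dkim-signature"])
    algo = tags.get("a", "rsa-sha256").rpartition("-")[2]          # rsa-sha256 -> sha256
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    canonical = canonicalize_body(body, body_mode)
    if "l" in tags:            # optional body length limit: only the first l bytes are hashed
        canonical = canonical[: int(tags["l"])]
    digest = hashlib.new(algo, canonical).digest()
    expected = base64.b64decode(tags.get("bh", ""))
    if not hmac.compare_digest(digest, expected):
        return False, "body hash mismatch: body modified after signing"
    return True, f"bh matches ({algo}, body canonicalization {body_mode})"


# Constructed sample message (not a real signed mail): bh= is computed by body_hash()
# above and b= is a placeholder because signature verification needs the public key.
BODY = b"Hello,\r\n\r\nPlease review the attached report.   \r\n\r\n\r\n"
MESSAGE = (
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=default;\r\n"
    b"\tc=relaxed/relaxed; h=from:to:subject; bh=" + body_hash(BODY).encode() + b";\r\n"
    b"\tb=PLACEHOLDER\r\n"
    b"From: alice@example.com\r\n"
    b"To: bob@example.net\r\n"
    b"Subject: Report\r\n"
    b"\r\n" + BODY
)
TAMPERED = MESSAGE.replace(b"attached report", b"attached invoice")

if __name__ == "__main__":
    print(verify_body_hash(MESSAGE))
    print(verify_body_hash(TAMPERED))
```

Relaxed canonicalization is what lets a message survive a relay that rewraps trailing whitespace or adds blank lines at the end: those edits do not change the canonical body, so bh= still matches, while any change to the words does.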
Implementing DKIM
To implement DKIM for your domain, follow these steps:
- Generate a public-private key pair using a tool like OpenSSL.
- Publish the public key in your domain's DNS as a TXT record with a selector prefix (e.g., default._domainkey.example.com).
- Configure your mail server to sign outgoing emails using the private key.
- Test your DKIM implementation using a tool like MXToolbox or mail-tester.com.
Here's an example of a DKIM DNS record:
default._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHEfMCPyTS2ImOv5wN9lRnePgcq0lQ6i9Rd5k1JHto/AzdPexDQ8bF4Tm0PtWFmHDQ5wRnJXqNxDoVnx8EHFoRZrJU7N5wDVyKXNKsIQdLVqNPLLF9Bjb7uHAVVlFZymaLwVxqWdORKJ5Dn6oNMDuSBpKhNFmBc3UNo6lT3HNKQIDAQAB"
SPF and DKIM: Better Together
While SPF and DKIM are powerful tools on their own, they work best when used together. SPF verifies the sender's identity at the server level, while DKIM verifies the authenticity and integrity of the email content itself. By implementing both, you can provide a more comprehensive level of email authentication and security.
The following diagram shows how SPF and DKIM work together to authenticate an email message:
DMARC: Tying It All Together
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds upon SPF and DKIM to provide domain owners with a clear way to specify their email authentication policies and receive reports on the results.
How DMARC Works
- Domain owners publish a DMARC policy in their DNS as a TXT record.
- When an email is received, the recipient's mail server performs SPF and DKIM checks and compares the results to the sender's DMARC policy.
- Based on the DMARC policy, the receiving server takes the specified action (e.g., deliver, quarantine, or reject) and sends a report to the domain owner.
- Domain owners can use DMARC reports to monitor their email authentication results and identify potential security issues.
Here's an example of a DMARC record:
_dmarc.example.com IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensics@example.com; fo=1; adkim=s; aspf=s;"
This DMARC record specifies the following policies:
- p=reject: Emails that fail both SPF and DKIM should be rejected
- rua=mailto:dmarc-reports@example.com: Aggregate reports should be sent to the specified email address
- ruf=mailto:dmarc-forensics@example.com: Forensic reports should be sent to the specified email address
- fo=1: Forensic reports should be generated for all failures (a report is requested whenever either SPF or DKIM fails to produce an aligned pass, not only when both fail)
- adkim=s and aspf=s: Strict alignment should be used for DKIM and SPF checks
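The record explanation above and the implementation steps that follow both come down to one decision a receiver makes per message: does an SPF or DKIM pass align with the From domain, and if not, what does p= (or sp=) say to do. The added example below (written for this guide, not code from the original article or from any DMARC implementation) parses the record from the text, applies strict or relaxed alignment, picks the disposition, and decides whether fo= asks for a failure report. It assumes a simplified organizational-domain rule (last two labels) where real receivers consult the Public Suffix List, and it leaves out pct= sampling and the d/s failure-report options.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; raise ValueError if it is not one."""
    tags = {}
    for item in record.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    return tags


def organizational_domain(domain):
    """Simplified organizational domain: the last two labels.
    Caveat (assumption): real receivers use the Public Suffix List, so a name
    such as example.co.uk would be handled wrongly by this shortcut."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' needs an exact match, 'r' the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate_dmarc(record, policy_domain, from_domain,
                   spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply a DMARC record to one message's SPF and DKIM results.

    policy_domain - domain the record was published under (_dmarc.<policy_domain>)
    from_domain   - domain of the RFC5322.From header
    spf_domain    - domain SPF authenticated (MAIL FROM or HELO)
    dkim_domain   - d= of a DKIM signature that verified, or None
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok

    # sp= overrides p= when the From domain is a subdomain of the policy domain
    policy = tags["p"]
    if from_domain.lower() != policy_domain.lower() and "sp" in tags:
        policy = tags["sp"]

    # fo=1: report if any mechanism missed an aligned pass; fo=0: only if both did
    fo = set(tags.get("fo", "0").split(":"))
    wants_report = ("1" in fo and not (spf_ok and dkim_ok)) or ("0" in fo and not passed)

    return {
        "result": "pass" if passed else "fail",
        "disposition": "none" if passed else policy,
        "failure_report": bool(tags.get("ruf")) and wants_report,
        "aggregate_report_to": tags.get("rua"),
    }


# The record from the text, reused as the constructed test input.
RECORD = ("v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; "
          "ruf=mailto:dmarc-forensics@example.com; fo=1; adkim=s; aspf=s;")

if __name__ == "__main__":
    # SPF passed for a bounce subdomain, no DKIM: strict aspf=s means no alignment
    print(evaluate_dmarc(RECORD, "example.com", "example.com",
                         "pass", "bounce.example.com", "fail", None))
```

The strict-alignment case is the one that surprises people during rollout: a perfectly valid SPF pass for bounce.example.com counts for nothing under aspf=s when the From header says example.com, which is exactly why monitoring with p=none before moving to p=reject matters.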
The following diagram illustrates the complete DMARC process, from policy publication to reporting:
Implementing DMARC
To implement DMARC for your domain, follow these steps:
- Ensure that you have SPF and DKIM properly set up for your domain.
- Decide on your DMARC policy (e.g., none, quarantine, or reject) and reporting preferences.
- Create a DMARC record with your chosen policy and reporting settings, and publish it in your DNS as a TXT record at _dmarc.yourdomain.com.
- Monitor your DMARC reports to track your email authentication results and identify any issues.
It is recommended to start with a none policy and gradually move to quarantine and reject as you gain confidence in your SPF and DKIM setup. This can help you avoid accidentally blocking legitimate emails.
Best Practices for Email Authentication
To ensure the most effective email authentication and security, consider the following best practices:
- Implement SPF, DKIM, and DMARC for all domains you use to send email
- Use strict alignment for SPF and DKIM checks in your DMARC policy
- Monitor your DMARC reports regularly and act on any issues identified
- Keep your SPF and DKIM records up to date as your email infrastructure changes
- Use strong, unique DKIM keys for each domain and rotate them periodically
- Educate your users about email security best practices, such as identifying and reporting suspicious emails
Case Study: Implementing Email Authentication at Example Inc.
To illustrate the benefits of comprehensive email authentication, let's look at a case study of Example Inc., a mid-sized company that recently implemented SPF, DKIM, and DMARC.
Before implementing email authentication, Example Inc. was experiencing a high volume of spoofed emails targeting their customers and employees. These emails, which appeared to come from Example Inc.'s domain, contained phishing links and malware attachments, damaging the company's reputation and putting their users at risk.
To address this issue, Example Inc. followed these steps:
- Implemented SPF by identifying all authorized mail servers and creating an SPF record for their domain
- Set up DKIM by generating key pairs for each domain, publishing the public keys in DNS, and configuring their mail servers to sign outgoing emails
- Published a DMARC record with a p=none policy to start monitoring their email authentication results
- Gradually moved to a p=quarantine and then a p=reject policy as they refined their SPF and DKIM configuration
As a result of implementing email authentication, Example Inc. saw a significant reduction in spoofed emails and an improvement in their email deliverability. They also gained valuable insights into their email traffic through DMARC reports, allowing them to identify and address potential security issues more quickly.
The following chart shows the decrease in spoofed emails and increase in DMARC compliance after Example Inc. implemented email authentication:
Conclusion and Next Steps
Email authentication is a crucial aspect of modern email security, helping protect both senders and recipients from spoofing, phishing, and other email-based threats. By implementing SPF, DKIM, and DMARC, you can significantly improve your email security posture and protect your reputation as an email sender.
To get started with email authentication, follow these steps:
- Assess your current email infrastructure and identify all authorized mail servers and sending domains
- Implement SPF by creating SPF records for each sending domain
- Set up DKIM by generating key pairs, publishing public keys in DNS, and configuring your mail servers to sign outgoing emails
- Publish a DMARC record with a p=none policy to start monitoring your email authentication results
- Gradually move to a p=quarantine and then a p=reject policy as you refine your SPF and D