What are best practices and costs for implementing DKIM, SPF, and DMARC?

Summary

Implementing DKIM, SPF, and DMARC requires careful planning, understanding of costs, and adherence to best practices. A missing DMARC record can negatively impact DMARC reporting. The implementation should ideally start with a 'p=none' policy for monitoring and identifying authentication gaps, even though this setting incurs costs related to reporting and management. A phased approach is advised: ensure mail authentication, implement 'p=none', and then move to 'p=quarantine pct=0'. The correct DMARC setup can be expensive, varying significantly depending on the business size and complexity, potentially reaching tens of thousands of dollars. Moving beyond the 'p=none' policy involves substantial costs for process development, vendor management, and continuous monitoring. SPF records prevent email forgery by specifying authorized mail servers, improving email classification. DMARC policies protect the domain by instructing receivers on handling authentication failures, while DKIM adds an encrypted signature for verifying email integrity. Proper alignment between SPF and DKIM is crucial for the correct functioning of DMARC. SPF hard fail signifies an unauthorized sending host, likely resulting in spam classification.

Key findings

  • Missing DMARC Issues: A missing DMARC record can impact reporting.
  • Start with p=none: Initial DMARC implementation should begin with a 'p=none' policy.
  • Hidden p=none Costs: Even with 'p=none', there are costs for setup and maintenance.
  • Phased Approach: Implement in phases: authentication, 'p=none', 'p=quarantine'.
  • DMARC Expense: Correct DMARC implementation is expensive.
  • Size Matters: Costs vary by business size and complexity.
  • Moving Beyond None: Significant costs for process, vendors, monitoring beyond 'p=none'.
  • SPF Prevention: SPF records prevent email forgery.
  • DMARC Protection: DMARC protects the domain and instructs receivers.
  • DKIM Integrity: DKIM ensures email integrity.
  • SPF, DKIM Alignment: Proper SPF/DKIM alignment crucial for DMARC.
  • Hard Fail Impact: SPF hard fail indicates an unauthorized host.

Key considerations

  • DMARC Presence: Ensure a DMARC record is present for accurate reporting.
  • Phased Deployment: Follow a phased deployment for thoroughness.
  • Budgeting: Budget adequately for DMARC implementation.
  • Scalability: Account for costs associated with business size.
  • Comprehensive Planning: Plan for costs beyond 'p=none': process, vendors, monitoring.
  • Protect Against Forgery: Implement SPF to prevent email forgery.
  • Policy Definition: Define DMARC policy to safeguard domain.
  • Email Integrity: Use DKIM to ensure email integrity.
  • DNS Configuration: SPF and DKIM configurations need careful planning.
  • Consider DMARC p=none: Consider the costs of a 'p=none' policy when first implementing DMARC.

What email marketers say
8 Marketer opinions

Implementing DKIM, SPF, and DMARC involves several best practices and cost considerations. DMARC reporting provides visibility into email authentication issues, while costs vary based on organizational size and complexity, ranging from a few hundred to several thousand dollars per month. SPF implementation should include only authorized sending sources and a single record per domain. Monitoring DMARC reports is vital for addressing authentication problems and preventing domain spoofing. A phased DMARC setup, starting with a 'p=none' policy, is recommended. SPF helps prevent address forging by specifying authorized mail servers, and DKIM ensures email integrity. Proper alignment between SPF and DKIM is crucial for effective DMARC implementation.
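
The alignment requirement mentioned above decides whether a message that passes SPF or DKIM also passes DMARC. The following is an added example, not code from this page or from any of the sources it cites. The function names, the sample mail streams and the small public-suffix set are assumptions made for illustration.

```python
# Added example: DMARC identifier alignment on constructed authentication results.

# Assumption: a tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

def org_domain(domain):
    """Organizational domain: the longest known public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])

def aligned(from_domain, auth_domain, mode):
    """mode 's' needs an exact match; mode 'r' compares organizational domains."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_result(from_domain, spf, dkim, aspf="r", adkim="r"):
    """spf is (result, MAIL FROM domain); dkim is a list of (result, d= domain)."""
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], aspf)
    dkim_ok = any(r == "pass" and aligned(from_domain, d, adkim) for r, d in dkim)
    return {"spf": spf_ok, "dkim": dkim_ok, "dmarc": "pass" if spf_ok or dkim_ok else "fail"}

# Constructed cases (hypothetical mail streams, reserved example domains).
CASES = {
    "own-servers": ("news.example.com", ("pass", "bounce.example.com"), [("pass", "example.com")]),
    "vendor-unaligned": ("example.com", ("pass", "bounces.example.net"), [("pass", "example.net")]),
    "forwarded": ("example.com", ("fail", "example.com"), [("pass", "mail.example.com")]),
}

def evaluate(name, aspf="r", adkim="r"):
    """Evaluate one constructed case under the given alignment modes."""
    from_domain, spf, dkim = CASES[name]
    return dmarc_result(from_domain, spf, dkim, aspf, adkim)

if __name__ == "__main__":
    for name in CASES:
        print(name, evaluate(name), evaluate(name, "s", "s"))
```

The "vendor-unaligned" case is the one a 'p=none' monitoring period is meant to surface: both SPF and DKIM pass, but for the vendor's domain rather than the domain in the 'From' address.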

Key opinions

  • DMARC Reporting: DMARC reporting helps identify authentication issues and provides visibility into email traffic.
  • Cost Variation: DMARC implementation costs vary based on organizational size and complexity.
  • SPF Best Practice: SPF should only include authorized sending sources and maintain a single record per domain.
  • DMARC Monitoring: Monitoring DMARC reports is essential for addressing authentication problems and preventing spoofing.
  • Phased DMARC Setup: Start with a 'p=none' policy when setting up DMARC.
  • SPF Purpose: SPF helps prevent email address forging by specifying authorized mail servers.
  • DKIM Integrity: DKIM ensures email integrity by verifying that the content hasn't been altered.
  • DMARC Alignment: Proper alignment between SPF and DKIM is crucial for effective DMARC implementation.

Key considerations

  • Implementation Costs: Consider the cost of implementation, which can vary from a few hundred to several thousand dollars per month.
  • Complexity Assessment: Assess the complexity of your email infrastructure to determine the resources needed for DMARC implementation.
  • Monitoring Resources: Allocate resources for continuous monitoring and analysis of DMARC reports.
  • Phased Rollout Planning: Plan a phased rollout of DMARC policies, starting with monitoring before enforcement.
  • SPF Configuration: Carefully configure SPF records to accurately reflect authorized sending sources.
  • Vendor Management: Consider costs associated with managing vendors and systems that send email on your behalf, including their compliance with authentication standards.
  • Resource Allocation: Factor in the time and expertise required for configuring and maintaining DKIM, SPF, and DMARC records.
Marketer view

Email marketer from Mailjet explains that a best practice for SPF implementation is to only include the domains and IP addresses from which you actually send email. Also, ensure you only have one SPF record per domain.

June 2023 - Mailjet
Marketer view

Email marketer from SparkPost stresses that proper alignment between SPF and DKIM is essential for DMARC to function correctly. Your 'From' address domain must match the domain used for SPF and DKIM validation.

May 2023 - SparkPost
Marketer view

Marketer from Email Geeks shares that DMARC reporting allows you to identify mailstreams and where you aren't being authenticated against your domain, providing visibility to where mail providers see your mail coming from and how it's being authenticated.

April 2024 - Email Geeks
Marketer view

Email marketer from EasyDMARC shares that DMARC implementation costs can vary widely depending on factors like the size of your organization, the complexity of your email infrastructure, and whether you choose to implement DMARC yourself or use a managed service. Costs can range from a few hundred dollars per month to several thousand.

March 2022 - EasyDMARC
Marketer view

Email marketer from StackExchange notes that DKIM provides email integrity by verifying that the content of the email hasn't been altered during transit, in addition to authenticating the sender.

December 2023 - StackExchange
Marketer view

Email marketer from MXToolbox explains that SPF (Sender Policy Framework) allows you to specify which mail servers are authorized to send email on behalf of your domain. This helps prevent spammers from forging your email address.

December 2022 - MXToolbox
Marketer view

Email marketer from Validity shares that monitoring DMARC reports is crucial for identifying and addressing authentication issues. This helps ensure legitimate emails are properly authenticated and prevents malicious actors from spoofing your domain.

November 2024 - Validity
Marketer view

Email marketer from Reddit shares that when setting up DMARC, it's best to start with a policy of 'p=none' to monitor your email traffic and identify any issues before enforcing stricter policies like 'quarantine' or 'reject'.

January 2024 - Reddit

What the experts say
9 Expert opinions

Implementing DKIM, SPF, and DMARC involves careful planning and consideration of costs. A missing DMARC record can lead to reporting issues. It's advisable to initiate DMARC implementation with a 'p=none' policy to avoid unexpected problems. Setting 'p=none' still has costs related to reporting and management. Before any DMARC record, ensure all mail is authenticated, then use 'p=none' to identify unknowns, followed by 'p=quarantine pct=0' for further discovery. Implementing DMARC correctly can be expensive, with costs relative to business size and complexity, potentially reaching significant figures. When moving beyond 'p=none', there are considerable costs for process development, vendor management, and monitoring. SPF hard fails indicate unauthorized sending hosts and can result in spam classification.
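
The phased rollout and the one-SPF-record rule described on this page can be checked mechanically from a domain's TXT records. The following is an added example, not code from this page or from any of the sources it cites. It runs offline on constructed records, and the function names, phase labels and sample zones are assumptions.

```python
# Added example: offline audit of constructed TXT records (no DNS lookups).

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(txt_records):
    """Check the one-record rule and report the qualifier on the 'all' term."""
    spf = [r for r in txt_records if r.lower().split(" ")[0] == "v=spf1"]
    if len(spf) != 1:
        return {"records": len(spf), "usable": False, "all": None}
    terms = spf[0].lower().split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    return {"records": 1, "usable": True, "all": all_term}

def dmarc_phase(dmarc_txt):
    """Map the TXT records at _dmarc.<domain> onto the rollout phases."""
    records = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if len(records) != 1:
        return "no-usable-record", []
    tags = parse_tags(records[0])
    policy = tags.get("p", "").lower()
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    notes = [] if "rua" in tags else ["no rua= address: aggregate reports are not requested"]
    if policy == "quarantine" and pct == 0:
        return "discovery", notes
    phase = {"none": "monitor", "quarantine": "enforcing", "reject": "enforcing"}
    return phase.get(policy, "invalid-policy"), notes

# Constructed sample zones (example.com and 192.0.2.0/24 are reserved for documentation).
ZONES = {
    "two-spf": (["v=spf1 ip4:192.0.2.10 -all", "v=spf1 include:_spf.example.net ~all"],
                ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]),
    "step-two": (["v=spf1 ip4:192.0.2.10 -all"],
                 ["v=DMARC1; p=quarantine; pct=0; rua=mailto:dmarc@example.com"]),
    "silent": (["v=spf1 ip4:192.0.2.10 ~all"], ["v=DMARC1; p=none"]),
    "missing": (["v=spf1 ip4:192.0.2.10 -all"], []),
}

def audit(name):
    """Return (SPF findings, (DMARC phase, notes)) for one constructed zone."""
    spf_txt, dmarc_txt = ZONES[name]
    return audit_spf(spf_txt), dmarc_phase(dmarc_txt)
```

The "silent" zone publishes 'p=none' without a report address, so it sits in the monitoring phase without producing any of the reports that phase exists to collect.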

Key opinions

  • DMARC Record Importance: A missing DMARC record can cause issues with DMARC reporting.
  • Initial DMARC Policy: Start DMARC implementation with a 'p=none' policy to avoid surprises.
  • Cost of 'p=none': Even with 'p=none', there are costs for reporting system setup and maintenance.
  • Phased Implementation: Implement DMARC in phases: authentication check, 'p=none', then 'p=quarantine pct=0'.
  • DMARC Expense: Correct DMARC implementation can be expensive.
  • Cost Relativity: Costs are relative to business size and complexity.
  • Beyond 'p=none' Costs: Moving past 'p=none' entails considerable costs for process, vendors, and monitoring.
  • SPF Hard Fail: SPF hard fail indicates an unauthorized sending host.

Key considerations

  • Missing DMARC Impact: Ensure a DMARC record is present to avoid reporting issues.
  • 'p=none' Benefits: Utilize 'p=none' initially to monitor and identify authentication gaps.
  • Hidden Costs: Account for the costs associated with reporting and management, even with 'p=none'.
  • Phased Approach: Follow a phased implementation for thoroughness.
  • DMARC Budget: Budget adequately for correct DMARC implementation.
  • Scalability: Recognize the cost implications related to business size and complexity.
  • Expanded Costs: Plan for process, vendor, and monitoring costs when moving past 'p=none'.
  • SPF Hard Fail Implications: Understand the implications of SPF hard fails on deliverability.
Expert view

Expert from Email Geeks explains that before setting any DMARC record, you should do a round of "is all our mail authenticated?" then go p=none to find whatever bits you didn’t know about, then go p=quarantine pct=0 and discover the next set of mail you didn’t know about.

May 2024 - Email Geeks
Expert view

Expert from Email Geeks advises starting DMARC with p=none to avoid unpleasant surprises.

March 2025 - Email Geeks
Expert view

Expert from Email Geeks explains that not seeing a DMARC record for intouchhealth.com might explain the 0% DMARC reporting.

February 2024 - Email Geeks
Expert view

Expert from Email Geeks shares that setting p=none has a significant cost associated with either paying someone to create/maintain a reporting system or paying a 3rd party provider to manage the mail, including the ongoing cost of someone reviewing reports and acting on identified problems.

April 2021 - Email Geeks
Expert view

Expert from Email Geeks explains that cost is relative to the size and complexity of the business; simple for an individual, potentially costly and time-consuming for a large corporation.

August 2021 - Email Geeks
Expert view

Expert from Email Geeks calculated it would cost around $40K to do DMARC here at WttW.

August 2024 - Email Geeks
Expert view

Expert from Word to the Wise emphasizes that implementing DMARC, especially moving beyond a 'p=none' policy, involves significant costs related to process development, vendor management, and ongoing monitoring. Companies should carefully consider the value of stricter DMARC policies against these costs.

July 2022 - Word to the Wise
Expert view

Expert from Email Geeks states it is expensive to implement DMARC correctly.

March 2024 - Email Geeks
Expert view

Expert from Spamresource.com explains that the SPF hard fail mechanism indicates that a host is definitively not authorized to send mail for a domain and will likely be marked as spam.

June 2023 - Spamresource.com

What the documentation says
4 Technical articles

Implementing DKIM, SPF, and DMARC is crucial for email security and deliverability. SPF records prevent spammers from forging 'From' addresses, increasing the likelihood that your emails are correctly classified and not marked as spam. DMARC policies allow senders to indicate that their emails are protected by SPF and/or DKIM, instructing receivers on how to handle messages that fail authentication (e.g., junk or reject). DKIM adds an encrypted digital signature, enabling receiving servers to verify the message's origin and authenticity. A DMARC record, a TXT record in your DNS, informs receiving mail servers on actions to take when emails fail SPF or DKIM checks.

Key findings

  • SPF Prevents Forgery: SPF records prevent spammers from using forged 'From' addresses.
  • SPF Improves Classification: SPF compliance increases the chance of emails being correctly classified and not marked as spam.
  • DMARC Policy Protection: DMARC policies indicate email protection by SPF/DKIM.
  • DMARC Handling Instructions: DMARC instructs receivers on handling failed authentication.
  • DKIM Verification: DKIM adds a signature to verify the message's origin and authenticity.
  • DMARC DNS Record: DMARC is implemented via a TXT record in DNS.

Key considerations

  • SPF Implementation: Implement SPF to prevent address forging and improve deliverability.
  • DMARC Policy Definition: Define a DMARC policy to protect your domain and provide instructions to receivers.
  • DKIM Configuration: Configure DKIM to add digital signatures to outgoing emails.
  • DMARC Record Creation: Create a DMARC TXT record in your DNS zone.
  • Testing: Test your implementation before going live.
  • Consider DNS Changes: Be careful when making changes to DNS, as this can affect your mail delivery.
Technical article

Documentation from Google explains that SPF records can prevent spammers from sending messages with forged 'From' addresses at your domain. When a receiving mail server checks that messages from your domain comply with the SPF record, messages are more likely to be correctly classified and not marked as spam.

September 2022 - Google
Technical article

Documentation from Cloudflare explains that a DMARC record is a TXT record in your DNS that tells receiving mail servers what to do with emails that fail SPF or DKIM checks, such as quarantining or rejecting them.

September 2021 - Cloudflare
Technical article

Documentation from Microsoft explains that DKIM adds an encrypted digital signature to outbound email messages. This signature allows receiving email servers to verify that the message was indeed sent by your organization and wasn't spoofed.

December 2023 - Microsoft
Technical article

Documentation from DMARC.org shares that a DMARC policy enables a sender to indicate that their emails are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message.

September 2021 - DMARC.org