What are the best practices for setting up SPF, DKIM and DMARC for email authentication?
Summary
What email marketers say (19 marketer opinions)
Email marketer from Postmark recommends using tools like MXToolbox or online SPF/DKIM checkers to verify that your SPF and DKIM records are set up correctly and are valid. This helps to identify and resolve any syntax errors or configuration issues.
Email marketer from Sendinblue highlights the importance of SPF and DKIM alignment for DMARC compliance. This means that the domain used in the 'From' address must match the domain used for SPF and DKIM authentication. Alignment is crucial for passing DMARC checks.
Email marketer from Email on Acid emphasises the importance of regularly monitoring DMARC reports to identify potential authentication issues and unauthorized use of your domain. Adjustments to your SPF and DKIM records, as well as your DMARC policy, can be made based on these reports.
Email marketer from Email Marketing Forum suggests sending marketing emails from a subdomain (e.g., mail.example.com) rather than the primary domain (example.com). This isolates the reputation of marketing emails from transactional emails, protecting the main domain's reputation.
Email marketer from Mailjet shares that implementing SPF, DKIM, and DMARC not only enhances your sender reputation but also improves email deliverability. A correct implementation helps to prevent your emails from being marked as spam, ensuring they reach the intended recipients.
Marketer from Email Geeks advises ensuring authentication passes alignment tests with at least one domain matching the visible 'from' and recommends DKIM as the easiest and most universal solution.
Email marketer from Reddit suggests starting with a DMARC policy of 'p=none' to monitor email traffic and identify legitimate sending sources before enforcing stricter policies like 'p=quarantine' or 'p=reject'. This reduces the risk of blocking legitimate emails.
Email marketer from GlockApps suggests working with third-party senders to ensure they support SPF and DKIM authentication with your domain. If they don't, consider using a different provider or implementing a dedicated sending domain for those services.
Email marketer from Cloudflare advises keeping your SPF record below the 10 DNS lookup limit by using 'include' mechanisms sparingly. Too many lookups can cause SPF checks to fail, impacting deliverability.
Marketer from Email Geeks explains that p=none is a valid interim step for DMARC, especially with a monitored rua mailbox for auditing authentication practices.
Email marketer from ProofPoint advocates for implementing BIMI (Brand Indicators for Message Identification) after setting up SPF, DKIM, and DMARC. BIMI allows your brand logo to be displayed in the inbox, increasing brand recognition and trust.
Marketer from Email Geeks states email traffic should always be authenticated.
Email marketer from SparkPost advises implementing SPF first, then DKIM, and finally DMARC. This allows you to gradually test and monitor your authentication setup before moving to a stricter DMARC policy.
Marketer from Email Geeks says every sender should configure custom DKIM records at their ESP and that DMARC none is a stepping stone to DMARC reject.
Marketer from Email Geeks points out that of MailChimp, MailerLite, ConvertKit, and Active Campaign, only ConvertKit supports alignment of Return-Path and visible From: address, so only ConvertKit needs an SPF record. Everything else just needs DKIM.
Marketer from Email Geeks says monitoring DMARC (p=none) provides reporting to remediate missed authentication problems and identifies shadow IT.
Marketer from Email Geeks strongly recommends implementing DKIM on the same domain to provide DKIM domain alignment and DMARC compliance.
Marketer from Email Geeks recommends setting up authentication and reviewing it for correctness, especially SPF, and cautions against relying solely on free online testing sites.
Marketer from Email Geeks says to include sending sources you want to authorize, exclude those you don't, limit the number of inclusions, and have only one SPF record.
What the experts say (6 expert opinions)
Expert from Email Geeks outlines the authentication setup: SPF for envelope from, DKIM for mail from domain, and DMARC for the client domain; suggests starting with p=none and moving to quarantine/reject.
Expert from Spamresource.com explains that DMARC allows domain owners to tell receiving mail systems what to do with email that fails authentication. You can tell the receiving server to reject the message, to quarantine it or to do nothing. DMARC also provides a feedback loop that allows domain owners to receive reports about mail that is using their domain name. This feedback loop is critical.
Expert from Spamresource.com explains that your SPF record needs to include all possible sending sources. This commonly includes your office IP address, any mailservers on your network, and also mailservers your ESP uses. If you do not include the ESP mailserver in your SPF record, many recipients will reject your email.
Expert from Spamresource.com shares that DKIM implementations usually require that you generate a public and private key. The public key goes into your DNS record. When you send a message, the email server then signs the outgoing message using the private key. The recipient server can then verify the signature by looking up the public key.
Expert from Wordtothewise.com emphasizes that you should never have multiple SPF records. Instead, consolidate all SPF mechanisms into a single record to avoid authentication failures.
Expert from Email Geeks suggests looking at alignment for authentication, setting up custom DKIM domains, and indicates every competent ESP signs with DKIM and authenticates with SPF.
What the documentation says (5 technical articles)
Documentation from Microsoft Defender explains that DKIM lets you add a digital signature to outgoing email messages. This signature is verified by receiving email servers to confirm that the message wasn't forged or altered in transit.
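The DKIM mechanics described by Spamresource.com and Microsoft above (sign with the private key, verify by looking up the public key) have a cheaper first step that is worth seeing in code: the bh= tag in DKIM-Signature is a hash of the canonicalized body, and a verifier compares it before spending an RSA operation on b=. The following is an added example written for this page, not code from any of the sources quoted. It implements RFC 6376 "relaxed" body canonicalization and the bh= comparison with the Python standard library only; the message, the d=example.com / s=sel1 values and the b=PLACEHOLDER tag are constructed (producing a real b= needs the signer's private key, which is out of scope here).

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization:
    CRLF line endings, WSP runs inside a line collapsed to one SP, trailing WSP
    removed, trailing empty lines dropped, non-empty body ends in exactly one CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """The value a signer puts in bh= for a=rsa-sha256 with relaxed body canonicalization."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_dkim_tags(header_value: str) -> dict:
    """Tag=value list of a DKIM-Signature header (RFC 6376 section 3.2); folding
    whitespace inside values is dropped, which is how verifiers read bh= and b=."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            name, value = part.split("=", 1)
            tags[name.strip()] = re.sub(r"\s+", "", value)
    return tags


def verify_body_hash(raw_message: bytes) -> bool:
    """True when bh= matches the hash of the canonicalized body.

    This is the cheap check a verifier runs before the signature check on b=;
    a mismatch means the body was modified after signing (or hashed with a
    different canonicalization), so the signature check can be skipped.
    """
    head, _, body = raw_message.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode("ascii", "replace")
    sig = next((h.split(":", 1)[1] for h in unfolded.split("\r\n")
                if h.lower().startswith("dkim-signature:")), None)
    if sig is None:
        return False
    tags = parse_dkim_tags(sig)
    # this example only handles a sha256 hash with relaxed body canonicalization
    if not tags.get("a", "").endswith("-sha256"):
        return False
    if not tags.get("c", "simple/simple").endswith("/relaxed"):
        return False
    return tags.get("bh") == body_hash(body)


# Constructed sample (not a real capture). d=, s= and the addresses are placeholders;
# b= is a dummy because producing it needs the signer's private key.
SAMPLE_BODY = b"Hello   team,\r\n\r\nPlease review the  Q3 numbers.  \r\n\r\n\r\n"


def build_message(body: bytes, bh: str) -> bytes:
    return (
        b"From: billing@example.com\r\n"
        b"To: customer@example.net\r\n"
        b"Subject: Invoice\r\n"
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
        b"\th=From:To:Subject; bh=" + bh.encode() + b";\r\n"
        b"\tb=PLACEHOLDER\r\n"
        b"\r\n" + body
    )


if __name__ == "__main__":
    signed = build_message(SAMPLE_BODY, body_hash(SAMPLE_BODY))
    print("intact body:", verify_body_hash(signed))
    print("tampered body:", verify_body_hash(signed.replace(b"Q3", b"Q4")))
```

Relaxed canonicalization is what makes DKIM survive the whitespace rewriting that mailing-list software and some MTAs do; the same check with c=simple would fail on the trailing blank lines in the sample body. When a DMARC report shows DKIM failing for mail you know you sent, comparing bh= this way tells you whether the body was altered in transit or the key/selector is the problem.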
Documentation from Google Workspace Admin Help explains that an SPF record is a TXT record that lists all the servers authorized to send email from your domain. It is created at your domain registrar. It helps prevent spammers from forging the 'From' addresses on your messages.
Documentation from DMARC.org explains that DMARC builds upon SPF and DKIM by adding a reporting function that allows domain owners to receive feedback about emails using their domain, even those sent by unauthorized sources. It allows domain owners to specify how receiving mail servers should handle messages that fail authentication checks (none, quarantine, reject).
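Several of the opinions above (Sendinblue on alignment, the Reddit and Email Geeks advice to start at p=none, Spamresource.com and DMARC.org on dispositions) describe the same decision procedure a receiver runs. As an added example for this page, not code from DMARC.org or any of the people quoted, the block below evaluates one message against a DMARC record: it checks SPF and DKIM identifier alignment in strict and relaxed mode, picks p= or sp= depending on whether the From domain is a subdomain, and returns the disposition and the rua= address that would receive the report. The organizational-domain logic is a deliberate simplification (a two-entry stand-in for the Public Suffix List), the record is assumed to be published at the organizational domain, and esp-mail.example is a hypothetical ESP.

```python
# Stand-in for the Public Suffix List (https://publicsuffix.org). Real evaluators
# load the full list; this constructed set only covers the sample domains below.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def org_domain(domain: str) -> str:
    """Organizational domain as DMARC uses it (RFC 7489 section 3.2), simplified."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) > 2 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """RFC 7489 section 3.1: strict ('s') needs an exact match with the
    RFC5322.From domain, relaxed ('r') only the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record, filling in the RFC 7489 defaults for adkim/aspf."""
    tags = {"adkim": "r", "aspf": "r", "rua": ""}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in {"none", "quarantine", "reject"}:
        raise ValueError("not a valid DMARC record")
    return tags


def evaluate(from_domain: str, spf: tuple, dkim: list, record: str) -> dict:
    """DMARC outcome for one message.

    from_domain -- domain of the visible RFC5322.From header
    spf         -- (result, domain): the MAIL FROM / Return-Path domain SPF checked
    dkim        -- [(result, d= domain), ...], one entry per DKIM-Signature verified
    record      -- DMARC record, assumed published at org_domain(from_domain)

    Returns which identifier aligned, the DMARC result and the disposition the
    receiver applies, so the caller can see why a message passed or failed.
    """
    policy = parse_dmarc(record)
    spf_result, spf_domain = spf
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = any(r == "pass" and aligned(d, from_domain, policy["adkim"]) for r, d in dkim)
    passed = spf_ok or dkim_ok
    # mail from a subdomain of the publishing domain uses sp= when present, else p=
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    applied = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return {
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "disposition": "none" if passed else applied,
        "report_to": policy["rua"],
    }


# Constructed scenarios; esp-mail.example is a hypothetical ESP whose bounce and
# default DKIM domains are its own rather than the customer's.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCE = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

SCENARIOS = {
    # ESP signs with the customer's own DKIM domain: passes although SPF is the ESP's
    "custom_dkim": evaluate("example.com", ("pass", "bounce.esp-mail.example"),
                            [("pass", "example.com")], ENFORCE),
    # ESP signs with its default domain and SPF is its bounce domain: nothing aligns
    "esp_default_dkim": evaluate("example.com", ("pass", "bounce.esp-mail.example"),
                                 [("pass", "esp-mail.example")], ENFORCE),
    # same failure under p=none: delivered, but reported to rua=
    "esp_default_dkim_monitor": evaluate("example.com", ("pass", "bounce.esp-mail.example"),
                                         [("pass", "esp-mail.example")], MONITOR),
    # subdomain From with parent-domain DKIM: fine under relaxed, fails under adkim=s
    "subdomain_relaxed": evaluate("news.example.com", ("none", ""), [("pass", "example.com")],
                                  "v=DMARC1; p=reject; adkim=r"),
    "subdomain_strict": evaluate("news.example.com", ("none", ""), [("pass", "example.com")], ENFORCE),
}

if __name__ == "__main__":
    for name, outcome in SCENARIOS.items():
        print(f"{name:26s} dmarc={outcome['dmarc']:4s} disposition={outcome['disposition']}")
```

The "esp_default_dkim" scenario is the case the Email Geeks contributors warn about: SPF passes on the ESP's bounce domain and DKIM passes on the ESP's default signing domain, yet the message fails DMARC because neither identifier aligns with the visible From domain. Under p=none it is still delivered and shows up in the aggregate reports, which is why monitoring first finds these senders before a move to quarantine or reject would block them.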
Documentation from AuthSMTP recommends using a DKIM key size of at least 2048 bits for improved security. While 1024-bit keys are still supported, they are considered less secure and may not be sufficient in the future.
Documentation from RFC explains that proper syntax for SPF records involves using the 'v=spf1' version tag, followed by mechanisms like 'include', 'a', 'mx', 'ip4', 'ip6', and qualifiers like '+', '-', '~', '?', ending with an 'all' mechanism to specify how to handle non-matching emails.
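The SPF advice collected above (Cloudflare on the 10-lookup limit, Email Geeks and Wordtothewise.com on publishing exactly one record, the RFC summary of the syntax) is easiest to check with a script that walks the record the way a receiver does. The block below is an added example for this page, not code from any of the quoted sources or from the RFC. It parses v=spf1 terms into qualifier, mechanism, argument and CIDR, follows include: and redirect= through a constructed zone that stands in for live DNS, counts the terms RFC 7208 section 4.6.4 charges as DNS lookups, and flags the common misconfigurations (multiple records, missing all, +all, ptr, loops). All vendor domains in the zone are hypothetical.

```python
import re

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # plus the redirect= modifier
TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?::(.*?))?(/[0-9/]+)?$", re.I)
MODIFIER = re.compile(r"^([a-z][a-z0-9_.-]*)=(.*)$", re.I)


def parse_spf(record: str):
    """Split an SPF record into (qualifier, mechanism, argument, cidr) tuples and a
    dict of modifiers such as redirect= and exp=. A missing qualifier means '+'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF record must start with v=spf1")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        mod = MODIFIER.match(term)
        if mod:
            modifiers[mod.group(1).lower()] = mod.group(2)
            continue
        mech = TERM.match(term)
        if not mech:
            raise ValueError(f"unparseable SPF term {term!r}")
        qualifier, name, arg, cidr = mech.groups()
        mechanisms.append((qualifier or "+", name.lower(), arg, cidr))
    return mechanisms, modifiers


def audit(zone: dict, domain: str, chain: tuple = ()) -> dict:
    """Walk the SPF record for `domain` as a receiver would, following include: and
    redirect=, counting the terms that cost a DNS query (include, a, mx, ptr, exists,
    redirect; ip4/ip6/all cost nothing) and collecting the problems found."""
    if domain in chain:
        return {"lookups": 0, "problems": [f"{domain}: include/redirect loop via {' -> '.join(chain)}"]}
    records = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if not records:
        return {"lookups": 0, "problems": [f"{domain}: no SPF record (include: of it is a permerror)"]}
    problems, lookups = [], 0
    if len(records) > 1:
        problems.append(f"{domain}: {len(records)} SPF records published; receivers return permerror")
    mechanisms, modifiers = parse_spf(records[0])
    for qualifier, name, arg, _cidr in mechanisms:
        if name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "include":
            sub = audit(zone, arg, chain + (domain,))
            lookups += sub["lookups"]
            problems += sub["problems"]
        elif name == "ptr":
            problems.append(f"{domain}: ptr is deprecated by RFC 7208 and slow for receivers")
        elif name == "all" and qualifier == "+":
            problems.append(f"{domain}: +all lets any host pass SPF")
    if "redirect" in modifiers:
        lookups += 1
        sub = audit(zone, modifiers["redirect"], chain + (domain,))
        lookups += sub["lookups"]
        problems += sub["problems"]
    elif not any(name == "all" for _, name, _, _ in mechanisms):
        problems.append(f"{domain}: no all mechanism and no redirect=, unmatched senders get 'neutral'")
    if not chain and lookups > MAX_LOOKUPS:
        problems.append(f"{domain}: {lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}; receivers return permerror")
    return {"lookups": lookups, "problems": problems}


# Constructed TXT data standing in for live DNS; the vendor domains are hypothetical.
ZONE = {
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.esp-mail.example "
                    "include:spf.crm-vendor.example include:spf.helpdesk.example mx -all"],
    "_spf.esp-mail.example": ["v=spf1 include:_spf1.esp-mail.example include:_spf2.esp-mail.example ~all"],
    "_spf1.esp-mail.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_spf2.esp-mail.example": ["v=spf1 ip6:2001:db8:1::/48 -all"],
    "spf.crm-vendor.example": ["v=spf1 a mx include:_netblocks.crm-vendor.example ~all"],
    "_netblocks.crm-vendor.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "spf.helpdesk.example": ["v=spf1 redirect=_spf.helpdesk-cloud.example"],
    "_spf.helpdesk-cloud.example": ["v=spf1 a:mta1.helpdesk-cloud.example a:mta2.helpdesk-cloud.example mx ~all"],
    # two records at one name: a common misconfiguration
    "broken.example": ["v=spf1 include:_spf.esp-mail.example -all", "v=spf1 mx -all"],
    # flattened record for a dedicated sending subdomain: no lookups at all
    "mail.example.com": ["v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all"],
}

if __name__ == "__main__":
    for name in ("example.com", "broken.example", "mail.example.com"):
        result = audit(ZONE, name)
        print(f"{name}: {result['lookups']} lookups")
        for problem in result["problems"]:
            print("  -", problem)
```

Three innocent-looking include: terms for an ESP, a CRM and a helpdesk tool push example.com to 13 lookups, because each vendor's record carries its own includes, a and mx terms and, in one case, a redirect=. The usual fixes are the ones recommended above: move the bulk sender to a subdomain with its own record (mail.example.com here needs zero lookups), or replace include: terms with the vendor's published ip4/ip6 ranges where the vendor documents them as stable. To run this against real DNS, replace the ZONE lookup with a TXT query and keep the counting logic unchanged.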