Summary
ESPs recommend SPF records, even when DKIM is implemented, due to a combination of historical practices, backward compatibility, simplified implementation, and perceived improvements in deliverability and security. Many ESPs initially recommended SPF before DKIM was widely adopted, and some older systems still rely on it. SPF is also easier to understand and implement for less technical users. Furthermore, including SPF can serve as an additional layer of security and may be checked by some email providers, even if DKIM is in place, to enhance deliverability. Some recommendations also stem from a desire to manage customer expectations and to set a first step towards full DMARC implementation. However, some sources note the landscape surrounding ESP SPF recommendations and documentation can be confusing and outdated.
Key findings
- Historical Context: SPF was the primary email authentication method before DKIM's widespread adoption.
- Backward Compatibility: Older systems and some email providers still rely on SPF for authentication.
- Simplicity and Ease of Implementation: SPF is easier to understand and implement for less technical users, serving as a starting point for email authentication.
- Supplementary Security Layer: SPF can provide an additional layer of security, supplementing DKIM and DMARC implementations.
- Perceived Deliverability Benefits: Including SPF records can improve email deliverability, as some providers still check SPF, even with DKIM.
- Customer Management: Recommending SPF can help manage customer expectations and demonstrate proactive security measures.
- Initial Step to DMARC: Implementing SPF can be a first step towards broader email authentication strategies, facilitating the adoption of DMARC.
- Outdated Documentation: Many ESPs provide poor outdated documentation, leading to confusion
Key considerations
- DKIM Validation: Determine whether DKIM is properly configured and validated across different email systems.
- Evaluate Redundancy: Assess the actual benefits of SPF in conjunction with DKIM and DMARC to avoid unnecessary complexity.
- Simplifying Complex Tasks: Offer simpler documentation which is up-to-date
- Target Audience Expertise: Tailor recommendations based on the technical expertise of the target audience, simplifying authentication methods where appropriate.
- Security: Adopt a holistic security strategy combining SPF, DKIM, and DMARC.
What email marketers say
14 marketer opinions
ESPs recommend SPF records, even when DKIM is implemented, for a variety of reasons. These include historical practices, backwards compatibility with older email systems, support for less technically savvy users, and as a supplementary measure for improved deliverability and security. Many ESPs initially recommended SPF before DKIM was widely adopted. Some email servers still weigh SPF results in spam filtering, especially for smaller senders. Additionally, ESPs may recommend SPF as a way to manage customer expectations and provide a sense of security. The practice of adding SPF records may also stem from inertia in documentation or to provide IT teams more information to work with, making it a stepping stone for implementing DMARC.
Key opinions
- Historical Practices: SPF was the primary authentication method before DKIM and is still recommended by some ESPs due to legacy systems and practices.
- Backward Compatibility: Older email systems may still rely on SPF, making it necessary for compatibility with a wider range of systems.
- Ease of Understanding: SPF is considered simpler to understand and implement for less technical users compared to DKIM.
- Supplementary Security: SPF can serve as an additional layer of security, supplementing DKIM and providing defense-in-depth.
- Deliverability Improvement: Including SPF records can improve email deliverability rates, as some email providers still check SPF, even with DKIM in place.
- Customer Reassurance: Recommending SPF can reassure clients and provide a sense of security, even if DKIM is sufficient.
- Initial DMARC Step: Implementing SPF alongside DKIM can be a first step for organizations towards implementing DMARC, as it gives IT teams more data to work with.
Key considerations
- DKIM Sufficiency: Evaluate whether DKIM alone is sufficient for email authentication, considering the target audience and the capabilities of their email systems.
- Potential Redundancy: Assess the potential redundancy of SPF when DKIM is properly configured, weighing the benefits against the complexity of managing SPF records.
- Target Audience Tech Savviness: Consider the technical proficiency of the target audience when deciding whether to recommend SPF, as it might simplify the setup process for less technical users.
- Backward Compatibility Needs: Evaluate the need for backward compatibility with older email systems that may still rely on SPF for authentication.
- Deliverability Enhancement: Determine whether including SPF records alongside DKIM provides a measurable improvement in email deliverability rates.
- Maintenance Overhead: Balance the benefits of including SPF with the maintenance overhead of managing SPF records, including DNS lookups and potential authentication issues.
- Security Layers: Consider whether a defense-in-depth approach with both SPF and DKIM is necessary for enhanced security, weighing the complexity and potential overlap.
Marketer view
Email marketer from Mailhardener Blog shares that SPF records were often recommended because they were the primary authentication method before DKIM became widespread. Some ESPs maintain this recommendation to support older systems or due to inertia in their documentation.
19 May 2023 - Mailhardener Blog
Marketer view
Email marketer from EmailDudes Forum shares that ESPs might suggest SPF records to reassure less tech-savvy clients. They suggest that the continued advice provides a sense of security, even though DKIM effectively handles the authentication process.
17 Dec 2024 - EmailDudes Forum
What the experts say
3 expert opinions
The provided answers suggest varied reasons for ESPs recommending SPF records even when they aren't strictly necessary. One viewpoint is that the landscape of ESP SPF records and related documentation is confusing and problematic. Another perspective is that ESPs use SPF recommendations to manage customer expectations by showing proactive security measures. Finally, a more strategic reason is offered: SPF serves as a simplified initial step, or a gateway for less technical clients to understand email authentication before moving onto more complex systems like DKIM.
Key opinions
- Confused Landscape: The handling of SPF records by ESPs and their associated documentation are often confusing and poorly implemented.
- Customer Expectation: SPF recommendations can be a way for ESPs to demonstrate proactive security measures to their customers.
- Simplified First Step: SPF provides an easier, less complex introduction to email authentication for non-technical users before adopting DKIM.
Key considerations
- Documentation Clarity: ESPs should strive for clearer, more accurate, and up-to-date documentation regarding SPF and DKIM.
- Alternative Security Communication: ESPs should explore alternative ways to communicate security measures to customers without relying solely on potentially redundant SPF recommendations.
- User Education Path: ESPs should create a clear educational path for users to transition from SPF to DKIM as they become more familiar with email authentication.
Expert view
Expert from Email Geeks succinctly states that ESP SPF records and their documentation are a train wreck.
16 Sep 2022 - Email Geeks
Expert view
Expert from SpamResource explains that some ESPs may recommend SPF records to manage customer expectations, providing a checklist item to demonstrate proactive security measures, even when DKIM offers more comprehensive authentication.
15 Dec 2024 - SpamResource
What the documentation says
6 technical articles
Documentation sources indicate that SPF records, while seemingly redundant with DKIM, are still recommended by some ESPs for historical reasons, backward compatibility, and as a fallback mechanism. SPF was an earlier authentication method, and older systems or poorly configured servers may still rely on it. It can act as a quick check for receiving servers or provide additional authentication even with DKIM implemented. Moreover, SPF is simpler to implement and understand, serving as a first step towards broader email authentication strategies and giving IT teams more information to manage email security.
Key findings
- Historical Significance: SPF served as the primary email authentication method before DKIM became widespread.
- Backward Compatibility: Older systems and poorly configured email servers may still rely on SPF for authentication.
- Fallback Mechanism: SPF can act as a fallback for systems that do not fully support DKIM, ensuring broader compatibility.
- Simplified Implementation: SPF is easier to implement and understand, making it a useful starting point for email authentication.
- Additional Information: Implementing both SPF and DKIM gives IT teams more information to work with when managing email security.
Key considerations
- DKIM Support: Assess whether the receiving systems fully support DKIM before relying solely on it.
- Authentication Strategy: Determine a comprehensive email authentication strategy, considering both SPF and DKIM.
- Implementation Complexity: Evaluate the complexity of implementing and managing SPF records.
- Security Risk: Weigh the potential security risks of relying solely on SPF if DKIM is not properly configured.
- IT Knowledge: Consider IT's knowledge and understanding of SPF implementation if the clients need to set up SPF themselves.
Technical article
Documentation from dmarcian explains that ESPs sometimes recommend SPF records because email authentication practices can be complex. While DMARC is the standard for protecting against spoofing, implementing SPF and DKIM gives IT teams more information to work with. It provides a first step to implementing DMARC.
22 Dec 2024 - dmarcian
Technical article
Documentation from EasyDMARC explains that SPF records might seem redundant with DKIM but historically addressed issues with email forwarding and compatibility. Some ESPs may still recommend it for legacy reasons or to cover edge cases, even though DKIM is generally sufficient for authentication.
9 Aug 2024 - EasyDMARC
Besides Spamhaus, what blocklists are important for email marketers to monitor?
Do small email senders need their own SPF/DKIM records or can they rely on their ESP?
Do I need to include Mailchimp's SPF record in my domain's SPF if Mailchimp handles the bounce address?
How do I set up an SPF record when using multiple email sending services?
How do I properly set up SPF and DKIM records for email marketing, including handling multiple SPF records, IP ranges, bounce capturing, and Google Postmaster Tools verification?
How do SPF records and DKIM keys work with multiple email services like Klaviyo and Shopify?
