Email Authentication With SPF, DKIM AND DMARC

Email Authentication With SPF, DKIM AND DMARC
Email Security

30 July, 2020

Email Authentication With SPF, DKIM, AND DMARC

Email addresses are easily spoofed. Spammers often take advantage of this to send email messages that impersonate trusted users, companies, organizations, and universities to mask their true identities. 

Email authentication helps to improve the delivery and credibility of your marketing emails by implementing protocols that verify your domain as the sender of your messages.

SPF, DKIM, and DMARC is the 3 Pillars of Email Authentication.



SPF (Sender Policy Framework) is a DNS text entry that shows a list of servers that should be considered allowed to send mail for a specific domain. Incidentally, the fact that SPF is a DNS entry can also consider a way to enforce the fact that the list is authoritative for the domain since the owners/administrators are the only people allowed to add/change that main domain zone.

  • Upon receipt, the HELLO message and the sender address are fetched by the   receiving mail server

  • The receiving mail server runs a TXT DNS query against the claimed domain SPF entry

  • The SPF entry data is then used to verify the sender server

  • In case the check fails a rejection message is given to the sender server





DKIM should be instead considered a method to verify that the content of the message is trustworthy meaning that they were not changed from the moment the message left the initial mail server. This additional layer of trustability is achieved by an implementation of the standard public/private key signing process. Once again the owners of the domain add a DNS entry with the public DKIM key which will be used by receivers to verify that the message DKIM signature is correct while on the sender side the server will sign the entitled mail messages with the corresponding private key.

  • When sending an outgoing message, the last server within the domain infrastructure checks against its internal settings if the domain used in the “From:” header is included in its “signing table”. If not the process stops here

  • A new header, called “DKIM-Signature”, is added to the mail message by using the private part of the key on the message content

  • From here on the message main content cannot be modified otherwise the DKIM header won’t match anymore

  • Upon reception, the receiving server will make a TXT DNS query to retrieve the key used in the DKIM-Signature field

  • The DKIM header check result can be then used when deciding if a message is fraudulent or trustworthy





DMARC (Domain-based Message Authentication, Reporting, and Conformance) empowers SPF and DKIM by stating a clear policy that should be used about both the aforementioned tools and allows them to set an address that can be used to send reports about the mail messages statistics gathered by receivers against the specific domain.

  • upon reception the receiving mail server checks if there is any existing DMARC policy published in the domain used by the SPF and/or DKIM checks

  • if one or both the SPF and DKIM checks succeed while still being aligned with the policy set by DMARC, then the check is considered successful, otherwise, it’s set as failed

  • if the check fails, based on the action published by the DMARC policy different actions are taken


Request Your Complimentary Domain Analysis