What are SPF, DKIM, and DMARC?

SPF (Sender Policy Framework) specifies which servers can send email from your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to verify email authenticity. DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM to tell receivers how to handle unauthenticated emails.

Why is email authentication important for cold email?

Email authentication proves you're authorized to send from your domain, prevents spoofing, and is required by major email providers. Without proper authentication, your emails are more likely to be marked as spam or rejected, significantly hurting deliverability.

How do I set up SPF, DKIM, and DMARC?

SPF requires adding a TXT record to your DNS listing authorized sending servers. DKIM requires generating keys and adding TXT records. DMARC requires adding a TXT record that references your SPF and DKIM policies. Most email providers provide specific setup instructions for their platforms.

What DMARC policy should I start with?

Start with DMARC policy p=none (monitoring only) to collect data without affecting delivery. After analyzing reports, move to p=quarantine (mark suspicious emails), then eventually p=reject (block unauthenticated emails) once you're confident in your setup.

Email authentication: SPF, DKIM, DMARC guide

# Email authentication for deliverability

Email authentication is the foundation of good deliverability. Without proper authentication, your emails are more likely to be marked as spam or rejected by receiving servers. This lesson covers the three core authentication protocols—SPF, DKIM, and DMARC—and how to implement them for cold email success.

Key Takeaways

- SPF, DKIM, and DMARC are essential for deliverability

* - Start with monitoring-only DMARC policy * - Authentication prevents domain spoofing * - Major providers require proper authentication

Authentication overview

Why authentication matters

Deliverability impact:

Proves you're authorized to send from your domain
Prevents email spoofing and phishing
Required by Gmail, Outlook, and other major providers
Significantly reduces spam classification

Security benefits:

Protects your brand reputation
Prevents others from sending as you
Builds trust with receiving servers
Reduces risk of being blacklisted

The three protocols

SPF (Sender Policy Framework):

Specifies authorized sending servers
Simple DNS TXT record
First line of authentication

DKIM (DomainKeys Identified Mail):

Cryptographic email signature
Verifies message integrity
Prevents message tampering

DMARC (Domain-based Message Authentication, Reporting, and Conformance):

Builds on SPF and DKIM
Specifies handling policy
Provides reporting

SPF (Sender Policy Framework)

How SPF works

Mechanism: 1. Receiving server looks up SPF record 2. Checks if sending server is authorized 3. Passes or fails based on match 4. Applies policy based on result

SPF record structure: ``` v=spf1 include:_spf.google.com ~all ```

`v=spf1`: SPF version
`include`: Authorized servers
`~all`: Soft fail (mark but don't reject)

SPF setup

Identify sending sources:

Email service provider servers
Corporate email servers
Third-party sending tools
Marketing automation platforms

Create SPF record:

List all authorized senders
Use `include` for external services
Use `ip4` for specific IP addresses
Set appropriate fail policy

Add to DNS:

Create TXT record for your domain
Set host to `@` or domain name
Paste SPF record as value
Wait for DNS propagation

SPF best practices

Keep it simple:

Limit number of lookups (max 10)
Avoid nested includes
Use `ip4` when possible
Regularly review and update

Policy choices:

`~all`: Soft fail (recommended start)
`-all`: Hard fail (after testing)
`+all`: No fail (never use)

Common mistakes:

Too many lookups (exceeds 10)
Missing authorized senders
Syntax errors
Not updating after changes

DKIM (DomainKeys Identified Mail)

How DKIM works

Mechanism: 1. Sending server signs message with private key 2. Public key published in DNS 3. Receiving server verifies signature 4. Confirms message integrity

DKIM benefits:

Verifies sender identity
Prevents message tampering
Survives forwarding
Works with SPF

DKIM setup

Generate keys:

Create DKIM key pair (private/public)
Use your email provider's tools
Or generate with third-party tools
Keep private key secure

Publish public key:

Add TXT record to DNS
Record name: `selector._domainkey`
Record value: public key
Wait for propagation

Configure signing:

Enable DKIM in email platform
Select the selector
Configure which domains to sign
Test with verification tools

DKIM best practices

Key management:

Use 1024-bit or longer keys
Rotate keys periodically (6-12 months)
Keep private keys secure
Document key rotation schedule

Selector strategy:

Use descriptive selectors
Different selectors for different services
Easy to identify and manage
Helps with troubleshooting

Testing:

Verify DNS record propagation
Test email authentication
Check authentication headers
Use authentication checkers

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

How DMARC works

Mechanism: 1. Receiving server checks SPF and DKIM 2. Applies DMARC policy 3. Takes action based on policy 4. Sends report to domain owner

DMARC benefits:

Unifies SPF and DKIM
Specifies handling policy
Provides visibility via reports
Enables enforcement over time

DMARC setup

Create DMARC record: ``` v=DMARC1; p=none; rua=mailto:dmarc@example.com ```

`v=DMARC1`: DMARC version
`p=none`: Policy (monitoring only)
`rua`: Report destination

Policy progression: 1. Start with `p=none` (monitoring) 2. Analyze reports for 2-4 weeks 3. Move to `p=quarantine` (soft enforcement) 4. Eventually `p=reject` (full enforcement)

Add to DNS:

Create TXT record for `_dmarc.domain.com`
Paste DMARC record as value
Wait for propagation
Monitor reports

DMARC reporting

Report types:

RUA: Aggregate reports (summary)
RUF: Forensic reports (detailed failures)

Report analysis:

Identify unauthorized senders
Check authentication failures
Monitor volume trends
Spot configuration issues

Report tools:

DMARC report analyzers
Built-in provider dashboards
Third-party monitoring services
Custom parsing solutions

Implementation strategy

Phase 1: Assessment

Current state:

Check existing authentication
Identify all sending sources
Review DNS configuration
Assess current deliverability

Gap analysis:

Missing SPF/DKIM/DMARC
Misconfigured records
Outdated records
Missing authorized senders

Phase 2: Implementation

SPF first:

Implement or update SPF
Include all senders
Test with verification tools
Monitor for issues

DKIM second:

Generate and publish keys
Enable signing
Test authentication
Verify proper setup

DMARC third:

Start with p=none
Set up reporting
Monitor reports
Analyze results

Phase 3: Optimization

Analyze reports:

Review DMARC reports
Identify issues
Fix configuration problems
Remove unauthorized senders

Progress policy:

Move to p=quarantine when ready
Monitor quarantine results
Eventually move to p=reject
Maintain ongoing monitoring

Common issues

SPF issues

Too many lookups:

Exceeds 10 DNS lookups
Causes SPF failures
Solution: Consolidate includes, use ip4

Missing senders:

New sending source not added
Causes authentication failures
Solution: Regularly review and update

Syntax errors:

Invalid SPF record format
Causes record to be ignored
Solution: Validate with SPF checkers

DKIM issues

Key mismatch:

Public key doesn't match private
Causes signature failures
Solution: Regenerate and republish keys

DNS propagation:

Key not yet propagated
Causes temporary failures
Solution: Wait for full propagation

Selector issues:

Wrong selector configured
Signature not found
Solution: Verify selector in email platform

DMARC issues

Policy too strict too soon:

Rejecting before ready
Blocks legitimate email
Solution: Progress through policies gradually

Report delivery issues:

Reports not being received
Can't monitor authentication
Solution: Verify report email address

Alignment failures:

SPF/DKIM domains don't align
DMARC fails even with valid auth
Solution: Ensure domain alignment

Monitoring and maintenance

Ongoing monitoring

Authentication checks:

Regular SPF/DKIM/DMARC verification
Monitor authentication rates
Check for failures
Review provider dashboards

DMARC reports:

Review aggregate reports regularly
Analyze failure patterns
Identify new senders
Track compliance rates

Maintenance tasks

Regular updates:

Update SPF when adding senders
Rotate DKIM keys periodically
Review DMARC policy quarterly
Update documentation

Documentation:

Maintain authentication records
Document key rotation schedule
Track authorized senders
Keep configuration history

Tools and resources

Verification tools

Authentication checkers:

MXToolbox
DMARC Analyzer
Google Postmaster Tools
Microsoft SNDS

DNS tools:

DIG
NSLookup
Online DNS lookup tools
Provider DNS management

Documentation

Official resources:

SPF RFC 7208
DKIM RFC 6376
DMARC RFC 7489
Provider documentation

Implementation guides:

DMARC.org implementation guide
Provider-specific guides
Industry best practices
Security recommendations

Conclusion

Email authentication is non-negotiable for cold email deliverability. By implementing SPF, DKIM, and DMARC correctly, progressing through DMARC policies gradually, and maintaining ongoing monitoring, you can ensure your emails are authenticated properly and maximize your chances of reaching the inbox.

Your next step should be to audit your current email authentication setup and implement any missing protocols.

Email authentication for deliverability