SPF, DKIM, and DMARC Records

Learn more about SPF & DKIM records as well as how to add them correctly

Ira avatar
Written by Ira
Updated this week

As a marketer, you're likely familiar with the acronyms SPF, DKIM, and DMARC, but understanding their true impact can revolutionize your email strategy.

SPF guards against impersonation, DKIM adds an unforgeable seal to your emails, and DMARC is the overarching security strategy.

Now is the ideal moment to dive into these authentication protocols, ensuring your emails land in the inbox and do so securely.

This guide will explain the process, empowering you to enhance deliverability, protect your brand, and elevate your email marketing effectiveness.

About SPF Record

SPF (Sender Policy Framework) is an email authentication protocol that allows the owner of a domain to specify which mail servers they use to send emails from that domain. Brands sending their emails using different services need to publish SPF records in the DNS (Domain Name System)—these records list which IP addresses are authorized to send an email on behalf of their domains.

During the SPF check, email providers verify the SPF record by looking up the domain name listed in the "envelope from" address in the DNS. If the IP address sending an email on behalf of the "envelope from" domain isn't listed in that SPF record, the message fails SPF authentication.

Reasons to Implement

If a domain publishes an SPF record, spammers and phishers are less likely to forge emails pretending to be from that domain because the forged emails are more likely to be caught in the spam filters that check the SPF record. Therefore, an SPF-protected domain is less attractive to spammers and phishers. Because an SPF-protected domain is less attractive as a spoofed address, it is less likely to be blacklisted by spam filters. So, ultimately, the legitimate email from the domain is more likely to get through to your customer.

Duplicate SPF TXT Records

A commonly violated aspect of SPF is that one domain may only have a single SPF record. Why are multiple SPF records so common? Part of the cause is that when an organization deploys different services, each provider often instructs them to create an SPF record. For organizations that have multiple SPF records, this is quickly resolved by merging the records into a single statement. For example, if you had the following two records to authenticate:

Two SPF Records

“v=spf1 include:_spf.google.com ~all”

“v=spf1 include:mailgun.org ~all”

Two SPF Records Combined

“v=spf1 include:mailgun.org include:_spf.google.com ~all”

About DKIM Record

DKIM (DomainKeys Identified Mail) is a protocol that allows an organization to take responsibility for transmitting a message in a way that the mailbox providers can verify. This verification is made possible through cryptographic authentication. The primary advantage for email recipients is that it allows them to reliably identify a stream of legitimate emails, thereby allowing domain-based blacklists and whitelists to be more effective. This is also likely to make certain kinds of phishing attacks easier to detect.

DKIM lets an organization take responsibility for a message while it is in transit. The organization is a handler of the message, either as its originator or as an intermediary. Their reputation is the basis for evaluating whether to trust the message for delivery or not.

About DMARC Records

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that empowers domain owners like yourself to enhance email security. It achieves this by enabling you to define policies regarding email authentication and specifying actions to be taken when authentication fails.

DMARC Policies:

  • p=none (Monitoring Mode):

    In "none" mode, DMARC functions as an observer. It allows you to receive detailed reports on email authentication results without taking any action. This is akin to a diagnostic phase, where you can assess potential issues without impacting the delivery of emails.

  • p=quarantine (Quarantine Mode):

    When DMARC is configured with a "quarantine" policy, emails that fail authentication may be redirected to a separate folder, often the recipient's spam or quarantine folder. This provides a middle ground between monitoring and strict rejection, allowing you to identify potential threats without outright blocking them.

  • p=reject (Reject Mode):

    The "reject" policy is the most stringent. It instructs email receivers to reject messages that do not pass authentication outright. This level of enforcement ensures a higher degree of protection against unauthorized or malicious emails.

In Omnisend, we advise to set DMARC to p=none with SPF and DKIM alignment=relaxed. The choice of "none" with SPF and DKIM alignment set to "relaxed" is specifically tailored to meet the requirements of major email providers like Gmail and Yahoo. This configuration allows you to monitor authentication without adversely affecting email delivery.

For those seeking a more sophisticated DMARC implementation, third-party tools such as DMARCIAN offer comprehensive features and insights. This tool can provide a deeper understanding of email authentication, allowing for more fine-tuned control and enhanced security measures. For this you can watch video below.

In summary, DMARC equips you with the tools to strengthen your email domain against phishing and fraudulent activities. The choice of policies and configurations allows you to balance monitoring, action, and strict enforcement based on your security preferences.

Please note that to have your domain successfully verified for sending emails, at least one of SPF, DKIM, or DMARC must be valid. Failure of validation in any of these records will not allow you to verify the domain, and you won't be able to select it for email sending.

Important 💡 If a main domain (for example, shop.com) has a valid DMARC record, then all of its subdomains (such as newsletter.shop.com) will automatically inherit the same valid DMARC record unless you specifically choose to set up a different DMARC record for the subdomain.

Adding SPF & DKIM Records

Below, you will find a list of the most popular DNS providers. By clicking on the DNS provider name, you can find tutorials or basic information on How to add the given records to your provider. 

Important to note: When you search for a tutorial on adding records, remember that you need to look only at the TXT format parts.

Don't know who your DNS provider is? You can easily find it out here.

To check if your records are added correctly, we recommend you follow this link and paste your domain name into both SPF and DKIM parts. If something is not correct, you will be able to see all errors there.

Final Touches

A domain signature at Omnisend is free of charge for all users.

Important note: To add SPF and DKIM records, you need to think of a domain name you would like to use. You must add our provided records to your DNS, so we recommend using your store name. Also, for Automation emails, you can sign a subdomain or use the same domain; the subdomain could be @news.domainexample.com; @email.domainexample.com; @shop.domainexample.com, etc. The process of signing a subdomain is the same as with signing a domain. You must add our provided records to the subdomain in your DNS.

Always remember, using authentication will not guarantee that every email will reach your client's inbox - you need to focus on improving your email deliverability! However, it preserves your brand reputation and makes sure you have the best possible chance of having your messages reach their intended destination.


Something is wrong with DKIM records

If you are using GoDaddy as your DNS provider and while checking if the records are added correctly, you can not see any information about DKIM, take a better look at the "Name" part. We provide you with a fully-qualified name that ends with your domain name, DO NOT include your domain name in the "Name" field when you add the TXT record. If you are given something._domainkey.yourdomain.com only enter something._domainkey in the "Name" field.

SPF records are not found

  • This is a common issue if you have more than one SPF record added to your DNS. In such cases, we recommend that you combine those records. Go back to Duplicate SPF TXT records part, where you will find an example of how combined records should look.
    Use this service to verify the number of the SPF records: https://dmarcian.com/spf-survey/

  • If you are trying to add an SPF record for Subdomain, skip the main domain and include only Subdomains' name in a "Name" part.

  • Also, you might be asked to add only the @ symbol instead of the record name in some cases. In the DNS zone, @ - represents the domain, so replacing it with the @ sign might be sufficient.

Issues with DMARC Records

If you encounter difficulties verifying DMARC records, follow these steps:

  • Check if the record's Name value is set to _dmarc.yourdomain.com.

  • If verification issues persist, try changing the Name value to just _dmarc.

Did this answer your question?