As a marketer, you're likely familiar with the acronyms SPF, DKIM, and DMARC, but understanding their true impact can revolutionize your email strategy.

SPF guards against impersonation, DKIM adds an unforgeable seal to your emails, and DMARC is the overarching security strategy.

Now is the ideal moment to dive into these authentication protocols, ensuring your emails land in the inbox and do so securely.

This guide will explain the process, empowering you to enhance deliverability, protect your brand, and elevate your email marketing effectiveness.

SPF (Sender Policy Framework) is an email authentication protocol that allows the owner of a domain to specify which mail servers they use to send emails from that domain. Brands sending their emails using different services need to publish SPF records in the DNS (Domain Name System). These records list which IP addresses are authorized to send emails on behalf of their domains.

During the SPF check, email providers verify the SPF record by looking up the domain name listed in the "envelope from" address in the DNS. If the IP address sending an email on behalf of the "envelope from" domain isn't listed in that SPF record, the message fails SPF authentication.
​

If a domain publishes an SPF record, spammers and phishers are less likely to forge emails pretending to be from that domain because the forged emails are more likely to be caught in the spam filters that check the SPF record. Therefore, an SPF-protected domain is less attractive to spammers and phishers. Because an SPF-protected domain is less attractive as a spoofed address, it is less likely to be blacklisted by spam filters. So, ultimately, the legitimate email from the domain is more likely to get through to your customer.

DKIM (DomainKeys Identified Mail) is a protocol that allows an organization to take responsibility for transmitting a message in a way that the mailbox providers can verify. This verification is made possible through cryptographic authentication. The primary advantage for email recipients is that it allows them to reliably identify a stream of legitimate emails, thereby allowing domain-based blacklists and whitelists to be more effective. This is also likely to make certain kinds of phishing attacks easier to detect.

DKIM lets an organization take responsibility for a message while it is in transit. The organization handles the message, either as its originator or as an intermediary. Its reputation is the basis for evaluating whether to trust the message for delivery.

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is a protocol that empowers domain owners like yourself to enhance email security. It achieves this by enabling you to define policies regarding email authentication and specifying actions to be taken when authentication fails.

DMARC Policies:

In Omnisend, we advise to set DMARC to p=none with SPF and DKIM alignment=relaxed. The choice of "none" with SPF and DKIM alignment set to "relaxed" is specifically tailored to meet the requirements of major email providers like Gmail and Yahoo. This configuration allows you to monitor authentication without adversely affecting email delivery.

In summary, DMARC equips you with the tools to strengthen your email domain against phishing and fraudulent activities. The choice of policies and configurations allows you to balance monitoring, action, and strict enforcement based on your security preferences.

Below, you will find a list of the most popular DNS providers. By clicking on the DNS provider name, you can find tutorials or basic information on How to add the given records to your provider. 

To check if your records are added correctly, we recommend you follow this link and paste your domain name into both SPF and DKIM parts. If something is not correct, you will be able to see all errors there.
​

A domain signature at Omnisend is free of charge for all users.

​Important note: To add SPF and DKIM records, you need to think of a domain name you would like to use. You must add our provided records to your DNS, so we recommend using your store name. Also, for Automation emails, you can sign a subdomain or use the same domain; the subdomain could be @news.domainexample.com; @email.domainexample.com; @shop.domainexample.com, etc. The process of signing a subdomain is the same as with signing a domain. You must add our provided records to the subdomain in your DNS.

Always remember that using authentication will not guarantee that every email will reach your client's inbox—you need to focus on improving your email deliverability! However, it preserves your brand reputation and ensures that you have the best possible chance of having your messages reach their intended destination.
​  

If you are using GoDaddy as your DNS provider and while checking if the records are added correctly, you can not see any information about DKIM, take a better look at the "Name" part. We provide you with a fully-qualified name that ends with your domain name, DO NOT include your domain name in the "Name" field when you add the TXT record. If you are given something._domainkey.yourdomain.com only enter something._domainkey in the "Name" field.

A commonly violated aspect of SPF is that one domain may only have a single SPF record. Why are multiple SPF records so common? Part of the cause is that when an organization deploys different services, each provider often instructs them to create an SPF record. For organizations that have multiple SPF records, this is quickly resolved by merging the records into a single statement. For example, if you had the following two records to authenticate:

Two SPF Records

“v=spf1 include:_spf.google.com ~all”

“v=spf1 include:mailgun.org ~all”

Two SPF Records Combined

“v=spf1 include:mailgun.org include:_spf.google.com ~all”

If you encounter difficulties verifying DMARC records, follow these steps: