What is SPF, DMARC and DKIM in simple terms?
This is mostly just a quick memo for myself.
Context: Two weeks ago or so I was involved in clarifying why some emails of a new domain landed in the spam folder of some addressees. Hence, I had the pleasure to refresh my memory about those protocols. (Just as a side note, DKIM wasn't set up in this case.)
The following is just a very condensed view from which one could start further research.
SPF — Sender Policy Framework
SPF is used to tell receiving mail servers which mail servers are allowed to send emails for the domain in question.
If your domain provider offers an email package and you use it, the mail servers of the provider will be listed in the SPF DNS record. If the CMS of your website sends emails, the IP of the webhost should be included as well. And so on and so forth.
DMARC — Domain-based Message Authentication Reporting & Conformance
It's a protocol (also controlled via DNS records) to tell receiving mail servers where to send reports about received emails. With this you can get an idea if your emails land in spam or not.
For my domains, I've published an email address in the respective DMARC DNS records to which reports can be sent. Hence, I regularly get DMARC reports from big email providers like Google, Microsoft and Yahoo. The reports are in XML format. Therefore, you need a viewer tool. I know and have already used the DMARC Report Analyzer. However, downloading the XML attachment to the local disk, unpacking it (they're compressed most of the time), and uploading it to the tool is rather cumbersome. Hence, I'd love a tool to which I can automatically forward those emails and visualize the reports nicely.
DKIM — DomainKeys Identified Mail
With DKIM set up, the emails you send are cryptographically signed by your mail server. Receiving mail servers can then check the authenticity of the sending mail server through its public key.
To be sure it is set up, look for the DKIM-Signature email header. In its value you should see an s=<host-name> tag. Use dig <host-name> TXT to see if the DKIM DNS record is set up correctly for this mail server.
You see that while SPF and DMARC are defined by DNS records in your own DNS zone, DKIM DNS records are (most of the time, I guess) to be found somewhere else.
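The DKIM check described above, as an added example that is not part of the original post: the key record is published under `<s>._domainkey.<d>`, where s= is the selector tag and d= is the signing-domain tag of the DKIM-Signature header, so that is the name to hand to dig. The function names and the sample message are constructed for illustration.

```sh
# Added example: find where a message's DKIM public key is published in DNS.
# Read a raw message on stdin; print "<s>._domainkey.<d>" for each
# DKIM-Signature header. Only the header block is parsed, never the body.
dkim_query_names() {
    awk '
        function emit(h,    n, i, t, eq, k, v, d, s) {
            gsub(/[ \t\r]/, "", h)       # drop folding and padding whitespace
            n = split(h, t, ";")
            for (i = 1; i <= n; i++) {
                eq = index(t[i], "=")
                if (eq == 0) continue
                k = substr(t[i], 1, eq - 1); v = substr(t[i], eq + 1)
                if (k == "d") d = v      # signing domain
                if (k == "s") s = v      # selector
            }
            if (d != "" && s != "") print s "._domainkey." d
        }
        /^\r?$/  { exit }                            # blank line ends the headers
        /^[ \t]/ { if (insig) hdr = hdr $0; next }   # folded continuation line
                 { if (insig) emit(hdr); insig = 0 } # a new header begins
        tolower($0) ~ /^dkim-signature:/ { insig = 1; hdr = substr($0, 16) }
        END      { if (insig) emit(hdr) }
    '
}

# Succeed only if a TXT answer (as printed by dig) carries a non-empty p= tag.
# An empty p= means the key has been revoked.
dkim_key_published() {
    rec=$(printf '%s' "$1" | tr -d '" \t\n')
    case ";$rec;" in
        *";p=;"*) return 1 ;;
        *";p="*)  return 0 ;;
        *)        return 1 ;;
    esac
}

# Constructed sample message; hash, signature and names are placeholders.
sample_message() {
    printf '%s\n' \
        'From: alice@example.com' \
        'DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;' \
        ' s=sel2024; h=from:to:subject; bh=CONSTRUCTEDHASH=;' \
        ' b=CONSTRUCTEDSIG==' \
        'Subject: test' \
        '' \
        'DKIM-Signature: d=body.example; s=ignored'
}
sample_message | dkim_query_names   # sel2024._domainkey.example.com
```

Against live DNS, pass each printed name to `dig +short TXT` and hand the answer to `dkim_key_published`.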
Simple checking tool(s)
I recommend https://mail-tester.com for simply checking if DKIM, SPF and DMARC are set up properly.
Gmail also offers a pretty comprehensive view of "authentication results" for an email. Thus, you can also use Gmail. Just use the "<> Show Source" feature in the Gmail client.