Email Marketing

Email Authentication Protocols (SPF, DKIM, DMARC) – A Brief Overview

Email Authentication Protocols
  • Have you ever tried to improve your email marketing strategies but your emails keep ending up in the spam folder?
  • Have you ever been blocked by google spam filters?
  • Have you ever faced your company reputation going downhill due to your bad email strategies?
  • Are you unsure of what email authentication is all about?

You’ve always been advised to adhere to “best email practices” as a sender to maximize the benefits of your email service. Industry experts, top marketers, email platforms – everyone keeps talking about these practices.

What exactly are these “practices” and how to go about the same?
Let’s find out.

There’s a list of things that you need to take care of – including the number of emails, time of sending, open rates, subject lines, and the email copy itself.

But before all of it – you need to get your systems ready.

The first step towards a successful cold email campaign is setting up anti-spam policies for your own domain address. This is important to establish your authenticity as an email user, and that you care about the entire ecosystem.

This is done by following the three most effective email authentication pillars namely:

  • SPF: Sender Policy Framework.
  • DKIM: DomainKeys Identified Mail.
  • DMARC: Domain-Based Message Authentication Reporting and Conformance

These three protocols are developed to fight the flood of spam, phishing, and email spoofing. These are the email accounts’ DNS records which together identify fake sender addresses and verify emails that have been sent out.

In this article, we will walk you through a brief introduction of these three protocols. But before that, let us dig into some important technical terms.

Domain Name – It is a group of letters and numbers that corresponds to an IP address. The text that a user types into a browser window to access a certain website is known as a domain name. For instance, Google’s domain name is “”.

Domain Name System – It is used to convert a domain name into an IP Address. People can just enter the name of the website, and the DNS will find the IP address for them, saving them from having to memorize a huge list of IP numbers.

A DNS lookup is the procedure that converts a domain name to the correct Internet Protocol address. The most essential purpose of DNS is the conversion of user domain names (like to numeric IP addresses (like ). A reverse DNS lookup, on the other hand, is used to find the domain name connected to an IP address.

Email Warmup – It is the process of getting your email address, IP address, and domain name ready to be acknowledged by spam filters so that it can safely reach the recipient directly in the primary mailboxes.

Since the majority of emails are now categorized as spam as a result of the Google filter update, it is getting more challenging to get into the primary inbox of your target customer. Hence, we “warm up” our email address.

How is this done? By using an external tool that sends emails to and from your email address.

This leads to an increase in your open rates, replies received, and new emails received – setting a narrative that you’re an authentic user achieving decent deliverability results.

Cold Email – Cold email is any mail you send to your future customer without any direct existing connection with them. For instance, a message sent to someone whose email address is displayed on public platforms and with whom you are not in touch.

Cold emails are obtrusive, less annoying, and a very effective method in B2B businesses. It is direct communication between two parties without the involvement of any other party.

Now that you are familiar with some of the key technical phrases used in connection with these protocols, let’s examine how each element functions.


Sender Policy Framework (SPF)

SPF is an authentication technique that maintains a DNS TXT record of IP addresses that are permitted to send an email on behalf of domains. It outlines a procedure that domain owners may employ to decide which IP addresses and domains are authorized to be used as the source for emails sent from their domain.

While receiving messages that appear to have been received from an SPF-enabled domain, mail servers that support SPF are required to do a DNS lookup for the SPF DNS TXT record that provides the list of approved email sources.

A typical SPF record looks like this:
“v=spf1 ip4: ip6: -all”


Why is SPF required?

SPF records stop spammers from imitating you by leveraging your domain name. To evaluate whether the email they received originated from an authenticated user or not, sender servers verify your Domain name. It is a must-have protocol that needs to be followed to maintain the integrity of data.

There exist seven valid responses to any SPF-generated query namely:

  • Pass – The sending mail server has permission to send an email on behalf of the domain.
  • Fail – It indicates that the sender mail server lacks copyright authorization to send the email.
  • Soft Fail – It means that there exists a possibility that the sender isn’t the authorized user.
  • Neutral – When the domain owner has an SPF record in the DNS system that expressly asserts no allowed IP addresses or domains, neutral is returned.
  • None – No existence of SPF records is found in the system.
  • Temporary error – It is a transitory issue that caused the query to fail.
  • Permanent Error – This kind of error can happen if the sender domain contains multiple SPF registers or if the SPF record incorporates syntax issues.


Domain-Based Message Authentication Reporting and Conformance(DKIM)

To prevent message tampering while in transportation between both the sending and reception servers, emails must adhere to the DKIM (Domain Keys Identified Mail) security standard. Email uses public-key cryptographic techniques to encrypt itself with a master password as soon as it leaves a sending server.

Email servers check the unique code added via DKIM to your email package’s header to make sure the email’s content hasn’t changed. A DKIM record present in the DNS is similar to SPF. To ensure that the communications’ contents haven’t changed during transit and to recognize the origin of the mail, your recipient’s incoming email provider applies the public key that was made available to your domain’s DNS.

DKIM is the internal filtering method used by MBPs to evaluate if an email belongs in the inbox, or spam folder, or is to be discarded. To help tell MBPs to know what to do if DKIM and/or SPF fail, senders can implement DMARC.


Why is a DKIM record important?

DKIM offers more authentication compared to SPF protocol and brings down the chances of ending up in the spam or junk folder. DKIM prevents any spoof emails going out from your domain. .

Even if it is not required, It is recommended to add a DKIM entry to your DNS to authenticate mail from your domain.


DOMAIN-based Message Authentication, Reporting, and Conformance(DMARC)

DMARC is a DNS txt record that can be broadcast for a domain to specify what happens if an identity verification attempt is unsatisfactory.

The email is delivered to the recipient’s inbox if it bears a DKIM signature and the sender server is included in the SPF records. As a domain owner, you can designate how unauthorized person signals should be addressed by MBP implementing DMARC.

There are three DMARC policies that are followed if the message fails authentication:

  • none: When the authentication for an email fails, your receiving server follows the “none” policy and does nothing. It has no bearing on your deliverability. However, it also won’t shield you against con artists, therefore we don’t advise setting it. You may stop them from the start and show the world that you care about your customers and business by enacting stronger policies.
  • reject: The reception gateway rejects those messages that fail email authorization using the rejection policy. This suggests that such emails will bounce because the recipients won’t be receiving them.It is the most useful, but you should only use it if you are certain that all emails coming your way have been sent with the best practices. If not, you might miss out on important messages.
  • quarantine: This is where communications that originate from your domain but fail the DMARC inspection go. The provider is suggested to move your email to the spam bin in this situation.


Wrapping Up

DKIM, SPF, and DMARC combined together are an excellent approach to reduce the threat of spam, hacking, and other email scams for your inbox.

In addition to the above, these practices act as a proof that you’re an active, responsible user.

This significantly brings down the chances of any emails that you send being marked as spam.

By combining these 3 protocols, you can safeguard your own email accounts, establish your authenticity as a user, and subsequently lay the foundations of a successful cold email campaign that lands safely in your desired inboxes.