Boost Deliverability: Master DMARC, DKIM, SPF

  • by Jake Lee
  • 21 min read

Email marketing is a tough game. You craft the perfect message, hit send, and then…silence. Or worse, your emails land in the dreaded spam folder. It’s a common issue, but it doesn’t have to be your reality. There are steps you can take to boost your email deliverability and make sure your messages reach their intended recipients. It starts with mastering three key protocols: DMARC, DKIM, and SPF. Let’s dive into how these work and how you can use them to your advantage.

What is Email Deliverability?

Email deliverability is the measure of how often your emails reach your recipients’ inboxes. It is not the same as the email sending rate, which is the number of emails you send at a given time. While you may hit send on thousands of emails, only a certain percentage will actually land in the inbox. This percentage is your email deliverability rate.

Many factors can impact email deliverability. Some factors are technical, while others may be related to your email content or sending habits. For instance, if you use aggressive language in your emails, they can be flagged as spam. Email providers may also reject emails sent from servers with bad reputations, which hurts your deliverability. Low engagement rates can also negatively affect your email deliverability, which is why you should only send emails to people who want to get them.

In short, email deliverability is a very important part of the email marketing process. You can create emails that contain the most compelling marketing copy in the world, but if they don’t reach the inbox, they are not worth much. By taking steps to improve your email deliverability, you make sure that the time, money, and resources that you spend on your email campaigns are well used. You want to make sure that people who want to read your emails are in fact reading them, and that your emails are not going to their spam folder instead.

Why is Email Deliverability Important?

It is not enough to press the send button. You have to know if your emails are landing in the inbox, or not. Email deliverability is important because it ensures your emails are not wasted. Here are a few reasons why it’s crucial for your email marketing success.

  • Reach Your Audience: First and foremost, you need your emails to arrive in your recipients’ inboxes. If your emails are going to spam, they’re as good as not being sent. Email deliverability ensures you’re actually connecting with the people you intend to reach.
  • Protect Your Reputation: Email providers take note of how recipients interact with your emails. If many people mark your emails as spam or don’t open them, it’ll hurt your sender reputation. A bad reputation can result in your emails being consistently blocked or filtered into spam folders.
  • Increase ROI: Email marketing is a cost-effective way to reach customers. But its ROI hinges on good deliverability. When your emails reach the inbox, you increase the chance of clicks, conversions, and, ultimately, profit.
  • Maintain Compliance: Email regulations, such as GDPR and CAN-SPAM, require senders to follow certain practices. One way to comply with these laws is to make sure people who do not want your emails do not get your emails. Deliverability is often tied to compliance, and you should know how it all works.

Improving your email deliverability can result in more leads, more sales, and a more engaged audience. Simply put, mastering email deliverability is key to any successful email marketing strategy.

What are DMARC, DKIM, and SPF?

DMARC, DKIM, and SPF are email authentication methods. They are designed to verify the legitimacy of your emails and to prevent email spoofing. Email spoofing is when bad actors try to impersonate your email domain to send emails that look like they came from you. They often use this tactic to get users to download malware or give away personal information. These are called phishing attacks.

Let’s take a closer look at each of these protocols and how they work.

SPF (Sender Policy Framework)

SPF is like a guest list for your email domain. It specifies which mail servers are allowed to send emails using your domain. When an email server receives a message from your domain, it can check the SPF record to verify if the sending server is on the list. If the sending server is not listed in your SPF record, the email is less likely to land in the inbox and might be rejected or marked as spam.

An SPF record is a TXT record that is added to your domain’s DNS settings. A typical SPF record looks something like this:

v=spf1 include:spf.emailservice.com -all

Let’s break down what this means:

  • v=spf1: This tells the receiving server that this is an SPF record.
  • include:spf.emailservice.com: This part lists the authorized servers for sending emails from your domain. Replace spf.emailservice.com with the actual server or servers you use. If you use more than one server, you will have more than one entry like this one.
  • -all: This tag specifies that all other email servers not listed in the SPF record should be marked as “not authorized” to send emails from your domain. If you use the “~all” tag, it marks emails from servers not on your SPF record as “softfail”, meaning that emails from these servers will most likely land in the spam folder but will not be rejected outright. The “+all” tag means all servers are authorized to send emails from your domain. This basically defeats the point of using SPF and is not recommended.

Setting up your SPF record correctly is a critical step in email authentication. If you don’t have an SPF record, email providers may assume that your emails are fake, and your emails can be marked as spam. With an SPF record, you provide clear guidelines for mail servers, telling them which servers can send emails using your domain.

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to your outgoing emails. This signature works like a fingerprint for each email that leaves your servers. This signature is encrypted. So, only the receiving mail server can verify it with your public key that’s stored in your domain’s DNS settings.

If an email is modified during transit, the signature will be deemed invalid by the receiving mail server, giving it a signal that something is not right. This mechanism makes it very hard for malicious actors to send spoofed emails using your domain.

When you set up DKIM, a public and a private key are generated, and both are used to secure your emails. The private key is stored on your sending mail server, where it’s used to sign your outgoing emails. The public key is stored in your domain’s DNS settings, where it’s used to verify emails coming from your domain.

A DKIM record is also a TXT record that’s added to your domain’s DNS. It includes your public key and other information. Here is an example of what a DKIM record looks like:

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuZc623gZg1H5…

Here is what this means:

  • v=DKIM1: This means that this is a DKIM record.
  • k=rsa: This tells you what type of encryption algorithm is used. In this case RSA.
  • p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuZc623gZg1H5…: This part is your public key. It’s a long string of characters that the receiving email server uses to check your email’s signature.

With DKIM, each email is stamped with a unique signature, allowing receiving servers to make sure your emails are genuine and were not tampered with in transit. DKIM improves your sender reputation and helps improve your email deliverability.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC builds upon SPF and DKIM by giving you control over what happens when emails fail the authentication checks, and by providing you with reports on emails sent using your domain. With DMARC, you can tell the receiving mail server what to do with your emails that fail SPF and DKIM authentication. For example, if an email doesn’t pass the SPF or DKIM checks, you can tell email servers to reject it. You can also tell email providers to quarantine the email. You also get reports of all the emails sent with your domain, which helps you find any fraudulent activity.

A DMARC record is also a TXT record added to your domain’s DNS. A typical DMARC record looks like this:

v=DMARC1; p=reject; rua=mailto:[email protected]; ruf=mailto:[email protected];

Here is what this means:

  • v=DMARC1: This means that this is a DMARC record.
  • p=reject: This is the policy. It tells the receiving email server what to do with the emails that fail SPF and DKIM checks. You can set the policy to reject, quarantine, or none. The reject policy tells the server to reject emails that fail the authentication checks. The quarantine policy tells the server to put these emails in the spam folder. And the none policy means that the receiving email server will still process the email normally, but reports will still be sent to the email addresses you include in your DMARC record.
  • rua=mailto:[email protected]: This email address receives reports about aggregate DMARC data (this means aggregated report data on how your emails are performing).
  • ruf=mailto:[email protected]: This address receives forensic reports (this means that you get information on individual email failures).

DMARC helps you enforce your authentication policies and find issues with your email sending practices. It also helps you make sure that bad actors can’t use your domain to spoof emails. It’s an important step in strengthening your sender reputation.

How Do DMARC, DKIM, and SPF Work Together?

These protocols work together to protect your emails and ensure deliverability. Here’s a simple breakdown of how the process works:

  1. Sending the Email: You craft an email, and your mail server sends it. Before sending, your mail server adds a DKIM signature to your email message.
  2. Receiving the Email: When an email provider receives an email from your domain, it checks for several things. First, it checks the SPF record of your domain, to make sure that the email came from an authorized server. Then, it checks the DKIM signature to confirm that the message is actually from you and that the email hasn’t been tampered with.
  3. DMARC Enforcement: The receiving server looks at your DMARC record to know what to do with the email based on whether the SPF or DKIM checks passed or failed. If the checks pass, then the email is delivered to the inbox. If the email fails these checks based on the policy you specify in your DMARC record, the email may be rejected or quarantined (placed in the spam folder).
  4. Reporting: Through DMARC reports, you get data about the emails sent with your domain. It includes how many emails passed or failed the authentication checks, the source of the emails, and if there are any problems with your authentication settings. This information helps you tweak your SPF and DKIM records. Also, you can get information about potential attempts of bad actors trying to spoof emails with your domain.

By setting up these three protocols, you create a strong authentication system that email providers see as trustworthy. This ultimately helps you improve your email deliverability and protect your brand’s reputation.
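
The receiving-side decision in steps 2 and 3, as an added Python example that is not code from the original article. It goes one step beyond the article's wording by including the identifier alignment check from the DMARC specification (RFC 7489): an SPF or DKIM pass only counts when the authenticated domain matches the domain in the visible From: header. The names `Message`, `evaluate_dmarc` and the sample domains are hypothetical, and `org_domain` is a labelled simplification.

```python
from dataclasses import dataclass


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a dict of lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): treat the last two labels as the
    # organizational domain. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode ('s') needs an exact match; relaxed ('r') compares org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class Message:
    header_from: str   # domain in the visible From: header
    spf_result: str    # receiver's SPF verdict, e.g. "pass", "fail", "softfail"
    spf_domain: str    # envelope sender (MAIL FROM) domain that SPF checked
    dkim_result: str   # receiver's DKIM verdict, e.g. "pass", "fail", "none"
    dkim_domain: str   # d= domain from the DKIM signature ("" if unsigned)


def evaluate_dmarc(msg: Message, dmarc_record: str):
    """Return (dmarc_pass, action) with action in deliver/quarantine/reject."""
    tags = parse_tags(dmarc_record)
    spf_ok = msg.spf_result == "pass" and aligned(
        msg.spf_domain, msg.header_from, tags.get("aspf", "r"))
    dkim_ok = msg.dkim_result == "pass" and aligned(
        msg.dkim_domain, msg.header_from, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:          # one aligned pass is enough
        return True, "deliver"
    policy = tags.get("p", "none").lower()
    # p=none only reports the failure; the message is still processed normally.
    return False, policy if policy in ("quarantine", "reject") else "deliver"


# Constructed sample messages, all claiming to be from shop.example.
RECORD = "v=DMARC1; p=reject"
SAMPLES = {
    "own server": Message("shop.example", "pass", "bounce.shop.example",
                          "pass", "shop.example"),
    "forwarded": Message("shop.example", "fail", "shop.example",
                         "pass", "shop.example"),
    "unaligned provider": Message("shop.example", "pass", "esp-mail.example",
                                  "pass", "esp-mail.example"),
    "spoof": Message("shop.example", "fail", "shop.example", "none", ""),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:20} {evaluate_dmarc(msg, RECORD)}")
```

The "unaligned provider" case is the one to watch for when adding a third-party sender: both checks pass for the provider's own domain, yet the message still fails DMARC for yours.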

How to Set Up DMARC, DKIM, and SPF

Let’s go over the steps of setting up SPF, DKIM and DMARC.

Setting Up SPF

  1. Identify Authorized Sending Servers: List all the email servers that send emails on behalf of your domain. This could be your own mail server, your email marketing platform, or other third-party services that you use.
  2. Create an SPF Record: Format your SPF record using the guidelines listed above. A typical record will look like this: v=spf1 include:spf.emailservice.com -all. Ensure you include all authorized email servers in your SPF record.
  3. Access Your DNS Settings: Log in to your domain registrar’s control panel, or your DNS hosting provider’s control panel. Go to the DNS settings for your domain.
  4. Add a TXT Record: Create a new TXT record. For the name or host, use @ or leave it blank, or whatever your DNS provider asks for. For the value, enter your SPF record. Save the TXT record.
  5. Verify Your SPF Record: After adding the record, use an online tool like MXToolbox’s SPF record lookup tool to make sure your record has no errors.

Setting Up DKIM

  1. Generate DKIM Keys: Use your email service provider or generate your own DKIM public and private keys. You may need to use a tool to do this.
  2. Add the Private Key to Your Mail Server: Paste your DKIM private key into your mail server configuration. The specifics of this will depend on the mail server software you use.
  3. Add a TXT Record to DNS: Access your domain’s DNS settings and create a TXT record. In the host or name field, enter a selector (this is usually default._domainkey) or whatever is suggested by your email provider. Copy your public key and paste it into the value field. Save your settings.
  4. Verify Your DKIM Record: You can use a tool like MXToolbox’s DKIM record lookup tool to check that your DKIM setup is working correctly.

Setting Up DMARC

  1. Create a DMARC Record: Create a DMARC TXT record using the format we covered above. A good starting point is: v=DMARC1; p=none; rua=mailto:[email protected]; ruf=mailto:[email protected];. Make sure to include your report receiving email addresses.
  2. Access DNS Settings: Log in to your domain registrar’s or DNS provider’s control panel. Go to the DNS settings for your domain.
  3. Add a TXT Record: Create a new TXT record. Use _dmarc as the record name or host, and enter your DMARC record into the value field.
  4. Verify Your DMARC Record: Use an online tool like MXToolbox’s DMARC record lookup tool to make sure your record is valid.

Important Tips for Setting Up These Records

  • Start Slowly: Begin with a none policy in your DMARC record. This will allow you to see the impact of your SPF and DKIM records without rejecting emails. Once you have a solid understanding of your email flows, you can switch to the quarantine or reject policies.
  • Monitor Your Reports: Keep an eye on your DMARC reports. Look for any irregularities in your email sending practices.
  • Keep Records Updated: Add and remove authorized servers in your SPF record as needed. If you’re not doing this, your emails can fail authentication checks.
  • Consult Your Email Provider: Your email provider is often the best source of information for the exact settings needed for DKIM and SPF.
  • Test Your Setup: Test your email settings before running large email campaigns. This makes sure that everything is set up correctly and that your emails do not end up in the spam folder.

Common Mistakes and How to Avoid Them

When setting up DMARC, DKIM, and SPF, it’s easy to make mistakes. Here are some common errors and how to avoid them:

  • Too Many SPF Lookups: SPF records are limited to 10 lookups, meaning you can only have 10 includes within your SPF record. When you go over this limit, SPF stops working. To avoid this, use one include that will resolve multiple servers instead of many individual includes. You should also keep your SPF record as short as possible.
  • Incorrect DNS Syntax: Even a small mistake in DNS syntax can lead to big problems. Review your DNS records closely. You can use online tools to double-check your settings.
  • Forgetting a Sending Source: If you forget to include a mail server in your SPF record, emails sent from that server will fail the SPF authentication check. So, before you start sending email campaigns, make sure all your authorized senders are included in your SPF record.
  • Misconfigured DKIM Keys: Incorrectly set up DKIM keys can lead to emails failing DKIM authentication, leading to deliverability problems.
  • Missing DMARC Record: Having SPF and DKIM in place but not setting up a DMARC record misses a huge opportunity. DMARC helps you protect your domain by telling email servers what to do when emails fail authentication. It’s also important that you receive reports on your email sending behavior.
  • Not Monitoring Reports: You should monitor the reports generated by DMARC. Without regularly checking your reports, you might not notice when something is wrong. So, schedule time to monitor your reports regularly. This will help you spot any errors and fix them.

By being mindful of these common issues and following the right steps, you can set up email authentication correctly. Doing this will improve your email deliverability.
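
A pre-publication check for two of the SPF mistakes above (the lookup limit and a permissive “all”), as an added Python example that is not code from the original article. Per RFC 7208, the limit of 10 counts every term that triggers a DNS query (include, a, mx, ptr, exists and redirect), including terms nested inside an included record, so the counter follows includes recursively. The `ZONE` data is constructed and stands in for live DNS; `count_lookups` and `lint_spf` are hypothetical names.

```python
LOOKUP_LIMIT = 10                         # RFC 7208 section 4.6.4
QUERYING = {"a", "mx", "ptr", "exists"}   # mechanisms that cost one DNS query

# Constructed TXT data standing in for live DNS answers.
ZONE = {
    "shop.example": "v=spf1 mx include:spf.emailservice.com "
                    "include:_spf.crm.example include:mail.helpdesk.example -all",
    "news.example": "v=spf1 include:spf.emailservice.com +all",
    "ok.example": "v=spf1 include:spf.emailservice.com -all",
    "spf.emailservice.com": "v=spf1 include:_a.emailservice.com "
                            "include:_b.emailservice.com "
                            "include:_c.emailservice.com ~all",
    "_a.emailservice.com": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.emailservice.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_c.emailservice.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "_spf.crm.example": "v=spf1 a mx include:_pool.crm.example ~all",
    "_pool.crm.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "mail.helpdesk.example": "v=spf1 a:out.helpdesk.example mx ~all",
}


def count_lookups(domain: str, zone: dict, path: tuple = ()) -> int:
    """Count DNS-querying terms in a record, following includes and redirects."""
    if domain in path:                    # include loop: stop descending
        return 0
    path = path + (domain,)
    total = 0
    for term in zone.get(domain, "").split()[1:]:   # skip the v=spf1 tag
        term = term.lstrip("+-~?")                  # drop the qualifier
        if term.lower().startswith("redirect="):
            total += 1 + count_lookups(term[len("redirect="):], zone, path)
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()           # "a/24" -> "a"
        if name == "include":
            total += 1 + count_lookups(target, zone, path)
        elif name in QUERYING:
            total += 1
    return total


def lint_spf(domain: str, zone: dict) -> list:
    """Return a list of findings for the SPF record published at domain."""
    terms = zone.get(domain, "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record published"]
    findings = []
    if any(t.lower() in ("+all", "all") for t in terms):
        findings.append("+all authorizes every server to send as this domain")
    lookups = count_lookups(domain, zone)
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceed the limit of {LOOKUP_LIMIT}")
    return findings


if __name__ == "__main__":
    for name in ("shop.example", "news.example", "ok.example"):
        print(name, count_lookups(name, ZONE), lint_spf(name, ZONE))
```

The record for shop.example lists only three includes and one mx, but the nested terms bring it to 12 lookups, which is over the limit.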

Troubleshooting Common Issues

Even after properly setting up your email authentication, issues can still arise. Here’s how to address common deliverability problems.

  • Emails Still Going to Spam: If your emails are still going to spam despite using SPF, DKIM, and DMARC, it could be a content issue. Avoid using spam trigger words, use proper formatting, avoid using all caps, and do not use too many links in your emails. Check your sender reputation using tools like Sender Score.
  • Authentication Failures: Check if your DNS records are correct. Make sure that you’re not missing any sending sources in your SPF record. You can also check if your DKIM public key matches the private key stored in your server.
  • DMARC Report Errors: If you notice DMARC errors, start by checking your SPF and DKIM setups. Make sure you have a proper rua tag to receive aggregate reports and ruf tag to receive forensic reports.
  • Low Engagement: Low engagement such as low open rates can impact your deliverability. You should only send emails to people who opted in to receiving your messages. Also, consider segmenting your email list to send more targeted content. Use the appropriate subject line and the right frequency.
  • IP Reputation Issues: Your IP address reputation can directly impact your deliverability. Check if your IP address is on any blacklists. Also, make sure you do not use IP addresses with bad reputations.
  • Technical Errors: Sometimes issues can be technical, like problems with your mail server or your DNS setup. Make sure your email server is well configured and that there are no issues with your DNS configuration.
  • Email Client Issues: Sometimes deliverability issues may arise because of how different email clients handle your messages. Test your email campaigns with several email clients before sending them out.
  • Missing Authentication Records: When in doubt, check if you have the required authentication records set up. Ensure that you have working SPF, DKIM, and DMARC records, as these are important for your emails to land in the inbox.

Troubleshooting deliverability problems can be time-consuming, but taking a systematic approach can help you isolate and solve the issues. And it can help to make sure that your emails reach your audience.

How to Monitor Your Email Deliverability

Setting up DMARC, DKIM, and SPF is only the first step. You must also monitor your email deliverability to ensure your emails are reaching the inbox and to address any issues.

  • Use DMARC Reports: DMARC reports are a treasure trove of information. They give you insights into how your email authentication is performing. They show if your emails pass SPF or DKIM checks, and what email providers do with emails that fail the authentication checks. Use the reports to monitor your email behavior and fix issues with your sending practices.
  • Sender Reputation Tools: Use tools like Sender Score to keep track of your email IP address and domain’s reputation. This will show if you have a good, neutral, or bad reputation based on several metrics.
  • Email Testing Tools: You can also use email testing tools like Mail-tester to test your email deliverability. These tools will let you know your spam score and how different email providers view your emails.
  • Track Engagement Metrics: Monitor how your recipients are engaging with your emails, such as open rates, click-through rates, and unsubscribes. Low engagement rates can impact your deliverability. So, they should be watched closely.
  • Monitor Blocklists: Use tools like MXToolbox’s blacklist checker to see if your sending IP or domain has been added to any email blacklists. If you get blacklisted, you should contact the blacklist provider to remove your domain or IP from the blacklist as soon as possible.
  • Feedback Loops: Sign up for feedback loops with email providers. This provides information about how your recipients are marking your emails (as spam or not spam) and will also help you address deliverability issues.
  • Use Email Analytics: Keep an eye on the email analytics offered by your email provider. This includes things like delivery rates, bounce rates, and other information that can help you understand the health of your email campaigns.
  • Test Different Email Clients: Test your emails across several email clients and platforms to see if there are any problems that only specific email clients have.

Regularly monitoring your email deliverability allows you to spot issues early. You can take proactive steps to address deliverability problems that arise. Also, it allows you to make sure that your email campaigns are effective and profitable.
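
One way to turn a DMARC aggregate (rua) report into a per-source summary, as an added Python example that is not code from the original article. The element names follow the aggregate report XML format defined in RFC 7489; the report itself is constructed, and `summarize` and `failing_sources` are hypothetical names. It assumes the report has already been decompressed and carries no XML namespace.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report for shop.example (documentation IP ranges).
SAMPLE_REPORT = """
<feedback>
  <report_metadata><org_name>receiver.example</org_name>
    <report_id>constructed-1</report_id></report_metadata>
  <policy_published><domain>shop.example</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>480</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>shop.example</header_from></identifiers></record>
  <record><row><source_ip>198.51.100.5</source_ip><count>120</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>shop.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>35</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>shop.example</header_from></identifiers></record>
  <record><row><source_ip>203.0.113.77</source_ip><count>5</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>shop.example</header_from></identifiers></record>
</feedback>
"""


def summarize(xml_text: str) -> dict:
    """Aggregate message counts per source IP from one aggregate report."""
    # Reports come from outside parties: in production, parse them with a
    # hardened XML parser (for example the defusedxml package).
    root = ET.fromstring(xml_text.strip())
    stats = defaultdict(
        lambda: {"total": 0, "dmarc_fail": 0, "spf_fail": 0, "dkim_fail": 0})
    for record in root.iter("record"):
        row = record.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        # policy_evaluated holds the aligned SPF/DKIM results used for DMARC.
        spf = row.findtext("policy_evaluated/spf")
        dkim = row.findtext("policy_evaluated/dkim")
        entry = stats[ip]
        entry["total"] += count
        if spf != "pass":
            entry["spf_fail"] += count
        if dkim != "pass":
            entry["dkim_fail"] += count
        if spf != "pass" and dkim != "pass":   # DMARC fails only if both fail
            entry["dmarc_fail"] += count
    return dict(stats)


def failing_sources(summary: dict) -> list:
    """Sources with DMARC failures, largest first: forgotten senders or spoofing."""
    hits = [(ip, s["dmarc_fail"]) for ip, s in summary.items() if s["dmarc_fail"]]
    return sorted(hits, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    report = summarize(SAMPLE_REPORT)
    for ip, entry in report.items():
        print(ip, entry)
    print("investigate:", failing_sources(report))
```

In the sample, 198.51.100.5 still passes DMARC on SPF alone but fails DKIM on every message, which is the kind of legitimate-but-misconfigured sender to fix before moving from p=none to quarantine or reject.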

The Future of Email Authentication

Email authentication is an evolving field. New techniques and protocols are constantly being developed to combat email spoofing and to improve deliverability. Here are some trends you may see in the future:

  • BIMI (Brand Indicators for Message Identification): BIMI adds your brand logo to the email sender’s display. BIMI makes your email easily recognizable and also builds your brand credibility. It also relies on the same authentication protocols such as DMARC to work.
  • AI and Machine Learning: More and more AI and machine learning tools are being developed to improve email authentication. These technologies can find complex patterns of email behavior. So, they can help identify and block fraudulent emails with great precision.
  • Increased Email Security Standards: Email providers are always updating their security standards, and requiring stricter email authentication. This means that DMARC, DKIM, and SPF will only become more important, not less.
  • Decentralized Email Authentication: Decentralized technology such as blockchain is being explored as a way to enhance email security, making email communication more secure, traceable, and transparent.
  • More User Control: There will be more tools and options for email users to have control of the emails they receive. Users are increasingly demanding more control over who and what they receive in their inboxes. This will make email authentication more important than ever.
  • Collaboration: Email providers are now collaborating more often to create and implement new security standards. As technology changes, the community that supports and develops these tools must be prepared to meet the new challenges head-on.

As email evolves, so will the mechanisms needed to maintain its security and efficiency. Staying up-to-date on these trends is key to making sure your email deliverability is strong and your email communication is effective.

Is Mastering DMARC, DKIM, and SPF Worth It?

Yes, mastering these email authentication protocols is definitely worth the time and effort. Here are a few good reasons why:

  • Improved Deliverability: Setting up SPF, DKIM, and DMARC is the most important step for making sure your emails reach the inbox. It gives you a better sending reputation and your emails are more likely to bypass spam filters.
  • Protection Against Spoofing: With email spoofing constantly on the rise, it’s important to have these safeguards in place. These protocols keep bad actors from impersonating your domain and sending fraudulent emails. This protects your brand’s reputation and your audience.
  • Increased Trust: When your emails pass authentication checks, your recipients are more likely to see your emails as legitimate. This builds trust in your brand and increases the likelihood of your recipients engaging with your emails.
  • Better ROI: With improved deliverability, your email marketing efforts become much more effective. More emails in the inbox will lead to more opens, clicks, and, ultimately, more conversions.
  • Compliance: Email regulations like GDPR and CAN-SPAM require that you protect the data of your subscribers. Part of that is sending emails securely and making sure that fraudulent emails are not being sent out by impersonating your domain. These authentication protocols help you stay compliant with these regulations.
  • Peace of Mind: Having these safeguards set up gives you peace of mind that your email communication is well protected and effective. So, you can focus on making your email campaigns the best they can be.

Although it may take some time and effort to learn the intricacies of DMARC, DKIM, and SPF, it’s time and effort well spent. You will see great improvements in your email marketing efforts when you have these protocols set up. By mastering these tools, you make sure your emails reach their intended destination, protecting both your brand and your audience.

Jake Lee

Jake Lee is Inboxify's Deliverability & Automation Specialist, ensuring our clients' emails reach the inbox every time. He's a certified expert in email authentication protocols and deliverability best practices, with a proven track record of improving sender reputations and maximizing email ROI.
