What is SPF | Kopf Consulting

Oh, the joy of acronyms in the digital world—so many ABCs but none as easy as 123. While a headache in themselves, if you’re an entrepreneur incorporating email marketing into your business strategy, these acronyms—SPF, DKIM, and DMARC—are your secret weapons for email deliverability.

What is SPF?

SPF stands for Sender Policy Framework. Imagine you are in possession of an afterparty VIP ticket for the Golden Globes and are allowed one guest. SPF is like the bouncer at the door with the guest list who is checking ID to make sure only those permitted can enter. The receiving mail server checks that the email being sent on your behalf is from a server that’s on your ‘approved’ list. For example, if your domain is using Google Workspace to send your emails, your SPF record in DNS might include a statement like “v=spf1 include:_spf.google.com ~all” telling the world that, yes, emails from Google’s servers are totally legit to be sending emails for you. If it’s not on the list, it’s not coming in. Simple as that.

Example of an approved SPF: Received-SPF: pass (google.com: domain of 0101018cfb817536-17817521-8f0a-42d1-8dd6-df6193b0353b-000000@mail.tasks.clickup.com designates 54.240.27.140 as permitted sender) client-ip=54.240.27.140;

Why is SPF So Important?

Without an SPF record, anyone could theoretically send an email claiming it’s from you. This is called spoofing (using the example above, someone pretending to be you to gain entrance to the party!). That could damage your reputation, and we can’t have that. SPF helps to prevent spammers from sending messages with forged “from” addresses at your domain, keeping your email reputation spotless. To be clear, IT DOES NOT STOP THEM FROM TRYING! There is nothing that can stop someone from attempting to spoof your email address, BUT a receiving mail server will either flag the email as spam or, like Google, show a HUGE alert warning the recipient to proceed with caution. Again, this is why SPF, DKIM, and DMARC are so important, as ALL THREE are needed to give you the best defense against spoofed emails coming off as legitimate.

What is DKIM?

DKIM stands for DomainKeys Identified Mail. If SPF is the bouncer, then DKIM is the secret handshake, the seal of approval, the most authentic way to vouch for your presence. It’s a way to attach a digital signature to your emails, which verifies that the content of the email hasn’t been tampered with in transit (intercepted and changed in any way before arriving at the recipient). For instance, the DKIM record published in DNS, which receivers use to verify that signature, might look like “v=DKIM1; k=rsa; p=MIG…[varying characters here as they are specific to each account versus standard like an SPF]” which is essentially the fancy way of saying “this is the real deal.”

Example of an approved DKIM: Authentication-Results: mx.google.com;
dkim=pass header.i=@tasks.clickup.com header.s=3cwdjayh777lzsilgjkshy4o4gk3ewkk header.b=R8DWMcAD;
dkim=pass header.i=@amazonses.com header.s=hsbnp7p3ensaochzwyq5wwmceodymuwv header.b=hFptX2FG;

Why DKIM is Also a Must Have

DKIM is critical because it ensures message integrity and helps escalate the fight against email phishing and spoofing. Think of it as your brand’s digital signature—a way to assure your recipients that what they’re reading is genuinely from you. I can’t reiterate this enough: absolutely nothing can prevent spoofing from being attempted. People will try to make emails look like they are from you and normally change the “reply-to” within the email. Just like the warning message in yellow above, receiving email servers do everything they can to indicate the email is spam (either by placing it in a spam folder, flat-out rejecting it, OR flagging the email).

What is DMARC?


For those of you who have been in your inbox this week, you may be scratching your head on this one. The new email regulations activating on February 1st insist that everyone updates their SPF, DKIM, and DMARC. The problem is DMARC has never been a part of the conversation before.

So what is DMARC? DMARC serves two purposes for the sender AND the receiver.

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. For the receiver, DMARC policies tell the receiving email server what to accept and what to reject – especially when checked against any filter policies already set up on the server. It is the ultimate shield against phishing and spoofing. If SPF fails and DKIM fails, DMARC is the final blow to any ill-intentioned attempts.

For senders – imagine SPF is checking the guest list, and DKIM is the secret handshake; DMARC is the event organizer overseeing it all, ensuring that everything goes according to plan. Again, if/when an email fails SPF and DKIM checks — DMARC instructs the server on whether the email should be rejected, quarantined, or allowed through anyway. An example of a DMARC policy is “v=DMARC1; p=reject; rua=mailto:postmaster@spamalot.com” telling email receivers to reject emails that fail SPF and DKIM checks, and report back to you about it.

IMPORTANT: In every instance, the email recipient’s system enforces the policy, and it has the discretion to process the delivery of the email in a manner that may not strictly adhere to the DMARC policy’s specifications. In other words, just because you say “None” and order it to still deliver it, does not mean your email will bypass the receiving email server policies and land in the inbox.

The options for the p (policy) tag, directly from Google Workspace, are:

  • none—Take no action on the message and deliver it to the intended recipient. Log messages in a daily report. The report is sent to the email address specified with the rua (email address designated to receive any communications) option in the record.
  • quarantine—Mark the message as spam and send it to the recipient’s spam folder. Recipients can review spam messages to identify legitimate messages.
  • reject—Reject the message. With this option, the receiving server usually sends a bounce message to the sending server.

Example of DMARC policy that passed: dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=tasks.clickup.com
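How a receiver turns SPF and DKIM results plus the published p tag into a disposition, as an added example that is not part of the original post. It assumes relaxed alignment and approximates the organizational domain as the last two labels; the sample headers, domains and helper names are constructed for illustration.

```python
import re

ACTIONS = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict."""
    pairs = (item.split("=", 1) for item in record.split(";") if "=" in item)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def org_domain(domain):
    # Assumption: last two labels. Real receivers consult the Public Suffix
    # List, which matters for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def dmarc_disposition(from_domain, auth_results, dmarc_record):
    """Return (dmarc_result, requested_action) for one message."""
    policy = parse_tags(dmarc_record).get("p", "none").lower()
    # Domains whose DKIM signature verified, then the SPF-authenticated domain.
    passed = re.findall(r"dkim=pass\s+header\.i=@([\w.-]+)", auth_results)
    passed += re.findall(
        r"spf=pass\b[^;]*?smtp\.mailfrom=(?:[^@\s;]*@)?([\w.-]+)", auth_results)
    # DMARC passes when at least one passing check is aligned with the
    # domain in the visible From header; a pass for another domain does not count.
    want = org_domain(from_domain)
    if any(org_domain(d) == want for d in passed):
        return ("pass", "deliver")
    # Requested action only: the receiver keeps the final say.
    return ("fail", ACTIONS.get(policy, "deliver"))

# Constructed sample inputs (not taken from real mail).
RECORD = "v=DMARC1; p=reject; rua=mailto:postmaster@example.com"
LEGIT = ("mx.receiver.example; dkim=pass header.i=@mail.example.com "
         "header.s=sel1; spf=pass smtp.mailfrom=bounce@esp.example.net")
SPOOF = ("mx.receiver.example; dkim=none; "
         "spf=pass smtp.mailfrom=bounce@attacker.test")

if __name__ == "__main__":
    print(dmarc_disposition("example.com", LEGIT, RECORD))
    print(dmarc_disposition("example.com", SPOOF, RECORD))
```

The second message passes SPF for the sender's own domain, yet still fails DMARC because that domain does not match the From address.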

Why Are DMARC Policies Now Being Encouraged?

DMARC is the step that ties SPF and DKIM together with a clear policy, so you’re not just identifying and signing your emails—you’re also determining the consequences for those that don’t pass the checks. It’s the final say in your email’s authenticity and deliverability.


Why Are They All Important for Email Deliverability?

Together, these three form the solid foundation of Email Deliverability. They verify that you are who you say you are, maintain the integrity of your message, and build trust with email service providers and recipients. They’re your frontline defense in making sure your emails actually make it to the inbox—and stay out of the dreaded spam folder. Is it guaranteed? Again – no. You are only stating your intentions and providing guidance IF the receiving email server does not have its own policies in place. Your emails will always be subject to the rules, regulations, and policies of the receiving mail server.

Other Methods to Increase Email Deliverability

While SPF, DKIM, and DMARC are headliners of the show, they are not the only performers. Ensuring your IP address isn’t on any blacklists, maintaining a consistent send volume, managing your email list hygiene (clearing out unsubscribes, sending re-engagement campaigns for cold emails, and scrubbing your list to only keep engaging leads), and crafting engaging, spam-trigger-free content (see image below) all play pivotal roles in email deliverability.

It may seem like a lot, but each piece of the puzzle is crucial for making sure that your carefully crafted email content isn’t lost in cyberspace. By paying attention to these aspects, you’re not just walking around in the dark; you’re strategically aiming for your destination (that beautiful inbox).
