SPF, DKIM, and DMARC: Email Authentication Explained
Technical guide to email authentication protocols. How to configure SPF, DKIM, and DMARC for your transactional email with DNS examples.
Email authentication proves you are authorized to send from your domain. Without it, receiving servers cannot distinguish your legitimate email from spoofed messages. Three protocols work together: SPF, DKIM, and DMARC.
Why Authentication Matters
Email was designed in an era when trust was assumed. The "From" address can be set to anything. Authentication protocols add verification layers that receivers use to:
- Detect spoofed emails claiming to be from your domain
- Make inbox placement decisions
- Build sender reputation
- Protect your brand from phishing attacks
SPF: Sender Policy Framework
SPF specifies which servers are allowed to send email from your domain. It is a DNS TXT record that receivers check against the sending server.
How SPF Works
- Your email arrives at the receiving server
- Server reads the envelope sender (MAIL FROM) domain
- Server looks up the SPF record for that domain
- Server compares the sending IP against the authorized list
- Result: pass, fail, soft fail, or neutral
SPF Record Syntax
# Basic SPF record
example.com. IN TXT "v=spf1 include:_spf.sequenzy.com -all"
# Breakdown:
# v=spf1 - SPF version 1
# include:... - Include another domain's SPF record
# -all - Fail everything not explicitly allowed
# Multiple providers
example.com. IN TXT "v=spf1 include:_spf.sequenzy.com include:_spf.google.com -all"
# With IP address (for custom mail server)
example.com. IN TXT "v=spf1 ip4:203.0.113.5 include:_spf.sequenzy.com -all"
SPF Qualifiers
| Qualifier | Meaning | Use When |
|---|---|---|
| -all | Hard fail | You are confident in your SPF record |
| ~all | Soft fail | Testing or transitioning |
| ?all | Neutral | No policy (not recommended) |
Common SPF Mistakes
- Too many DNS lookups: SPF has a limit of 10 DNS lookups. Use SPF flattening if needed.
- Forgetting services: Include all services that send email (transactional, marketing, support desk).
- Multiple SPF records: Only one SPF record per domain. Combine providers in one record.
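The evaluation steps, record syntax and the lookup limit above can be exercised without touching DNS. The following is an added example, not code from the original guide or from Sequenzy: a small SPF evaluator that walks a record term by term, honours the qualifiers, recurses into include:, counts DNS-querying mechanisms against the RFC 7208 limit of 10, and reports a permerror when a domain publishes two SPF records. The ZONE dictionary is a constructed stand-in for DNS; the hostnames and addresses in it are documentation values (example.com, 203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32), and the a, mx, ptr and exists mechanisms are counted but never match because the stand-in zone has no A or MX data.

```python
import ipaddress

# Constructed stand-in for DNS (assumption: this example never touches the network).
# Domain names and addresses are documentation values, not real infrastructure.
ZONE = {
    "example.com": ["v=spf1 ip4:203.0.113.5 include:_spf.sequenzy.com -all"],
    "_spf.sequenzy.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "v6.example": ["v=spf1 ip6:2001:db8::/32 -all"],
    # Two records on one name: a common mistake that yields permerror.
    "twospf.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],
    # A record that includes itself: blows through the lookup limit.
    "loopy.example": ["v=spf1 include:loopy.example -all"],
}

MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}


class SPFError(Exception):
    """Raised for conditions that yield a permerror in RFC 7208 terminology."""


def get_spf(domain, zone):
    """Return the single SPF record for a domain, None if absent, permerror if there are several."""
    records = [r for r in zone.get(domain, [])
               if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(records) > 1:
        raise SPFError("multiple SPF records for " + domain)
    return records[0] if records else None


def check_host(ip, domain, zone, state):
    """Evaluate one record; state['lookups'] is shared across include: recursion."""
    record = get_spf(domain, zone)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term.partition(":")[0]:
            continue  # modifiers such as redirect= and exp= are not modeled here
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in LOOKUP_MECHANISMS:
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                raise SPFError("more than %d DNS lookups" % MAX_LOOKUPS)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            sub = check_host(ip, arg, zone, state)
            if sub == "none":
                raise SPFError("include of a domain with no SPF record: " + arg)
            matched = sub == "pass"  # fail/softfail/neutral inside an include simply do not match
        else:
            matched = False  # a/mx/ptr/exists would need A/MX data the stand-in zone lacks
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # nothing matched and the record has no "all" term


def evaluate(ip, domain, zone=ZONE):
    """Return (result, dns_lookups_used) for a connecting IP and a MAIL FROM domain."""
    state = {"lookups": 0}
    try:
        return check_host(ip, domain, zone, state), state["lookups"]
    except (SPFError, ValueError) as exc:
        return "permerror: " + str(exc), state["lookups"]


if __name__ == "__main__":
    for ip, domain in [("203.0.113.5", "example.com"), ("198.51.100.7", "example.com"),
                       ("192.0.2.9", "example.com"), ("192.0.2.1", "twospf.example"),
                       ("192.0.2.1", "loopy.example")]:
        print(domain, ip, evaluate(ip, domain))
```

The lookup counter is the part worth copying into real tooling: every include: costs one of the ten lookups regardless of whether it matches, so a record that passes today can silently become permerror when one of the included providers adds another nested include.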
DKIM: DomainKeys Identified Mail
DKIM adds a cryptographic signature to emails. It proves that the signed headers and body were not modified in transit and that the signature was produced by someone with access to your private key.
How DKIM Works
- Your email service signs the message with your private key
- The signature is added as a DKIM-Signature header
- Receiver looks up your public key via DNS
- Receiver verifies the signature against the message
- Result: pass or fail
DKIM DNS Record
# DKIM public key record
# Format: selector._domainkey.example.com
sq1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."
# Breakdown:
# sq1 - Selector (identifies which key)
# _domainkey - Required subdomain
# v=DKIM1 - DKIM version 1
# k=rsa - Key type (RSA)
# p=... - Public key (base64 encoded)
DKIM Best Practices
- Use 2048-bit keys (1024-bit is considered weak)
- Rotate keys periodically (annually is common)
- Use different selectors for different services
- Sign important headers: From, To, Subject, Date, Message-ID
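Whether a published DKIM key is actually 2048-bit, and whether the p= value survived the DNS editor intact, are the two things worth checking before a selector goes live (the same checks resolve most of the "DKIM fails" cases in the troubleshooting section further down). The following is an added example, not code from the original guide or from any of the services it mentions: a checker that parses the tags of a DKIM TXT record, base64-decodes p=, reads the RSA modulus size out of the DER SubjectPublicKeyInfo with a minimal TLV walker, and flags undersized keys, whitespace inside p=, an empty (revoked) key and a name that is not under _domainkey. The record it checks is built by sample_record() from a constructed modulus ((1 << bits-1) | 0x10001), which is not a real RSA key; rsa_spki() exists only to produce that test input.

```python
import base64
import binascii

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


# --- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo ---
def der_len(n):
    if n < 128:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # keep the INTEGER positive
    return der(0x02, b)


def rsa_spki(n, e=65537):
    """Encode (n, e) as the SubjectPublicKeyInfo that DKIM publishes in p=."""
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    rsa_pub = der(0x30, der_int(n) + der_int(e))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_pub))


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki):
    """Return the RSA modulus size in bits of a DER SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("p= is not a DER SEQUENCE")
    _, alg, pos = read_tlv(body, 0)
    _, oid, _ = read_tlv(alg, 0)
    if oid != RSA_OID:
        raise ValueError("p= is not an rsaEncryption key")
    _, bitstring, _ = read_tlv(body, pos)
    _, rsa_pub, _ = read_tlv(bitstring[1:], 0)  # skip the unused-bits octet
    _, modulus, _ = read_tlv(rsa_pub, 0)
    return int.from_bytes(modulus, "big").bit_length()


def sample_record(bits, spaced=False):
    """Constructed DKIM record (not a real key) with a modulus of the given size."""
    n = (1 << (bits - 1)) | 0x10001
    p = base64.b64encode(rsa_spki(n)).decode()
    if spaced:
        p = p[:40] + " " + p[40:]  # simulate a line break left in by a DNS editor
    return "v=DKIM1; k=rsa; p=" + p


def check_dkim_record(name, txt):
    """Validate a DKIM TXT record. Returns (modulus_bits or None, list of findings)."""
    findings = []
    if "._domainkey." not in name:
        findings.append("name is not <selector>._domainkey.<domain>")
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v", "DKIM1") != "DKIM1":  # RFC 6376: v= is optional, but if present must be DKIM1
        findings.append("v= must be DKIM1")
    if tags.get("k", "rsa") != "rsa":
        findings.append("k=%s is not rsa; this checker only sizes RSA keys" % tags["k"])
        return None, findings
    p = tags.get("p")
    if p is None:
        findings.append("p= tag missing")
        return None, findings
    if p == "":
        findings.append("p= is empty (key revoked)")
        return None, findings
    if any(c.isspace() for c in p):
        findings.append("whitespace inside p= value")
        p = "".join(p.split())
    try:
        bits = rsa_modulus_bits(base64.b64decode(p, validate=True))
    except (binascii.Error, ValueError, IndexError) as exc:
        findings.append("p= is not a valid base64 RSA public key: %s" % exc)
        return None, findings
    if bits < 2048:
        findings.append("%d-bit key is weak; use 2048-bit" % bits)
    return bits, findings
```

To check a live record, feed check_dkim_record() the selector name and the concatenated TXT strings returned by dig; remember that a long p= is often split into several quoted strings in DNS and must be joined without separators before decoding.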
DMARC: Domain-based Message Authentication
DMARC ties SPF and DKIM together. It tells receivers what to do when authentication fails and provides reporting.
How DMARC Works
- Receiver checks SPF and/or DKIM
- Receiver checks alignment (From domain matches SPF/DKIM domain)
- Receiver looks up DMARC policy
- Receiver applies policy: none, quarantine, or reject
- Receiver sends aggregate reports to your specified address
DMARC Record Syntax
# DMARC record (always at _dmarc subdomain)
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
# Breakdown:
# v=DMARC1 - DMARC version 1
# p=reject - Policy for failures (none, quarantine, reject)
# rua=mailto:... - Where to send aggregate reports
# pct=100 - Percentage of messages to apply policy to
# Monitoring mode (start here)
_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
# Gradual rollout
_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
DMARC Policies
| Policy | Effect | When to Use |
|---|---|---|
| p=none | No action, just report | Initial monitoring phase |
| p=quarantine | Send to spam | After reviewing reports |
| p=reject | Reject entirely | When confident in setup |
DMARC Implementation Steps
- Start with p=none: Monitor what is happening without affecting delivery
- Review aggregate reports: Identify legitimate senders that might fail
- Fix authentication issues: Ensure all legitimate email passes SPF and DKIM
- Move to quarantine: Start with pct=10, gradually increase
- Move to reject: After confirming all legitimate email passes
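The alignment check, the policy table and the pct= rollout above all come together in one decision the receiver makes per message. The following is an added example, not code from the original guide: a DMARC evaluator that parses a record, tests identifier alignment in relaxed or strict mode (adkim= and aspf=), applies sp= to subdomains, and implements the pct= sampling rule from RFC 7489 section 6.6.4 under which messages outside the sample get the next weaker policy (reject becomes quarantine, quarantine becomes none). The three records are the ones shown in this section; the organizational-domain function is a deliberate simplification that takes the last two labels, where a real verifier consults the Public Suffix List, and the sender domains in the tests are constructed documentation names.

```python
import random

# The records from this section of the guide.
ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ROLLOUT = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"


def parse_dmarc(txt):
    """Split a DMARC TXT record into its tags; v=DMARC1 and p= are mandatory."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record: " + txt)
    return tags


def org_domain(domain):
    # Simplification (assumption): organizational domain = last two labels.
    # Real verifiers use the Public Suffix List so that names like example.co.uk work.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, sample=None):
    """Return 'pass', or the policy the receiver applies: none, quarantine or reject.

    spf_domain is the MAIL FROM domain SPF evaluated; dkim_domain is the d= of a
    signature that verified. sample is the 0-99 value used for pct= sampling
    (drawn at random when not supplied, which is what receivers do)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"  # one aligned, passing identifier is enough
    policy = tags["p"]
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]  # subdomain policy from the organizational domain's record
    pct = int(tags.get("pct", "100"))
    if sample is None:
        sample = random.randrange(100)
    if sample >= pct:
        # Outside the pct= sample: apply the next weaker policy (RFC 7489 section 6.6.4).
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


if __name__ == "__main__":
    # Constructed scenario: an ESP sends with its own bounce domain, so SPF passes
    # but is unaligned; only an aligned DKIM signature rescues the message.
    print(dmarc_disposition(ENFORCE, "example.com", "pass", "bounce.esp.example", "fail", None))
    print(dmarc_disposition(ENFORCE, "example.com", "pass", "bounce.esp.example", "pass", "example.com"))
```

The unaligned-SPF case in the main block is the one that surprises people during rollout: a third-party sender that passes SPF on its own bounce domain contributes nothing to DMARC, which is why the guide insists on DKIM signing with your own domain in d= before moving past p=none.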
Verification Commands
# Check SPF record
dig TXT example.com +short
# Check DKIM record
dig TXT sq1._domainkey.example.com +short
# Check DMARC record
dig TXT _dmarc.example.com +short
# Or use nslookup on Windows
nslookup -type=TXT example.com
nslookup -type=TXT sq1._domainkey.example.com
nslookup -type=TXT _dmarc.example.com
Service-Specific Setup
Sequenzy
- Add your domain in Sequenzy dashboard
- Copy the provided DNS records
- Add records to your DNS provider
- Verify in Sequenzy dashboard
Postmark
- Add sender signature in Postmark
- Copy DKIM and Return-Path records
- Add to DNS
- Verify in Postmark
Resend
- Add domain in Resend dashboard
- Copy provided DNS records
- Add to DNS
- Verify in Resend
Troubleshooting
SPF Fails
- Check that the sending IP is included in SPF
- Verify no more than 10 DNS lookups
- Confirm only one SPF record exists
DKIM Fails
- Verify the selector matches what your service uses
- Check that the public key is correctly formatted
- Ensure no whitespace in the DNS record
DMARC Fails
- Check alignment (From domain must match SPF/DKIM domain)
- Review aggregate reports for failure reasons
- Verify both SPF and DKIM are passing