DKIM and SPF: Understanding Email Authentication and Deliverability


Email authentication is the process by which an email provider verifies that a message was sent from the domain listed in its From field. Email authentication is critical for ISPs and other organizations that must ensure that emails come from who they say they’re coming from. DMARC (Domain-based Message Authentication, Reporting & Conformance) has become the standard for email authentication because of its simplicity and effectiveness. We’ll explain what DKIM and SPF are and how they can help improve deliverability in this post!

What is DKIM?

DKIM is a way to verify that an email is authentic. It uses a cryptographic signature, which identifies the sender and can be verified by the recipient. This helps prevent spoofing and phishing attacks, where malicious actors send out emails that appear to be from a legitimate source but are fraudulent.

The DKIM process begins with generating a private key for your domain name (e.g., [yourdomainname].com). This private key is used to sign each outgoing message using one of two algorithms: SHA-1 or RSASSA-PKCS1 v1/v2 with SHA-256 hash function (RFC 6376). You then publish your public key in DNS records so that other people can use it when verifying messages they receive from you.

The sender’s domain name is added to the email header as a DKIM-Signature field. The receiving server can then retrieve the public key for that domain and verify that it matches what was published in DNS records. If there’s a match, it indicates that the message hasn’t been altered during transit and is likely from whom it claims.

What is SPF?

SPF is a Sender Policy Framework, which is a record that defines which mail servers are allowed to send emails on behalf of your domain. It’s added to your DNS records and checks if the sending server is authorized to send emails from your domain.

If you use Gmail or Yahoo Mail as an example, their SPF records look like this:

v=spf1 -all

Only Google’s mail servers can send emails from their domains since no “exceptions” section is specified (like If any other servers try sending an email using these domains’ nameservers, they will fail because they aren’t listed in any exception section of the record itself; therefore, all messages sent by them will be considered spammy!

How does DKIM work?

DKIM uses public-key cryptography to sign emails digitally. The sender’s domain name is published in DNS, and the private key is used to sign emails. The receiver uses the public key to verify the signature, which allows them to confirm that it was sent from an authorized source and hasn’t been altered during transmission.

How does SPF work?

SPF is a DNS record that identifies which IP addresses are authorized to send emails on behalf of your domain. It also helps identify spammy mail from other domains that may try to impersonate yours. If you don’t have an SPF record, it’s easy for someone else to send emails with a fake “from” address in your name by simply forging the IP address they use in their message headers (the part of an email that shows where it came from).

SPF records are published on domain registrar websites, like GoDaddy or Namecheap–but not all registrars support them yet! So make sure yours does before proceeding with this process.


DKIM and SPF help improve email deliverability by authenticating a sender’s domain name and email address. DMARC is a policy protocol that allows you to set a policy for how your domain should respond to emails that fail authentication.

DKIM and SPF help improve email deliverability by authenticating a sender’s domain name and email address. DKIM and SPF help improve email deliverability by authenticating a sender’s domain name and email address. While DKIM is used to authenticate a domain name, SPF is used to validate an IP address or range of IP addresses. Both protocols require you to publish a DNS record in your DNS provider’s dashboard, which means you need access to their platform before configuring either protocol.

Both are not replacements for DMARC (Domain-based Message Authentication Reporting & Conformance) but work alongside it as part of an overall strategy for improving your email deliverability rates through authentication and reporting toolsets.


DKIM and SPF help improve email deliverability by authenticating a sender’s domain name and email address. They are both used in conjunction with DMARC, which allows you to set up policies for dealing with messages that fail authentication checks. In this article, we’ll cover what DKIM is and how it works, as well as discuss SPF vs. DMARC vs. DKIM so you can decide which one is best for your business needs!

Subscribe to Phisher Safe by SimpleDMARC

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.