Everything you need to know about SPF, DKIM and DMARC records
Alignment (in DMARC) is the match between the domain in the From header and the domain authenticated via SPF or DKIM. DMARC requires alignment with at least one of these protocols for an email to pass verification.
ARC (Authenticated Received Chain) is a protocol that preserves email authentication results (SPF, DKIM, DMARC) when messages are forwarded. It addresses the problem where forwarding causes SPF or DKIM checks to fail because the forwarding server isn't in the original SPF record.
Business Email Compromise (BEC) is a type of fraud where an attacker impersonates or compromises a business email address to trick recipients into making payments, sharing credentials, or disclosing sensitive information. It often relies on email spoofing or account takeover.
BIMI (Brand Indicators for Message Identification) is a standard that enables displaying the sender's logo directly in the recipient's email client. It requires an enforcing DMARC policy (quarantine or reject) and a certified logo (VMC certificate).
A blacklist is a list of IP addresses or domains identified as sources of spam or malicious activity. Blacklists are maintained by anti-spam organizations (Spamhaus, Barracuda, SORBS). Being blacklisted significantly reduces email deliverability.
A bounce is an email that cannot be delivered and is returned to the sender. A hard bounce indicates permanent failure (non-existent address), while a soft bounce is temporary (full mailbox, server unavailable).
A CNAME record (Canonical Name) is a DNS record type that maps one domain name to another. In email authentication, CNAME records are used for DKIM in Microsoft 365, where they point to public keys hosted by Microsoft.
DKIM (DomainKeys Identified Mail) is a method of digitally signing emails that allows the recipient to verify that the email actually comes from the domain listed as the sender and that it was not altered during transmission.
Explanation of the DKIM record fields:
v=DKIM1 - DKIM protocol version
k=rsa - cryptographic algorithm type
p=... - public key in Base64 encoding
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is an email authentication protocol that builds on SPF and DKIM. It allows domain owners to specify a policy for handling emails that do not pass authentication.
Explanation of the DMARC record fields:
v=DMARC1 - DMARC protocol version
p=quarantine - policy for the domain (failing messages are quarantined, typically to the spam folder)
rua=mailto:dmarc@example.com - address for aggregate reports
ruf=mailto:dmarc-failures@example.com - address for detailed failure reports
sp=reject - policy for subdomains
adkim=r - relaxed DKIM alignment
aspf=r - relaxed SPF alignment
DMARC reports are automatic reports sent by receiving mail servers to the domain owner. Aggregate reports (rua) summarize authentication results over a given period. Forensic reports (ruf) provide details about individual failures. Reports help monitor who is sending emails from your domain.
DNS (Domain Name System) is a hierarchical system that translates domain names (e.g. example.com) into IP addresses. It is essential for email authentication because SPF, DKIM, and DMARC records are published as TXT records in DNS.
Deliverability is the ability of an email to reach the recipient's inbox rather than being filtered to spam or rejected. It is affected by sender reputation, authentication (SPF, DKIM, DMARC), content quality, and recipient engagement.
The rate at which emails successfully reach the recipient's inbox rather than being filtered to spam or rejected. Influenced by authentication (SPF, DKIM, DMARC), sender reputation, message content, and recipient engagement.
Email spoofing is a technique where an attacker forges the sender address in an email to make it appear as if the message comes from a trusted domain. SPF, DKIM, and DMARC protocols are designed to protect against spoofing.
The envelope sender (also known as MAIL FROM or Return-Path) is the sender address specified in the SMTP envelope of an email. It differs from the From header address that recipients see. SPF verifies this envelope address, not the From header.
The From header is the email header field that contains the sender address visible to recipients in their email client. Unlike the envelope sender (MAIL FROM), it is easily forgeable. DMARC ensures that the From header address aligns with the domain verified by SPF or DKIM.
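The alignment rule from the Alignment, DMARC record and From header entries above, worked through in code. This is an added example, not code from the original page: the `POLICY` record is constructed from the tags the glossary explains, the organizational domain is simplified to the last two labels (a real verifier consults the Public Suffix List), and the SPF/DKIM results are assumed to come from an upstream verifier.

```python
def org_domain(domain):
    """Organizational domain, simplified to the last two labels (no Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r'): same organizational domain. Strict ('s'): exact domain match."""
    a, b = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    return a == b if mode == "s" else org_domain(a) == org_domain(b)

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=...; ...' into a tag dict (tag names are case-insensitive)."""
    pairs = [kv.split("=", 1) for kv in txt.split(";") if "=" in kv]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def dmarc_check(policy_txt, from_domain, spf, mail_from, dkim, dkim_d):
    """spf/dkim are the raw verifier results ('pass', 'fail', 'none'); mail_from is the
    envelope sender domain, dkim_d the d= tag of the verified signature (or None).
    Returns (dmarc_result, disposition)."""
    tags = parse_dmarc(policy_txt)
    # DMARC passes when at least one protocol passed AND its domain aligns with From
    spf_ok = spf == "pass" and aligned(from_domain, mail_from, tags.get("aspf", "r"))
    dkim_ok = dkim == "pass" and bool(dkim_d) and aligned(from_domain, dkim_d, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # a failing subdomain falls under sp= when present, otherwise under p=
    is_sub = from_domain.lower().rstrip(".") != org_domain(from_domain)
    return "fail", (tags.get("sp", tags["p"]) if is_sub else tags["p"])

# Constructed record built from the tags explained in the glossary; not a real domain's policy.
POLICY = ("v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; "
          "ruf=mailto:dmarc-failures@example.com; sp=reject; adkim=r; aspf=r")

if __name__ == "__main__":
    # legitimate mail, bounce subdomain as envelope sender: relaxed SPF alignment passes
    print(dmarc_check(POLICY, "example.com", "pass", "bounce.example.com", "none", None))
    # spoofed From: SPF passes for the attacker's own domain but does not align
    print(dmarc_check(POLICY, "example.com", "pass", "other.example.net", "none", None))
    # forwarded mail: SPF breaks, the surviving DKIM signature keeps DMARC passing
    print(dmarc_check(POLICY, "example.com", "fail", "example.com", "pass", "example.com"))
```

The second case is the one a spoofing attempt produces: the receiver applies `p=quarantine`, and the failure shows up in the rua/ruf reports.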
HTTPS is the encrypted form of HTTP used between a browser and a website. It protects login credentials, forms and payment details, and prevents data from being read or modified in transit.
IP warming is the process of gradually increasing email sending volume from a new IP address to build a positive reputation with email providers. It starts with a small volume sent to the most engaged recipients and scales up over 4-8 weeks.
An MX record (Mail Exchanger) is a DNS record that specifies which mail servers accept emails for a given domain. In an SPF record, the mx mechanism authorizes sending from the IP addresses of these servers.
PermError (Permanent Error) is a permanent error during SPF record evaluation. The most common causes are multiple SPF records on a single domain, syntax errors in the record, or exceeding the 10 DNS lookup limit. When a PermError occurs, SPF authentication fails.
Phishing is a fraudulent technique where an attacker impersonates a trusted person or organization to trick victims into revealing sensitive information (passwords, credit card numbers, etc.). Email spoofing is one of the primary tools used in phishing attacks.
Sender reputation is a score assigned by email providers based on the sending history of a domain or IP address. Low reputation causes emails to be filtered to spam. Factors include complaint rates, bounce rates, sending volume, and authentication.
A spam trap is an email address operated by anti-spam organizations or email providers to identify spam senders. Two types exist: pristine traps (never belonged to a real user) and recycled traps (repurposed from inactive accounts).
SPF (Sender Policy Framework) is an email authentication method that allows domain owners to specify which servers are authorized to send emails on behalf of their domain. The SPF record is published in DNS as a TXT record.
Explanation of the SPF record fields:
v=spf1 - SPF protocol version
include:_spf.google.com - allows Google Workspace servers
include:spf.protection.outlook.com - allows Microsoft 365 servers
ip4:192.168.1.10 - allows a specific IP address
~all - soft fail for all other servers
SPF flattening is an SPF record optimization technique that replaces nested include mechanisms with direct IP addresses (ip4/ip6). It reduces the number of DNS lookups required to evaluate the record, helping stay within the 10 DNS lookup limit defined in RFC 7208. It requires automation, since service IP addresses may change.
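The lookup limit, the PermError causes and the flattening technique from the SPF, PermError and SPF flattening entries above, as an added example that is not part of the original page. It evaluates records against a constructed in-memory zone instead of live DNS: the include targets are the names from the glossary's record, but their contents here (documentation address ranges, the `inc1`/`inc2` names) are made up and are not the providers' real records.

```python
import re
LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10  # RFC 7208 limit; exceeding it is a PermError
# Constructed TXT zone standing in for live DNS. The include targets are the names from
# the glossary record, but their contents are made up (documentation ranges), not real.
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com include:spf.protection.outlook.com ip4:192.168.1.10 ~all"],
    "_spf.google.com": ["v=spf1 include:inc1.example.net include:inc2.example.net ~all"],
    "inc1.example.net": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "inc2.example.net": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "spf.protection.outlook.com": ["v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.0/24 -all"],
    "twice.example": ["v=spf1 -all", "v=spf1 mx -all"],    # two SPF records -> PermError
    "loop.example": ["v=spf1 include:loop.example -all"],  # include loop -> PermError
}

class PermError(Exception):
    """Permanent SPF evaluation error: the result is 'permerror', neither pass nor fail."""

def spf_record(domain, zone=ZONE):
    """Return the single SPF TXT record for domain; zero or several records is a PermError."""
    recs = [t for t in zone.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(recs) != 1:
        raise PermError(f"{domain}: expected exactly one SPF record, found {len(recs)}")
    return recs[0]

def terms(record):
    """Yield (raw_term, mechanism_name, argument) for each term after v=spf1."""
    for term in record.split()[1:]:
        m = re.match(r"([a-z0-9]+)(?:[:=](.*)|/.*)?$", term.lstrip("+-~?"), re.I)
        if not m:
            raise PermError(f"syntax error in term {term!r}")
        yield term, m.group(1).lower(), m.group(2)

def count_lookups(domain, zone=ZONE, _chain=()):
    """Count the DNS lookups needed to evaluate domain's record, following includes."""
    if domain in _chain:
        raise PermError(f"{domain}: include loop via {' -> '.join(_chain)}")
    total = 0
    for _, name, arg in terms(spf_record(domain, zone)):
        total += name in LOOKUP_MECHS          # each of these mechanisms costs one lookup
        if name in ("include", "redirect"):    # plus whatever the referenced record needs
            total += count_lookups(arg, zone, _chain + (domain,))
        if total > MAX_LOOKUPS:
            raise PermError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups")
    return total

def flatten(domain, zone=ZONE):
    """SPF flattening: replace each include with the ip4/ip6 terms it resolves to."""
    out = ["v=spf1"]
    for term, name, arg in terms(spf_record(domain, zone)):
        if name == "include":  # keep only address terms; the included record's "all" must not leak in
            out += [t for t, n, _ in terms(flatten(arg, zone)) if n in ("ip4", "ip6")]
        else:
            out.append(term)
    return " ".join(out)
```

`count_lookups("example.com")` costs 4 lookups in this zone, while the flattened record costs none, which is why flattening is used to stay under the limit.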
A TXT record is a type of DNS record used to store arbitrary text. In the context of email authentication, TXT records are used to publish SPF rules, DKIM public keys, and DMARC policies.