Get in Subscribers’ Inboxes with DKIM and SPF Email Authentication

Illustration by Pedro Piccinini SPF, DKIM & DMARC illustration

Email authentication is just a fancy phrase for things that help you avoid being labeled as spam. If you’ve ever tested the spammyness of your emails (which I highly recommend you do), you would have noticed there are two specific things that affect your spam score: DKIM and SPF.

If you send out email newsletters or updates, you’ll want to have a passing familiarity with DKIM and SPF, two intimidating-sounding yet important acronyms that ensure your emails will land in your subscriber’s inbox instead of their spam folder.

By implementing these email authentication technologies, you can avoid being marked as spam, improve your open rate, increase engagement with your readers, and improve your sender reputation. A win for everyone!

Here’s what you need to know.

What in the World is DKIM and SPF?

If you aren’t an email marketer or web developer by trade, you might not have much familiarity with DKIM or SPF. That’s okay. It’s unlikely that you’ll have to do a really deep dive into either of these topics anytime soon. A casual knowledge will probably be plenty to get you through most of your email newsletter needs. Simply put:

  • DKIM: This acronym stands for DomainKeys Identified Mail, which references two separate technologies (Domain Keys and Identified Mail being those technologies — the name is not overly imaginative). Essentially, DKIM is a technology that allows your domain to sign your email as authorized. If your email comes from customerservice@dinosaurs.com, a DKIM will confirm this particular email is indeed authorized to be sent from the dinosaurs.com domain.
  • SPF: Short for Sender Policy Framework, SPF works on the same principle as DKIM, but in a different way. The goal is the same: verifying the sender of the email. But SPF works by creating a record of your Domain Name Server (DNS) when you send an email. Other email clients can then check this record against where your email purports to come from; if they both match up, your email will pass this very basic security test!

In simple terms, both DKIM and SPF work by verifying that a “from” address used on an email is authorized by that website’s domain. In other words, they make sure that you aren’t pretending to be someone else.

Most modern best practices for newsletters and bulk emails of any kind involve using both DKIM and SPF protocols.

What is the Value of DKIM and SPF Protocols?

DKIM and SPF protocols were developed for one simple reason: to protect you and your emails. When you look in your inbox, you have to have some level of confidence that any given email comes from who it says it comes from. There are two significant ways that DKIM and SPF can protect you and your users.

Protection from Fraud

These days, the internet can be a scary place, with Nigerian princes lurking in your inbox waiting to hoodwink you. And there are enough malicious actors out there forcing email service providers (ESPs) to play a little defense. Requiring authentication for send out mass emails is the very layer of that defense. It might seem like an extra hoop to jump through at first, but these defenses actually end up benefiting you in the long run.

All of your subscribers, for example, would quickly lose confidence in your emails if they started receiving emails that claimed to be from you but that you didn’t send. If your domain is dinosaurs.com, you don’t want anyone else sending emails from “customerservice@dinosaurs.com,” pretending to be you. DKIM and SPF are both designed to protect users from this type of fraud and spam.

More broadly, DKIM and SPF:

  • Help protect users from certain types of phishing schemes (although, that protection is by no means complete; users should always practice good information security hygiene).
  • Help protect the identities of small businesses and social groups. Scammers and spammers are less likely to try to impersonate you if you’re using DKIM and SPF protocols.
  • Provide confidence to email clients that you are who you say you are.

Protection From Being Labeled a Spammer

The second primary benefit of using DKIM and SPF is that doing so can help keep you from being labeled a spammer yourself. When all of the information from your domain key and your domain name server matches what you’re trying to send via your newsletter, it’s a good signal to all email clients — the Gmails and Yahoos and Outlooks of the world — that you are indeed who you say you are.

It’s a way of proving your trustworthiness to those email clients. Most scammers and spammers, for example, aren’t going to take a lot of time to ensure their DKIM and SPF protocols are properly formulated (in fact, their entire scamming strategy just might depend on the opposite).

If you want your emails to go to your subscriber’s inbox and not get caught in their spam filters, it’s worth taking the time to ensure that your DKIM and SPF is set up properly.

How Do Email Service Providers Decide What Spam Is?

ESPs use email filters and a host of criteria to determine if any given piece of mail is legitimate or spam. These filters are essentially algorithmic software, powered by AI, that analyze all incoming and outgoing emails and decide if it is spam or not.

Ensuring that you use proper DKIM and SPF protocols is one factor that is heavily weighted by those algorithms. Without these protocols in place, it’s possible that any innocent mistake, no matter how small, could tip the scales in terms of what email clients see, landing your email in the spam folder.

For more on how spam works, read our guide: How Spam and Phishing Filters Work.

How Do You Set Up DKIM and SPF?

Setting up your DKIM and SPF protocols can be a do-it-yourself style project if you send emails using your web server. But it’s usually recommended that you have at least some experience managing your domain and server information.

Both SPF and DKIM authentication are set up by adding TXT entries to your domain’s DNS records. This is done through your host’s control panel (usually cPanel, Plesk or WHM).

If you are sending emails with your own website and want to set up DKIM, get in touch with your web host to set up your DKIM.

To set up SPF, MailPoet has put together a big list of web hosts together with easy-to-follow instructions on how to set up SPF for each one.

When you’ve set up DKIM and SPF, you can use this handy tool from MailTester: Check Your SPF and DKIM Keys.

Note: We don’t recommend sending email with your web host. Here’s why.

What if You’re Using an Email Platform or Plugin to Send Emails?

If DKIM and SPF sound complicated, there’s no reason to fear. The vast majority of those who send email, especially in terms of small business or organizations don’t completely understand DKIM or SPF — and don’t need to.That’s because most organizations send emails using some kind of plugin or service, like MailPoet, to accomplish the task.

The nice thing about third party email plugins and platform is that they take care of the DKIM and SPF work for you. This means you don’t have to lift a finger.

All premium level email services implement both DKIM and SPF protocols. The MailPoet Sending Service, for example, automatically implements DKIM and SPF, with no action required on your part. That makes it easy to ensure your emails are authenticated before they’re sent, so you can carry on with sending your newsletters with the peace of mind that comes with knowing your emails won’t end up in spam boxes.

What about my WordPress website’s email?

WordPress does send emails, like email notifications when there’s a new comment to the website owner or admin. Or a password reset. Or a WooCommerce invoice.

These are typical transactional emails and Email Service providers acknowledge them as important, even though they might not be signed with SPF or DKIM.

This said, at MailPoet, we recommended to send those emails with a third party instead of your host. Especially if they’re critical to your online business, in the case of WooCommerce owners.

DKIM and SPF Made Easy With MailPoet

There are plenty of reasons why you might use an email service, of course, and DKIM or SPF protocols will rarely crack the top 10. People are usually more interested in ROI and engagement — reasonably so.

But that’s not to say that DKIM and SPF aren’t important. When you use a mail service, such as the MailPoet Sending Service, you’ve benefit from the following:

  • You won’t have to spend a significant amount of time trying to figure out DKIM and SPF.
  • You won’t have to worry about accidentally getting your DKIM and SPF specifications wrong, thus resigning your emails to spam filters everywhere.
  • You’ll have access to customer support services and experts who will be able to help you through any DKIM and SPF questions you might have.

Depending on the structure, size, and setup of your business or organization, it’s likely you may still have some set-up to do for proper DKIM and SPF authentication. But that setup will be much easier if you use MailPoet, for example, than attempting that set-up on your own domain name servers.

What is DMARC?

You may have heard of Domain-based Message Authentication, Reporting, and Conformance, or DMARC. It’s a technical standard that helps protect email senders and recipients from spam, spoofing, and phishing.

DMARC allows email services (e.g. MailPoet) to publish a policy that defines its email authentication practices and provides receiving mail servers (e.g. Gmail, Yahoo) instructions on what to do if they receive spam or spoofed emails. This removes a lot of the guesswork for the spam filters of the biggest ESPs.

DMARC itself isn’t an email authentication protocol. It builds on SPF and DKIM and also piggybacks on the well-established Domain Name System (DNS).

ESPs have used DMARC to crack down on spoofing attacks. Yahoo, for example, tells all receiving email servers to reject mail from yahoo.com addresses that don’t originate from its servers. Gmail has adopted a similar policy. This is why we tell MailPoet users not to use a free email address as your “from” address.

While Gmail does not have a “reject” policy, they do visibly warn the user if the “from” address says it’s from @yahoo.com, @gmail.com, @outlook.com but the email wasn’t sent from their respective servers:

An example of Gmail's DMARC policy.

DMARC is not a prerequisite to good deliverability, although it can be considered one of the many deciding factors. The majority of the world’s senders have yet to implement DMARC, but the standard is gaining ground since it replaces spam filters altogether.

To popularize DMARC to the wider public, the specification will allow every sender to display their logo in your inbox as a proof of origin, like an official stamp. For example, if Cards Against Humanity sends you an email and you see their logo beside the subject line, you’ll know for sure you’re getting one of their authentic pranks.

Your Email Success Depends on DKIM and SPF

To a certain extent, your email newsletter’s success depends on DKIM and SPF email authentication being properly implemented. But that doesn’t necessarily mean you have to understand DKIM and SPF inside and out. For most small businesses and community groups, it’s enough to simply know that these two forms of authentication exist and that you need them both enabled on every bulk email you send out — and MailPoet can take care of the rest.

Ultimately, both DKIM and SPF function to keep our email systems safer and more secure. They’re the first line in defense against spammers and scammers. If you want your emails to make it to your subscriber’s inbox, DKIM and SPF will be your best friends. And with the right tools, they can even be easy to set up.