Email authentication through SPF and DKIM


Here we go again! Acronyms again, things to know again, nerd information again! Well no, they are a serious matter, and the correct delivery of your emails depends on these acronyms. We know from personal experience that these acronyms can sound unfamiliar, frightening, and totally uninteresting. Or perhaps they sound familiar to you, but you've never cared enough to check what they really are. Let's try to bring some clarity for non-technical readers.

Either way, it's time to learn a little about what SPF and DKIM are and how to set them up in the DNS records for your mail server if you want to have better control over the delivery of your emails. I will try my best to explain it in simple words, which will be understood not only by programmers.

What is SPF? How does SPF work?

Put simply, Sender Policy Framework (SPF) is a security mechanism built to prevent bad guys from sending emails on your behalf. The mechanism involves communication between DNS servers… and this is where it all starts to look scary! But don't panic. I'll try to keep it as simple as possible.

Let's say you sent an email to Bob. But how does Bob's mail server know that the email was actually sent by you? The problem is that it doesn't actually know, unless you have SPF set up in your domain's DNS. (Strictly speaking, we would first have to explain what a DNS server is, but let's skip that, otherwise you'll never forgive me!)

SPF defines which IP addresses may be used to send email from your domain. So let's imagine two possible "conversations" between servers. To make this easier, let's assume your name is Mike.

Scenario 1 – You have not set SPF.

Mike's Server: Hey, Bob's Server. I have a new message from Mike.
Bob's Server: Hi Mike's Server. What's your SPF?
Mike's Server: Yeah, about the SPF… who cares, really. I do not have one. Trust me, it's from Mike.
Bob's Server: If you don't have SPF, I can't be sure Mike sent it. Give me Mike's allowed IPs so I can compare them to yours.
Mike's Server: I don't have Mike's IP whitelist.
Bob's Server: Then I don't want your message. Delivery denied. Sorry, mate…

Scenario 2 – You have set SPF.

Mike's Server: Hey, Bob's Server. I have a new message from Mike.
Bob's Server: Hi Mike's Server. What's your SPF?
Mike's Server: Here's my SPF. There is a whole list of IPs that Mike himself has declared as ones that can be used on his behalf.
Bob's Server: Ok, let me see… And the message you have for me is sent from the IP 64.233.160.19. Okay, it's on the list. Everything looks fine. Give me the message, I'll show it to Bob. Thank you!

My apologies to all sysadmin readers for this oversimplification. I know you're shivering, but please forgive me: we envy your technical knowledge, but I have to speak to a non-technical audience, so I have to simplify.

Anyway, the moral of these two short dialogues is: set your SPF. If you don't, you might look like a bad boy, and not all of your emails will get delivered.

What applications should you include in your SPF?

The general idea is to make sure that any applications that send email on your behalf (and that use their SMTP, not yours) are included in your SPF. For example, if you're using Google Apps to send email from your domain, you should put Google in your SPF. Here are Google's instructions on how to do it.

But it's important to make sure that Google isn't the only application that has permissions in your SPF. For example, if we are using HelpScout to manage our support emails and MailChimp to send our newsletters, then we include both in our SPF.

Should I also include Woodpecker in my SPF?

No. As I said, you should remember to put apps that send email on your behalf, but use their own SMTP, in your SPF record. Woodpecker uses your own SMTP to send your emails, so it's more of an online email client than a bulk emailing app.

That said, the deliverability of emails sent from Woodpecker depends on the reputation of your domain. Setting SPF and DKIM will help you protect the good reputation of your domain, and therefore improve the deliverability of your emails.

How to set an SPF record on your server, step by step

The first step is to check what your current SPF record is. You can do this using tools like:

When you type in your domain (for example I would type woodpecker.co), the tools will run some tests and show you your current SPF, or a notification that it hasn't been set yet.

What are the next steps?

Depending on your domain host, the steps will be different. Basically, it's a matter of pasting a properly structured line of text into the right place in the console. For example, if you're using Google Apps to send all email from your domain, the line should look like this:

“v=spf1 include:_spf.google.com ~all”

The “v=spf1” part of the record is the version tag, and the parts that come after it are called mechanisms.

Now let's see what exactly each part means.

  • v=spf1 this element identifies the record as an SPF record
  • include:_spf.google.com this mechanism includes the mail servers listed in Google's own SPF record as authorized senders
  • ~all this element indicates that if an email is received from an unauthorized server (one not matched by the "include:" mechanism), it is tagged as a soft fail, meaning it can be let through, but may be flagged as spam or suspicious. (A "-all" would be a hard fail: reject outright.)

But if you're using more apps than this (for example, something to send your newsletter, something to send your support messages, etc.), the line will be a bit longer, because you'll need to include all other apps in it. Or if you don't use Google Apps but a server from another host, for example GoDaddy, the line will be different.
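To make the "conversation" above concrete, here is an added example (not code from the original post) of how a receiving server evaluates a sending IP against an SPF record. It resolves the ip4/ip6 and include mechanisms and the ~all / -all qualifiers; the DNS TXT data is a constructed in-memory table standing in for real lookups, and mechanisms such as a, mx and redirect are left out.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: no network access).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com -all",
    "_netblocks.google.com": "v=spf1 ip4:64.233.160.0/19 -all",
}

# Qualifier prefix -> SPF result when the mechanism matches ("+" is the default).
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, dns=FAKE_DNS_TXT):
    """Return the domain's SPF record, or None if it has not been set."""
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_spf(ip, domain, dns=FAKE_DNS_TXT, depth=0):
    """Evaluate sender `ip` for mail claiming to come from `domain`."""
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms at 10 per check
        return "permerror"
    record = lookup_spf(domain, dns)
    if record is None:
        return "none"  # scenario 1: no SPF, receiver cannot verify the sender
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":  # catch-all: its qualifier decides the result
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # `in` is False when address and network are different IP versions
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches only if the referenced domain's check passes;
            # a "-all" inside the included record does NOT become a fail here
            if check_spf(ip, value, dns, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"  # record ended without an "all" mechanism
```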

Here's how to set SPF for the most common domain hosts:

What is DKIM?

The DomainKeys Identified Mail (DKIM) standard was created for the same reason as SPF: to prevent bad guys from impersonating you as an email sender. It's a way to further sign your emails in a way that allows the recipient's server to check whether the sender is you or not.

By setting up DKIM on your DNS server, you are adding yet another method to tell your recipients “yes, this is indeed me sending this message”.

How to set DKIM and SPF

The whole idea is based on creating and verifying an additional digital signature placed in the header of your message. To make this possible, you need to have two keys:

  • the private key (which is unique to your domain and available only to you. It allows you to sign the header of your messages).
  • the public key (which you publish in your DNS records using the DKIM standard, so that your recipient's server can retrieve it and verify the signature in the header of your message).

Take Game of Thrones for the big picture of DKIM. Ned Stark is sending a crow with a message to King Robert. Anyone could take a piece of paper, write a message and sign it Ned Stark. But there is a way to authenticate the message – the seal. Now, everyone knows Ned's sigil is a direwolf (this is the public key). But only Ned has the original seal and can put it on his messages (this is the private key). Setting up DKIM is just putting the public key information in your DNS records. It's simply a TXT record that needs to be put in the right place.

Once you have this set up, every time someone receives an email from you, the recipient's server will try to verify your signature using the public key it fetched from your DNS. If successful, this further authenticates your message and consequently increases the trust in all your emails.
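As an added example (not part of the original post, and not Woodpecker's code), here is the part of a DKIM check a receiving server can do with nothing but the message itself: parse the DKIM-Signature tags, work out the DNS name where the public key lives, and recompute the body hash (bh=) after "simple" body canonicalization. The message, selector and domain are constructed samples; the b= tag is left empty because checking it needs the RSA public key, which is beyond this standard-library-only example.

```python
import base64
import hashlib

# Constructed sample body, CRLF line endings as on the wire; the extra blank
# lines at the end are there to show what canonicalization removes.
SAMPLE_BODY = b"Hello Bob,\r\n\r\nWinter is coming.\r\n-- Ned\r\n\r\n\r\n"


def canonicalize_body_simple(body):
    """'simple' body canonicalization (RFC 6376 section 3.4.3): drop
    trailing empty lines and make sure the body ends in exactly one CRLF."""
    while body.endswith(b"\r\n\r\n"):
        body = body[:-2]
    if not body.endswith(b"\r\n"):
        body += b"\r\n"
    return body


def body_hash(body):
    """bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body)).digest()
    return base64.b64encode(digest).decode()


def parse_tags(value):
    """Parse the 'k=v; k=v' tag lists used both in DKIM-Signature headers
    and in the DKIM DNS TXT record (e.g. 'v=DKIM1; k=rsa; p=...')."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())  # folding whitespace is ignored
    return tags


def dkim_dns_name(tags):
    """Where the receiver fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def dkim_header(body, domain="example.com", selector="mail"):
    """Constructed DKIM-Signature value for `body` (signature b= left empty)."""
    return (f"v=1; a=rsa-sha256; c=simple/simple; d={domain}; s={selector}; "
            f"h=from:to:subject; bh={body_hash(body)}; b=")


def check_body_hash(header_value, body):
    """True if the body still matches the bh= the signer committed to."""
    return parse_tags(header_value).get("bh") == body_hash(body)
```

A mismatch here means the body was altered in transit (or the header was forged), so a verifier stops before even fetching the public key.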

How to set up a DKIM record on your server, step by step

First, you need to generate the key pair; the public key is the part you will publish. To do this, you need to log in to your email provider's administration console. The next steps may differ depending on your email provider.

If you're using Google Apps to send your emails, here are the fitting instructions step by step. For Google Apps users, you should know that DKIM signatures are turned off by default, so you have to turn them on manually in your Google admin console.

When you have the public key, take the generated TXT record and paste it in the right place in your DNS records.

Finally, you need to enable email signing to start sending emails signed with your private key. Here's how, if you're using Google Apps to send your emails.

Set SPF & DKIM and improve your deliverability

If you are sending a lot of emails, either for marketing or for incoming or outgoing sales, your domain reputation is crucial and you should take care of it. You don't want your domain to be blacklisted and your emails to go to spam. Correctly setting the SPF and DKIM records on your DNS server is a necessary step for the security of your domain and the high deliverability of your messages.

Setting them up may seem complicated, but it is undoubtedly worth it. If I were you, I'd go to my account and check if my SPF and DKIM are set up correctly right now or ask my IT guys to do it. And if it turns out that the answer is "no", I would ask them to help me.