What are SPF, DKIM & DMARC Email Authentications?

By Sinead Harte

Digital Content & Copywriting Specialist

February 2024

Recently, you may be getting notifications from Microsoft, MailChimp, Shopify or other platforms saying you need to authenticate and/or add SPF, DKIM or DMARC records to continue sending emails from your domain. 

If you’re at a loss as to what SPF, DKIM or DMARC records are, you wouldn’t be alone. And, whilst we’re not IT experts, Darren Chapman of Pivotal Data Solutions is. 

Earlier this month, Darren dropped by the CoBright office to explain what SPF, DKIM and DMARC records are, why technology providers, EMS platforms and other platforms are pushing these email authentications, and how they are essential for your email deliverability.

What are SPF, DKIM, & DMARC records & why are they important? 

Back when the internet was invented in 1983, emails were always trusted and, without great threat of malicious behaviour, email methods didn’t have security inherently built-in. 

You could sit on any network and send emails as any domain, and any server would accept it. This became an obvious target for scammers and hackers to exploit this security vulnerability. 

Phishing emails gained great popularity, where untrustworthy sources posed as reliable sources in an attempt to gain sensitive data from their victims – something that we still see frequently today. 

In the early 2000s, there was a crackdown on email and domain security with new email authentication standards being developed. These standards were SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail).    

Whilst SPF and DKIM assisted with email security in the 2000s and early 2010s, technology became more sophisticated – and so did phishers and hackers. 

In 2012, DMARC (Domain-based Message Authentication, Reporting, and Conformance) was introduced to address the weaknesses that SPF and DKIM exposed.

More about SPF, DKIM and DMARC

What is SPF (Sender Policy Framework)?

In response to email spoofing and phishing in the early 2000s, SPF (Sender Policy Framework) was standardised to help prevent unauthorised users from sending emails on behalf of a domain they don’t own. 

Implemented through DNS (Domain Name System) records, SPF determines the IP addresses (email servers) that can send email from your domain (the part after the @ in your email address). 

So, let’s say that you send an email; during email delivery, the recipient server will check the SPF record in your DNS to confirm that your server is legitimate. 

This means that scammers and hackers can’t use your domain, assuring your recipients that your emails are from you and can be trusted.



What is DKIM (DomainKeys Identified Mail)? 

DKIM (DomainKeys Identified Mail) is another email authentication protocol that works to reduce email spoofing and phishing. 

By encrypting your outgoing message with a private key or CNAME record held by your domain, DKIM adds a digital signature to your outgoing message. The CNAME Record allows receiving servers to see that the message is verified to be from a server allowed to send on behalf of your domain, and your email hasn’t been tampered with in transit.   

When used in conjunction with SPF, these authentication protocols help to improve your email deliverability and enhance email security by verifying the authenticity of both your sent and received emails. 



What is DMARC (Domain-based Message Authentication, Reporting, and Conformance)?

Building upon SPF and DKIM, DMARC (Domain-based Message Authentication, Reporting, and Conformance) was introduced in 2012 to help address the massive increases in SPAM emails due to the slow uptake of the SPF and DKIM standards. 

Telling the receiving server what to do with the results of SPF and DKIM, a DMARC policy under your domain instructs email servers to either reject or quarantine emails sent from your domain if they fail the SPF and/or DKIM checks. 

Where are your SPF, DKIM & DMARC records stored?

All SPF, DKIM, and DMARC records are stored in your Domain Name System (DNS) TXT records, which is where all your records that are associated with your domain are stored. 



Why are these SPF, DKIM, & DMARC records being pushed now/ being made a requirement? 

Now more than ever, cyber security is vital. 

With more than 80% of security breaches coming from phishing emails, and many companies, large and small, falling victim to cyber-attacks (think of Medibank, Optus, Telstra, Woolworths and more), it’s become a necessity to have your SPF, DKIM, & DMARC records in place. 

Platforms like Google, Yahoo and Microsoft largely as recipients of emails from scammers and legitimate platforms such as  MailChimp, Shopify and more have started changing how aggressively they enforce SPF, DMKIM and DMARC standards.

Consequently, all legitimate email senders are pushing for you to update your SPF, DKIM, and DMARC records now and authenticate all emails sent from your domain. If you don’t, your recipients will likely not receive communications via these platforms. 

Why does that matter? Think of your email marketing system campaigns going straight to recipients’ junk folders or quarantine or your Shopify store being unable to send email order confirmations because they are rejected outright. That’s why it’s important to get these records updated as soon as you can.

Where to from here

Whilst it’s still a bit to wrap your head around, it’s important to remember that email authentication might be new to you, but it’s not new to your IT provider. 

If you’re receiving notifications regarding SPF, DKIM or DMARC records, reach out to your IT Provider or Darren Chapman at Pivotal Data Solutions.

Pivotal IT