Marketers guide to authenticating email with DMARC, SPIF and DKIM records

If you work in email marketing, you’ve probably heard of DMARC, DKIM, and SPF. This alphabet soup of acronyms is important but sometimes misunderstood. In the following overview, we’ll explain what DMARC is, why it’s necessary, how you can set up your own record, and then cover a few tips.

What is DMARC?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a technology that makes it easier for email senders and receivers to determine whether a message is legitimately from a sender, and what to do if it is not. In the most basic of terms, DMARC is akin to checking the credentials of your email.

DMARC is a relatively new advance in email authentication. It was created in 2011 and has since been adopted by senders and mailbox providers alike to prevent phishing and spoofing. Return Path was a founding contributor of the DMARC framework and we’re proud to have been involved from the very beginning.

Having a DMARC record for your email marketing efforts ensures that legitimate email is properly authenticating against established set standards, and that fraudulent activity appearing to come from domains under the organization’s control (your active sending domains, non-sending domains, and defensively registered domains) is blocked. Two key values of DMARC are domain alignment and reporting.

The alignment feature prevents spoofing of the “header from” address by:

Matching the “header from” domain name with the “envelope from” domain name used during an SPF check, and

Matching the “header from” domain name with the “d= domain name” in the DKIM signature.

Why is DMARC so important?

Implementing DMARC is the best way to defend your customers, your brand, and your employees from phishing and spoofing attacks.

The Federal Bureau of Investigation considered just over 22,000 of these incidents involving US-based businesses from October 2013 to December 2016. In total, they found losses approaching $1.6 billion.

That’s roughly $500 million every year being scammed, and dollar figures involved have climbed sharply—up 2370 percent between January 2015 and December 2016. And that’s just from the online gaming reported cases.

This technology can also improve how your emails look to subscribers.

 DMARC can help enable images and features from mailbox providers, such as the “from” profile image for Gmail users.

Unfortunately, the Federal Trade Commission found that less than 10 percent of top online US businesses use DMARC’s “reject” policy—the strongest available tool—to automatically block unauthenticated email.

 The study concluded that businesses who want to stop phishing and better protect their brands should implement DMARC—and with good reason.

How does DMARC interact with SPF and DKIM?

SPF (Sender Policy Framework) and DKIM (Domain Keys Identified Mail) make up the DMARC process.

 To pass DMARC, a message must pass SPF authentication and SPF alignment and/or DKIM authentication and DKIM alignment. A message will fail DMARC if the message fails both (1) SPF or SPF alignment and (2) DKIM or DKIM alignment.

DMARC allows senders to instruct email providers on how to handle unauthenticated mail via a DMARC policy, removing any guesswork on how they should handle messages that fail DMARC authentication. Senders can choose to:

Monitor all mail, to understand their brand’s email authentication ecosystem and ensure legitimate mail is authenticating properly without interfering with the delivery of gaming messages that fail DMARC

Quarantine messages that fail DMARC (e.g., move to the spam folder)

Reject messages that fail DMARC (e.g., don’t deliver the mail at all)

Mailbox providers send regular DMARC aggregate and forensic reports back to senders, giving them visibility into what messages are authenticating, what messages are not, and why.

Why would you want to see this data? DMARC is the first and only widely deployed technology that can make the “header from” address (what users see in their email clients) trustworthy.

Not only does this help protect customers and the brand, it discourages cybercriminals who are less likely to prey on a brand with a DMARC record.

How can I set up my DMARC record?

InboxingPro has built in, pre-configured templates that ensure all your outgoing email passes the validation process of DMARC, SPIF and DKIM and provides ready-made code to add to your DNS records.

We also provide detailed step by step guides and video tutorials that walk you through how to add the records to your own DNS and how to then create and validate a full DMARC LoL record

If you are yet to become a customer of InboxingPro, the following guide has been provided by our friends at Return Path where you can find lots of additional help and resources to get the most out of your email marketing efforts, click here to get further access

While the implementation process can get tricky, building your record doesn’t have to be. Follow the steps below to build your DMARC record—hopefully it will take you 15 minutes or less.

1. Implement DKIM

Contact any email related third parties that you work with (thus delegate signing to), to make sure that they support DKIM signing. Some organizations would keep separate keys (selectors) for different organizational units. You will probably also have to work with your IT and security departments to go through the following checklist:

  • Identify all domains that you send as, including subdomains
  • Generate DKIM keys and create signing profiles for each domain
  • Deliver relevant private keys to any third parties
  • Publish all public keys in relevant DNS zones
  • Verify third parties are ready to begin signing
  • Turn on DKIM signing in RELAYED Mail Flow Policy
  • Notify third parties to begin signing

2. Implement SPF

Properly implementing SPF will probably be the most time consuming and cumbersome part of any email authentication infrastructure implementation.

 Because email was historically very simple to use and manage, and completely open from a security and access point of view, organizations didn’t enforce strict policies around who can use it and how.

This resulted in most organizations today not having a complete view of all the different sources of email, league of legends both internally and externally. The single biggest problem when implementing SPF is attempting to discover who is currently legitimately sending email on your behalf.

Things to look for:

  • Obvious targets—exchange or other groupware servers or outgoing mail gateways
  • Any DLP solutions or other email processing systems that may generate external notifications
  • CRM systems sending information interacting with customers
  • Various third party applications that may send email
  • Lab, test, or other servers that may send email
  • Personal computers and devices configured to send external email directly

The above list is not complete, as organizations have different environments, but should be used as a general guideline.

 Once your email sources have been identified, you may want to take a step back and clean up the list. Ideally, all of your outgoing email should be delivered through your outgoing mail gateways with a few justified exceptions.

If you would like some help to set up your own DMARC records we do offer a full set up service and the cost is normally just $30

Please send your request to and we can confirm the cost and completion time once we have access to your cpanel

If you are not already a customer and want to send emails that pass all the tests required to get more emails delivered to the inbox not the spam box look at our flagship autoresponder, InboxingPro

Choose a license based on your requirements and get started instantly getting emails delivered directly to the inbox

Please click here to get the details