SPF, DKIM, DMARC and even BIMI records improve the deliverability of emails to the recipient's mailbox. Spam filters are constantly evolving, and the technology around email authentication is also getting better. This article goes through each of these records in turn.
Note! In the Tuonetti Webhotel, SPF, DKIM and DMARC records are automatically enabled.
The vast majority of all email traffic in the world goes through Google's Gmail. Microsoft's Outlook is another huge player in this game. Since these big players decide the rules of the game, small players have to follow them to make sure that emails end up in the inbox and not directly in the spam folder.
SPF, DKIM, DMARC and BIMI records are used to authenticate the sender of the email. In other words, they are designed to prevent someone else from sending email on your behalf. For example, Microsoft mail servers may not even accept emails that are missing these records. In such a situation, the emails do not even end up in spam; the server refuses the delivery altogether. It is therefore important that the SPF, DKIM and DMARC records are set correctly for each domain from which email is to be sent.
SPF, DKIM, DMARC and BIMI are DNS records. To enable them, you need access to the DNS management of your domain. Note! An error in updating records can, in the worst case, cut off your email traffic altogether. We recommend that you contact your service provider if you are not sure what you are doing.
The Sender Policy Framework (SPF) record tells receiving mail servers which servers are allowed to send email on behalf of your domain. The SPF record therefore lists all the different servers from which you might be sending email. Usually there is only one such mail server, but in some cases a separate service or server may be used to send newsletters.
An example of an SPF record that allows emails to be sent from a Google server, as well as from an Amazon server.
v=spf1 include:_spf.google.com include:amazonses.com ~all
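A typical way to break the record above is to publish a second v=spf1 record when a newsletter service is added. The following check is an added example, not part of the original article or any provider's tooling; it inspects the TXT strings offline, and the function name and the broken variants are constructed for illustration.

```python
# Added example: lint the SPF TXT value(s) of one domain before publishing.
# Works offline on the strings only; include: targets are not resolved, so the
# lookup count is a lower bound for the RFC 7208 limit of 10.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def lint_spf(txt_records):
    """Return a list of findings; an empty list means nothing was flagged."""
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if len(spf) != 1:
        # No record means no policy; several records make receivers return permerror.
        return [f"expected exactly one v=spf1 record, found {len(spf)}"]
    findings, lookups, all_qualifier, has_redirect = [], 0, None, False
    terms = spf[0].split()[1:]
    for position, term in enumerate(terms):
        qualifier = term[0] if term[0] in "+-~?" else "+"  # default is "+"
        name = term.lstrip("+-~?").lower()
        for sep in ":/=":                # strip ":domain", "/cidr", "=value"
            name = name.split(sep)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "redirect":
            has_redirect = True
        if name == "all":
            all_qualifier = qualifier
            if any("=" not in later for later in terms[position + 1:]):
                findings.append("mechanisms after 'all' are never evaluated")
    if all_qualifier is None and not has_redirect:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("'+all' authorizes every server on the internet")
    elif all_qualifier == "?":
        findings.append("'?all' gives no verdict on unlisted senders")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: over the limit of 10 (permerror)")
    return findings

# The article's record; the variants below are constructed for the demo.
ARTICLE_RECORD = "v=spf1 include:_spf.google.com include:amazonses.com ~all"

if __name__ == "__main__":
    print(lint_spf([ARTICLE_RECORD]))
    print(lint_spf([ARTICLE_RECORD, "v=spf1 include:amazonses.com ~all"]))
    print(lint_spf(["v=spf1 ~all include:_spf.google.com"]))
```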
The DKIM record, DomainKeys Identified Mail, is, like the SPF record, a protocol for verifying the authenticity of the source of an email. However, DKIM is better in the sense that it survives message forwarding. It ensures that the message has not been altered from the original when it is forwarded.
DKIM adds a cryptographic signature to the header of an email message. The receiving server checks the signature against the public key published in the domain's DKIM DNS record, which verifies that the email was actually sent by the domain owner.
Example of a DKIM record
v=DKIM1; k=rsa; p=MxxxxxxxxxxxxjANBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1Mk6xxxxxxxxxQIDxxxxxxxxAB
Domain-based Message Authentication, Reporting and Conformance, or DMARC, is a record that adds guidance and reporting to the existing SPF and DKIM records. This record allows the domain owner to get information about who else is trying to send messages on their behalf. DMARC also tells the recipient what to do when the rules for DKIM or SPF records are not respected.
An example of a DMARC record that moves emails that fail DKIM and SPF record checks to spam.
v=DMARC1; p=quarantine; rua=mailto:[email protected]
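How a receiver combines the three records, as an added example that is not part of the original article: DMARC passes when either SPF or DKIM passes for a domain aligned with the visible From domain, which is why a forwarded message that breaks SPF can still pass on DKIM. Assumptions: the report address is a placeholder, the organizational domain is approximated by the last two labels (real receivers use the Public Suffix List), and the sp= and pct= tags are ignored.

```python
# Added example: the DMARC decision a receiver makes for one message.
def parse_tags(record):
    """Split 'v=DMARC1; p=quarantine; ...' into a dict keyed by tag name."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Simplification (assumption): last two labels stand in for the
    # organizational domain; wrong for suffixes such as co.uk.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), anything else = relaxed."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record, from_domain, spf_pass, mail_from_domain,
                      dkim_pass, dkim_d):
    """Return 'pass', the policy to apply ('none', 'quarantine', 'reject'),
    or 'no-policy' when the record is unusable."""
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if tags.get("v") != "DMARC1" or policy not in ("none", "quarantine", "reject"):
        return "no-policy"
    spf_ok = spf_pass and aligned(mail_from_domain, from_domain,
                                  tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_d, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy

# Constructed record: the article's policy with a placeholder report address.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    # Sent directly by the domain's own server.
    print(dmarc_disposition(RECORD, "example.com", True, "example.com", True, "example.com"))
    # Forwarded: SPF fails at the forwarder's IP, the DKIM signature survives.
    print(dmarc_disposition(RECORD, "example.com", False, "forwarder.test", True, "example.com"))
    # SPF passes, but for an unrelated envelope domain, and there is no DKIM.
    print(dmarc_disposition(RECORD, "example.com", True, "unrelated.test", False, None))
```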
NOTE! This section may contain outdated information, as the implementation of the BIMI record is still very much under development. We update the section at regular intervals.
The BIMI record is a very new method that is not yet used in all services. The setting of a BIMI record is also not quite as obvious as the previous DKIM, SPF and DMARC records.
A correctly set BIMI record will display your company/organisation logo in the email application.
Example of a BIMI record
v=BIMI1; l=https://tuonetti.fi/tuonetti.svg
A BIMI record is not necessary, and we don't really recommend it unless you are a larger company that distributes a lot of email. For example, Google also requires a certificate to display the logo in Gmail. To obtain the certificate, you must have an internationally recognised brand name with an associated logo. You can then apply for a certificate for the logo, which normally costs around €1,000. Some providers will display your logo in mailboxes even without this.
Together, the SPF, DKIM and DMARC records are very effective in the fight against spam. Google's and Microsoft's requirements to use these records may seem technically cumbersome, but almost without exception the above records are automatically enabled by modern service providers. At the very least, your service provider's customer service should be able to activate all the necessary records for you. Still, it is good to understand what these records do.
Note, however, that SPF, DKIM and DMARC records alone are not sufficient to ensure that an email will always reach the inbox without exception. For example, the reputation of the server's IP address has a significant impact on the forwarding of email. There are also services that assess the reliability of different domains. The same services may place a domain on a block list if it is found to receive a lot of spam.
If sending emails is at the heart of your business, we recommend using Google Workspace for its reliability. Read also our previous article where we compare the difference between a web hosted email solution and a cloud solution.