SPF, DKIM & DMARC - 3 ways to improve email delivery

SPF, DKIM, DMARC and even BIMI records improve the throughput of emails to the recipient's mailbox. Spam filters are constantly evolving and the technology around email authentication is also getting better. In this article, we discuss the following:

• SPF (Sender Policy Framework)
• DKIM (DomainKeys Identified Mail)
• DMARC (Domain-based Message Authentication Reporting and Conformance)
• BIMI (Brand Indicator Message Identification)

Note! In the Tuonetti Webhotel, SPF, DKIM and DMARC records are automatically enabled.

Big players set the rules

The vast majority of all email traffic in the world goes through Google's Gmail. Microsoft's Outlook is also another huge action in this game. While these big players decide the rules of the game, small players invariably have to obey to make sure that emails end up in the inbox and not directly in the SPAM folder.

SPF, DKIM, DMARC, BIMI records

SPF, DKIM, DMARC and BIMI records are used to authenticate the sender of the email. In other words, they are designed to prevent someone else from sending email on your behalf. For example, Microsoft mail servers may not even accept emails that are missing these records. In such a situation, the emails do not even end up in spam, but the server blocks the traffic from happening at all. It is therefore important that the SPF, DKIM and DMARC records are set correctly for each domain from which the email is to be sent.

Updating records

SPF, DKIM, DMARC and BIMI are DNS Records. So to enable these, you need to have access to the DNS management of your domain. Note! An error in updating records can, in the worst case, cut off your email traffic altogether. We recommend that you contact your service provider if you are not sure what you are doing.

SPF record

The Sender Policy Framework (SPF ) record is used to tell you which servers are allowed to send email through your domain. The SPF record therefore lists all the different servers from which you might be sending email. Usually there is only one of these mail servers, but in some cases a separate service or server may be used to send newsletters.

An example of an SPF record that allows emails to be sent from a Google server, as well as from an Amazon server.

v=spf1 include:_spf.google.com include:amazonses.com ~all

• The DNS type is TXT without any subdomain prefix.
• The content of the record starts with v=spf1
• Add allowed servers to include:exampleidomain.fi style
• The all tag at the end tells you how tight the restriction should be.
  • -all = fail. Full blocking. Emails do not reach their destination.
  • ~all = soft fail. Emails will go through, but they will be flagged.
  • +all = allow all. Allows all servers in the world to send mail from this domain.

DKIM record

The DKIM record, DomainKeys Identified Mail, is, like the SPF record, also a protocol for verifying the authenticity of the source of an email. However, DKIM is better in the sense that it lasts longer than message retransmission. This is to ensure that the original message has not been manipulated from the original when it is forwarded.

DKIM is an encrypted key in the header of an email message that allows the server to verify that the email was actually sent by the domain owner.

Example of a DKIM record

v=DKIM1; k=rsa; p=MxxxxxxxxxxxxjANBxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1Mk6xxxxxxxxxQIDxxxxxxxxAB

• The DNS type is TXT, which may contain the subdomain prefix google._domainkey or default._domainkey, depending on your provider's settings.
• The content of the record starts with v=DKIM1
• Next, we define k=rsa, where k stands for "key" and rsa stands for key type. RSA is the most common, but may vary depending on the service provider.
• p stands for Public Key, i.e. the public part of the encrypted key. The private key remains on the server against which the public key is checked.
• The DKIM key is obtained through the service provider's service. WithTuonetti, this can be turned on automatically via Webhotel. For Google Workspace, we will turn on the DKIM record on your behalf.

DMARC record

Domain-based Message Authentication Reporting and Conformance, or DMARC, is a record that adds guidance and reporting to the existing SPF and DKIM records. This record allows the domain owner to get information about who else is trying to send messages on your behalf. DMARC therefore tells the recipient what to do when the rules for DKIM or SPF records are not respected.

An example of a DMARC record that moves emails that fail DKIM and SPF record checks to spam.

v=DMARC1; p=quarantine; rua=mailto:[email protected]

• The DNS type is TXT, which contains the subdomain prefix _dmarc
• The content of the record starts with v=DMARC1
• The next step is to define p, or Policy. This tells you what to do when an SPF or DKIM check fails.
  • p=none, a check is made, but no further action is taken.
  • p=quarantine, Move email to spam if it fails DKIM and SPF checks.
  • p=reject, Unauthorised mail will not be delivered at all.
• Finally, a rua, the address to which reports of failed deliveries are forwarded, is added. Usually another email address.

BIMI record (BONUS)

NOTE! This section may contain outdated information, as the implementation of the BIMI record is still very much under development. We update the section at regular intervals.

The BIMI record is a very new method that is not yet used in all services. The setting of a BIMI record is also not quite as obvious as the previous DKIM, SPF and DMARC records.

A correctly set BIMI record will display your company/organisation logo in the email application.

Example of a BIMI record

v=BIMI1; l=https://tuonetti.fi/tuonetti.svg

• The DNS type is TXT, which contains the subdomain prefix default._bimi
• The content of the record starts with v=BIMI1
• l or location tells you the location of the logo on the web
  • The logo must be in SVG format, but any SVG format will not work, the file must be:
    • version attribute must be 1.2
    • baseProfile attribute should be tiny-ps
    • the file must contain the
    • For further guidance, we recommend you read this article.

A BIMI record is not necessary, and we don't really recommend it unless you are a larger company that distributes a lot of email. For example, Google also requires a certificate to display the logo in Gmail. To obtain the certificate, you must have an internationally recognised brand name with an associated logo. You can then apply for a certificate for the logo, which normally costs around €1,000. Some providers will display your logo in mailboxes even without this.

Summary of SPF, DKIM and DMARC records

Together, the SPF, DKIM and DMARC records are very effective in the fight against spam. Google's and Microsoft's requirements to use these records may seem technically cumbersome, but almost without exception the above records are automatically enabled by modern service providers. At the latest, your service provider's customer service should be able to activate all the necessary records for you. But it is good to understand what the function of these records is.

Note, however, that SPF, DKIM and DMARC records alone are not sufficient to ensure that an email will always reach the inbox without exception. For example, the reputation of the server's IP address has a significant impact on the forwarding of email. There are also services that assess the reliability of different domains. The same services may place a domain on a block list if it is found to receive a lot of spam.

If sending emails is at the heart of your business, we recommend using Google Workspace for its reliability. Read also our previous article where we compare the difference between a web hosted email solution and a cloud solution.