Skip to content

What are SPF, DKIM, and DMARC, and how to check them

Why should you care about SPF, DKIM, and DMARC? You want your clients to get your emails, that’s why!

Email authentication is a key part of email deliverability. But what is email authentication, what are SPF, DKIM, and DMARC, and how do they work? This tricky topic can be hard to understand, but getting the details of how these authentication protocols work can save you a big headache in the long run.

Email authentication is important for making sure all of your business emails are delivered to the right folder in your leads’ and clients’ inboxes. Without the proper email authentication protocols in place, your email might go to the spam folder, or worse, bounce altogether.

That’s why we’re breaking down what SPF, DKIM, and DMARC are—so you can address your email deliverability issues head-on with the proper tools.

Jump to:

What are email authentication protocols?

Email authentication protocols are designed to verify the legitimacy of email messages. In essence, protocols establish your email’s authenticity and check that the content of the email hasn’t been tampered with while on its way to the recipient.

Email authentication protocols like SPF, DKIM, and DMARC prevent two major threats: phishing and spoofing. 

Phishing attacks are emails sent by hackers that attempt to extract sensitive information. Spoofing is when a hacker sends an email assuming the identity of another sender. An example of this is a hacker sending a banking email asking you to verify your account information—and then stealing your login credentials.


The key points of SPF, DKIM, and DMARC are twofold:

  • To prevent your email from being coopted for nefarious activity
  • To ensure your email is delivered to the correct recipient and the intended inbox

These authentication protocols all have different individual purposes, though, that influence email deliverability. All three publish information using a domain name system, or DNS.

SPF (sender policy framework)

The SPF protocol allows the domain owner to specify which servers can send email on behalf of their domain. It’s kind of like making your partner an authorized user for your bank account; they’re allowed to send money to and from your account. SPF is similar. You can say which servers are allowed to send an email from your custom email domain in the form of a list of IP addresses or hostnames.

Pro tip

“IP address” is a unique ID number for every network that connects to the internet. A hostname is the name assigned to a device (like the computer you’re on, or your phone).

How does the receiver know that the email was sent from you, though? When the recipient receives the email, their mail server checks the SPF record of the sender’s domain to verify if the server sending the email is authorized. If the SPF check fails, the email may be marked as spam or bounce.

DKIM (DomainKeys identified mail)

DKIM is kind of like an email signature. You wouldn’t want anyone forging your signature, would you? That’s where DKIM comes in. DKIM allows the sender of an email to digitally sign the email with a private key. 

The recipient’s email server then verifies the signature using a public key published in the sender’s DNS records.

This way, the recipient knows the email has not been intercepted and changed during transit. DKIM ensures that the email came from the claimed domain affiliated with the private key.

Pro tip

If your emails aren’t authenticated with DKIM, then the recipient can’t confirm you sent the email. This can affect your email sender reputation

DMARC (Domain-based message authentication, reporting, and conformance)

Of the three standard email authentication protocols, DMARC is the most advanced email protocol, and it’s executed after SPF and DKIM fail. 

DMARC is like the skeleton key of email authentication protocols; it enables domain owners to be even more specific about policies for email handling after the first two protocols fail. For example, if an email fails SPF and DKIM checks, DMARC dictates where reports are sent, and whether the email should be quarantined, rejected, or monitored. 

A DMARC record, therefore, is the record of how an email should be handled. That record is then sent to the email addresses sent to the email specified on record.

Email protocol TL;DR

These protocols are a little confusing, but here’s the TL;DR:

  • SPF defines what servers can send emails on behalf of a domain 
  • DKIM confirms the authenticity of the email content 
  • DMARC dictates and records how email servers should handle messages that fail SPF and DKIM checks.

How do authentication protocols talk to one another?

Once your domain is authenticated and these three protocols are set up, they have a specific way of communicating with one another. Say you send an email after setting up your authentication records. The server of the person you sent the email to will check to see if you have your SPF and DKIM records set up (which you do!)

Next, the server checks the DKIM and SPF—basically, following our examples above, it makes sure that your partner is on your bank account and that your signature matches the one you’ve provided on file. 

From there, the DMARC rules are applied: do we quarantine, reject, or monitor this email? If the email fails SPF or DKIM, or the protocols aren’t present, DMARC is set up to tell the email to behave in a few different ways. 

One way is for the email to continue on to the recipient’s inbox despite the lack of protocols. The next way is for DMARC to mark the email as suspicious—these emails end up in spam. Lastly, the email may just be rejected outright for being too fishy (or phishy… 🐟 ).

Authentication protocols and your custom domain name

Authentication protocols should be updated regardless of whether you’re sending emails using a clientflow management platform (like HoneyBook), a customer relationship management tool (like Dubsado), or an email sender service (like Mailchimp or Postmark).

With HoneyBook, you can use your custom Gmail domain name to send transactional emails and easily check your authentication protocols straight from the platform. For all other domain name providers like Yahoo and Microsoft, authentication protocols must be checked from inside your account

If you use HoneyBook’s default sending service, you leverage the HoneyBook sending reputation and HoneyBook handles the DNS records for you. Safely email your clients from your account, and ensure that no one is spoofing or phishing with your transaction sends.

Stay current on email best practices

Get the top tips on independent business management straight from the experts.

Blog tags:

Share to:


Follow us

Related posts