Co to jest SPF, DKIM i DMARC?
Kamil Porembiński
Kamil Porembiński

What are SPF, DKIM and DMARC? A few words about e‑mail delivery from the technical side

The email you sent didn’t get through? If you were sharing your impressions after last night’s game with a buddy, that’s fine. It’s worse if you lost a message in the depths of the net, in which you were finalizing the details of business cooperation with an important client. Or maybe you’re on the other side of the barricade and wonder why some emails – the content of which you’d love to read – end up in spam?

Whether you primarily send or receive email, you probably care about getting messages to the address you specify. Learn what spam is and what technical aspects have a direct impact on email deliverability.

What is spam?

Spam can be compared to the advertising flyers you find under your door. These are unwanted, unnecessary and often dangerous messages. Before an e‑mail is sent to a recipient, it is scanned several times. The first verification is done by the sender’s mail server. If the message is classified as spam, it will not move forward.

The email sent may also be rejected by the recipient’s server. It can also get under the watchful eye of various filters on the target inbox. The result is one – the recipient, to whom the message was addressed, will never get to know it.

Do you want your Internet mail to work efficiently? Do you want to make sure that spam actually goes to spam and that only valuable messages get to your mailbox? Bet on Google Workspace and enjoy probably the best mail, where you will not experience annoying messages with ads.

The more emails are rejected, the lower the deliverability rate will be. It is extremely important, among others, for people creating newsletters. If the mail will not be delivered, all the effort put in the service of this promotional channel will be wasted. So it’s time to move to the technical issues on which the deliverability of e‑mails depends.

SPF – Sender Policy Framework

No, in this case, SPF is not a sunscreen indicator, although actually the Sender Policy Framework has a lot to do with security. It is a text record that identifies the IP addresses from which you send emails within your domain. 

Why use SPF? This additional protection is supposed to make sure that nobody from the outside can impersonate you and send spam from your e‑mail account. When a message is delivered to a recipient’s server, thanks to SPF record it will be able to verify if a given sender’s server was actually authorized to send such an e‑mail.

Although at first glance an SPF record looks like a string of incomprehensible letters, numbers, and special characters, even someone without technical savvy will be able to build such a record based on the formula. If you prefer to rely on tools, use the SPF code generator.

A sample SPF record will consist of the following:

  • v=spf1 (indicator version),
  • ip4: (IP address of the mail server that is authorized to send mail),
  • and a/ mx/ ~all/-all (additional aspects of the record)


(+) confirms authentication,

(-) indicates no authentication,

(~) assigns a partial lack of authentication,

(?) indicates a neutral result.

Remember that an SPF record will only be able to translate into an increase in the deliverability rate of the emails you send if it is configured correctly.

DKIM – DomainKeys Identified e‑mail

DKIM is a way to authenticate email coming out of your outbox. This is another text record that is worth keeping in mind. With this parameter, the recipient of your message will be assured that it was sent by you and not by someone who has just hacked into your account and is sending out spam on your behalf.

You can take advantage of DKIM by including sender information in the header of the message you send using an encryption key.

Configuring a DKIM record is done in three steps:

  • key generation,
  • adding the DKIM key to the domain’s DNS records,
  • DKIM encryption activation.

If you want to make sure that the DKIM record is configured correctly, be sure to verify it.

When you implement the DKIM key, the recipient of your messages will be assured that they are actually sent by you.

DMARC – Domain-based Message Authentication Reporting and Conformance

If you want to increase the deliverability of the emails you send, there is another mechanism you can use for this purpose that is based on DNS records. It will help you find out who is behind the sending of all e‑mails that go out from your domain. 

However, before you set up DMARC, you must correctly configure the records listed earlier. Otherwise, the machine will not work. DMARC is in addition to the SPF AND DKIM records. The Google Workspace administrator recommends, for example, that SPF and DKIM be set at least 48 hours before the DMARC record is defined.

In order to configure DMARC, you must add the appropriate record to the DNS. In this way, you will specify the precision of verification of sent messages by the recipient server and indicate further actions to be taken when emails are not authenticated.

Policy Configuration:

  • none – if the message is not authenticated, it can be delivered to the recipient; this configuration does not force any action;
  • quarantine – emails that are not authenticated will be quarantined;
  • reject – this configuration will cause messages without authentication to not be delivered to the recipient.

What will you gain by setting up DMARC? You will have better control over your mailbox. Also, the risk that your emails will be classified as spam will be reduced.