Understanding SPF and DKIM in Sixth Grade English

Alex Mohr
Aug. 26, 2015 by Alex Mohr


You might have heard about SPF and DKIM, and you might even know that they’re email authentication standards. But a lot of the information out there about SPF and DKIM is a little hard to understand. That’s why I’m going to lay it out in an easy-to-understand way and give you some tips for setting them up for your own domains.

In the earliest days of what we would recognize as modern email, there was little in the way of sender verification. Pretty much all spam, scams, and viruses that spread through email did so using falsified sender information – as they still do today. So how can you be sure that the sender is who they say they are?

When you go to www.google.com, you’re generally pretty confident that Google has control over what gets sent back to you. This is because the Domain Name System (DNS)—a distributed network of servers that act as a phonebook—connects the domain with a variety of records, including where to find the real google.com.

Email uses a later adaptation of this same system to verify senders. Specifically, we use what’s called a Sender Policy Framework (SPF) record. Much like your browser does when you type in google.com, your email client will look up the DNS entries for any domain you receive email from and make sure that the domains listed there agree that the server sending the email is legitimate.

Think of it like this: if you wrote your own name and someone else’s return address on an envelope and sent it to me, SPF is a way for me to call each of you up and make sure it’s legitimate. But then how do I know it’s actually you that wrote the contents?

That’s where DKIM comes in. DKIM is a combination of DomainKeys, originally designed at Yahoo, and Cisco’s Identified Mail.

DKIM uses public key encryption which, to criminally oversimplify, is basically a giant math problem that takes forever to solve unless you have two very specific hints. One hint I make publicly available, the other I send along with the message. If you feed both of those hints into the problem-solving machine and it gives you the answer, then you know I wrote the contents.

Implementing each of these layers of validation is pretty straight-forward and SparkPost makes it extra simple. In fact, SparkPost handles the SPF part automatically, so all email from your account is already SPF-compliant.

That leaves just DKIM for you to configure. Here’s how: When you log into your account, under Account > Sending Domains you can find the DNS entry you need to add. In your host dashboard, you should see a section for DNS entries. If you just set up this host or domain, this should look pretty familiar.


Some hosts will mention SPF records here, but you’re looking for a generic TXT record.

There are two parts to a DKIM record: the host name and its value. You will want to paste the DKIM record value you copied from the SparkPost dashboard earlier. Submit the form, and you’re set.

By the way, not all registrars allow you to add DNS records to arbitrary host names, which is necessary for DKIM setup. Most of the time, they can do it for you, but you might need to go through a support request for it. For specific instructions for different registrars, you can check out the DKIM support guide.

P.S. If you want to check to see if your email is SPF and DKIM enabled, you can use our Validator tool.

Alex Mohr

Alex Mohr runs marketing and analytics for sendwithus.com and works tirelessly to rid the world of bad coffee and bad emails.



10 Ways To Build Brand Trusty and Loyalty Through Transactional Email

Related Content

DKIM Validation: An Email Authentication Best Practice

An overview of DKIM validation including how to sign and validate work, interpreting DKIM signatures, what DKIM public keys look like and more.

read more

State of Email 2017: Your Role As A Sender

Our State of Email 2017 webinar will share insights on boosting ROI by bridging the gap between mailbox providers, marketers and email service providers.

read more

Email Basics Part 2: Putting the Pieces Together

In the second installment of our email basics series, Nick Zimmerman covers sending domains, web hosting, and DNS management.

read more

Get started and start sending

Try SparkPost and see how easy it is to deliver your app’s email on time and to the inbox.

Try Free

Send this to a friend