You might have heard about SPF and DKIM, and you might even know that they’re email authentication standards. But a lot of the information out there about SPF and DKIM is a little hard to understand. That’s why I’m going to lay it out in an easy-to-understand way and give you some tips for setting them up for your own domains.
In the earliest days of what we would recognize as modern email, there was little in the way of sender verification. Pretty much all spam, scams, and viruses that spread through email did so using falsified sender information – as they still do today. So how can you be sure that the sender is who they say they are?
When you go to www.google.com, you’re generally pretty confident that Google has control over what gets sent back to you. This is because the Domain Name System (DNS)—a distributed network of servers that act as a phonebook—connects the domain with a variety of records, including where to find the real google.com.
Email uses a later adaptation of this same system to verify senders. Specifically, we use what’s called a Sender Policy Framework (SPF) record. Much like your browser does when you type in google.com, your email client will look up the DNS entries for any domain you receive email from and make sure that the domains listed there agree that the server sending the email is legitimate.
Think of it like this: if you wrote your own name and someone else’s return address on an envelope and sent it to me, SPF is a way for me to call each of you up and make sure it’s legitimate. But then how do I know it’s actually you that wrote the contents?
DKIM (DomainKeys Identified Mail) uses public-key cryptography which, to criminally oversimplify, is basically a giant math problem that takes forever to solve unless you have two very specific hints. One hint I make publicly available, the other I send along with the message. If you feed both of those hints into the problem-solving machine and it gives you the answer, then you know I wrote the contents.
Implementing each of these layers of validation is pretty straightforward, and SparkPost makes it extra simple. In fact, SparkPost handles the SPF part automatically, so all email from your account is already SPF-compliant.
That leaves just DKIM for you to configure. Here’s how: When you log into your account, under Account > Sending Domains you can find the DNS entry you need to add. In your host dashboard, you should see a section for DNS entries. If you just set up this host or domain, this should look pretty familiar.
Some hosts will mention SPF records here, but you’re looking for a generic TXT record.
There are two parts to a DKIM record: the host name and its value. You will want to paste the DKIM record value you copied from the SparkPost dashboard earlier. Submit the form, and you’re set.
By the way, not all registrars allow you to add DNS records to arbitrary host names, which is necessary for DKIM setup. Most of the time, they can do it for you, but you might need to go through a support request for it. For specific instructions for different registrars, you can check out the DKIM support guide.
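Before you submit the form, you can sanity-check both parts of the record offline. The Python below is an added example, not code from the original article or from SparkPost; it follows the standard DKIM key-record layout (a `<selector>._domainkey.<domain>` host name and `tag=value` pairs in the TXT value), and the selector `sel1`, the domain `example.com` and the shortened `p=` data are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample as it might appear in a zone file: one TXT value split into
# two quoted strings. The p= data is shortened filler, not a usable key.
SAMPLE_DOMAIN = "example.com"
SAMPLE_HOST = "sel1._domainkey.example.com"
SAMPLE_TXT = '"v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GN" "ADCBiQKBgQC7"'

def join_txt_chunks(raw):
    """A TXT string holds at most 255 bytes, so long keys are stored as several
    quoted strings; verifiers join them with nothing in between."""
    chunks = re.findall(r'"([^"]*)"', raw)
    return "".join(chunks) if chunks else raw.strip()

def parse_tags(value):
    """Split 'tag=value; tag=value' pairs; whitespace inside values is ignored."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())
    return tags

def check_dkim_record(host, raw_txt, domain):
    """Return a list of problems found; an empty list means the record looks sane."""
    problems = []
    suffix = "._domainkey." + domain.lower()
    name = host.lower().rstrip(".")
    # Catches a missing selector and panels that append the domain a second time.
    if not name.endswith(suffix) or len(name) == len(suffix):
        problems.append("host is not <selector>._domainkey." + domain)
    tags = parse_tags(join_txt_chunks(raw_txt))
    if tags.get("v", "DKIM1") != "DKIM1":
        problems.append("v= must be DKIM1")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        problems.append("unknown key type in k=")
    key = tags.get("p")
    if key is None:
        problems.append("missing p= (public key)")
    elif key == "":
        problems.append("empty p= marks the key as revoked")
    else:
        try:
            base64.b64decode(key, validate=True)
        except binascii.Error:
            problems.append("p= is not valid base64 (truncated paste?)")
    return problems
```

Call `check_dkim_record(host, value, domain)` with the host name and value exactly as you typed them into the DNS form; any entry in the returned list points at a part to re-copy.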
P.S. If you want to check to see if your email is SPF and DKIM enabled, you can use our Validator tool.
Alex Mohr runs marketing and analytics for sendwithus.com and works tirelessly to rid the world of bad coffee and bad emails.