(TL;DR: Access SparkPost’s free email tools to verify DKIM signatures, as well as visualize and build your own SPF records. Avoid phishing and spoofing attacks and send more secure emails.)

Understanding SPF and DKIM to Improve Email Deliverability

If you’re aware of how email can play a critical role in acquiring and retaining customers, then you’ve probably heard of SPF and DKIM. You might even know that SPF and DKIM are fundamental components of email authentication and help protect email senders and recipients from spam, spoofing, and phishing.

But what do these terms actually mean and how are they related to email deliverability? Let’s start with some definitions.

Sender Policy Framework (SPF) Definition:

SPF is a form of email authentication that defines a process to validate an email message that has been sent from an authorized mail server in order to detect forgery and to prevent spam. The owner of a domain can identify exactly which mail servers they are able to send from with SPF protocols.

DomainKeys Identified Mail (DKIM) Definition:

DKIM is a form of email authentication that allows an organization to claim responsibility for a message in a way that can be validated by the recipient. DKIM uses “public key cryptography” to verify that an email message was sent from an authorized mail server, in order to detect forgery and to prevent delivery of harmful email like spam.

SPF and DKIM Explained Simply

In the early days of ‘modern email’, there were limited mechanisms available to support sender verification. Nearly all spam, scams, and viruses that spread through email did so using falsified sender information – as some still do today. Verifying who email senders actually are was and still is a difficult process.

Take the example of visiting www.google.com and submitting a search. You’re generally pretty confident that Google has control over what gets sent back to you for your search and the search results are secure. This is because the Domain Name System (DNS)—a distributed network of servers that act as a phonebook—connects the domain with a variety of records, including where to find the real google.com.

Email uses a later adaptation of this same system to verify senders, which is exactly what a Sender Policy Framework (SPF) record is.

How SPF Works

At the most basic level, SPF establishes a method for receiving mail servers to verify that incoming email from a domain was sent from a host authorized by that domain’s administrators. The following three steps outline how SPF works:

  1. A domain administrator publishes the policy defining mail servers that are authorized to send email from that domain. This policy is called an SPF record, and it is listed as part of the domain’s overall DNS records.
  2. When an inbound mail server receives an incoming email, it looks up the rules for the bounce (Return-Path) domain in DNS. The inbound server then compares the IP address of the mail sender with the authorized IP addresses defined in the SPF record.
  3. The receiving mail server then uses the rules specified in the sending domain’s SPF record to decide whether to accept, reject, or otherwise flag the email message.

To take the first step of inspecting your own SPF record, you can do so with SparkPost’s free tool – the SPF Inspector.

SparkPost SPF Inspector


Once you’ve identified which servers are authorized to send on behalf of a domain, you can then create an SPF record for your domain through the SPF Builder.

SparkPost SPF Builder

Creating an SPF record will move you one step closer to ensuring that legitimate email that comes from your domain is successfully delivered to customer inboxes. When it comes to verifying that an email message was sent from an authorized mail server, that’s where DKIM comes in.

How DKIM Works

Simply put, DKIM works by adding a digital signature to the headers of an email message. This signature can then be validated against a public cryptographic key that is located in the organization’s DNS record.

  1. The domain owner publishes a cryptographic key. This is specifically formatted as a TXT record in the domain’s overall DNS record.
  2. After a message is sent by an outbound mail server, the server generates and attaches the unique DKIM signature to the header of the message.
  3. The DKIM key is then used by inbound mail servers to detect and decrypt the message’s signature and compare it against a fresh version. If the values match, the message can be proved authentic, and unaltered in transit, and therefore, not forged or altered.

You can validate your email with the DKIM Validator.

SparkPost DKIM Validator

The Value of SPF and DKIM

If you are a business that sends commercial or transactional emails, it’s critical to use both SPF and DKIM. Not only will these protocols protect your business from phishing and spoofing attacks, but SPF and DKIM ultimately help protect your customer relationships and brand reputation. Bear in mind that these are just a few of the many steps you can take to ensure business-critical emails reach your customers’ inboxes on time and don’t end up in spam folders.

Summing Up

In a nutshell, SPF allows email senders to define which IP addresses are allowed to send mail for a particular domain. DKIM on the other hand, provides an encryption key and digital signature that verifies that an email message was not forged or altered.

When these email authentication methods are properly implemented, you will be one step closer to improving your email deliverability and sending secure emails that drive revenue for your business.

~ Erica