Understanding DKIM, SPF, and DMARC for Email Deliverability
Proper DNS configuration plays a critical role in ensuring your emails are delivered reliably and not marked as spam. Three key DNS records – DKIM, SPF, and DMARC – work together to authenticate your emails and protect against spoofing. This article explains their importance, how to configure them, and how to check their status.
If you have not yet saved any DNS records to your domain to register it in Spark (which you should do, so that you can send emails via Spark from your email domain), see Email Settings to learn how to generate the necessary DNS records. You will need to send these records to your network administrator to save to your email domain host.
You should also ensure that you send emails from your registered domain. If you send emails from multiple domains, verify all of them and ensure you choose the correct one in your email settings before sending each campaign.
DKIM Records (DomainKeys Identified Mail)
What is DKIM?
DKIM is an email authentication method that uses cryptographic signatures to verify that an email was sent from an authorized mail server and hasn’t been altered in transit. DKIM is an important way to enhance email trustworthiness and prevent spoofing and phishing attacks. Additionally, many receiving servers, including Gmail and Microsoft Outlook, check DKIM before accepting an email into the inbox, so if you have not set up a DKIM record, your email might go to spam or not be delivered at all.
In Spark, a DKIM record is generated for you when you add a registered domain, but your network administrator needs to save it to your email host provider.
Example record:
Type: TXT
Hostname: mailo._domainkey.awesomeproject.com
Value: k=rsa; p=your_public_key_here
SPF Records (Sender Policy Framework)
What is SPF?
SPF is a DNS record that lists all authorized servers allowed to send email on behalf of your domain. SPF records must not be duplicated. Multiple SPF records cause validation failures, which can result in email rejection or spam classification. SPF should be combined into a single record using the include mechanism to add multiple sending services.
In Spark, an SPF record is generated for you when you add a registered domain, but your network administrator needs to save it to your email host provider and merge it if necessary.
How to Merge Multiple SPF Records:
If you have multiple services (e.g., Google Workspace and Spark), instead of creating separate SPF records, combine them into one:
Incorrect:
v=spf1 include:_spf.google.com ~all
v=spf1 include:mailgun.org ~all
Correct (merged):
v=spf1 include:_spf.google.com include:mailgun.org ~all
Always end the SPF record with -all (hard fail), ~all (soft fail), or ?all (neutral), depending on how strictly you want to enforce it.
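One way to detect duplicate SPF records and produce the merged form described above, as an added Python example (not Spark's code). The function names, the sample TXT strings, the `default_all` parameter and the rule of keeping the strictest `all` term when the inputs disagree are assumptions of this example.

```python
# Added example. The TXT strings in SAMPLE_TXT are constructed, not real lookups.
SAMPLE_TXT = [
    "google-site-verification=constructed-token",
    "v=spf1 include:_spf.google.com ~all",
    "v=spf1 include:mailgun.org ~all",
]

# Higher number = stricter handling of senders that match no mechanism.
ALL_STRICTNESS = {"+all": 0, "?all": 1, "~all": 2, "-all": 3}


def spf_records(txt_records):
    """Return the TXT strings that are SPF records, each split into terms."""
    found = []
    for txt in txt_records:
        terms = txt.split()
        if terms and terms[0].lower() == "v=spf1":
            found.append(terms)
    return found


def merge_spf(txt_records, default_all="~all"):
    """Combine all SPF records into one; returns (merged_record, had_duplicates)."""
    records = spf_records(txt_records)
    if not records:
        raise ValueError("no SPF record present")
    mechanisms, all_terms = [], []
    for terms in records:
        for term in terms[1:]:
            # A bare "all" has an implicit "+" qualifier.
            lowered = "+all" if term.lower() == "all" else term.lower()
            if lowered in ALL_STRICTNESS:
                all_terms.append(lowered)
            elif term not in mechanisms:  # de-duplicate, keep first-seen order
                mechanisms.append(term)
    # Assumption: when the inputs disagree, keep the strictest "all" term.
    final_all = max(all_terms, key=ALL_STRICTNESS.get) if all_terms else default_all
    merged = " ".join(["v=spf1", *mechanisms, final_all])
    return merged, len(records) > 1


if __name__ == "__main__":
    merged, duplicated = merge_spf(SAMPLE_TXT)
    print("duplicate SPF records:", duplicated)
    print("publish:", merged)
```

Feed it the TXT strings returned for your domain; if the second value is True, replace the existing SPF records with the single merged one.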
DMARC Compliance (Domain-based Message Authentication, Reporting, and Conformance)
What is DMARC?
DMARC builds on SPF and DKIM by specifying how to handle messages that fail authentication and provides a mechanism for receiving reports on those failures. This helps prevent email spoofing and domain abuse, tells mailservers how to handle unauthenticated messages, and provides reporting to monitor your domain’s email activity and authentication issues.
If you do not already have a DMARC policy in place, Spark strongly recommends that you set one up. We suggest starting with p=none as your policy - you can always update it to quarantine or reject mail later!
The p=none policy is a monitoring-only mode that doesn’t affect mail delivery but allows you to collect reports.
Spark does not generate a DMARC record for you when you add a registered domain, but one is easy to create.
Example DMARC record:
Type: TXT
Name/Host: _dmarc.example.com
Value: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-failures@example.com; fo=1;
Some important things to note:
- rua is the address for aggregate reports; you should send these to a monitored address so they can be reviewed by your network administrator
- ruf is for forensic (detailed) reports; you should send these to a monitored address so they can be reviewed by your network administrator
- fo=1 requests detailed failure info and is helpful to diagnose email delivery issues, but is not required
Tools to Check DNS Record Status
There are many tools available to verify your DKIM, SPF, and DMARC records. Here are some suggestions:
- MXToolbox – https://mxtoolbox.com
- DNS Checker – https://dnschecker.org/domain-health-checker.php
- DigitalOcean – https://www.digitalocean.com/community/tools/dns
Correctly configuring these records significantly improves your email deliverability and domain security.