ReachScore Docs

SPF, DKIM & DMARC

Email authentication protocols that prove your emails are legitimately from your domain and prevent spoofing.

Why it matters: Emails that fail authentication are often filtered to spam or rejected entirely. Proper configuration is essential for deliverability.

SPF (Sender Policy Framework)

SPF specifies which mail servers are authorized to send email on behalf of your domain. It is published as a TXT record in your DNS.

Example SPF Record
v=spf1 include:_spf.google.com include:amazonses.com ~all

Components:

  • v=spf1 - SPF version (always spf1)
  • include: - Authorize another domain's SPF record
  • ip4: / ip6: - Authorize specific IP addresses
  • ~all - Soft fail for unauthorized senders (recommended)
  • -all - Hard fail for unauthorized senders

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to your emails that proves they were not modified in transit and came from your domain.

Example DKIM Record (selector._domainkey.example.com)
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...

How it works:

  1. Your mail server signs outgoing emails with a private key
  2. The signature is added to the email headers
  3. Receiving servers fetch your public key from DNS
  4. The signature is verified against the public key

DMARC (Domain-based Message Authentication)

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also enables reporting.

Example DMARC Record (_dmarc.example.com)
v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100

Policy options:

  • p=none - Monitor only (no action taken)
  • p=quarantine - Send failing emails to spam
  • p=reject - Reject failing emails outright

Start with p=none: Begin monitoring before enforcing. This lets you identify legitimate mail that might fail authentication before blocking it.

DMARC Alignment

DMARC requires "alignment" - the domain in the From header must match the domain authenticated by SPF or DKIM.

Type             Requirement
SPF Alignment    Return-Path domain matches From domain
DKIM Alignment   DKIM d= domain matches From domain

DMARC passes if either SPF or DKIM passes AND aligns. You do not need both.
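
The alignment rule above, worked through for single messages. This is an added example, not ReachScore code. Assumptions: the sending service domain esp-mail.test is made up, the organizational domain is approximated by the last two labels instead of the Public Suffix List, the aspf/adkim alignment-mode tags default to relaxed, and pct is ignored.

```python
# Added example (not ReachScore code): DMARC verdict for one message.
PAGE_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com; pct=100"
ACTIONS = {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}

def parse_tags(record):
    """Split a 'tag=value; tag=value' record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def org_domain(domain):
    # Assumption: the last two labels stand in for the organizational domain.
    # Real receivers use the Public Suffix List (this is wrong for e.g. co.uk).
    return ".".join(domain.split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate_dmarc(record, from_domain, spf, dkim):
    """spf = (result, Return-Path domain); dkim = (result, d= domain)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or tags.get("p") not in ACTIONS:
        raise ValueError("not a usable DMARC record")
    # aspf/adkim are the DMARC alignment-mode tags; both default to relaxed.
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "spf_aligned": spf_ok, "dkim_aligned": dkim_ok, "action": "deliver"}
    return {"dmarc": "fail", "spf_aligned": False, "dkim_aligned": False, "action": ACTIONS[tags["p"]]}

if __name__ == "__main__":
    # Constructed messages; esp-mail.test is a made-up sending service.
    esp = "bounces.esp-mail.test"
    # SPF passes for the ESP's own Return-Path, DKIM is signed as example.com.
    print(evaluate_dmarc(PAGE_RECORD, "example.com", ("pass", esp), ("pass", "example.com")))
    # Both checks pass, but only for the ESP's domain: DMARC still fails.
    print(evaluate_dmarc(PAGE_RECORD, "example.com", ("pass", esp), ("pass", "esp-mail.test")))
```

The second message is the case to look for in p=none reports: SPF and DKIM both pass for the sending service's domain, yet DMARC fails because neither aligns with the From domain.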

Quick Setup Checklist

1. Set up SPF

Add a TXT record with all your authorized sending services (ESP, transactional email, etc.)

2. Configure DKIM

Generate DKIM keys through your email provider and add the public key to DNS

3. Add DMARC (monitor mode)

Start with p=none to collect reports without affecting delivery

4. Test with ReachScore

Run a deliverability test to verify all authentication is working correctly

5. Enforce DMARC

Once verified, move to p=quarantine then p=reject