SPF and DKIM protocols: why and how to configure them?


Email-based attacks are becoming more numerous and more targeted. Phishing is a technique fraudsters use to obtain personal information. Phishers send an email pretending to be a trusted organisation (bank, PayPal, eBay, Amazon...) in order to retrieve confidential data. Depending on the data collected (banking information, login details, etc.), the fraudsters can, for example, make bank transfers to their own accounts or log in to a site to send spam.

There are solutions that prevent malicious people from stealing your identity by using the same domain name: the SPF, DKIM and DMARC authentication protocols. From the definition of these terms to the steps you need to take to define Mailjet as a legitimate sender, we explain everything in this article.

Definition of SPF, DKIM and DMARC
The Sender Policy Framework, or SPF, is an authentication standard for linking a domain name to an email address. It consists of defining the sender(s) authorised to send emails with a given domain. It allows email clients (Gmail, Outlook...) to verify that incoming email from a domain comes from a host authorised by the domain administrator.

DomainKeys Identified Mail, or DKIM, is an authentication protocol that links a domain name to a message. The protocol allows you to sign your email with your domain name. The purpose of the DKIM protocol is not only to prove that the domain name has not been spoofed, but also that the message has not been altered during transmission.

Domain-based Message Authentication, Reporting and Conformance, or DMARC, is an authentication standard that complements SPF and DKIM and is designed to combat phishing and other spamming practices more effectively. It allows domain owners to tell ISPs (Internet Service Providers) and email clients what to do when a message presented as coming from their domain is not authenticated by SPF or DKIM.

Why use the SPF, DKIM and DMARC protocols?
These are the main protocols for verifying the identity of senders. Using them is one of the most effective ways to prevent phishers and other fraudsters from impersonating a legitimate sender by using the same domain name.

There is another significant advantage: implementing these protocols improves the deliverability of the emails you send, since you will be better identified by the ISPs (Internet Service Providers) and email clients of your recipients. This improves the chances that your emails arrive in your recipients' inboxes and not in the "spam" or "junk" folder.

These protocols have become standard in email delivery. A message sent without SPF and/or DKIM authentication is viewed with suspicion by the various email analysis tools.

Limitations of SPF and DKIM protocols
SPF has its limitations. For example, if the email is forwarded, verification may not succeed, as the address sending the forwarded message may not be included in the list of addresses validated by SPF. You should therefore be as thorough as possible when adding new addresses to your SPF record.

A DKIM signature will not prevent you, as a sender, from being considered a spammer if you do not apply good emailing practices. You should therefore follow these practices when designing the content of your emails: pay attention to the text/image ratio, avoid words that anti-spam filters identify as risky, etc.

Another point is that SPF and DKIM do not specify the action to be taken if the verification fails. This is where DMARC comes in, telling the recipient's server what to do if the sender authentication processes fail.

Authenticate your domains with SPF, DKIM and DMARC
To configure your domain's SPF, DKIM and DMARC authentication settings, you need to access the DNS records of your hosting account (OVH, 1&1, HostGator, etc.). If you cannot find them or do not have access to them, your hosting provider can help you.
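
Once the records are in place, it is worth checking what the zone actually publishes. The following is an added example, not part of the original article and not Mailjet's code: it audits an SPF and a DMARC TXT record string and reports settings that leave failures unenforced. The domains, the `spf.esp.example` include and all record values are constructed placeholders.

```python
# Added example: offline audit of SPF/DMARC TXT strings; all records are constructed.

def spf_all_qualifier(txt):
    """Qualifier of the 'all' mechanism, 'missing' if absent, None if not SPF."""
    terms = txt.lower().split()
    if not terms or terms[0] != "v=spf1":
        return None
    for term in terms[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"  # '+' is the default
    return "missing"

def dmarc_tags(txt):
    """Parse 'tag=value;' pairs; None unless the record declares v=DMARC1."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def audit(spf_txt, dmarc_txt):
    """Return a list of findings for one domain's published records."""
    findings = []
    q = spf_all_qualifier(spf_txt or "")
    if q is None:
        findings.append("SPF: no valid v=spf1 record")
    elif q == "missing":
        findings.append("SPF: no 'all' mechanism (neutral result unless a redirect= applies)")
    elif q in ("+", "?"):
        findings.append("SPF: '%sall' does not fail unlisted hosts" % q)
    elif q == "~":
        findings.append("SPF: '~all' only soft-fails unlisted hosts")
    tags = dmarc_tags(dmarc_txt or "")
    if tags is None:
        findings.append("DMARC: no valid record, receivers get no failure policy")
    elif tags.get("p", "").lower() not in ("quarantine", "reject"):
        findings.append("DMARC: p=%s leaves failures unenforced" % tags.get("p", "(missing)"))
    return findings

SAMPLES = {  # constructed records for two hypothetical domains
    "strict.example": ("v=spf1 include:spf.esp.example -all",
                       "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"),
    "weak.example": ("v=spf1 include:spf.esp.example ~all", "v=DMARC1; p=none"),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        print(domain, audit(spf, dmarc) or "ok")
```

To audit a live domain, pass in the TXT values returned for the domain itself (SPF) and for `_dmarc.<domain>` (DMARC).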