
Have you ever wondered why your emails end up in the Spam folder, even when you’ve put effort into writing them and sending them to known contacts?
There are various reasons why an email fails to reach its intended inbox, but today, I want to focus on SPF, DKIM, and DMARC. Although these terms sound technical, they solve between 70% and 80% of email deliverability issues. I’ll use simple examples to explain how they work. If it gets a bit complex, don’t worry: remember, we all use phones daily without fully understanding their internal workings.
SPF (Sender Policy Framework)
How does it work?
When you send an email from your domain (e.g., @yourdomain.com), the receiving server (Gmail, Outlook, etc.) checks your DNS for the SPF record.
This record acts like a “guest list,” specifying which servers are allowed to send emails as if they were from @yourdomain.com.
The receiving server, acting like a “security guard,” verifies if the sender is on this list.
If the sender is listed, the email is trusted and more likely to reach the inbox.
If the sender is not listed, the email is treated as suspicious and often ends up in spam or is rejected outright.
Example:
Imagine attending a private party with a security guard at the entrance holding a guest list. If your name is on the list, you enter without issues. If not, entry is denied. Similarly, emails claiming to originate from your domain without proper SPF authorization are considered unauthorized.
DKIM (DomainKeys Identified Mail)
What is it?
DKIM adds a digital signature to every email you send. This signature enables receiving servers to confirm that the message truly came from you and wasn’t altered in transit.
How does it work on the receiver’s end?
When an email server receives your message, it notes that the message claims to come from @yourdomain.com.
The server then retrieves the public DKIM key you’ve published in your domain’s DNS.
Using this public key, it verifies the signature included in your email.
If the signature matches, it confirms the message was genuinely sent by you (or an authorized service) and hasn’t been modified.
If there’s a mismatch, the email might be seen as fraudulent or tampered with, likely resulting in it being marked as spam.
Example:
Every email is like a letter sealed with a unique wax stamp (created with your “private key”). Your domain publishes a “public key” in the DNS to verify this stamp. If the seal matches the public key, the recipient knows the message is genuine and intact.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
What is it?
DMARC is a policy layered on top of SPF and DKIM. It tells the receiving server how to handle emails from your domain that fail the SPF or DKIM checks. In addition, DMARC lets receiving servers send you reports detailing which emails passed or failed these validations.
How is it executed upon reception?
The receiving server first checks if the email complies with SPF and DKIM rules.
It then consults your domain’s DNS for your DMARC policy, specifying actions to take if validations fail (reject, quarantine in spam, or simply mark as suspicious).
DMARC also instructs the receiver to send you reports about these events, enabling you to monitor failed validations, detect spoofing attempts, and take appropriate action.
Example:
Besides your “guest list” (SPF) and “wax seal” (DKIM), you establish a policy saying: “If someone isn’t listed or has an altered seal, either reject or hold them aside for review.” That’s DMARC. Additionally, you request the “security guard” (receiving server) to inform you whenever such an incident occurs, helping you track fraudulent attempts.
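To make the three checks above concrete, here is a small added example (not code from the original post) of the receiver-side logic in Python: it looks up a constructed SPF record and a constructed DMARC record for the hypothetical domain yourdomain.com, runs the SPF "guest list" check on the sending IP, takes the DKIM "wax seal" result as an input (the signature verification itself is done by the receiver's DKIM library and is not reimplemented here), and applies the DMARC policy to decide whether the message is delivered, quarantined, or rejected. The DNS table, IP addresses and organizational-domain shortcut are assumptions made for the example.

```python
import ipaddress

# Constructed sample DNS TXT records for the hypothetical domain yourdomain.com
# (a real receiver queries DNS; this example uses an in-memory table instead).
DNS_TXT = {
    "yourdomain.com": "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/24 -all",
    "_dmarc.yourdomain.com": "v=DMARC1; p=quarantine; adkim=r; aspf=r; "
                             "rua=mailto:dmarc-reports@yourdomain.com",
}

def spf_check(client_ip, mail_from_domain):
    """SPF 'guest list': 'pass' if the sending IP matches an ip4 mechanism, otherwise the
    verdict of the 'all' term; 'none' when the domain publishes no SPF record."""
    record = DNS_TXT.get(mail_from_domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return "pass"
        if term.endswith("all"):  # -all fail, ~all softfail, ?all neutral, +all/all pass
            return {"-": "fail", "~": "softfail", "?": "neutral"}.get(term[0], "pass")
    return "neutral"

def parse_dmarc(domain):
    """Read the _dmarc TXT record into a tag dict; None if the domain publishes none."""
    record = DNS_TXT.get(f"_dmarc.{domain}", "")
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return tags if tags.get("v") == "DMARC1" else None

def aligned(identifier, header_from, mode):
    """DMARC alignment: strict ('s') needs an exact match, relaxed ('r') the same
    organizational domain (simplified here to the last two labels; real receivers
    use the Public Suffix List)."""
    if mode == "s":
        return identifier.lower() == header_from.lower()
    org = lambda d: ".".join(d.lower().split(".")[-2:])
    return org(identifier) == org(header_from)

def dmarc_disposition(header_from, mail_from, client_ip, dkim_domain=None, dkim_valid=False):
    """Combine the SPF and DKIM results under the From: domain's DMARC policy and return
    (dmarc_result, action), where action is what the receiver does with the message."""
    policy = parse_dmarc(header_from)
    if policy is None:
        return ("none", "deliver")  # no policy published: nothing to enforce
    spf_ok = spf_check(client_ip, mail_from) == "pass" and aligned(mail_from, header_from, policy.get("aspf", "r"))
    dkim_ok = dkim_valid and dkim_domain is not None and aligned(dkim_domain, header_from, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned, passing check is enough for DMARC to pass
        return ("pass", "deliver")
    return ("fail", {"none": "deliver", "quarantine": "spam", "reject": "reject"}[policy["p"]])
```

Calling dmarc_disposition("yourdomain.com", "yourdomain.com", "203.0.113.5") returns ("fail", "spam"): the IP is not on the guest list, no valid seal is present, and the p=quarantine policy sends the message to spam, which is exactly the situation the DMARC reports would show you.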
Conclusions
These protocols are vital as they enhance your domain’s credibility with email providers while protecting your recipients from phishing or fraud. If you’re experiencing high bounce rates or numerous emails landing in Spam folders, ensure SPF, DKIM, and DMARC are correctly configured.
Check with your security team to verify and implement these configurations on your domain, significantly improving your email deliverability and security.