< Glossary

SPF, DKIM, DMARC Explained

Three DNS-based email authentication protocols that work together to verify sender identity and prevent spoofing.

Why Email Authentication Matters

Email was designed without built-in identity verification. Anyone can send an email claiming to be from your domain. SPF, DKIM, and DMARC are protocols that receiving mail servers use to verify that an email actually came from an authorized sender. Without them, your cold emails are more likely to land in spam.

SPF (Sender Policy Framework)

SPF is a DNS record that lists which mail servers are authorized to send email on behalf of your domain. When a receiving server gets your email, it checks your SPF record to confirm the sending server is on the approved list.

  • Published as a TXT record in your DNS.
  • Lists authorized IP addresses and include directives.
  • Fails if the sending server isn't listed.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to your outgoing emails. Your mail server signs the email with a private key; the receiving server verifies it using a public key published in your DNS. This proves the email wasn't modified in transit and came from an authorized source.

  • Uses public/private key cryptography.
  • Public key is a TXT record in DNS.
  • Protects against message tampering.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. You can instruct servers to monitor (none), quarantine (send to spam), or reject failing emails entirely. DMARC also provides reporting — you receive daily reports on who is sending email as your domain.

  • p=none — Monitor only, don't take action.
  • p=quarantine — Send failing emails to spam.
  • p=reject — Block failing emails entirely.

Setting Them Up

All three are configured as DNS TXT records. Most email providers (Gmail Workspace, Outlook) provide setup guides. If you use a CRM like Enough CRM that sends on your behalf, you'll need to include their sending servers in your SPF record and configure DKIM signing for your domain.

Impact on Cold Email

Sending cold email without proper SPF, DKIM, and DMARC is a fast path to the spam folder. These protocols are table stakes for email deliverability. Set them up before you send your first sequence.

Related