Email Authentication Best Practices

Email authentication protocols are essential for preventing email spoofing, improving deliverability, and protecting your domain reputation. This guide provides comprehensive best practices for implementing SPF, DKIM, and DMARC effectively.

Understanding Email Authentication

Email authentication consists of three complementary protocols that work together to verify the authenticity of email messages:

SPF (Sender Policy Framework)

SPF lets the domain owner publish, in a DNS TXT record, the hosts permitted to send mail for that domain. A receiving server checks the connecting client's IP address against the record of the domain in the SMTP envelope sender (the MAIL FROM address, or the HELO/EHLO name when MAIL FROM is empty). SPF does not look at the From: header the recipient sees; tying the two together is DMARC's job.

What it prevents: Unauthorized hosts sending mail with your domain as the envelope sender.

DKIM (DomainKeys Identified Mail)

DKIM attaches a digital signature, carried in a DKIM-Signature header, that covers the message body and a chosen set of headers. The signing server creates it with a private key; the receiver fetches the matching public key from DNS at <selector>._domainkey.<domain> and verifies it. A valid signature proves that the domain named in the signature's d= tag took responsibility for the message and that the signed parts have not changed since signing.

What it prevents: Tampering with the signed headers and body in transit, and spoofing of the signing domain. On its own DKIM does not require d= to match the From: header; that link is added by DMARC alignment.

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on SPF and DKIM by tying both to the From: header the recipient sees: a message passes DMARC only if SPF or DKIM passes and the domain that passed aligns with the From: domain. The record, published as a TXT record at _dmarc.<domain>, tells receivers what to do with messages that fail (none, quarantine or reject) and where to send aggregate and failure reports.

What it provides: Policy enforcement, visibility into who is sending as your domain, and protection against spoofing of the visible From: address, which neither SPF nor DKIM covers on its own.

Implementation Best Practices

SPF Best Practices

1. Identify All Email Sources

Before creating your SPF record, identify all legitimate sources that send email on behalf of your domain, including:

  • Your mail servers
  • Third-party email services (marketing platforms, CRM systems, etc.)
  • Cloud services that send email on your behalf
  • Website contact forms or notification systems

2. Create a Comprehensive SPF Record

Your SPF record should include all legitimate email sources while being as specific as possible:

  • Use IP addresses or ranges when possible (e.g., ip4:192.0.2.0/24); they cost no DNS lookups
  • Use the include: mechanism for third-party services (e.g., include:_spf.google.com), and prefer the provider's documented SPF hostname over copying its IP ranges, which change without notice
  • Never use +all (permit all), which authorizes every host on the Internet; ?all (neutral) is barely better, since it tells receivers nothing
  • End with -all (hard fail). ~all (soft fail) is an acceptable interim step while you are still discovering senders; for DMARC purposes both fail and softfail count as an SPF failure

Example SPF Record: v=spf1 ip4:192.0.2.0/24 include:_spf.google.com include:sendgrid.net -all

3. Avoid SPF Record Limitations

SPF has some technical limitations to be aware of:

  • DNS lookup limit: evaluating a record may trigger at most 10 DNS lookups, counted across the include, a, mx, ptr and exists mechanisms and the redirect modifier, including everything reached through nested includes. ip4, ip6 and all cost nothing. Exceeding the limit yields a permerror, which DMARC treats as an SPF failure
  • Void lookup limit: at most 2 of those lookups may return no record (NXDOMAIN or an empty answer) before evaluation fails with permerror, so remove includes for services you no longer use
  • TXT string length: each character string in a TXT record is limited to 255 octets. A longer record must be published as several quoted strings, which the evaluator concatenates; keep the whole record short enough that the DNS answer still fits in a single UDP packet
  • The redirect= modifier replaces the current record with another domain's record and counts as one lookup; use it when several domains should share one policy, not as a way around the limit
  • ptr is deprecated and slow; do not use it

4. Test Your SPF Record

Before publishing your SPF record, validate it to ensure it's correctly formatted and includes all necessary email sources. Use our SPF Validator to check your record.
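The checks in the SPF steps above can be run offline against a record before it is published. The linter below is an added example written for this page, not the site's SPF Validator or any vendor's code; its DNS answers come from a constructed in-memory map, so the records it holds for the google.com and sendgrid.net hostnames are assumptions for the demonstration, not those domains' real published records.

```python
"""Offline SPF record linter: counts lookup-incurring terms against the
RFC 7208 limit, flags permissive or misplaced 'all', and splits long
records into 255-octet TXT strings. Added example, not the page's tool."""
import re

# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

# Constructed zone data standing in for real DNS answers (assumption, not
# the actual records of these domains).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.google.com "
                   "include:sendgrid.net -all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8::/32 ~all",
    "sendgrid.net": "v=spf1 ip4:203.0.113.0/24 ~all",
    "sloppy.example": "v=spf1 a mx ptr include:example.com +all ip4:10.0.0.1",
}

# qualifier, mechanism/modifier name, optional argument, optional CIDR suffix
TERM_RE = re.compile(r"^([+\-~?]?)([A-Za-z0-9]+)(?:[:=]([^/]+))?(?:/.*)?$")


def parse_terms(record):
    """Split an SPF record into (qualifier, name, argument) triples."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms = []
    for tok in tokens[1:]:
        m = TERM_RE.match(tok)
        if not m:
            raise ValueError(f"malformed term: {tok}")
        terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms


def count_lookups(domain, dns, seen=frozenset()):
    """Count lookup-incurring terms, following include: and redirect= recursively."""
    if domain in seen:
        raise ValueError(f"include loop at {domain}")
    record = dns.get(domain)
    if record is None:
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for _, name, arg in parse_terms(record):
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and arg:
            total += count_lookups(arg, dns, seen | {domain})
    return total


def lint_spf(domain, dns=FAKE_DNS):
    """Return {'lookups': n, 'findings': [...]} for the record at `domain`."""
    record = dns[domain]
    terms = parse_terms(record)
    names = [name for _, name, _ in terms]
    findings = []
    if "all" in names:
        idx = names.index("all")
        qualifier = terms[idx][0]
        if qualifier == "+":
            findings.append("+all authorizes every host on the Internet; use -all")
        elif qualifier == "?":
            findings.append("?all is neutral and gives receivers nothing to act on")
        if idx != len(terms) - 1:
            findings.append("terms after 'all' are never evaluated")
    elif "redirect" not in names:
        findings.append("no 'all' term: unlisted hosts get a neutral result")
    if "ptr" in names:
        findings.append("ptr is deprecated (RFC 7208 5.5) and should be removed")
    lookups = count_lookups(domain, dns)
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS lookups exceed {MAX_LOOKUPS}: permerror")
    if len(record) > 255:
        findings.append("record exceeds 255 octets; publish it as multiple strings")
    return {"lookups": lookups, "findings": findings}


def txt_strings(record, limit=255):
    """Render a record as the quoted strings a TXT RR carries (max 255 octets each)."""
    chunks = [record[i:i + limit] for i in range(0, len(record), limit)]
    return " ".join(f'"{c}"' for c in chunks)


if __name__ == "__main__":
    for name in FAKE_DNS:
        print(name, lint_spf(name))
```

Because includes are followed recursively, the count matches what a receiver would spend on the record; replacing FAKE_DNS with a resolver that issues one TXT query per domain turns this into a check against live DNS.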

DKIM Best Practices

1. Use Strong Keys

Generate strong DKIM keys to ensure the security of your email signatures:

  • Use RSA keys of at least 2048 bits. RFC 8301 sets 1024 bits as the minimum a signer may use and 2048 as the recommended size, and requires verifiers to treat signatures made with shorter keys as invalid. Keys larger than 2048 bits produce public-key records longer than a single 255-octet TXT string, which some DNS providers cannot publish; test before committing to them. Ed25519 keys (RFC 8463) are smaller and stronger but not verified by every receiver yet, so use them only alongside an RSA signature
  • Keep the private key on the signing hosts only, readable only by the signing process; anyone who obtains it can produce mail that passes DKIM and DMARC for your domain until the selector is revoked

2. Implement Multiple Selectors

DKIM uses "selectors" to identify which key to use for verification. Using multiple selectors provides flexibility:

  • Create different selectors for different email sources (e.g., marketing, transactional)
  • Use date-based selectors to facilitate key rotation (e.g., jan2023, jul2023)
  • Maintain consistent naming conventions for your selectors

Example DKIM Record (published as a TXT record at jul2023._domainkey.example.com for selector jul2023): v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...

3. Regularly Rotate Keys

Regularly rotating your DKIM keys enhances security:

  • Rotate keys at least annually, or more frequently for high-security environments, and immediately if a signing host is compromised
  • Use a phased approach: publish the new selector's public key in DNS, wait for the record's TTL to pass, then switch signing to the new selector
  • Keep the old selector's record published until mail signed with it has stopped arriving at receivers (a few days covers queued and forwarded mail), then revoke it by publishing the record with an empty p= tag rather than deleting it, so verifiers see an explicit revocation instead of a missing record
  • Document your key rotation procedures and schedule

4. Configure Appropriate Signing Practices

Configure your mail servers to sign emails effectively:

  • Sign all outgoing mail from every source, not just some; an unsigned message from your domain is indistinguishable from a forgery
  • The From header must be signed (RFC 6376 requires it); also sign Subject, Date, To, Message-ID, and any other header whose alteration would mislead the reader
  • Oversign sensitive headers by listing them in h= once more than they occur, so that a header prepended after signing invalidates the signature instead of being ignored
  • Do not use the l= tag to sign only part of the body; anything appended after the signed length would still verify
  • Use relaxed/relaxed canonicalization (c=relaxed/relaxed) so that benign whitespace rewrapping by intermediate servers does not break the signature; simple canonicalization is stricter but fails far more often in practice
  • Test your DKIM configuration with our DKIM Validator
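The signing practices above, applied in code. This is an added example for this page, not the site's DKIM Validator or any mail server's implementation: it canonicalizes a body the relaxed way, recomputes the bh= body hash, parses a DKIM-Signature header and checks it for the From, oversigning and l= points, and builds the DNS record for a public key. The message bodies, signature values and key bytes are constructed placeholders (the b= value is not a real signature and the DER bytes merely stand in for a 2048-bit key's encoding); verifying the signature itself needs an RSA library and is not shown.

```python
"""DKIM signing-practice checks. Added example, not the page's DKIM Validator.
Implements relaxed body canonicalization (RFC 6376 3.4.4) and the bh= body
hash, parses a DKIM-Signature header into tags, applies the header-signing
checks from the list above, and builds the DNS record for a public key.
All sample data below is constructed for the example."""
import base64
import hashlib
import re


def relaxed_body(body):
    """Relaxed canonicalization: collapse runs of WSP to one space, strip
    trailing WSP on each line, drop trailing empty lines, end with one CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    canon = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while canon and canon[-1] == b"":
        canon.pop()
    return b"\r\n".join(canon) + b"\r\n" if canon else b""


def body_hash(body):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_dkim_signature(value):
    """Split a DKIM-Signature header value into a tag -> value dict,
    removing the folding whitespace that is legal inside tag values."""
    tags = {}
    for field in value.split(";"):
        if "=" in field:
            tag, val = field.split("=", 1)
            tags[tag.strip()] = re.sub(r"\s+", "", val)
    return tags


def check_signing_practice(tags):
    """Findings against the signing practices listed above."""
    findings = []
    missing = {"v", "a", "b", "bh", "d", "s", "h"} - tags.keys()
    if missing:
        findings.append(f"missing required tags: {sorted(missing)}")
    if tags.get("a", "").lower() not in ("rsa-sha256", "ed25519-sha256"):
        findings.append(f"algorithm {tags.get('a')!r} is not rsa-sha256/ed25519-sha256")
    signed = [h.lower() for h in tags.get("h", "").split(":") if h]
    if "from" not in signed:
        findings.append("From is not signed; RFC 6376 requires it")
    elif signed.count("from") < 2:
        findings.append("From is not oversigned; a second 'from' in h= "
                        "would invalidate a From header prepended later")
    if "l" in tags:
        findings.append("l= signs only part of the body; appended text still verifies")
    return findings


def dkim_txt_record(selector, domain, public_key_der):
    """Owner name and TXT value (split into 255-octet strings) for an RSA key
    given as SubjectPublicKeyInfo DER bytes."""
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(public_key_der).decode()
    strings = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey.{domain}", " ".join(f'"{s}"' for s in strings)


def body_hash_matches(body, tags):
    """True when the body still hashes to the signature's bh= value."""
    return body_hash(body) == tags.get("bh")


# Constructed sample body; a relay that rewraps whitespace yields the second form.
SAMPLE_BODY = b"Invoice 1234 is attached.\r\n\r\nRegards,\r\nAccounts   Team\r\n"
REWRAPPED_BODY = b"Invoice 1234 is  attached. \r\n\r\nRegards,\r\nAccounts Team\r\n\r\n\r\n"

# Constructed DKIM-Signature values: b= is a placeholder, bh= is real for SAMPLE_BODY.
GOOD_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=jul2023;\r\n"
    "\th=from:from:to:subject:date:message-id; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    "\tb=cGxhY2Vob2xkZXI="
)
WEAK_SIGNATURE = (
    "v=1; a=rsa-sha1; c=simple/simple; d=example.com; s=old; l=40;"
    " h=to:subject; bh=" + body_hash(SAMPLE_BODY) + "; b=cGxhY2Vob2xkZXI="
)

# Placeholder standing in for the 294-byte DER encoding of a 2048-bit RSA key.
FAKE_SPKI_DER = bytes(294)

if __name__ == "__main__":
    print("relaxed body hash survives rewrap:",
          body_hash(SAMPLE_BODY) == body_hash(REWRAPPED_BODY))
    print("good:", check_signing_practice(parse_dkim_signature(GOOD_SIGNATURE)))
    print("weak:", check_signing_practice(parse_dkim_signature(WEAK_SIGNATURE)))
    print(dkim_txt_record("jul2023", "example.com", FAKE_SPKI_DER))
```

The rewrapped body hashes to the same bh= under relaxed canonicalization, which is the compatibility argument for c=relaxed/relaxed; the 2048-bit placeholder key already needs two TXT strings, which is why larger keys trip up some DNS hosting.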

DMARC Best Practices

1. Start with Monitoring Mode

Begin your DMARC implementation with a monitoring policy to understand your email ecosystem without affecting delivery:

  • Start with p=none to collect data without affecting email delivery; receivers keep delivering failing mail but send you reports
  • Set up reporting addresses to receive aggregate (rua) and failure (ruf, often called forensic) reports; expect aggregate reports from most large receivers and failure reports from few, since many decline to send them for privacy reasons
  • Analyze reports to identify legitimate sources that are not properly authenticated or whose authenticated domain does not align with your From: domain
  • Use a DMARC report analyzer to interpret the data; the XML reports are not meant to be read by hand at volume

Example Initial DMARC Record: v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; fo=1

2. Gradually Increase Enforcement

Once you've analyzed your DMARC reports and ensured legitimate emails are properly authenticated, gradually increase enforcement:

  1. Stay at p=none until the reports show every legitimate source passing with aligned SPF or DKIM, typically at least 2-4 weeks
  2. Move to p=quarantine with a low percentage (e.g., pct=5)
  3. Gradually increase the percentage (e.g., 5%, 25%, 50%, 100%)
  4. Finally, move to p=reject and raise pct the same way. Note that under p=reject, messages not selected by pct are treated as quarantine rather than none, so the step from p=quarantine; pct=100 to p=reject; pct=5 is smaller than it looks

Example Quarantine DMARC Record: v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-forensic@example.com; fo=1

3. Configure Appropriate Subdomains Policy

DMARC allows you to set a separate policy for subdomains:

  • Use sp=reject to protect subdomains that never send mail; sp= applies to every subdomain that has no DMARC record of its own, including subdomains that do not exist
  • If you use subdomains for email, either leave sp= at a cautious setting or give each sending subdomain its own record (published at _dmarc.<subdomain>) with a policy matched to its senders
  • Remember that sp= defaults to the value of p=, so a domain at p=none with no sp= leaves all of its subdomains open to spoofing

Example with Subdomain Policy: v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc-reports@example.com
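A DMARC record parser with the defaults, the sp= subdomain rule and the pct= sampling rule from steps 2 and 3 above worked through; an added example, not the page's own code. The records it reads are the page's examples plus constructed ones, and in_sample is a deterministic stand-in for the random selection real receivers perform.

```python
"""DMARC record parsing and effective-policy computation. Added example,
not the page's code. Applies the RFC 7489 defaults (sp defaults to p,
pct to 100, alignment to relaxed) and the pct= step-down rule."""
import hashlib

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100", "fo": "0", "rf": "afrf", "ri": "86400"}

# Disposition for messages that fall outside the pct= sample (RFC 7489 6.6.4).
STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Tag -> value dict with defaults applied; raises on a non-DMARC record."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            tag, value = field.split("=", 1)
            tags[tag.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in STEP_DOWN:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=none|quarantine|reject)")
    for tag, default in DEFAULTS.items():
        tags.setdefault(tag, default)
    tags.setdefault("sp", tags["p"])
    return tags


def effective_policy(tags, is_subdomain, selected):
    """Disposition a receiver applies to a message that failed DMARC.

    `is_subdomain`: the From: domain is a subdomain without its own record,
    so sp= governs. `selected`: the message fell inside the pct= sample;
    messages outside it get the next-weaker policy."""
    policy = tags["sp"] if is_subdomain else tags["p"]
    return policy if selected else STEP_DOWN[policy]


def in_sample(tags, message_id):
    """Deterministic stand-in (assumption) for the receiver's random pct draw:
    hash the message id into a 0..99 bucket and compare with pct."""
    bucket = int(hashlib.sha256(message_id.encode()).hexdigest(), 16) % 100
    return bucket < int(tags["pct"])


def report_destinations(tags):
    """The comma-separated rua/ruf URIs as lists."""
    return {key: [u.strip() for u in tags[key].split(",") if u.strip()]
            for key in ("rua", "ruf") if key in tags}


if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc-reports@example.com")
    for sub in (False, True):
        for sel in (True, False):
            print(f"subdomain={sub!s:<5} in_sample={sel!s:<5} -> {effective_policy(rec, sub, sel)}")
    print(report_destinations(rec))
```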

4. Set Up Effective Reporting

DMARC reporting provides valuable insights into your email authentication:

  • Set up dedicated mailboxes for aggregate (rua) and failure (ruf) reports
  • Consider using a third-party DMARC reporting service for analysis
  • Use multiple reporting addresses for redundancy (separate with commas)
  • If a report address is in a different domain from the one the record covers, that domain must publish a TXT record at <your-domain>._report._dmarc.<report-domain> containing v=DMARC1, or receivers will refuse to send reports there
  • Set the fo tag to specify when failure reports are generated: fo=0 (the default) only when both SPF and DKIM fail, fo=1 when either fails, fo=d on any DKIM failure, fo=s on any SPF failure

Use our DMARC Analyzer to verify your DMARC configuration.
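A reader for the aggregate reports that steps 1 and 4 ask you to analyze, as an added example rather than the site's DMARC Analyzer. The report XML is constructed in the RFC 7489 Appendix C layout with documentation IP addresses and made-up domains; the classification of each source is the one a practitioner would make by hand from the aligned results in policy_evaluated and the raw results in auth_results.

```python
"""Summarize a DMARC aggregate (rua) report. Added example, not the site's
DMARC Analyzer. The XML below is constructed in the RFC 7489 Appendix C
layout; the IPs and domains are documentation values, not real senders."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>jul2023</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>crm-vendor.example</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(record):
    """One row of the summary: aligned results from policy_evaluated, raw
    results from auth_results, and what the combination suggests."""
    row = record.find("row")
    evaluated = row.find("policy_evaluated")
    dkim_aligned = evaluated.findtext("dkim") == "pass"
    spf_aligned = evaluated.findtext("spf") == "pass"
    raw_dkim = [d.findtext("domain") for d in record.findall("auth_results/dkim")
                if d.findtext("result") == "pass"]
    raw_spf = [s.findtext("domain") for s in record.findall("auth_results/spf")
               if s.findtext("result") == "pass"]
    if dkim_aligned or spf_aligned:
        status = "pass"
    elif raw_dkim or raw_spf:
        # Authenticated, but under a domain that does not align with From:.
        # Typical of a third-party sender not yet signing with your domain.
        status = "misaligned"
    else:
        # Nothing passed: a forged message, or a forward that broke SPF
        # with no DKIM signature to fall back on.
        status = "unauthenticated"
    return {
        "source_ip": row.findtext("source_ip"),
        "count": int(row.findtext("count")),
        "disposition": evaluated.findtext("disposition"),
        "status": status,
        "dkim_domains": raw_dkim,
        "spf_domains": raw_spf,
    }


def summarize_aggregate_report(xml_text):
    """Per-source summary plus pass/total counts for the whole report."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    sources = sorted((classify(r) for r in root.iter("record")),
                     key=lambda s: -s["count"])
    return {
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "total": sum(s["count"] for s in sources),
        "passed": sum(s["count"] for s in sources if s["status"] == "pass"),
        "sources": sources,
    }


if __name__ == "__main__":
    summary = summarize_aggregate_report(SAMPLE_REPORT)
    print(f"{summary['domain']} p={summary['policy']}: "
          f"{summary['passed']}/{summary['total']} passed DMARC")
    for s in summary["sources"]:
        print(f"  {s['source_ip']:<15} {s['count']:>5} {s['status']:<15} "
              f"dkim={s['dkim_domains']} spf={s['spf_domains']}")
```

The "misaligned" source is the one to chase before moving off p=none: it is almost certainly a legitimate vendor that signs with its own domain, and it will start being quarantined the moment enforcement begins unless it is given a key for your domain or moved to a subdomain you control. Real reports arrive gzipped or zipped as attachments; decompress them and feed the XML to the same function.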

Advanced Considerations

Handling Email Forwarding

Email forwarding breaks SPF, because the forwarder's server is not in your SPF record: if it keeps your envelope sender, SPF fails; if it rewrites the envelope sender to its own domain (SRS), SPF passes but for a domain that does not align with your From: header. Nothing you publish can fix that from your side, so:

  • Rely on DKIM: a signature made with relaxed canonicalization survives a forward that leaves the signed headers and body intact, and one aligned DKIM pass is enough for DMARC to pass
  • Do not expect relaxed alignment (adkim=r and aspf=r, which are already the defaults) to help here; it only lets a subdomain of your From: domain align, and the forwarder's domain is not one of yours
  • If you operate the forwarding infrastructure, implement Authenticated Received Chain (ARC, RFC 8617) so that receivers can see the authentication results as they stood before the forward

Handling Mailing Lists

Mailing lists can present challenges for email authentication:

  • Most mailing lists add a subject tag or footer, which breaks your DKIM signature, and re-send with their own envelope sender, so neither identifier aligns and DMARC fails
  • Relaxed alignment (adkim=r and aspf=r) does not help; the list's domain is not a subdomain of yours
  • Post to mailing lists from a dedicated subdomain whose DMARC policy stays at p=none, so that a strict policy on the main domain does not get list mail rejected; be aware that many lists rewrite the From: header to their own address when they see p=reject on the poster's domain
  • Work with mailing list operators to ensure they implement ARC or other authentication-preserving measures
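The forwarding and mailing-list cases from the two sections above, worked through as an alignment calculation; an added example, not the page's or any verifier's code. PUBLIC_SUFFIXES is a small constructed stand-in for the Public Suffix List that real verifiers consult, and every domain in the scenarios is illustrative.

```python
"""DMARC identifier alignment for the forwarding and mailing-list cases.
Added example, not the page's own code. Organizational domains are derived
from a constructed public-suffix set (assumption); real verifiers use the
full Public Suffix List."""

# Constructed stand-in for the Public Suffix List (assumption).
PUBLIC_SUFFIXES = {"com", "net", "org", "example", "co.uk"}


def organizational_domain(domain):
    """Registrable domain: one label to the left of the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def aligned(header_from, auth_domain, mode):
    """Strict (s): exact match. Relaxed (r): same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return organizational_domain(header_from) == organizational_domain(auth_domain)


def dmarc_evaluate(header_from, spf, dkim, adkim="r", aspf="r"):
    """spf: (MAIL FROM domain, passed). dkim: list of (d= domain, passed).
    DMARC passes on one aligned SPF pass or one aligned DKIM pass."""
    spf_domain, spf_pass = spf
    spf_aligned = bool(spf_pass and aligned(header_from, spf_domain, aspf))
    dkim_aligned = any(ok and aligned(header_from, d, adkim) for d, ok in dkim)
    return {"spf": spf_aligned, "dkim": dkim_aligned,
            "result": "pass" if spf_aligned or dkim_aligned else "fail"}


def scenarios():
    """Constructed cases; the domains are illustrative only."""
    sender = "example.com"
    return {
        # Direct delivery: envelope sender on a bounce subdomain, own DKIM signature.
        "direct": dmarc_evaluate(sender, ("bounce.example.com", True),
                                 [("example.com", True)]),
        # Forwarded unchanged with SRS: SPF passes for the forwarder, which does
        # not align; the intact DKIM signature carries the DMARC pass.
        "forwarded": dmarc_evaluate(sender, ("forwarder.example", True),
                                    [("example.com", True)]),
        # Forwarded unchanged but never DKIM-signed: nothing aligns, fail.
        "forwarded_unsigned": dmarc_evaluate(sender, ("forwarder.example", True), []),
        # Mailing list: footer added, so our signature fails; the list's own
        # signature and SPF pass, but only for the list's domain.
        "mailing_list": dmarc_evaluate(sender, ("list.example", True),
                                       [("example.com", False), ("list.example", True)]),
        # Relaxed vs strict alignment only changes the subdomain case.
        "bounce_subdomain_relaxed": dmarc_evaluate(sender, ("bounce.example.com", True), []),
        "bounce_subdomain_strict": dmarc_evaluate(sender, ("bounce.example.com", True), [],
                                                  aspf="s"),
    }


if __name__ == "__main__":
    for name, res in scenarios().items():
        print(f"{name:<26} spf={res['spf']!s:<5} dkim={res['dkim']!s:<5} -> {res['result']}")
```

The two alignment modes differ only between the last two scenarios; switching to relaxed does nothing for the forwarded or mailing-list cases, which is why the fix for those lies in DKIM survivability, ARC, or a separate subdomain rather than in the adkim/aspf tags.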

Third-Party Senders

When third parties send email on behalf of your domain:

  • Ensure they implement proper authentication (SPF, DKIM) for your domain
  • Consider using dedicated subdomains for different third-party services
  • Regularly review third-party sending practices and authentication configurations
  • Include third-party sending IPs in your SPF record or have them use their own sending domain with proper DKIM signing

BIMI (Brand Indicators for Message Identification)

BIMI allows you to display your logo in supporting email clients when your email is properly authenticated:

  • Requires DMARC at enforcement: p=quarantine or p=reject with pct=100 on the domain (and, if sp= is set, it too must be quarantine or reject), with your mail actually passing DMARC
  • Publish a BIMI record as a TXT record at default._bimi.<domain> (v=BIMI1; l=<https URL of the logo>; a=<https URL of the certificate>) pointing to a logo in the restricted SVG Tiny Portable/Secure profile, not an arbitrary SVG
  • For logo display at the major mailbox providers (Gmail among them), obtain a Verified Mark Certificate (VMC) from an issuing certification authority; a VMC requires the logo to be a registered trademark
  • Consider BIMI as a reward for implementing strong email authentication

Best Practice

Implement all three authentication protocols (SPF, DKIM, and DMARC) for comprehensive protection. SPF and DKIM alone provide some benefits, but DMARC is essential for enforcing policies and gaining visibility into authentication results. Start with monitoring mode and gradually increase enforcement as you gain confidence in your implementation.

Implementation Checklist

Use this checklist to guide your email authentication implementation:

Preparation

  • Identify all sources that send email on behalf of your domain
  • Document your email infrastructure and sending patterns
  • Determine which authentication methods each email source supports
  • Create a phased implementation plan

SPF Implementation

  • Create a comprehensive SPF record including all legitimate email sources
  • Validate the SPF record syntax
  • Publish the SPF record in DNS
  • Test SPF authentication with sample emails

DKIM Implementation

  • Generate strong DKIM key pairs
  • Publish DKIM public keys in DNS
  • Configure mail servers to sign outgoing emails
  • Test DKIM signing and verification

DMARC Implementation

  • Create an initial monitoring-only DMARC record (p=none)
  • Set up reporting addresses for aggregate and forensic reports
  • Publish the DMARC record in DNS
  • Analyze DMARC reports and address authentication issues
  • Gradually increase enforcement levels

Ongoing Maintenance

  • Regularly review DMARC reports
  • Update SPF records when email sources change
  • Rotate DKIM keys periodically
  • Monitor email deliverability and authentication failures
  • Stay informed about email authentication best practices and standards

Next Steps

To implement and verify your email authentication: