
SPF and DKIM Records Explained


Businesses worry about whether or not their emails ever reach their intended recipients – subscribers, prospects and customers. To support good deliverability, companies should do everything they can from both technical and business practice perspectives. Thankfully the technical aspects such as setting up SPF and DKIM can be fairly straightforward – but they can seem confusing if you aren’t sure where to look.

Email Verification Protocols

Sender Policy Framework (SPF) defines which internet protocol (IP) addresses can send email for a particular domain, such as Many email systems check SPF to tell whether an email is coming from a trusted source or not. This can help filter out messages that are spoofing a legitimate domain, since their sending IP won’t have been listed as trusted for that domain. The receiving email server may reject it outright or mark it as spam.

DomainKeys Identified Mail (DKIM) verifies an email wasn’t forged or altered. Each outgoing email message includes a cryptographic digital signature. The receiving email server verifies the digital signature using a public key from the DNS for the sender’s (supposed) domain. If the signature verifies, the email server will more likely accept the message and allow it to reach its intended recipient.

Together, these protocols provide data points to help distinguish legitimate emails from malicious (or at the very least, annoying) email messages. There is a related protocol called Domain-based Message Authentication, Reporting & Conformance (DMARC). It uses SPF and DKIM in combination and tells the recipient ISP what to do with messages that can’t be authenticated: deliver as usual, quarantine or reject the message outright.

Email Deliverability Fundamentals

Implementing SPF and DKIM helps both the business and the recipient. From an organization’s standpoint, validating the emails they send can protect their brand and sender reputation. In fact, this is probably a critical step to support good email deliverability. Without SPF and DKIM in place, a legitimate organization’s emails can be prevented from reaching the recipients. Recipients can also look at an email’s header (not a banner image, but the technical header lines delivered with the message), which identifies the sender and shows whether the message passed SPF, DKIM and DMARC. From the recipient’s perspective, they’re less likely to be bombarded with spam, spoof and phishing emails the more that organizations protect their domains.
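The header check described above can be scripted. The following is an added example, not part of the original article: it reads the SPF, DKIM and DMARC verdicts from `Authentication-Results` headers, counting only the header stamped by the receiving server you trust. The message, domains and server name are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed sample message; every domain and server name is a placeholder.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 spf=softfail smtp.mailfrom=bounce.sender.example;
 dkim=pass header.d=sender.example header.s=sel1;
 dmarc=pass header.from=sender.example
Authentication-Results: mx.other.example; spf=pass; dkim=pass; dmarc=pass
From: News <news@sender.example>
Subject: Monthly update

Hello
"""

METHOD = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)

def auth_results(raw_message, trusted_authserv):
    """Return {method: [results]} taken only from Authentication-Results
    headers whose authserv-id is the receiver we trust. Headers stamped
    by any other host are ignored, since the sender could have added them."""
    msg = message_from_string(raw_message)
    found = {"spf": [], "dkim": [], "dmarc": []}
    for value in msg.get_all("Authentication-Results", []):
        unfolded = " ".join(value.split())          # undo header folding
        authserv_id, _, rest = unfolded.partition(";")
        if authserv_id.strip().lower() != trusted_authserv.lower():
            continue
        for method, result in METHOD.findall(rest):
            found[method.lower()].append(result.lower())
    return found

def passed_all(results):
    """True only when every method reported at least one result, all 'pass'."""
    return all(r and set(r) == {"pass"} for r in results.values())

if __name__ == "__main__":
    print(auth_results(SAMPLE, "mx.receiver.example"))
```

In the sample, SPF reports `softfail` while DKIM and DMARC pass, which is what a sending tool that signs with DKIM but is missing from the SPF record tends to look like.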

Every Email System Should be Verified

Setting up SPF and DKIM should be one of the first tasks done as soon as an organization gets a new email messaging tool, whether a simple email service provider (ESP) or a marketing automation platform (MAP). If additional email tools are acquired in the future – sometimes this happens across different departments or for special use cases – they, too, need to be accounted for in the DNS.

Adding MAPs to the DNS

The MAP admin settings typically provide guidance on what specific text needs to be added to the Domain Name System (DNS) records. DNS entries connect domain names (such as and tie them to an IP address (such as, which is the actual unique identifier of a server/device.

To implement SPF and DKIM, specific entries need to be added to the DNS following the guidance from the MAP. This may include:

  • The company’s domain
  • The company’s email server IP address
  • A specific TXT record

To confirm that SPF and DKIM are set up correctly, the MAP typically displays the status next to the settings; there may be a link/button to initiate the verification process. This queries the DNS to check that the published record matches what’s expected. It may take a little time for the record to “propagate” across the internet, so if it doesn’t work immediately, check again in a few hours or even a day later.
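The same check can be run independently of the MAP once the TXT answers for the domain are in hand. This added example (not from the original article or any MAP vendor) audits a domain's TXT records against the list of sending services in use; the hostnames, the `include:` values and the function name `audit_spf` are hypothetical, and the records are constructed.

```python
import re

# Terms that cost a DNS lookup during SPF evaluation (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT answers for a placeholder domain and the services it uses.
SAMPLE_TXT = [
    "unrelated-verification=constructed",
    "v=spf1 ip4:192.0.2.10 include:spf.esp-one.example ~all",
]
SERVICES = ["spf.esp-one.example", "mail.map-two.example"]

def audit_spf(txt_records, required_includes):
    """Return a list of findings; an empty list means nothing was flagged.
    Only the top-level record is inspected, not the records it includes."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["more than one SPF record: receivers return permerror"]
    findings, includes, seen, lookups, all_term = [], set(), set(), 0, None
    for term in spf[0].lower().split()[1:]:
        bare = term.lstrip("+-~?")                 # drop the qualifier
        name = re.split(r"[:/=]", bare)[0]
        seen.add(name)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include" and ":" in bare:
            includes.add(bare.split(":", 1)[1])
        if name == "all":
            all_term = term
    for service in required_includes:
        if service.lower() not in includes:
            findings.append(f"missing include:{service}")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: over the limit of 10")
    if all_term in ("all", "+all"):
        findings.append("'+all' authorises every sender")
    elif all_term is None and "redirect" not in seen:
        findings.append("no 'all' term: unlisted senders are not failed")
    return findings

if __name__ == "__main__":
    print(audit_spf(SAMPLE_TXT, SERVICES))
```

The multiple-record check matters when a second email tool is added: its sender belongs in the existing SPF record, not in a second `v=spf1` TXT record.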

While we’re on the topic of DNS records, you may also have to set up a CNAME record pointing the MAP’s email tracking link domain and/or landing page domain to the company’s domain. A tracking link domain is used to create a unique URL so the MAP can tell which individual recipient clicked on which link in an email before it redirects to the actual destination webpage. The landing page domain allows landing pages created in the MAP to have URLs with the company’s domain rather than that of the MAP. If these are relevant for your MAP, it will be most efficient to update the DNS with all of these items at once.

Partnering with the Network Administrator

The marketing operations team can initiate a conversation about setting up SPF and DKIM for the email tools they acquire. However, they cannot complete the task on their own and need to work with IT – whoever is the network administrator – to actually update the domain record. Marketing operations can provide the appropriate team member with the technical details from the MAP settings to add to the record.


Emails need to be verified through SPF and DKIM to have the best chance of reaching the recipient. Companies should ensure that any and all MAPs and ESPs are accounted for in the DNS record. This is a key step for good deliverability to ensure email campaigns are effective.

Get in Touch with Us

At Etumos, we love what we do and we love to share what we know. Call us, email us, or set up a meeting and let's chat!
