Geek Culture
Published in

Geek Culture

Fully Understand Email Authentication Protocols(SPF, DKIM, DMARC) in One Go

When I learn about email authentication protocols, I learn them quite separately from different blogs or websites. I figure it would be much more efficient and helpful for newcomers to understand all of them and get a clearer full picture in a single article, and that is the aim of my article.

SPF (Sender Policy Framework)

In one sentence, an SPF record states all the authorized sources that can send email messages from your domain name.

In more technical terms, an SPF record is a DNS TXT record having/referring to the list of authorized IP addresses that can send emails on behalf of your domain. Take the following SPF record for an example:

v=spf1 ~all

The statement instructs the receiving server to include SPF record from as well, which should finally consist of a list of authorized IP addresses.

The v statement indicates the SPF version being used. The final ~all means all other emails that fail to match with should be tagged as “Soft Fail”.

If you don’t set up SPF for your sending domain, others who pretend to send from your domain name could send emails as you and cause negative damage to your business and reputation.

Here’s a very helpful image that I found on Zoho that explains the whole email sending process involving the role of SPF:


For a more detailed explanation on SPF syntax, see this article:

DKIM (DomainKeys Identified Mail)

In one sentence, DKIM is an email security standard designed to make sure messages aren’t changed while being sent.

In more technical terms, DKIM is a DNS TXT record that contains a published public key. The sending mail server creates hashes from the content and headers of the mail message and then uses the private key to sign the mail. The DKIM signature is included as a header of the sent mail. The receiving server gets the public key from the queried DKIM record and uses it to decrypt the DKIM signature. If the decrypted content and headers match with the mail’s content and headers, the mail message passes DKIM and is considered authentic.

I found a flow chart that explains DKIM pretty well:


DMARC (Domain-based Message Authentication Reporting and Conformance)

In one sentence, DMARC ensures the authentication of your sent emails and instructs the receivers on what to do to spamy emails that claim to be sent from your domain.

In more technical terms, DMARC is based upon the results of SPF and/or DKIM, so at least one of those has to be set up for the email domain. To deploy DMARC, you need to publish a DMARC record(TXT record) in the DNS. DMARC authenticates if either SPF, DKIM, or both pass. You can set the DMARC policy to one of the 3 options below:


Monitors your email traffic. No further actions are taken.


Sends unauthorized emails to the spam folder.


The final policy and the ultimate goal of implementing DMARC. This policy ensures that unauthorized email doesn’t get delivered at all.

A DMARC record also instructs receiving email servers to send XML reports back to the reporting email address listed in the DMARC record. These reports provide insight on how your email is moving through the ecosystem and allow you to identify everything that is using your email domain.

For more information, visit




A new tech publication by Start it up (

Recommended from Medium

Digital Democracy 4–7 January

Are we heading towards digital identity crisis?

Big Tech Alternatives

Locks In the Time Of Lockpickers

Rate Limit Bypass at


cybersecurity in, no, FOR healthcare

What is a White Hat Hacker❓ | Ethical Hackers

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Franky Hung

Franky Hung

Founder of Arkon Digital. I’m not a code fanatic, but I’m always amazed by what code can do. The endless possibilities in coding is what fascinates me everyday.

More from Medium

Perilous Wilde Post-Mortem

Why Desktop Modes are bad but Desktop Browsers are good

It’s Alive! Drupal 7 gets another year

The everliving Drupal 7