📧 Email Deliverability
10 min read
The Email Authentication Chain: SPF + DKIM + DMARC Together
How SPF, DKIM, and DMARC work together as a complete email authentication system to prevent spoofing and improve deliverability.
The Three Pillars
Each protocol addresses a different aspect of email authentication:
| Protocol | Verifies | Method |
|---|---|---|
| SPF | Sending server | IP address check against DNS record |
| DKIM | Message integrity | Cryptographic signature in email header |
| DMARC | Domain alignment | Policy that ties SPF and DKIM to the From domain |
Individually, each has limitations. Together, they form a robust anti-spoofing system.
How They Work Together
When a receiving mail server gets an email from [email protected]:
1. SPF Check
→ Query example.com TXT for SPF record
→ Is the sending IP authorized? (Pass/Fail)
→ Does the envelope sender domain align with From domain?
2. DKIM Check
→ Extract DKIM-Signature header
→ Fetch public key from DNS (selector._domainkey.example.com)
→ Verify cryptographic signature (Pass/Fail)
→ Does the signing domain (d=) align with From domain?
3. DMARC Check
→ Query _dmarc.example.com TXT
→ Did SPF pass AND align? OR did DKIM pass AND align?
→ Apply DMARC policy: none / quarantine / reject
Understanding Alignment
DMARC requires alignment — the domain in the From header must match the domain verified by SPF or DKIM:
From: [email protected]
Envelope-From: [email protected] ← SPF checks this
DKIM d=example.com ← DKIM signs this
SPF alignment: mail.example.com vs example.com
→ Relaxed: PASS (organizational domain matches)
→ Strict: FAIL (exact domain differs)
DKIM alignment: example.com vs example.com
→ Both: PASS (exact match)
Relaxed alignment (default) allows subdomains. Strict alignment requires exact domain match.
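The checks in the two sections above, as an added example that is not part of the original article: it takes SPF and DKIM results that have already been verified and decides DMARC alignment and disposition. It assumes the organizational domain is the last two DNS labels (real receivers use the Public Suffix List, so names like example.co.uk need that list); the function and field names are illustrative.

```python
from dataclasses import dataclass
from typing import Optional


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption, no PSL)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: mode 'r' = relaxed, 's' = strict."""
    a, b = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return a == b                      # strict: exact domain match
    return org_domain(a) == org_domain(b)  # relaxed: same organizational domain


@dataclass
class AuthResult:
    from_domain: str          # domain of the RFC5322.From header
    envelope_from: str        # RFC5321.MailFrom domain that SPF checked
    spf_pass: bool
    dkim_d: Optional[str]     # d= of the DKIM-Signature that verified, else None
    dkim_pass: bool


def dmarc_evaluate(r: AuthResult, policy: str, aspf: str = "r", adkim: str = "r") -> dict:
    """Apply the DMARC rule: (SPF pass AND aligned) OR (DKIM pass AND aligned)."""
    spf_ok = r.spf_pass and aligned(r.from_domain, r.envelope_from, aspf)
    dkim_ok = (r.dkim_pass and r.dkim_d is not None
               and aligned(r.from_domain, r.dkim_d, adkim))
    dmarc_pass = spf_ok or dkim_ok
    # The policy only applies to failing mail; p=none reports without acting.
    disposition = "none" if dmarc_pass or policy == "none" else policy
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if dmarc_pass else "fail", "disposition": disposition}


# Constructed sample matching the walkthrough: From example.com,
# envelope sender on mail.example.com, DKIM signed with d=example.com.
SAMPLE = AuthResult(from_domain="example.com", envelope_from="mail.example.com",
                    spf_pass=True, dkim_d="example.com", dkim_pass=True)

if __name__ == "__main__":
    print(dmarc_evaluate(SAMPLE, "reject"))            # relaxed: both aligned
    print(dmarc_evaluate(SAMPLE, "reject", aspf="s"))  # strict SPF: only DKIM aligns
```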
Implementation Order
- Start with SPF — Fastest to implement. List all authorized sending IPs.
- Add DKIM — Configure your mail server or ESP to sign outgoing emails.
- Deploy DMARC with `p=none` — Collect reports without blocking email.
- Analyze DMARC reports — Identify unauthorized senders and missing SPF/DKIM.
- Tighten to `p=quarantine` — Suspicious emails go to spam.
- Move to `p=reject` — Unauthorized emails are rejected outright.
Monitoring with DMARC Reports
<!-- Aggregate report example (daily XML from receivers) -->
<record>
<row>
<source_ip>203.0.113.50</source_ip>
<count>142</count>
<policy_evaluated>
<dkim>pass</dkim>
<spf>pass</spf>
</policy_evaluated>
</row>
</record>
Use free tools like DMARC Analyzer, Postmark DMARC, or Google Postmaster Tools to visualize aggregate reports.
Common Pitfalls
- Forgetting to authorize third-party senders (Mailchimp, SendGrid) in SPF.
- DKIM key rotation — update DNS when rotating keys.
- Starting DMARC at `p=reject` before monitoring — this will block legitimate email.
- SPF record exceeding 10 DNS lookups — use `include` sparingly.