What is SPF & DKIM?

SPF is a DNS record that lists which IP addresses or servers are allowed to send email on behalf of your domain. DKIM is a digital signature added to your emails. It proves that the email was truly sent by you and was not altered on its way to the recipient.

SPF (Sender Policy Framework) is a rule you publish that tells inbox providers which servers are allowed to send email for your domain.

When an email is sent, Gmail or Outlook asks one question:

“Is this server allowed to send mail for this domain?”

SPF is where they look for the answer.

What Happens When an Email Is Sent

  • You send an email from john@yourdomain.com
  • The receiving server checks your domain’s SPF record
  • It compares the sending server’s IP to the approved list
  • On the list → Email passes SPF
  • Not on the list → Email is flagged or rejected

No guessing. No trust. Just rules.

Why SPF Is Mandatory

Without SPF, anyone could impersonate your domain.

A scammer could send:

ceo@yourcompany.com

From their own server.

SPF prevents this by saying:

“Only THESE servers are allowed to send email for me.”

Inbox providers do not trust domains without SPF. Period.

What an SPF Record Looks Like

SPF lives in your DNS as a TXT record.

Example:

v=spf1 include:_spf.google.com ~all

What each part means:

  • v=spf1 → Declares this as an SPF record
  • include:_spf.google.com → Allows Google Workspace to send email
  • ~all (Soft Fail) → Any server not listed should be treated as suspicious (recommended for cold email)

Other option:

  • -all (Hard Fail) → Reject completely (too aggressive for cold email)

Critical SPF Rules

  • ✅ You can only have ONE SPF record per domain
  • ❌ Multiple SPF records = broken authentication
  • ✅ If you use multiple tools, they must be combined into one line

Bad:

v=spf1 include:_spf.google.com ~all

v=spf1 include:mailchimp.com ~all

Good:

v=spf1 include:_spf.google.com include:mailchimp.com ~all
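
The one-record rule above as a check you can run, written as an added example (not code from this page or from any email provider): it lints a domain's TXT records and merges duplicate SPF records into one line. The function names and the sample TXT set are constructed for illustration, and the limit of 10 DNS-lookup terms comes from the SPF specification (RFC 7208), not from this page.

```python
import re

# Added example, not the page's own code. Offline: nested includes are not resolved.
LOOKUP_NAMES = {"include", "a", "mx", "ptr", "exists", "redirect"}  # cost a DNS lookup
STRICTNESS = "+?~-"  # "all" qualifiers, weakest to strictest
BAD = ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:mailchimp.com ~all",
       "site-verification=EXAMPLE"]  # constructed: the page's "Bad" pair + another TXT

def spf_records(txt_records):
    """Keep only the TXT strings that are SPF records (first token is v=spf1)."""
    return [t.strip() for t in txt_records if t.lower().split()[:1] == ["v=spf1"]]

def split_terms(record):
    """Return (terms other than 'all', qualifier of 'all' or None if it is missing)."""
    terms, qualifier = [], None
    for term in record.split()[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in STRICTNESS else "+"  # bare "all" = "+all"
        else:
            terms.append(term)
    return terms, qualifier

def lint(txt_records):
    """Return a list of problems found in one domain's TXT record set."""
    records = spf_records(txt_records)
    if not records:
        return ["no SPF record published"]
    problems = []
    if len(records) > 1:
        problems.append(f"{len(records)} SPF records: receivers return permerror")
    for rec in records:
        terms, qualifier = split_terms(rec)
        if qualifier is None:
            problems.append("no 'all' term")
        elif qualifier in "+?":
            problems.append(f"'{qualifier}all' does not restrict unlisted servers")
        names = [re.split(r"[:/=]", t.lstrip("+-~?").lower())[0] for t in terms]
        if sum(n in LOOKUP_NAMES for n in names) > 10:
            problems.append("more than 10 DNS-lookup terms (RFC 7208 limit)")
    return problems

def merge(txt_records):
    """Combine SPF records into one line; assumption: keep the strictest 'all' seen."""
    merged, quals = [], ""
    for rec in spf_records(txt_records):
        terms, qualifier = split_terms(rec)
        merged += [t for t in terms if t not in merged]
        quals += qualifier or ""
    final = max(quals, key=STRICTNESS.index, default="~")  # "~" as in the page's example
    return " ".join(["v=spf1", *merged, final + "all"])
```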

Tools to Check SPF

  • MXToolbox
  • EasyDMARC
  • Google Admin / Microsoft Admin

If SPF fails, deliverability dies immediately.

DKIM (DomainKeys Identified Mail) is a cryptographic signature attached to every email you send.

SPF checks where the email came from. DKIM proves the message wasn’t altered and truly belongs to the domain.

Think of DKIM as a tamper-proof seal.

How DKIM Works (Simple Version)

DKIM uses two keys:

  • Private Key → Stays on your email server and signs every outgoing email
  • Public Key → Published in DNS and used by inbox providers to verify the signature

If the signature matches → email is trusted. If it doesn’t → email is filtered.

What Inbox Providers Are Checking

When your email arrives, Gmail asks:

“Was this email modified after it was sent?”

If DKIM passes:

  • Message is authentic
  • Domain integrity is intact

If DKIM fails:

  • Message could be altered
  • Trust is reduced immediately

How DKIM Is Set Up

You do not write DKIM yourself.

Your email provider generates it.

Setup Flow

  • Go to your email admin (Google Workspace / Microsoft 365)
  • Generate DKIM
  • Copy the TXT record (starts with v=DKIM1; k=rsa; p=...)
  • Paste it into your domain’s DNS
  • Click Start Authentication

That’s it.

DKIM Record Example

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...

Long, ugly, unreadable — and extremely important.

Tools to Test DKIM

  • Mail-Tester
  • GlockApps
  • MXToolbox

If DKIM fails, your emails will not scale.

SPF vs DKIM (Clear Difference)

  • SPF → “Is this server allowed to send?”
  • DKIM → “Is this message authentic and unchanged?”

You need both.

Passing one without the other is not enough.

Key Takeaway

SPF and DKIM don’t boost deliverability. They remove distrust.

Without them:

  • Inbox providers assume risk
  • Filtering increases immediately

With them:

  • You earn the right to be judged on behavior

Authentication is the price of entry, not the reward.