What is SPF, DKIM, and DMARC authentication?

Major changes will take place starting February 2024 regarding the sending of emails to recipients with email addresses hosted by Gmail or Yahoo (AOL) that require changes to your sending domain. Read our article to find out what to do >

SPF, DKIM and DMARC authentication processes

The implementation of SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) authentication on email sending domains is crucial to build trust, reduce phishing risks, protect against fraud, ensure the legitimacy of electronic messages, and improve email deliverability. By combining SPF, DKIM, and DMARC, organizations can establish a multi-layered approach to strengthen the security of outgoing emails.

SPF (Sender Policy Framework)

SPF allows the owners of a domain to specify the mail servers authorized to send email on its behalf. SPF authentication is verified on the domain of the "Return-path" address.

What is the Return-path?
It is an email address generally not visible to recipients, found in email headers. It is used, among other things, for bounce management. Since the domain of the Return-path for our clients is cyberimpact.com, all emails sent through our service are authenticated with Cyberimpact's SPF.

Why use SPF

SPF authentication protects against identity theft by preventing the sending of fraudulent emails from unauthorized servers. This helps ensure that emails are sent by legitimate sources.

DKIM (DomainKeys Identified Mail)

DKIM authentication process

DKIM is an email authentication method that allows the sender to use a digital signature to associate the message with their domain.

Why use DKIM

This signature (DKIM) is included in the headers of an email and is used to verify that the email was indeed sent by the claimed domain and has not been altered in transit. It also helps combat content forgery and strengthens recipient trust.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

What is a DMARC policy?

DMARC is an authentication method that ensures messages sent from your email address really do come from you, and that tells receiving mail servers how emails that fail authentication tests should be handled. For DMARC authentication to pass, the email must be correctly authenticated with SPF or a DKIM signature, and the domain in the "From:" field (the visible header) must match the domain authenticated by SPF or the domain of the DKIM signature (this match is known as SPF or DKIM alignment).

Why use DMARC

The DMARC policy complements SPF and DKIM by providing an authentication policy for the domain. It helps define actions to be taken for emails that fail SPF and/or DKIM checks, such as quarantining or rejecting them. If someone tries to forge your email address, this will prevent forged emails from reaching their destination and damaging your reputation. Additionally, DMARC allows you to receive detailed reports on identity spoofing attempts if you include an email address in your record to receive them.

Learn how to set up DMARC authentication >

Not sure if your domain name already has DMARC authentication in place? You can check with online tools like MXToolbox. Simply enter your domain name (e.g., pizza.com) and launch the search by clicking on DMARC Lookup. The tool will then tell you whether or not it has found a DMARC record on your domain.

Example of the result when there is no DMARC authentication found:

[Image: domain with no DMARC]

Example of the result when DMARC authentication is found:

[Image: domain with DMARC]

If you're not sure of the result, contact our team for help.

How to authenticate emails sent via Cyberimpact

All emails sent through our services automatically have Cyberimpact's SPF and DKIM authentication to ensure you get the best deliverability rate possible. Our authentication also allows you to benefit from the good sending reputation of our clientele. However, as of January 23, 2024 (for free accounts) and January 30, 2024 (for all our customers), to continue sending your mailings from your own sender address and comply with the new Gmail and Yahoo requirements that will come into force in February 2024, you must now activate a custom DKIM signature with your sending domain on your account and ensure that it has been authenticated with DMARC. Please note that no changes are required to the SPF, as your emails will continue to be authenticated with Cyberimpact SPF. Learn how to authenticate your mailings >
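The following added example (not Cyberimpact's code, and not how any particular mailbox provider implements it) applies the alignment rule from the DMARC section to the setup described above: SPF passes on the cyberimpact.com Return-path but does not align with your own "From:" domain, so an aligned pass has to come from a custom DKIM signature. The sending domain example.com, the DMARC record, and the d= domain of the shared DKIM signature are constructed assumptions.

```python
# Added example: simplified DMARC check, not Cyberimpact's or any receiver's code.
def org_domain(domain):
    # Assumption: organizational domain = last two labels. Real receivers
    # use the Public Suffix List (needed for suffixes such as .co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    return {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in parts if "=" in p)}

def aligned(auth_domain, from_domain, mode):
    # mode "s" = strict (exact match), "r" = relaxed (same organizational domain)
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, spf_result, return_path_domain, dkim_sigs, dmarc_txt):
    """dkim_sigs is a list of (result, d= domain). Returns (verdict, policy applied)."""
    policy = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if policy is None:
        return ("none", "no DMARC record")
    spf_ok = spf_result == "pass" and aligned(
        return_path_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = any(res == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                  for res, d in dkim_sigs)
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    return ("fail", policy.get("p", "none"))

# Constructed sample data: example.com stands in for the customer's sending domain.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
SHARED_DKIM = ("pass", "cyberimpact.com")   # assumed d= of the shared signature
CUSTOM_DKIM = ("pass", "example.com")       # custom DKIM on the sending domain

if __name__ == "__main__":
    # SPF passes on the Return-path domain but does not align with From.
    print(evaluate("example.com", "pass", "cyberimpact.com", [SHARED_DKIM], RECORD))
    # Adding the custom DKIM signature gives an aligned pass.
    print(evaluate("example.com", "pass", "cyberimpact.com",
                   [SHARED_DKIM, CUSTOM_DKIM], RECORD))
    # No record published: the receiver has no DMARC policy to apply.
    print(evaluate("example.com", "pass", "cyberimpact.com", [CUSTOM_DKIM], None))
```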