Understanding SPF and DKIM to Improve Email Deliverability

Bird

11 May 2018

Email

1 min read

Understanding SPF and DKIM to Improve Email Deliverability

Key Takeaways

    • Premise: SPF and DKIM are foundational email authentication protocols that protect sender reputation, prevent spoofing, and improve inbox placement.

    • Goal: Help businesses understand how these mechanisms work, their limitations, and why implementing both is essential for improving deliverability and customer trust.

    • Highlights:

      1. SPF (Sender Policy Framework):

        • Defines which mail servers are authorized to send email for your domain.

        • Helps prevent forgery and phishing by validating the sender’s IP address against published DNS records.

        • Benefits: Strengthens domain credibility and improves deliverability.

        • Drawbacks: Can break when messages are forwarded (unless using Sender Rewriting Scheme), and SPF records must be updated whenever new sending services are added.

      2. DKIM (DomainKeys Identified Mail):

        • Uses cryptographic signatures to verify that messages are unaltered in transit and actually originate from your domain.

        • Benefits: Prevents tampering, spoofing, and phishing while reinforcing sender authenticity.

        • Drawbacks: Forwarding issues and short key lengths can lead to failed validations.

      3. How They Work Together:

        • SPF checks the sending server’s identity, while DKIM validates message integrity and authenticity.

        • Together, they form the core of secure email authentication.

      4. Alignment & Deliverability:

        • Domain alignment ensures that your visible “From” address matches the domains used for SPF and DKIM authentication.

        • Aligned domains build stronger trust signals and increase inbox placement rates.

      5. Practical Tools & Next Steps:

        • Use tools like the SPF Inspector, SPF Builder, and DKIM Validator to audit and configure your records.

        • Combine SPF and DKIM with DMARC and email validation for a complete deliverability strategy.

        • For sensitive communications, consider S/MIME encryption for additional protection.

      6. Business Value:

        • Proper authentication protects customers from scams, improves sender reputation, and ensures legitimate marketing and transactional emails reach the inbox.

Q&A Highlights

  • What’s the difference between SPF and DKIM?

    SPF validates which servers can send email on behalf of a domain, while DKIM verifies that the message itself hasn’t been altered and truly comes from the claimed sender.

  • How do SPF and DKIM improve deliverability?

    They enhance sender reputation and reduce spam filtering, making it more likely your emails reach inboxes instead of being flagged or quarantined.

  • Why does forwarding sometimes break SPF or DKIM?

    Forwarding can alter the message path or headers, creating mismatches with the domain’s SPF or DKIM records. Using Sender Rewriting Scheme (SRS) and maintaining proper alignment mitigates this.

  • What is “alignment” in email authentication?

    It means the “From” domain visible to recipients matches the domains used in SPF and DKIM checks — a key factor for DMARC compliance and deliverability strength.

  • Is SPF or DKIM enough on their own?

    No. Each addresses different vulnerabilities — SPF ensures authorized senders, DKIM ensures message integrity. Combined, they form the foundation of trusted email authentication.

  • How can businesses get started?

    Publish SPF and DKIM records through your DNS, test them with available tools, and ensure they remain updated as you add new sending services or platforms.

If you’re aware of how email can play a critical role in acquiring and retaining customers, then you’ve probably heard of SPF and DKIM.

Understanding SPF and DKIM to Improve Email Deliverability

If you’re aware of how email can play a critical role in acquiring and retaining customers, then you’ve probably heard of SPF and DKIM. You might even know that SPF and DKIM are fundamental components of email authentication and help protect email senders and recipients from spam, spoofing, and phishing.

But what do these terms actually mean and how are they related to email deliverability? If you’re looking to better understand SPF and email DKIM, let’s start with some definitions.

Sender Policy Framework (SPF) Definition:

SPF is a form of email authentication that defines a process to validate an email message that has been sent from an authorized mail server in order to detect forgery and to prevent spam. The owner of a domain can identify exactly which mail servers they are able to send from with SPF protocols.

DomainKeys Identified Mail (DKIM) Definition:

DKIM is a form of email authentication that allows an organization to claim responsibility for a message in a way that can be validated by the recipient. DKIM uses “public key cryptography” to verify that an email message was sent from an authorized mail server, in order to detect forgery and to prevent delivery of harmful email like spam.

SPF and DKIM Explained Simply

In the early days of ‘modern email’, there were limited mechanisms available to support sender verification. Nearly all spam, scams, and viruses that spread through email did so using falsified sender information – as some still do today. Verifying who email senders actually are was and still is a difficult process.

Take the example of visiting www.google.com and submitting a search. You’re generally pretty confident that Google has control over what gets sent back to you for your search and the search results are secure. This is because the Domain Name System (DNS)—a distributed network of servers that act as a phonebook—connects the domain with a variety of records, including where to find the real google.com.

Email uses a later adaptation of this same system to verify senders, which is exactly what a Sender Policy Framework (SPF) record is.

Advantages and Potential Drawbacks of SPF

SPF is adept at preventing phishing. Without it, SMTP would expose your address to those who could forge it for spamming purposes. With SPF in place, when a hacker attempts to initiate an email from your address, the receiving server’s SPF security detects it and identifies it as invalid. Using SPF shows your organization is committed to protecting against cyber threats, a sign that positively impacts your sender reputation.

When a user outside your domain forwards an email that originated from you, the delivery may not occur because of a mismatch between the IP record and the SPF record. Many mail exchange and transfer agents are now using the Sender Rewriting Scheme (SRS) to enhance the deliverability of email forwards. The SPF record also must reflect any changes in third-party email services providers to ensure they correspond for deliverability.

How SPF Works

At the most basic level, SPF email establishes a method for receiving servers to verify that incoming email from a domain was sent from a host authorized by that domain’s administrators. The following three steps outline how SPF works:

  1. A domain administrator publishes the policy defining mail servers that are authorized to send email from that domain. This policy is called an SPF record, and it is listed as part of the domain’s overall DNS records.

  2. When an inbound mail server receives an incoming email, it looks up the rules for the bounce (Return-Path) domain in DNS. The inbound server then compares the IP address of the mail sender with the authorized IP addresses defined in the SPF record.

  3. The receiving mail server then uses the rules specified in the sending domain’s SPF record to decide whether to accept, reject, or otherwise flag the email message.


To take the first step of inspecting your own SPF record, you can do so with SparkPost’s free tool – the SPF Inspector.

Once you’ve identified which servers are authorized to send on behalf of a domain, you can then create an SPF record for your domain through the SPF Builder.

Creating an SPF record will move you one step closer to ensuring that legitimate email that comes from your domain is successfully delivered to customer inboxes.

When it comes to verifying that an email message was sent from an authorized mail server, that’s where DKIM comes in.

Advantages and Potential Drawbacks of DKIM Authentication

DKIM email’s primary advantage is its ability to protect against both spoofing and phishing attacks. The authentication appears within the message itself to prevent forgery and safeguard users from replying to illegitimate emails with sensitive personal data. Both spoofing and phishing have the potential to harm your sending reputation and future deliverability, so protection against the two is beneficial.

Creating an email with DKIM has the same potential disadvantage as SPF when it comes to forwarding messages. For example, an email that automatically routes from an office computer to a user’s mobile may appear as illegitimate to the receiving server. Many popular email services have resolved this issue. One other challenge that may present itself is a DKIM that is too short in length. With more support for longer keys, shorter ones may not pass authentication.

How DKIM Works

Simply put, DKIM works by adding a digital signature to the headers of an email message. This signature can then be validated against a public cryptographic key that is located in the organization’s DNS record.

The domain owner publishes a cryptographic key. This is specifically formatted as a TXT record in the domain’s overall DNS record.

After a message is sent by an outbound mail server, the server generates and attaches the unique DKIM signature to the header of the message.

The DKIM key is then used by inbound mail servers to detect and decrypt the message’s signature and compare it against a fresh version. If the values match, the message can be proved authentic, and unaltered in transit, and therefore, not forged or altered.

You can validate your email with the DKIM Validator.

In the early days of ‘modern email’, there were limited mechanisms available to support sender verification. Nearly all spam, scams, and viruses that spread through email did so using falsified sender information – as some still do today. Verifying who email senders actually are was and still is a difficult process.

Take the example of visiting www.google.com and submitting a search. You’re generally pretty confident that Google has control over what gets sent back to you for your search and the search results are secure. This is because the Domain Name System (DNS)—a distributed network of servers that act as a phonebook—connects the domain with a variety of records, including where to find the real google.com.

Email uses a later adaptation of this same system to verify senders, which is exactly what a Sender Policy Framework (SPF) record is.

Advantages and Potential Drawbacks of SPF

SPF is adept at preventing phishing. Without it, SMTP would expose your address to those who could forge it for spamming purposes. With SPF in place, when a hacker attempts to initiate an email from your address, the receiving server’s SPF security detects it and identifies it as invalid. Using SPF shows your organization is committed to protecting against cyber threats, a sign that positively impacts your sender reputation.

When a user outside your domain forwards an email that originated from you, the delivery may not occur because of a mismatch between the IP record and the SPF record. Many mail exchange and transfer agents are now using the Sender Rewriting Scheme (SRS) to enhance the deliverability of email forwards. The SPF record also must reflect any changes in third-party email services providers to ensure they correspond for deliverability.

How SPF Works

At the most basic level, SPF email establishes a method for receiving servers to verify that incoming email from a domain was sent from a host authorized by that domain’s administrators. The following three steps outline how SPF works:

  1. A domain administrator publishes the policy defining mail servers that are authorized to send email from that domain. This policy is called an SPF record, and it is listed as part of the domain’s overall DNS records.

  2. When an inbound mail server receives an incoming email, it looks up the rules for the bounce (Return-Path) domain in DNS. The inbound server then compares the IP address of the mail sender with the authorized IP addresses defined in the SPF record.

  3. The receiving mail server then uses the rules specified in the sending domain’s SPF record to decide whether to accept, reject, or otherwise flag the email message.


To take the first step of inspecting your own SPF record, you can do so with SparkPost’s free tool – the SPF Inspector.

Once you’ve identified which servers are authorized to send on behalf of a domain, you can then create an SPF record for your domain through the SPF Builder.

Creating an SPF record will move you one step closer to ensuring that legitimate email that comes from your domain is successfully delivered to customer inboxes.

When it comes to verifying that an email message was sent from an authorized mail server, that’s where DKIM comes in.

Advantages and Potential Drawbacks of DKIM Authentication

DKIM email’s primary advantage is its ability to protect against both spoofing and phishing attacks. The authentication appears within the message itself to prevent forgery and safeguard users from replying to illegitimate emails with sensitive personal data. Both spoofing and phishing have the potential to harm your sending reputation and future deliverability, so protection against the two is beneficial.

Creating an email with DKIM has the same potential disadvantage as SPF when it comes to forwarding messages. For example, an email that automatically routes from an office computer to a user’s mobile may appear as illegitimate to the receiving server. Many popular email services have resolved this issue. One other challenge that may present itself is a DKIM that is too short in length. With more support for longer keys, shorter ones may not pass authentication.

How DKIM Works

Simply put, DKIM works by adding a digital signature to the headers of an email message. This signature can then be validated against a public cryptographic key that is located in the organization’s DNS record.

The domain owner publishes a cryptographic key. This is specifically formatted as a TXT record in the domain’s overall DNS record.

After a message is sent by an outbound mail server, the server generates and attaches the unique DKIM signature to the header of the message.

The DKIM key is then used by inbound mail servers to detect and decrypt the message’s signature and compare it against a fresh version. If the values match, the message can be proved authentic, and unaltered in transit, and therefore, not forged or altered.

You can validate your email with the DKIM Validator.

In the early days of ‘modern email’, there were limited mechanisms available to support sender verification. Nearly all spam, scams, and viruses that spread through email did so using falsified sender information – as some still do today. Verifying who email senders actually are was and still is a difficult process.

Take the example of visiting www.google.com and submitting a search. You’re generally pretty confident that Google has control over what gets sent back to you for your search and the search results are secure. This is because the Domain Name System (DNS)—a distributed network of servers that act as a phonebook—connects the domain with a variety of records, including where to find the real google.com.

Email uses a later adaptation of this same system to verify senders, which is exactly what a Sender Policy Framework (SPF) record is.

Advantages and Potential Drawbacks of SPF

SPF is adept at preventing phishing. Without it, SMTP would expose your address to those who could forge it for spamming purposes. With SPF in place, when a hacker attempts to initiate an email from your address, the receiving server’s SPF security detects it and identifies it as invalid. Using SPF shows your organization is committed to protecting against cyber threats, a sign that positively impacts your sender reputation.

When a user outside your domain forwards an email that originated from you, the delivery may not occur because of a mismatch between the IP record and the SPF record. Many mail exchange and transfer agents are now using the Sender Rewriting Scheme (SRS) to enhance the deliverability of email forwards. The SPF record also must reflect any changes in third-party email services providers to ensure they correspond for deliverability.

How SPF Works

At the most basic level, SPF email establishes a method for receiving servers to verify that incoming email from a domain was sent from a host authorized by that domain’s administrators. The following three steps outline how SPF works:

  1. A domain administrator publishes the policy defining mail servers that are authorized to send email from that domain. This policy is called an SPF record, and it is listed as part of the domain’s overall DNS records.

  2. When an inbound mail server receives an incoming email, it looks up the rules for the bounce (Return-Path) domain in DNS. The inbound server then compares the IP address of the mail sender with the authorized IP addresses defined in the SPF record.

  3. The receiving mail server then uses the rules specified in the sending domain’s SPF record to decide whether to accept, reject, or otherwise flag the email message.


To take the first step of inspecting your own SPF record, you can do so with SparkPost’s free tool – the SPF Inspector.

Once you’ve identified which servers are authorized to send on behalf of a domain, you can then create an SPF record for your domain through the SPF Builder.

Creating an SPF record will move you one step closer to ensuring that legitimate email that comes from your domain is successfully delivered to customer inboxes.

When it comes to verifying that an email message was sent from an authorized mail server, that’s where DKIM comes in.

Advantages and Potential Drawbacks of DKIM Authentication

DKIM email’s primary advantage is its ability to protect against both spoofing and phishing attacks. The authentication appears within the message itself to prevent forgery and safeguard users from replying to illegitimate emails with sensitive personal data. Both spoofing and phishing have the potential to harm your sending reputation and future deliverability, so protection against the two is beneficial.

Creating an email with DKIM has the same potential disadvantage as SPF when it comes to forwarding messages. For example, an email that automatically routes from an office computer to a user’s mobile may appear as illegitimate to the receiving server. Many popular email services have resolved this issue. One other challenge that may present itself is a DKIM that is too short in length. With more support for longer keys, shorter ones may not pass authentication.

How DKIM Works

Simply put, DKIM works by adding a digital signature to the headers of an email message. This signature can then be validated against a public cryptographic key that is located in the organization’s DNS record.

The domain owner publishes a cryptographic key. This is specifically formatted as a TXT record in the domain’s overall DNS record.

After a message is sent by an outbound mail server, the server generates and attaches the unique DKIM signature to the header of the message.

The DKIM key is then used by inbound mail servers to detect and decrypt the message’s signature and compare it against a fresh version. If the values match, the message can be proved authentic, and unaltered in transit, and therefore, not forged or altered.

You can validate your email with the DKIM Validator.

The Importance of Authentication Alignment

Using the benefits of a third-party email service provider (ESP) is a wise investment that can still pose a challenge with domain alignment. In an aligned domain, your business appears as the sender even if your ESP is sending on your behalf. Your emails may still experience delivery even if your domain is out of alignment. An aligned domain passes through spam filters more easily to even further boost your inbox placement opportunities.

"An aligned domain passes through spam filters more easily to even further boost your inbox placement opportunities."

The Value of SPF and DKIM

If you are a business that sends commercial or transactional emails, it’s critical to use both SPF and DKIM. For businesses requiring encrypted communications, implementing S/MIME with streamlined recipient public key collection processes adds another crucial layer of email security. Not only will these protocols protect your business from phishing and spoofing attacks, but SPF and DKIM ultimately help protect your customer relationships and brand reputation. Bear in mind that these are just a few of the many steps you can take to ensure business-critical emails reach your customers’ inboxes on time and don’t end up in spam folders. Another critical step is implementing robust email validation techniques to ensure you're sending to valid, deliverable addresses from the start.

Summing Up

In a nutshell, SPF allows email senders to define which IP addresses are allowed to send mail for a particular domain. DKIM on the other hand, provides an encryption key and digital signature that verifies that an email message was not forged or altered.

Authentication itself is not a testimonial on the value of your content. Use proper email etiquette and best practices for inbox placement — spammy content will still generate complaints and unsubscribes even if authenticated.

When these email authentication methods are properly implemented, you will be one step closer to improving your email deliverability and sending secure emails that drive revenue for your business.

Other news

Read more from this category

A person is standing at a desk while typing on a laptop.

The complete AI-native platform that scales with your business.

Contact sales

Start for free

© 2025 Bird

Contact Support

A person is standing at a desk while typing on a laptop.

The complete AI-native platform that scales with your business.

Contact sales

Start for free

© 2025 Bird

Contact Support

A person is standing at a desk while typing on a laptop.

The complete AI-native platform that scales with your business.

Contact sales

Start for free

© 2025 Bird

Contact Support