Email Deliverability and Automation Expert

Unraveling DMARC, DKIM, and SPF

Fabrício Yutaka Fujikawa, September 30, 2024

Hi,

I needed to explain the DMARC, DKIM, and SPF protocols in simple terms to a non-technical person. As an experiment, I asked Claude for help, and he generated the following explanation:

“Imagine that SPF and DKIM are like two security guards at a building, checking if the person (the email) entering has authorization to do so.

SPF checks if the person came from a known address (server), and DKIM verifies if the signature on the badge is valid (the message content hasn’t been altered). So far, everything seems fine, but there’s a third level of security: DMARC.

DMARC is like a building manager who, in addition to verifying that the two guards authorized entry, wants to ensure that the company (domain) this person represents is indeed the one written on their uniform (the “From:” field in the email). The problem occurs when the person is authenticated, but the uniform they’re wearing (the “From:” field) doesn’t match the company represented by the person.

This misalignment happens when the domain that appears in the “From:” field (the uniform) is different from the domain authenticated by SPF or DKIM. In other words, even if SPF and DKIM are correct, DMARC will fail because the domains are not aligned, indicating potential forgery or a configuration issue.

In practical terms:

  • SPF confirms that the server the email came from is authorized to send emails on behalf of the domain.
  • DKIM confirms that the email content hasn’t been altered.
  • But DMARC fails because the domain that appears in the “From:” field of the email doesn’t correspond to the one authenticated by SPF or DKIM.

Imagine that, in addition to the security guards and the manager (SPF, DKIM, and DMARC), there are different buildings (mailbox providers, like Gmail, Outlook, etc.), and each of these buildings has its own rules on how to deal with people who don’t pass all security checks.

When an email fails DMARC authentication because the domain in the “From:” field isn’t aligned with the domains authenticated by SPF or DKIM, each mailbox provider (ESP) may react differently:

  • Some providers might put this email directly in the SPAM box, as they see this failure as a possible fraud or phishing attempt.
  • Other providers might simply reject the email and not deliver it to the inbox, meaning the recipient will never see the message.
  • Depending on the DMARC policy configured for the domain (for example, “none,” “quarantine,” or “reject”), the provider may take more severe measures. If the sender’s DMARC policy is set to “quarantine,” there’s a good chance the email will go straight to SPAM. If it’s “reject,” the provider might not even allow the email to reach the recipient.

In other words, the risk of not properly aligning SPF, DKIM, and DMARC is that your messages may end up being filtered as SPAM or not delivered at all, depending on the rules and settings of each provider. This is particularly dangerous because, even if the sender is legitimate, a DMARC failure can prevent the message from reaching the inbox, harming the domain’s deliverability and reputation.

With this, ensuring that all domains are aligned in SPF, DKIM, and DMARC not only improves security but also increases the chances of your messages reaching recipients correctly.”

What did you think of the explanation? Overall, I found it easy to understand.
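The alignment check from the explanation above, written out as an added example that is not part of the original post or of any provider's code. It assumes the receiver already has the SPF and DKIM results, approximates the organizational domain as the last two labels (real receivers use the Public Suffix List), and uses constructed domains and helper names.

```python
from email.utils import parseaddr

def parse_dmarc(record):
    """Parse a DMARC TXT record into tags; alignment defaults to relaxed (RFC 7489)."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    return tags

def org_domain(domain):
    # Assumption for this example: last two labels stand in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') compares organizational domains."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def evaluate(from_header, spf, dkim, record):
    """spf and dkim are (result, authenticated_domain) pairs.
    Returns (dmarc_result, policy the domain owner requests)."""
    tags = parse_dmarc(record)
    from_domain = parseaddr(from_header)[1].rpartition("@")[2]
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags["aspf"])
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags["adkim"])
    # One passing AND aligned mechanism is enough for DMARC to pass.
    if spf_ok or dkim_ok:
        return "pass", "none"
    # The policy is a request; each mailbox provider decides what it actually does.
    return "fail", tags["p"]

# Constructed samples: (From header, SPF result, DKIM result, DMARC record)
SAMPLES = [
    # Both "guards" pass, but for the sending platform's domain, not the From domain.
    ("Shop <news@example.com>", ("pass", "bounce.esp-mailer.example"),
     ("pass", "esp-mailer.example"), "v=DMARC1; p=quarantine"),
    # DKIM signs with a subdomain of the From domain: aligned in relaxed mode.
    ("Shop <news@example.com>", ("pass", "bounce.esp-mailer.example"),
     ("pass", "mail.example.com"), "v=DMARC1; p=reject"),
    # Same message under strict DKIM alignment: the subdomain no longer counts.
    ("Shop <news@example.com>", ("pass", "bounce.esp-mailer.example"),
     ("pass", "mail.example.com"), "v=DMARC1; p=reject; adkim=s"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample[0], "->", evaluate(*sample))
```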

To generate the post image, I asked Claude to create a description. The result was this:

“A minimalist and professional vector illustration using pastel tones. The image depicts a modern corporate building seen from the front, with a main entrance.

In the center of the image, there are three stylized figures representing:

  • A security guard (SPF) checking a badge.
  • Another security guard (DKIM) examining a signature on a document.
  • A manager (DMARC) standing between the two guards, observing attentively.

In front of the building, there’s a line of people (representing emails) waiting to enter. Some people wear uniforms that match their badges, while others have different uniforms.

At the top of the building, there’s a discreet sign with the acronyms “DMARC, DKIM, SPF.”

The background of the image is simple, with a sky in a soft pastel tone, creating a subtle contrast with the building.

The color palette should be predominantly in pastel tones, such as light blue, aqua green, beige, and light gray, to maintain a professional and sober appearance.

The image should be in 16:9 (landscape) format and optimized for a blog post.”

Then, in ChatGPT, I used the Custom GPT Image Generator Pro and asked it to generate the image. The first version was this:

Lastly, I asked it to focus only on the security guard and manager figures, as I wanted to emphasize DMARC’s “orchestrator” function. And then it generated the image at the top of the post.


Do you have any questions about email deliverability or want to share your experience? Leave a comment below!

Cheers,
Fabrício
