Understanding why SPF and DKIM records are important for your success is crucial to ensure best possible deliverability of your emails. Both these records are set up in your DNS Zone - the administrative space on your hosting where domains and their records are managed.

DNS Zones differ a bit depending on what hosting they belong to, so if you encounter any problems with setting up these records, please contact your hosting provider.

Sender Policy Framework

SPF (Sender Policy Framework) is an authentication protocol. It helps recipient servers to identify you as a legitimate sender and owner of your FROM address. Setting up a correct SPF record will prevent other people from sending emails on your behalf. Simply put, it allows you to specify who will be allowed to send emails on behalf of your domain. If you aim for best email deliverability, SPF is absolutely essential.

It is also set up in order to stop phishing attacks. SPF record tells email servers if an email was sent from authorized sender IP address. Thanks to this information, server administrators can easily detect and block phishing emails.

Elastic Email SPF record looks as follows. Below you will find a breakdown of its syntax:

v=spf1 a mx include:_spf.elasticemail.com ~all

"v=spf1" - this simply indicates the version of SPF record. Current standard is always version 1

a - a test for the A record of the domain. In order to pass, it should match the sender IP.

mx - a test for the MX record of the domain. In order to pass, it should match the sender IP.

include - The third-party domain that is defined after the "include" directive (in this case it would be spf.elasticemail.com) is allowed to send on your behalf.

~all - This directive indicates that any other IPs or domains than the ones specified in the record are not authorized to send on your behalf and will soft-fail.

You can read more about how to set up this record in the SPF section of our domain verification article.

It's also important to familiarize yourself with common SPF errors.

DomainKeys Identified Mail

DKIM (DomainKeys Identified Mail) allows receiving servers to confirm that mail coming from a domain is authorized by the domain's administrators.

It is achieved thanks to a pair of cryptographic keys – one is a public key published in a TXT record and the other is a private key encrypted in a signature affixed to outgoing messages. Both are generated by Elastic Email.

DKIM is not as essential as SPF but having your emails signed with DKIM will further help recipient servers with treating you as a legitimate sender. It further improves the chances of your emails not landing in your recipient's spam folder.

Correctly set up DKIM record will also make it harder to spoof your emails for any malicious third party.

An example of a decrypted Elastic Email DKIM record (as you will see it in the email headers after receiving it in your inbox) looks as follows. Below you will find a breakdown of its syntax:

DKIM-Signature: v=1; a=rsa-sha256; d=elasticemaildemo.com; s=api; c=relaxed/simple; t=1657630312; h=from:date:subject:reply-to:to:mime-version; bh=WP7kmx0OyB67VOSbecKqjSAS/xemAzmsmWxeqZCvzfU=; b=jGwN8zV3F/KfjxArDVQIe9NT7k2Hrf68w041Wwd11L6WyXn2lypT4UXH+sQjr7l+2/heM2IYt24 FaqzLOZKtjAXZCyCU5GeJHkZiUxkd1NO6ARYESncklONZKdfxxlx1LN7QY16HZDPWJY6hYH7VwffF V/CtBfGOanpaqak+lNA=

DKIM-Signature - a header indicating the beginning of DKIM entry

v=1 - the version of DKIM used by the sender

a=rsa-sha256 - the algorithm used to generate the hash for the public and private keys.

c=relaxed/simple - canonicalization posture for the sending domain. In simple terms, it regulates whitespace and text wrapping changes that may occur in the email.

s=api - selector for the public DKIM key used when verifying it. A domain can have multiple DKIM keys. The role of the selector is to make sure that recipient servers use the right public key.

d=elasticemaildemo.com - domain used when signing the email message. It's crucial to use your own domain here. This practice will help improve your sender reputation over time.

h=from:date:subject:reply-to:to:mime-version; - headers included in the message when it was signed

bh=WP7kmx0OyB67VOSbecKqjSAS/xemAzmsmWxeqZCvzfU= - The value of a body hash that's generated before the headers are signed.

b=jGwN8zV3F/KfjxArDVQIe9NT7k2Hrf68w041Wwd11L6WyXn2lypT4UXH+sQjr7l+2/heM2IYt24 FaqzLOZKtjAXZCyCU5GeJHkZiUxkd1NO6ARYESncklONZKdfxxlx1LN7QY16HZDPWJY6hYH7VwffF V/CtBfGOanpaqak+lNA= - The cryptographic signature of all the previous information from the DKIM-Signature field.

t= this tag indicates that the domain is testing DKIM or is requiring a domain match in the signature header between the "i=" and "d=" tags.

You can read more about how to set up this record in the DKIM section of our domain verification article.

Did this answer your question?