Untangling Email: SPF, DKIM, & DMARC

by C.W. Holeman III


Email can be a very tangled subject. Rather than dealing with it, you may wish to enable Wisetail Managed Email.

In this article I hope to help untangle the general functionality of three tools you can use in conjunction with Wisetail when you configure email addresses under:

Admin Tool --> System --> Basic Settings --> System 'From' Email Address.

Email spoofing is when an unrelated party sends email using your domain. Spoofing can be used for evil (AKA fraud and spam), or good (allowing Wisetail to send branded email on your behalf). In order to allow Wisetail to send mail from your domain, you will need to have properly configured SPF & DKIM records.

But first, what do the acronyms mean?

Big Picture

SPF = Sender Policy Framework. A DNS record that lists what domains can send mail for you.

DKIM = DomainKeys Identified Mail. Emails get signed with an encryption key for authentication.

DMARC = Domain-based Message Authentication, Reporting & Conformance. A DNS record that tells others how to handle messages from your domain.

Breaking Down SPF

An SPF record is essentially a list of domains that are authorized to send email on behalf of your domain. You will configure an SPF record that adds Wisetail's servers to the list of servers authorized to send email on your behalf. When someone receives an email, their email server will look up the sender's IP address/domain to ensure it came from an authorized server.


Read our article on configuring an SPF Record here.


Breaking Down DKIM

In a nutshell, DKIM has two parts. First, there is a DKIM record that you publish, which is the public key. Second, when email is sent from your domain, each message has a private key attached to it. This private key can be compared against the public, published key. If the records match, this validates that the origin server of the email matches a valid sender for your domain. (Note that this is a ridiculously simplified explanation of private/public key paired encryption.)



Breaking Down DMARC

DMARC records are what tie your SPF & DKIM settings together. A DMARC record is basically a public request asking other email servers to treat spoofed email from your domain in a particular way: should spoofed email be rejected, or should it be flagged and accepted, etc.? It also allows external email servers to send reports back to your email server with info on how your domain is being used or abused.


Final Thoughts

If you prefer to learn via video, MDaemon Technologies has put out this great video breaking things down:


Please reach out to Technical Support for additional help with email issues or more information.

