What is DMARC, DKIM and SPF email authentication?

DMARC, DKIM and SPF email authentication records in DNS specify which service providers are authorized to send email for your business. Recently Microsoft and Google decided their email services require updated DMARC and DKIM records for your emails and newsletters to be delivered.

Old School SPF record

SPF, or Sender Policy Framework, was the original email authentication record, developed back in 2005. Previously most email newsletter services and email providers only required an SPF text record in DNS to authenticate sending. The example below shows an SPF record for Microsoft Exchange Online plus the information required to send newsletters from Campaign Monitor.

I created this record for a client when we moved them to Cloudflare for their DNS servers. Cloudflare supplies the useful notes feature to each DNS record so you can track details like why you created the record and when. As I have updated clients’ DNS records I have found all kinds of old records and odd records where I could have used such information. If your DNS server company doesn’t have such a feature, I recommend you download your records into a spreadsheet and add those details for future reference.

Microsoft mandates DKIM

Microsoft recently mandated DKIM records if you use Exchange Online for your business email. You might have received a notification like the one below in Outlook and/or the service health section of the M365 admin centre.

Google also requires DKIM records for bulk email senders (a newsletter service like Mailchimp or Campaign Monitor) starting February 2024. The format of these records depends on your email service. The DKIM record requirement for Microsoft is different from Google's, for example. You can’t just copy and paste something you find on the internet. Further, some DNS server companies have limitations on what you can input into the record fields, which can also cause problems. I moved several clients from one DNS provider to another in order to get the right output.

Even after you set up the DKIM records for Exchange Online you have to take an extra step to authorize it in Microsoft 365.

What is a DKIM record?

A DKIM record is a type of CNAME (or canonical name) record in DNS. DKIM stands for DomainKeys Identified Mail. Usually there are two records for your email service provider and possibly two records for your email service. If you have a store as part of your web site, like mystore.mybusiness.ca, you will have to create records for the subdomain mystore.mybusiness.ca as well as for mybusiness.ca.

The above picture shows an example of the two DKIM records required for Exchange Online for the example domain mybusiness.ca.

What is DMARC?

DMARC stands for Domain-Based Message Authentication Reporting and Conformance. DMARC is a TXT record that sets out a policy for how to handle emails sent from a domain and provides reporting. Think of DMARC as parsing the SPF and DKIM records to decide whether an email is authentic.
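The decision described above, sketched as an added example (not code from the original post or from any mail provider): a simplified DMARC check that takes the SPF and DKIM results and tests whether either authenticated domain aligns with the From domain. The record, the `.example` domains and the two-label `org_domain` shortcut are assumptions made for illustration; real receivers use the Public Suffix List and also honour tags such as `pct`.

```python
# Added example: simplified DMARC evaluation (RFC 7489 identifier alignment).
# All domains and the record below are constructed sample values.

def parse_dmarc(txt):
    """Split a DMARC TXT value into a tag dict; reject records not starting with v=DMARC1."""
    pairs = [p.split("=", 1) for p in txt.split(";") if "=" in p]
    tags = {k.strip().lower(): v.strip() for k, v in pairs}
    if not txt.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        raise ValueError("not a valid DMARC policy record")
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels. Real
    # receivers consult the Public Suffix List (needed for e.g. co.uk).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(record, from_domain, spf, dkim):
    """spf / dkim are (result, authenticated_domain) tuples from earlier checks.
    Returns 'pass' or the disposition the domain owner's policy requests."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    # Subdomains use sp= when present, otherwise p=.
    is_sub = from_domain.lower() != org_domain(from_domain)
    return tags.get("sp", tags["p"]) if is_sub else tags["p"]

RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@mybusiness.ca"  # constructed

# Newsletter: SPF passes for the service's own bounce domain (not aligned),
# but the message carries a DKIM signature for mybusiness.ca, so DMARC passes.
newsletter = evaluate(RECORD, "mybusiness.ca",
                      spf=("pass", "bounces.newsletter-service.example"),
                      dkim=("pass", "mybusiness.ca"))
# Unaligned mail: SPF passes only for the sender's own domain, no signature.
forged = evaluate(RECORD, "mybusiness.ca",
                  spf=("pass", "mail.other-sender.example"),
                  dkim=("none", ""))
print(newsletter, forged)  # pass quarantine
```

The newsletter case shows why a sending service needs its own DKIM records on your domain: its SPF pass alone does not align with your From address.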

Google now requires DMARC for bulk senders. More details on the Google requirements for all senders here.

Below is an example of a DMARC record.

You need these DNS records updated so receiving email servers don’t block your emails or mark them as spam. You can’t copy and paste the above examples. For correct DMARC, DKIM and SPF email authentication you need to tailor these records for your email service provider and newsletter service. For more on this, read Why Does Your Business Email End Up In Spam?