Improve Outbound Email with SPF, DKIM, and DMARC

“Oh sorry, I missed your email. It got dropped into my SPAM folder for some reason.”

Ski Mask, by Dave Wasson

Isn’t that frustrating? All you did was send over a proposal and it got dropped into the SPAM folder. Perhaps it was word choice, perhaps you ended up on a list somewhere, or perhaps you are not doing your part to elevate the confidence of your emails leveraging the tripod of email security frameworks known as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

I started experimenting with these years ago noting that there are several vendors who will happily do this for you—and by the way, their products are pretty awesome. Given that I’m running this individually, I wanted to see how hard it was to set up and manage. With a few tools, some I wrote, it turns out to be pretty simple!

Here’s a quick review of what these three frameworks are and how they work together:

  • SPF allows domain owners to define the valid mail servers authorized to distribute their email. Meaning, if an email from your domain comes from, and you didn’t specifically authorize as someone who can send email from your domain, look at that email suspiciously.
  • DKIM creates a digital signature on some of your email headers so receiving servers can cryptographically authenticate those headers as valid and original. Headers typically signed are From, To, Subject, and Date.
  • DMARC is the enforcement leg of the tripod and tells remote servers how to handle emails that fail SPF or DKIM checks. Remote servers can choose to ignore this policy, but most will follow your lead.

Once you get SPF and DMARC set up, you can pretty much set those and forget them unless you make changes to your outbound email infrastructure. Don’t forget to make those changes to your DNS records!

DKIM, however, requires periodic key rotation. If you manage a lot of domains, that can be a pain to do. I wrote a quick script to do all that automatically, to the point where it can be thrown in a cron job without even thinking about it. Also, for some more details on how all this works together, check out this presentation I gave a couple of years ago.

Possibly Related Posts:

*** This is a Security Bloggers Network syndicated blog from Branden R. Williams, Business Security Specialist authored by Branden Williams. Read the original post at:

Avatar photo

Branden Williams

Dr. Branden R. Williams has more than twenty-five years of experience in business, technology, and cybersecurity as a consultant, strategist, and executive. Dr. Williams has experience working for the largest and smallest institutions as an entrepreneur, practitioner, and advisor. His specialty is navigating complex landscapes—be it compliance, security, technology, or business—and finding innovative solutions that promote growth while reducing risk. He is a practitioner and advisor for the operation, engineering, and management of IT and IS tools. He’s held several executive roles in the industry and served on both the PCICo and EMVCo boards.

branden-williams has 22 posts and counting.See all posts by branden-williams