DMARC, DKIM, SPF: Email Authentication Best Practices
Email attacks are on the rise, and several organizations have implemented different email authentication protocols like DKIM, SPF, and DMARC to help mitigate the risks of such incidents. To implement these protocols, you need to publish certain TXT records in your Domain Name System (DNS) settings.
However, simply configuring these protocols isn’t enough; you must follow the best practices to ensure optimal function and robust email security.
In this article, we’ll discuss the SPF, DKIM, and DMARC best practices.
SPF Best Practices
The Sender Policy Framework is an email authentication protocol that restricts who can send emails on your domain’s behalf. The protocol prevents domain spoofing by authenticating the source IP address of the email and comparing it to your authorized list of sending sources contained in your SPF record.
The SPF authentication protocol can work well when you properly configure it in your DNS. Below are some SPF configuration best practices.
Don’t Overcrowd the SPF Record
Keep your SPF record as simple as possible and don’t overcrowd it with authorized sending sources. Loading the record with too many hosts can cause evaluation errors that lead email receivers to ignore your messages, which hurts your sender reputation and deliverability rates.
Don’t Use the “+all” Mechanism
You should never use the “+all” mechanism in your SPF record. It tells receivers to accept any IP address that sends email on your domain’s behalf, including fraudulent ones, so we advise against it.
When you use the “+all” mechanism, your SPF record is essentially rendered useless, and any sender (including malicious actors) can deliver messages on your behalf. This can result in recipient servers blocking your domain altogether, thereby affecting your sender reputation.
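To make the two SPF rules above checkable, here is a small linter, added here as an example and not part of the original article or of any EasyDMARC tool. It parses an SPF TXT record without querying DNS, counts the terms that cost a DNS lookup (SPF allows at most 10 per evaluation under RFC 7208, after which receivers return a permanent error), and flags “+all”, a neutral “?all”, a missing “all” term, the deprecated “ptr” mechanism, and terms placed after “all” that are never evaluated. The sample records and the example.net hostnames are constructed.

```python
# Mechanisms and the redirect modifier each cost one DNS lookup; SPF caps a record
# at 10 such lookups (RFC 7208 section 4.6.4) before receivers return permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lint_spf(record):
    """Lint one SPF TXT record and return (lookup_count, findings).
    No DNS is queried, so lookups hidden inside include: targets are not counted."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return 0, ["record must start with v=spf1"]
    findings, lookups, all_seen = [], 0, False
    for term in terms[1:]:
        if all_seen:
            findings.append(f"'{term}' follows the all term and is never evaluated")
            continue
        if "=" in term:                       # modifier, e.g. redirect= or exp=
            if term.split("=", 1)[0].lower() == "redirect":
                lookups += 1
            continue
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        # strip the argument (':domain') and any CIDR suffix ('/24')
        mech = term.split(":", 1)[0].split("/", 1)[0].lower()
        if mech == "all":
            all_seen = True
            if qualifier == "+":
                findings.append("'+all' authorizes every sender; use -all or ~all")
            elif qualifier == "?":
                findings.append("'?all' is neutral and gives receivers nothing to enforce")
        elif mech in LOOKUP_TERMS:
            lookups += 1
            if mech == "ptr":
                findings.append("'ptr' is deprecated and slow; prefer ip4:/ip6: or include:")
    if not all_seen:
        findings.append("no all term; end the record with -all or ~all")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10 (permerror)")
    return lookups, findings


# Constructed sample records (example.net is a reserved documentation domain).
TIGHT = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
OPEN = "v=spf1 include:_spf.example.net +all"
BLOATED = "v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " ~all"

if __name__ == "__main__":
    for name, rec in [("TIGHT", TIGHT), ("OPEN", OPEN), ("BLOATED", BLOATED)]:
        lookups, findings = lint_spf(rec)
        print(f"{name}: {lookups} lookups; " + ("; ".join(findings) or "no findings"))
```

Run it against your own record before publishing a change; a nested include chain that the linter cannot see still counts towards the limit at the receiver, so resolve those by hand or with a DNS-aware tool.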
DKIM Best Practices
DKIM or DomainKeys Identified Mail is an email authentication protocol that allows an organization to prove the ownership of a message by signing it in a way that email receivers can validate. DKIM uses cryptographic authentication.
To deploy DKIM, you create one or more key pairs and publish the public keys in your DKIM DNS records so that email receivers can retrieve them to validate the signature. Follow the best practices below to configure DKIM properly.
Make DKIM Keys at Least 1024 Bits Long
Organizations should take this as their first rule for DKIM implementation: your DKIM keys should be at least 1024 bits long. Using 2048 bits is even more advisable, as it further strengthens your email protection.
The longer your DKIM keys, the more challenging it is for hackers to break them. DKIM keys configured with less than 1024 bits will be completely ignored, which can negatively affect your email security and sender reputation.
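The key-length rule can be checked directly from the published selector record, because the “p=” tag carries the public key as a base64-encoded DER SubjectPublicKeyInfo. The following is an added example, not the article’s or EasyDMARC’s code: it decodes that structure with a minimal hand-written DER reader (standard library only) and reports the RSA modulus size, and the thresholds follow RFC 8301 (verifiers must not accept keys under 1024 bits; signers should use 2048). The sample moduli are constructed numbers of the right bit length rather than real RSA keys, and the small encoder exists only to build those samples.

```python
import base64

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1 (rsaEncryption)


# --- minimal DER helpers, enough for an RSA SubjectPublicKeyInfo ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(value):
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:              # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def _read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the DER element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def rsa_spki_base64(n, e=65537):
    """Encode (n, e) as the base64 SubjectPublicKeyInfo a DKIM p= tag carries.
    Used here only to build constructed sample records."""
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    pub = _tlv(0x30, _der_int(n) + _der_int(e))
    spki = _tlv(0x30, alg + _tlv(0x03, b"\x00" + pub))
    return base64.b64encode(spki).decode()


def parse_dkim_record(txt):
    """Split 'v=DKIM1; k=rsa; p=...' into tags; whitespace inside p= is dropped
    because long keys are often published as several quoted TXT strings."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def dkim_modulus_bits(txt):
    """Walk SPKI -> BIT STRING -> RSAPublicKey -> modulus and return its bit length.
    Returns 0 for an empty p= (a revoked selector)."""
    tags = parse_dkim_record(txt)
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("only k=rsa keys are handled here")
    if not tags.get("p"):
        return 0
    _, spki, _ = _read_tlv(base64.b64decode(tags["p"]))
    _, _, pos = _read_tlv(spki)              # skip AlgorithmIdentifier
    _, bitstr, _ = _read_tlv(spki, pos)
    _, rsa_pub, _ = _read_tlv(bitstr[1:])    # first byte is the unused-bits count
    _, modulus, _ = _read_tlv(rsa_pub)
    return int.from_bytes(modulus, "big").bit_length()


def assess_dkim_key(txt):
    """Map the modulus size to the RFC 8301 guidance."""
    bits = dkim_modulus_bits(txt)
    if bits == 0:
        return "revoked"
    if bits < 1024:
        return "reject: verifiers must not accept keys under 1024 bits"
    if bits < 2048:
        return "acceptable: 1024-bit key, plan a move to 2048"
    return "recommended: 2048 bits or more"


# Constructed sample records: the moduli are just numbers of the right bit length,
# not real RSA keys, which is all a size check needs.
SAMPLES = {bits: f"v=DKIM1; k=rsa; p={rsa_spki_base64((1 << (bits - 1)) | 1)}"
           for bits in (512, 1024, 2048)}
SAMPLES["revoked"] = "v=DKIM1; k=rsa; p="

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, "->", assess_dkim_key(record))
```

Point `dkim_modulus_bits` at the joined TXT strings of `<selector>._domainkey.<domain>` to audit the keys you actually publish; the whitespace handling matters because a 2048-bit key does not fit in one 255-byte TXT string and is usually split.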
Rotate your DKIM Keys Regularly
It’s no news that the DKIM email authentication protocol leverages cryptographic digital signatures to prove the legitimacy of a message. Organizations should therefore change their DKIM keys regularly, making it harder for hackers to discover and exploit them.
Some organizations use DKIM keys they created several years ago, which isn’t a good idea. The more sensitive your messages are, the more often you should rotate your DKIM keys. Don’t use a single key for all your clients—ensure each client has a unique key.
DMARC Best Practices
DMARC or Domain-based Message Authentication, Reporting & Conformance is an email authentication standard that leverages SPF and DKIM while adding an extra layer of protection. DMARC validates the “From” address in each email, provides reporting mechanisms for valuable insights, and strengthens overall email authentication.
Organizations that haven’t deployed DMARC should get started now. At EasyDMARC, we’ve made the process easy for you with our suite of innovative tools, such as the DMARC Record Generator, which helps you create the TXT record you’ll include in your DNS settings.
You can also use our DMARC Record Lookup tool to check whether your domain has any DMARC records.
Below are some DMARC best practices you should follow to avoid any issues.
Get the Most Out of DMARC Reporting
When you deploy this protocol, you can get DMARC reports that provide insights into your email channel and the sources sending messages on your domain’s behalf. However, such reports come in XML format, so they’re hard to understand and analyze.
With EasyDMARC’s reporting tools like our DMARC Aggregate XML Reports Analyzer, you can quickly parse your DMARC reports in easily understandable language to identify and resolve issues efficiently, as well as:
- Maintain verified senders
- Monitor authentication results
- Instruct email receivers how to handle messages that fail authentication checks
- Detect and block suspicious IP addresses using your domain
This can improve your sender reputation and deliverability rate, so your messages consistently land in your recipients’ inboxes.
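An aggregate (“rua”) report is XML, but the fields that matter are few. The following added example, which is not the code of the EasyDMARC analyzer or of the article, parses a constructed report with the standard library, rolls it up per sending IP, separates the aligned verdict in `policy_evaluated` from the raw results in `auth_results`, and turns the difference into the action a domain owner would take. The report, its IP addresses and its hostnames are constructed; the element names follow the RFC 7489 aggregate report schema.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 appendix C format (not a real report;
# the IPs come from the reserved documentation ranges).
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name><report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bulk-mailer.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s1</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def diagnose(src):
    """Turn raw vs. aligned results into the action a domain owner would take."""
    if src["dmarc_pass"]:
        return "ok"
    if any(r == "pass" for _, r in src["raw_spf"]) and not src["spf_aligned"]:
        return "SPF passes for an unaligned domain: fix Return-Path alignment or add DKIM signing"
    if not src["raw_dkim"]:
        return "unsigned mail: add DKIM signing for this sender, or treat it as unauthorized"
    return "authentication fails outright: investigate the source or let the policy block it"


def summarize_report(xml_text):
    """Roll the report up per sending IP. A source passes DMARC when either the
    aligned DKIM or the aligned SPF verdict in policy_evaluated is 'pass'."""
    root = ET.fromstring(xml_text)
    pub = root.find("policy_published")
    summary = {"domain": pub.findtext("domain"), "policy": pub.findtext("p"),
               "total": 0, "passed": 0, "sources": []}
    for rec in root.findall("record"):
        row, ev = rec.find("row"), rec.find("row/policy_evaluated")
        src = {
            "ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim_aligned": ev.findtext("dkim") == "pass",
            "spf_aligned": ev.findtext("spf") == "pass",
            "raw_spf": [(s.findtext("domain"), s.findtext("result"))
                        for s in rec.findall("auth_results/spf")],
            "raw_dkim": [(d.findtext("domain"), d.findtext("result"))
                         for d in rec.findall("auth_results/dkim")],
        }
        src["dmarc_pass"] = src["dkim_aligned"] or src["spf_aligned"]
        src["hint"] = diagnose(src)
        summary["total"] += src["count"]
        summary["passed"] += src["count"] if src["dmarc_pass"] else 0
        summary["sources"].append(src)
    summary["sources"].sort(key=lambda s: s["count"], reverse=True)   # biggest senders first
    return summary


def failing_sources(summary):
    return [s for s in summary["sources"] if not s["dmarc_pass"]]


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']} p={s['policy']}: {s['passed']}/{s['total']} messages passed DMARC")
    for src in failing_sources(s):
        print(f"  {src['ip']} ({src['count']} msgs): {src['hint']}")
```

The third record is the case the report format exists to surface: SPF fails because a forwarder relayed the mail, but the aligned DKIM signature carries it, so the source needs no action. The second record is the one to chase, since a raw SPF pass for a different domain usually means a third-party mailer that sends for you but is not yet aligned.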
Pay Attention to DMARC Alignment
DMARC alignment adds a layer of security to your email channel by comparing the “From” header domain with the DKIM signature’s “d=” domain and the domain of the SPF Return-Path address. Each email’s identifiers must align so it can pass the SPF, DKIM, and DMARC checks. If you omit this configuration, your legitimate emails might be ignored or considered suspicious.
Go Through DMARC Enforcement Gradually
Organizations should follow the regular DMARC enforcement route. Don’t jump straight to the “p=reject” policy if you’re just starting with DMARC deployment. You should begin with “p=none”, which is the monitoring DMARC policy.
With this policy, you’ll receive DMARC reports about all your sending sources and authentication status.
Once you pass the monitoring stage, you can escalate your policy to quarantine, and finally, to reject.
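The alignment rules and the none/quarantine/reject rollout described above can be put together in one evaluation routine. The following is an added example, not the article’s own code: it parses a DMARC record, checks SPF and DKIM identifier alignment in relaxed (“r”) and strict (“s”) mode, and applies “p=” and “pct=” the way RFC 7489 describes (failing mail not covered by “pct” receives the next weaker policy). The three stage records and the two sample messages are constructed, and the organizational-domain helper is a last-two-labels approximation that a real verifier replaces with the Public Suffix List.

```python
def org_domain(domain):
    """Organizational domain, approximated as the last two labels. A production
    verifier uses the Public Suffix List so that e.g. example.co.uk is handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain under the same organizational domain."""
    if mode == "s":
        return header_from.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return org_domain(header_from) == org_domain(auth_domain)


def parse_dmarc_record(txt):
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


# Mail that falls outside the pct= sample gets the next less severe policy.
WEAKER = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def evaluate_dmarc(record, header_from, spf=None, dkim=(), sample=0):
    """Return (dmarc_result, disposition) for one message.
    spf:    (Return-Path domain, result) or None when no SPF check was possible
    dkim:   iterable of (d= domain, result), one entry per signature
    sample: 0-99, stands in for the receiver's random draw against pct="""
    tags = parse_dmarc_record(record)
    spf_ok = (spf is not None and spf[1] == "pass"
              and is_aligned(header_from, spf[0], tags.get("aspf", "r")))
    dkim_ok = any(res == "pass" and is_aligned(header_from, d, tags.get("adkim", "r"))
                  for d, res in dkim)
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    if sample >= int(tags.get("pct", "100")):    # RFC 7489 section 6.6.4
        policy = WEAKER[policy]
    return "fail", policy


# Constructed records for the three rollout stages (example.com is a documentation domain).
STAGES = {
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.com",
    "quarantine": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-rua@example.com",
    "reject": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-rua@example.com",
}

# Constructed messages: a spoof with no aligned authentication, and a legitimately signed
# message that was forwarded (SPF fails at the forwarder) with a subdomain in the From header.
SPOOF = dict(header_from="example.com", spf=("unrelated.example.net", "pass"), dkim=[])
FORWARDED = dict(header_from="news.example.com", spf=("example.com", "fail"),
                 dkim=[("example.com", "pass")])

if __name__ == "__main__":
    for stage, record in STAGES.items():
        print(f"{stage:10s} spoof -> {evaluate_dmarc(record, **SPOOF)}   "
              f"forwarded -> {evaluate_dmarc(record, **FORWARDED)}")
```

Running the two messages through the three stages shows why the gradual route matters: the spoof is only blocked once the policy reaches quarantine or reject, while the forwarded subdomain mail passes under relaxed alignment but fails as soon as “adkim=s” is switched on, which is exactly the kind of breakage the monitoring phase is meant to reveal before enforcement.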
Don’t Ignore the “Parked” Domains
Some organizations believe that DMARC deployment is only valid for domains that are active and sending emails, but this isn’t the case. Hackers can spoof any domain, whether active or not. So don’t ignore domains or subdomains without email traffic.
Configure DMARC for these domains too, so that email receivers can verify their authenticity. Otherwise, hackers can exploit them for cybercrimes, which can spoil your domain’s reputation, business reputation, and credibility.
Bonus Tip: Keep Monitoring After Reaching Compliance
Organizations must remember that reaching DMARC compliance doesn’t mean you can relax and sleep with two eyes closed—this is just the beginning of your email security. Even if you set your policy to “reject”, you need to consistently monitor your email channel for any changes, red flags, or configuration issues.
DMARC email authentication can help protect your domain from BEC, spoofing, and other phishing attacks. However, this is only possible with proper DMARC configuration. Since DMARC can only be effective with SPF and DKIM protocols in place, correct deployment of these standards is essential.
Follow the best practices for deploying SPF, DKIM, and DMARC policies for the utmost email protection and security.