the Bento growth platform

DMARC, SPF and DKIM Simplified

Thoughts by Alyssa Jean • Writer Bento

In Email Marketing, ensuring your emails hit the inbox stage without a hitch is crucial. This is where the trio of DMARC, SPF, and DKIM takes the spotlight, acting as the guardians of your email's integrity and deliverability.

But don't let the acronyms intimidate you; think of them as the trusty tools that keep your emails safe and sound, ensuring they reach your audience just as you intended.

DMARC: The Bouncer

Imagine DMARC as a bouncer you hire at the club (a club called Gmail and Yahoo), deciding the fate of your emails based on the rules you set. DMARC checks if your email has passed the SPF and DKIM checks (more on these soon) and then follows your instructions on what to do if the checks fail. It's like telling the bouncer to give a warning, send the guest away, or let them in but keep an eye on them.

Actionable Steps:

  1. Understand Your Policy Options:
    • None: The bouncer observes and reports but takes no action.
    • Quarantine: The bouncer puts the questionable emails in a corner to review (aka the spam folder).
    • Reject: The bouncer turns away the emails that fail checks. The recipient will never see them. Good option for enterprises.
  2. Set Up DMARC:
    • Publish a DMARC record in your domain's DNS settings.
    • Start with a None policy to monitor your emails without impacting delivery.
    • Gradually adopt a stricter policy based on the insights you gather.

We recommend using this generator by DMARCIAN to create your DMARC policy. It's got a nice questionnaire.


SPF is like your club's exclusive guest list. It's a way to tell email servers which 'guests' (email servers) are allowed to send emails on your behalf. When an email arrives at its destination, the receiving server checks this list.

If the sender isn't on your list, the email could be turned away or marked as suspicious (per the instructions you gave the bounder).

Actionable Steps:

  1. Create Your Guest List:
    • Set up an SPF record in your DNS that lists all the servers and services allowed to send emails for your domain.
  2. Keep It Updated:
    • Regularly review and update your SPF record to include any new email services you use.

If you use Bento, we handle this automatically based on the records you generate in your account.

DKIM: The Verified ID

DKIM is your way of attaching a verified ID to your emails, proving they're genuinely from you and haven't been tampered with along the way. It's like giving your emails a seal of authenticity that the recipient's email server can check.

Or, using our bouncer analogy, it's like a drivers license.

Actionable Steps:

  1. Set Up Your ID System:
    • Generate a DKIM key pair and add the public key to your domain's DNS records.
    • Ensure your email service is attaching the DKIM signature to your outgoing emails.

Again, if you use Bento we'll generate these for you.

Once you've set the stage with DMARC, SPF, and DKIM, the next crucial step is to keep a vigilant eye on the performance and security of your emails. This is not a set-it-and-forget-it scenario; it's about continuously adapting and enhancing your defenses based on real feedback.

  1. Review DMARC Reports: DMARC reports are like detailed feedback from your audience. They tell you how your emails are being perceived and treated by different email servers.

    What to Look For:

    • Delivery Issues: Are a significant number of your emails not reaching inboxes or landing in spam? This might indicate issues with your SPF or DKIM setup.
    • Sources of Failure: Are emails failing SPF or DKIM checks? Determine if these failures are from your legitimate email sources or unauthorized sources.
    • Geographical Anomalies: Are your emails being sent from unexpected locations? This could be a sign of email spoofing or compromise.
  2. Adjust Based on Insights: The insights from your DMARC reports are actionable. They guide you on where to tweak your settings to enhance the security and deliverability of your emails.

    Actionable Steps:

    • Refine Your SPF Record: If legitimate emails are failing SPF checks, ensure that your SPF record includes all authorized sending IPs and services.
    • Review DKIM Signatures: If emails are failing DKIM checks, ensure that your DKIM signatures are correctly configured and that your email service is signing emails properly.
    • Strengthen DMARC Policy: If you notice unauthorized use of your domain, consider moving from a p=none policy to a more protective p=quarantine or p=reject policy, based on your comfort level and the maturity of your SPF and DKIM setups.
  3. Stay Proactive with User Feedback: Beyond automated reports, direct feedback from your recipients can provide invaluable insights. Tools like SurveyMonkey integrated into your emails can help gather user experiences and perceptions, offering a direct line to understand how your audience interacts with your emails.

Regularly monitoring these protocols and adapting based on real-world insights ensures your emails not only reach your audience but also uphold the integrity and trust of your brand.