Email authentication standards: DKIM and SPF - which one should you use?


The topic of how to best protect your email domains has been keeping many awake at night for years. Because we all already know that email protection is necessary and almost the most important among all precautions. Today, I am going to cover the email authentication standards topic. I will introduce DKIM and SPF terms, and when you should use them. 

Domain Records

Have you ever asked yourself who directs your internet traffic? The answer is: on the domain records. They inform the internet of the location that it should send the traffic to your internet. So far the most common records are the A records, C name records, NS servers records, and MX records. In other words, domain name records serve as a contact book for the internet that keeps individual addresses. The distinctions are based on the conversion of human language to a machine language known to computers in the form of IP addresses. For instance, you may not have memorized the numbers of people in your phonebook, yet you know their names, you will only look for the name and the number pops up. That is how domain records work for the internet. Therefore, when you search for a site in your browser, your gadget will employ domain records to identify the domain’s IP address. 

MX Records

MX is short for Mail Exchange record. It is responsible for the identification of the individual servers that receive emails for the domain names. In other words, it is the MX records that are important in the email delivery to your address. To put it plainly, the MX records are used to inform the world mail servers that accept mail for a particular domain and also show where emails sent to the domain are routed. Therefore, an MX record is an entry in the DNS that guides the sending server on where to send the email. If you look at the MX records, find the button “Go to start”, then select “Run and type cmd”. You will be prompted to the text box, where you should type 'nslookup' and hit 'Enter'. It will prompt you to type in your domain name. At this point, your MX record will be displayed after hitting 'Enter'. For identification purposes, the MX records would appear as follows: domain name.com1200inMX0mail For the record, you do not need an MX record to send emails. It directs the emails and not where they come from.

SPF Key and its Details

Spammers are all over the internet. They can endeavor their activities by sending spam emails on behalf of a domain. To prevent the vice, SPF is used to authenticate emails. Therefore, an SPF is a technique employed to cushion domains from unverified emails purported to have been sent on their behalf. Additionally, with SPF utilization, a firm can list down verified and valid email servers. Originally, the SPF was known as 'Sender Permitted From', however with time it changed to 'Sender Policy Framework'. Nevertheless, the world has witnessed tremendous advancements in SPF resulting in other versions such as DMARC and DKIM. SPF still plays an important role in the determination of email DMARC compliance. In this case, one of the importance of the SPF record is that it prevents email forgeries, so by adding SPF to your domain you are protected from others intruding on your domain. How SPF works is that the SPF compares the incoming mail servers with the details of outgoing mail servers. If it notes any mismatch and discrepancies, it filters them and, at the same time, marks them as unauthorized hence rejecting them or just marking them as spam. There are several tools to use to accomplish it and make your email secure. For instance, if your domain has an SPF key, Sailing Byte monitors will help you a big deal. The main information that the SPF keys contain is the list of all authentic IP addresses that can send emails on behalf of your domain. It also contains the servers associated with your domain regarding mail sending and incoming mail.

DKIM and the Information it Contains

This is yet another email authentication key that detects unverified emails and marks them as spam or unauthorized. In the real sense, it is designed to identify mail that originates from a forged sender’s address. For the DomainKeys Identified Mail to achieve its objective of identifying forged mail addresses, it uses a concept known as Digital Signature affixation. It is linked to the domain for every email that is sent out. The digital signature is a part of identification from the receiver’s side. By verifying the signature on the email received they can confirm the authenticity of the email as validly sent from the sender or a particular domain. On the other hand, it is proof that the email contents have not been tampered with since the signature affixation has been included. To make it more secure, digital signatures in DKIM are not visible to both the sender and the recipient. Therefore, DKIM allows the endorsement of a message by a signature and gives a platform for the sending organization to share information as to which emails are authentic or legitimate. However, it does not single out abusive behavior or disclose it. Tentatively, DKIM also relays a process by which one can verify a signed message. The importance of DKIM at an organizational level is to form the basis of claiming responsibility for email messages sent out by the use of Public Key Cryptography. The major information therein is the digital signature included in the systems. On the other hand, a DKIM signature is a form of a header that is included in the mail message. The information in the header included the tag value parts like 'd⁼' in the case of the signing domain and 'b₌' for the actual signature. There are two main cryptographic hashes. One is meant for the specified header and the other for the message mail body while the header has information about how the email signature was generated. An SPF record comprises version numbers that are preceded by strings that include modifiers, mechanisms, and qualifiers.

How Hackers Can Use a Domain without SPF or DKIM to Forge Emails

As previously mentioned, the objective of the SPF records is to verify emails from both the recipient side and the sender’s side. The absence of the SPF and DKIM records simply means that your domain is at risk of being attacked by a hacker. First and foremost, it is a good ground for hackers to convert your authentic emails to spam, and at the same time, they are easily forged. For this reason, having an SPF record for your domain is for security reasons and a means of email verification. It will be easier for them to send email messages that purport to be from your domain and appear as if sent from an authentic server. By encrypting a digital signature, hackers possibly cannot send emails on your domain's behalf, and then, again, the encryption cannot be forged hence securing your email not marked as spam. However, you can use Sailing Byte if your domain has DKIM or SPF. It has a panel that can easily generate both DKIM and SPF. Nevertheless, there are many ways a hacker can pretend to be you. When they want to impersonate your emails they will use one of the free online SMTP servers and then modify it in their desired way in the ‘FROM’ field that sends it. Once the receiver replies, it will go to the authentic sender but the hacker’s main objective is for you to click on the link and follow the prompts that come with the unauthentic mail. To help you be identified by mail, the digital signature is imperative which can only be possible by the SPF key for easier recognition and validation by the receiver.


It is important to use SPF and DKIM more, especially if you are an organization that sends commercial transactional details via mail. It is crucial to have SPF and DKIM to maintain a good relationship with your clients. Thanks to that they can perceive you as a serious business partner who keeps them away from loss and inconvenience caused by spoofing and scammers. Particular mail managers and administrators may have their own rules and regulations. However, if you are a serious organization with standard email protocols, SPF and DKIM are an integral part of your business operations. Understanding the security and authenticity of systems is part of understanding the needs of a domain name and all that domains incorporate. You can rely on Sailing Byte for more help in not only securing your domain but also all that relates to domain systems. Book a call to discuss your specific case.




Łukasz Pawłowski

CEO of Sailing Byte

I am running Sailing Byte - a Software House that focuses on Laravel and React, but doesn't constrain to it; we have also done projects using C#, Unity, Flutter, SwiftUI and other. My role is to organize and deliver software using Agile methods - by providing experience and technical knowledge and proper set of tools to cooperate with our clients.

During our journey I have met all kind of great people, who also took part in our success - both our clients and business partners who are part of our success and who also helped us to elevate Sailing Byte as polish software house, that is providing quality development not only in eastern Europe, but also UK and USA.

Suggested Posts

Let's talk