
SPF (Sender Policy Framework)

SPF is an email authentication standard that allows domain owners to specify which mail servers are authorized to send emails on their behalf. An SPF record is a DNS TXT record that lists the IP addresses and/or hostnames that may send mail for a domain.

How it works: When a receiving mail server gets a message, it looks up the SPF record published in the DNS of the sender’s MAIL FROM domain. Then, the connecting IP address is compared against the authorized senders listed in that record. If the IP matches, SPF passes; if it doesn’t, SPF fails.

Why it matters: SPF makes it harder for attackers to spoof your domain by sending mail from unauthorized servers.

If your domain has no SPF record: Create a DNS TXT record with the following value, replacing example.com with your domain:
v=spf1 include:relay.mailchannels.net ~all
If your domain has an SPF record: Add include:relay.mailchannels.net to the existing record. For example, if your current record is v=spf1 include:example.com ~all, update it to:
v=spf1 include:example.com include:relay.mailchannels.net ~all
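
The lookup-and-compare flow described above, as an added example (not MailChannels code): a Python evaluator for a subset of SPF (ip4, ip6, include, all). The TXT table is constructed, and the 192.0.2.0/24 range is a documentation network standing in for the real contents of relay.mailchannels.net.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups. The ip4 range is a documentation
# network (RFC 5737), NOT the real contents of relay.mailchannels.net.
TXT = {
    "example.com": "v=spf1 include:relay.mailchannels.net ~all",
    "relay.mailchannels.net": "v=spf1 ip4:192.0.2.0/24 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, txt=TXT, depth=0):
    """Evaluate a subset of SPF (ip4, ip6, include, all) for a connecting IP."""
    terms = (txt.get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # no SPF record published
    if depth > 10:                         # guard against include loops
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                    # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            matched = addr.version == net.version and addr in net
        elif name == "include":
            # include matches only when the included record yields "pass";
            # a "fail" inside the include does not end evaluation out here.
            inner = check_spf(ip, value, txt, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"
        else:
            continue                       # a, mx, exists, redirect=: not handled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # no term matched
```

With the `~all` record shown above, an IP outside the included ranges evaluates to softfail rather than fail.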

DKIM (DomainKeys Identified Mail)

DKIM is an email authentication standard that uses public key cryptography to sign emails from your domain.

How it works: The sending mail server adds a DKIM-Signature header to each outgoing message, containing a cryptographic signature generated from selected headers and the message body using a private key. The receiving server fetches the matching public key from a DNS TXT record at <selector>._domainkey.<domain> and uses it to verify the signature. A valid signature proves that the message was authorized by the domain owner and that the signed content has not been altered in transit.

Why it matters: It verifies that the email came from the specified domain, and prevents tampering with certain headers and the message body.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC is an authentication standard that tells recipients what to do in the case of an email that fails SPF and DKIM checks. It provides senders with a way to publish policies in their DNS records that specify how to handle unauthenticated emails.

How it works: DMARC specifies two things: alignment and policy. Alignment requires that the domain validated by SPF or DKIM matches the domain in the From: header. This prevents a nefarious actor from passing SPF/DKIM for one domain, and displaying another in the recipient’s inbox. Policy, published as a DNS TXT record, tells receivers what to do with messages that fail alignment.

Why it matters: SPF and DKIM on their own don’t protect the From: address the recipient sees. DMARC closes that gap.

Consequences of not configuring SPF, DKIM, and DMARC

Without SPF, DKIM, and DMARC, your emails will be marked as spam, or rejected entirely by receiving servers. This means poor deliverability and a poor sender reputation. Gmail requires DKIM for domains sending more than 5,000 messages per day. Yahoo and Microsoft have similar requirements.

MailChannels’ requirements

SPF, DKIM, and DMARC are not explicitly checked as part of the sending process. We will attempt to deliver your mail regardless of your adherence to these standards. If you want your message to be received, you must have SPF, DKIM, and DMARC configured correctly.