Back to Basics: SPF & DKIM

Some of the most effective tools in an email marketer’s arsenal are the “set it and forget it” type. Account settings, preferences, subscription handling.

Ensuring you’ve set up an authenticated (or delegated) domain as part of your email marketing system is another item on that list.

I was reminded of this after seeing a post at about forging better relationships with IT; these are definitely a couple setup pieces where you will need help from IT if you (like many marketers) don’t have administrative access to the back-end of your web domain.

And I was reminded again, when our docs manager sent out a note this morning that, after a spike in client requests, our support documentation on authenticated domains has been updated (existing MessageFocus clients can view that here).

What’s an authenticated domain, and why should you care?


Anti-spam algorithms have become so good over the years, it’s easy to forget there are some very basic actions we can take to give the robots a very clear signal that, content aside, we are who we say we are, and we are sending legitimate messages.

In its simplest terms, setting up SPF and DKIM for your domain means you are establishing clear links between your domain, your email service provider and your email messages.

If you’ve recently changed ESPs, or have set up a new domain associated with your campaigns, it’s worth checking that you’ve got SPF and DKIM set up for your emails.

Sender Policy Framework (SPF)

The first step is to add an SPF (and/or, more recently, Sender_ID) record to your domain.

It allows your emails to come from, rather than from (for example, non-authenticated MessageFocus clients will have their from address appear as ‘’).

This is where your IT team comes in. They will need to add an exception for your ESP in your DNS record (a 1-line-of-code, 5-minute task; bring your web admin a coffee, and it’ll be updated before they’re half done their cup), which the spam-checking robots then reference to see if an email’s ‘From’ address is genuine, or has been forged.

Your ESP should then have instructions on how to add that domain to your sending list in your campaign interface.

DomainKeys Identified Mail (DKIM)

This takes authentication to the next step, and attaches a ‘signature’ to the message in your emails (not what we usually think of as a signature, this one is in the message code itself) associating the message with the sending domain. It does this through a private/public encryption, where your message is appended with a private key, and decoded with a public one that gives the authentication the “all-clear.”

It all comes down to reputation

Both under the banner of delegated or authenticated domains, SPF is how you indicate that your From Address is indeed associated with your company, and DKIM takes it to another level, showing your email message itself is truly associated with that From Address.

Of course, sending relevant, anticpated messages to a clean, opted-in list is the best way to keep your sender reputation clean. But it’s also important to remember the back-end fundamentals of showing the robots, as well as your readers, that you belong in the inbox.

View All Resources »