SPF and DKIM Explained Red Sift

SPF and DKIM: what they are, how they work, why they matter

Without SPF and DKIM, DMARC simply wouldn’t work. But what are these email security protocols, how do they work, why do they matter, and how can you see if yours are set up correctly? In this blog, we’ve unpacked these questions to help you understand these two vital email authentication standards better.

While SPF and DKIM are key email security protocols to configure – and are vital to successful DMARC implementation – implementing these alone (without DMARC) does not protect you from email impersonation/email spoofing. Your domain is only fully protected once DMARC is implemented at p=reject.

What is SPF?

SPF stands for Sender Policy Framework. It’s an email authentication protocol that acts as a whitelist, outlining the senders authorized to send emails on your behalf. Its aim is to prevent email forgery.

Sender Policy Framework (SPF) is an email authentication protocol that acts as a whitelist, outlining the senders authorized to send emails on your behalf. Its aim is to prevent email forgery. It works by allowing domain administrators to specify which mail servers are permitted to send emails on behalf of their domain, using SPF records in DNS. The implementation of SPF enhances email security by reducing spam and improving deliverability. Although effective, SPF has limitations, such as not verifying the email’s header address, and is often used in conjunction with other technologies like DKIM and DMARC for comprehensive email security.

How does SPF work?

Your SPF record outlining all senders (IP addresses) authorized to send emails on your behalf is stored in your Domain Name System (DNS) as a TXT (text) record. When an email is sent using your domain, the receiving mail server/DNS checks this record to see if one of the IP addresses matches. If it does, then the receiving sender knows it’s from a legitimate source, and the email is authorized to land in the recipient inbox.

It’s worth noting that the receiving server only checks your SPF record if it supports the Sender Policy Framework protocol.

What is an SPF record?

Your SPF record is a TXT record that outlines which senders (IP addresses) are authorized to send emails using your domain. This is stored in your DNS. 

What is an SPF include statement? 

An SPF include statement is a statement you can add to your SPF record which points the DNS receiving your email to another SPF record, and explains that any IP addresses included in this additional record are also authorized to send on your behalf. 

What is an SPF lookup? 

An SPF lookup is when the DNS receiving your email has to ‘look up’ the IP addresses present in any of the include statements within your record, to check if they match with the IP sending your email. 

What is the SPF lookup limit?

The SPF lookup limit is the number of times a recipient DNS can carry out a lookup for a domain, this is capped at 10.

You can add as many singular IP addresses to your record as you like, as because they’re clearly visible in your record, the receiving DNS doesn’t have to do any extra work to find them, so checking them doesn’t count as a lookup. 

But this isn’t the case for include statements, and the number of IP addresses an include has equals the number of lookups the receiving DNS has to carry out. This contributes to your maximum total of 10. 

So for example, you might have 3 IP addresses listed in your SPF record as they are, an include statement for Google (which contains 4 IP addresses) and an include statement for Mimecast (which contains 6). The receiving DNS doesn’t need to carry out lookups for the visible IPs, but it does for the Google and Mimecast include statements. So in this case, you’ve reached your total of 10.

An example SPF record
An example SPF record

How can I overcome the SPF lookup limit?

In reality, 10 lookups aren’t enough, because most businesses use a number of tools that send emails on their behalf. These will all have their own include statements, which will include IP addresses, and so will require lookups. If you go over the limit, then you’ll likely fail authentication and your deliverability will suffer.

OnDMARC provides a reliable Dynamic SPF tool, which enables you to safely overcome the lookup limit, you can find out more about how it works here.

Why is SPF important?

SPF is a vital building block for both email security and deliverability. With businesses using a number of different tools to send email, receiving servers need some way of verifying that these are in fact authorized senders. While it’s not perfect, and full DMARC implementation is what’s needed to truly combat exact domain impersonation, SPF is a necessary step to enabling this.

What is DKIM?

DKIM is another essential protocol for robust email security. It stands for DomainKeys Identified Mail, and its primary purpose is to ensure that the email you’re sending hasn’t been modified.

How does DKIM work

DKIM works by signing the header and body of the email being sent. It uses cryptography, namely public and private keys. The private key is only visible to your (the sender’s) domain and is used to sign the emails. 

The public key is published in your DNS. This public key can then be retrieved by any receiving mail server, as long as it has DKIM enabled. If this matches up with the signature on the email, then this proves the email hasn’t been tampered with. 

What is a DKIM signature?

A DKIM signature is the private key attached to an email that confirms it’s come from you. 

Is DKIM necessary for secure email? 

Yes, DKIM is an essential security protocol that enhances your outbound email protection and is an essential part of the DMARC verification process. 

What do SPF and DKIM have to do with DMARC?

DMARC is an authentication protocol that protects against exact domain impersonation (spoofing), driving down phishing attacks. SPF and DKIM are vital components of the DMARC verification process because they provide the signals for DMARC to confirm whether an email is from an authorized – or fraudulent – source. 

SPF and DKIM are vital email security protocols and should always be correctly configured. However, a strong DMARC policy of p=reject is the only way businesses can secure their domain(s) against impersonation attacks. SPF and DKIM implemented alone cannot do this.

How do I check my SPF, DKIM, and DMARC setup?

So we’ve established that SPF and DKIM are essential measures for your email security posture, but what now? At Red Sift, we aim to make email security as easy and accessible as possible, which is why we created our free Investigate tool. This is a free tool that lets you check your SPF, DKIM, and DMARC setup all in one go. Why not give it a try?


Sabrina Evans

2 Sep. 2021



Recent Posts


The best tools to protect yourself from SubdoMailing

Francesca Rünger-Field

In late February 2024, ‘SubdoMailing’ became a trending search term overnight. Research by Guardio Labs uncovered a massive-scale phishing campaign that had been going on since at least 2022. At the time of reporting, the campaign had sent 5 million emails a day from more than 8,000 compromised domains and 13,000 subdomains with several…

Read more
Product Release

Red Sift’s Spring 2024 Quarterly Product Release

Francesca Rünger-Field

This early into 2024, the cybersecurity space is already buzzing with activity. Emerging standards, such as Google and Yahoo’s bulk sender requirements, mark a new era of compliance for businesses reliant on email communication. At the same time, the prevalence of sophisticated cyber threats, such as the SubdoMailing campaign, emphasizes the continual hurdles posed…

Read more

Navigating the “SubdoMailing” attack: How Red Sift proactively identified and remediated a…

Rebecca Warren

In the world of cybersecurity, a new threat has emerged. Known as “SubdoMailing,” this new attack cunningly bypasses some of the safeguards that DMARC sets up to protect email integrity.  In this blog we will focus on how the strategic investments we have made at Red Sift allowed us to discover and protect against…

Read more

Where are we now? One month of Google and Yahoo’s new requirements…

Rebecca Warren

As of March 1, 2024, we are one month into Google and Yahoo’s new requirements for bulk senders. Before these requirements went live, we used Red Sift’s BIMI Radar to understand global readiness, and the picture wasn’t pretty.  At the end of January 2024, one-third of global enterprises were bound to fail the new…

Read more