
Hey There! Let's Set Up SPF, DKIM, DMARC and BIMI to Keep Your Emails Out of The Spam Box

Email is the lifeblood of business communication. But with all the spam and spoofing attacks out there, your messages can sometimes end up in the dreaded spam folder!

Not cool at all.

As a fellow tech geek, I totally get your frustration. You've worked hard to build your brand and don't want important emails flagged as untrusted.

The good news is there are tried and tested protocols that can help. Implementing SPF, DKIM, DMARC, and BIMI improves deliverability and establishes trust.

In this comprehensive guide, I'll equip you with everything needed to get these set up right.

Here's what we'll cover:

  • How each protocol works to authenticate your emails
  • Checking your current email authentication status
  • Steps to configure SPF, DKIM, DMARC, and BIMI records
  • Tools to analyze reports and monitor success
  • Fixes for common issues that crop up

Let's get you sendin' those emails, shall we?

Understanding Email Authentication Protocols

First things first, a quick overview of what each protocol does behind the scenes:

SPF: "Yup, We Know and Trust This Sender"

SPF verifies that the servers sending emails are authorized to do so by the domain owner (which is you!).

It works by checking the IP address of the connecting mail server against the list of approved senders you publish in DNS. That makes it much harder for anyone else to spoof your domain.

DKIM: "This Email is Legit & Untampered"

DKIM digitally signs your outbound emails to prove the messages are authentic and unmodified during transit.

It does this by adding a DKIM-Signature header carrying a cryptographic signature, which recipients verify against the public key you publish in DNS.

DMARC: "Let's Double Check SPF & DKIM"

DMARC provides an overall domain-level authentication check by combining SPF and DKIM results.

It also gives you useful reports to improve configurations and enforcement options like sending failed emails to spam or rejecting them entirely.

BIMI: "We See Their Logo, Let‘s Trust This Email"

BIMI displays your company logo prominently in the inbox when an email is verified.

This visual indicator builds trust so your emails are more likely to be opened and read.

While SPF and DKIM work at the server level, DMARC and BIMI operate at the domain level to improve visibility and control.

Implementing all four provides layered protection against spoofing, tampering, and impersonation – resulting in higher inbox placement rates.

Checking Your Email Authentication Status

Before we start changing any settings, let's check whether SPF, DKIM, DMARC and BIMI are already configured for your domain:

I recommend using the Google Admin Toolbox for this test. Just pop your domain name in there and hit the big blue button!

It'll spin for a few seconds and then give you a nice overview:

[Screenshot: Google Admin Toolbox example output]

Alternatively, you can also use MailTester's Authentication Check tool.

If your results show warnings like:

✘ No SPF record
✘ No DKIM record
✘ No DMARC record

Or errors such as:

✘ SPF record not configured correctly
✘ DKIM record not configured correctly

Then you'll need to fix up the related protocols.

If you don't see any issues, you likely already have the basics covered. But it doesn't hurt to validate the configurations are optimal – and add BIMI – to take your email security to the next level.

Alright, let's get into the implementation details. We'll go through how to set up each protocol one-by-one.

Setting Up SPF to Prevent Email Spoofing

SPF is all about confirming that emails are coming from your authorized sending servers.

This protects against spammers trying to spoof your domain in their sketchy emails.

Here are the steps to configure SPF:

1. Identify Your Authorized Sending Servers

First, you need to determine the servers and their IP addresses that are allowed to send emails from your domain.

If you use an email provider or email marketing service, they will give you server details to use in your SPF record.

For your own servers, log into the admin console or talk to your IT team to get the list of outbound mail server IPs.

2. Create an SPF TXT Record

Now you need to create a special TXT record that specifies your authorized sending servers in the SPF format.

It follows this basic structure:

v=spf1 ip4:192.168.1.1 ip4:192.168.1.2 -all

Let's break down what each piece means:

  • v=spf1 – States that this is an SPF record using the version 1 format

  • ip4: – Specifies allowed IPv4 addresses

  • -all – Fails the check for any unknown hosts

So in my example above, 192.168.1.1 and 192.168.1.2 are my sanctioned mail servers.

Anything outside of those will be flagged by SPF validation checks when recipients receive my emails.

Common mechanisms you can use in SPF records include:

  • ip4: – Allowed IPv4 addresses

  • ip6: – Allowed IPv6 addresses

  • include: – Another domain's SPF record

  • a: – DNS A record lookup

  • -all – Fail check for unknown hosts (recommended)

  • ~all – Soft fail check for unknown hosts

  • +all – Allow all hosts (not recommended)

3. Add the SPF Record in Your DNS

Now that you've created the TXT record value with your approved sending servers, it's time to add this into your DNS configuration.

This is done by creating a new TXT record named @ or leaving the host blank:

@ IN TXT "v=spf1 ip4:192.168.1.1 ip4:192.168.1.2 -all"

Your domain registrar provides the option to add new DNS records directly.

But if you use a DNS management service like Cloudflare, you would create it there to have them manage and propagate the records across their DNS servers.

Once saved, it may take some time to propagate fully across major ISPs and recipient servers.

Key SPF Optimization Tips

Here are a few best practices when setting up your SPF record:

  • Only have one SPF record per domain – Multiple records can cause conflicts.

  • Keep 10 or fewer DNS lookups – Too many can cause performance issues, so consolidate when possible.

  • Use the -all mechanism – This explicitly fails the check for unknown hosts, giving you better protection against spoofing.
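To see what a receiving server actually does with the record you just published, here is an added example (my own code, not part of the original article or any mail provider's software). It parses the mechanisms listed above, evaluates a sender IP against the record through a stubbed DNS resolver, and flags both pitfalls from the tips: a domain that publishes two SPF records, and a record tree that burns more than ten DNS lookups (the SPF specification, RFC 7208, treats that as a permanent error, not merely a slowdown). The zone data, domains and addresses are constructed for the demo; the mx, exists and ptr mechanisms are counted but left unimplemented.

```python
"""SPF record parser and evaluator with a stubbed DNS resolver.

Added example, not code from the article: it shows what a receiving server does
with the record you publish, and flags the two pitfalls from the tips above
(more than one SPF record, more than ten DNS lookups).
"""
import ipaddress
import re

# Constructed zone data standing in for real DNS answers; nothing is resolved
# over the network. Addresses come from the RFC 5737/3849 documentation ranges.
FAKE_TXT = {
    "example.com": ["v=spf1 ip4:192.0.2.10 ip4:192.0.2.11 include:mail.example.net a -all"],
    "mail.example.net": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "two-records.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 ip4:192.0.2.2 -all"],
}
FAKE_A = {"example.com": ["192.0.2.20"]}

MAX_LOOKUPS = 10          # RFC 7208 section 4.6.4: exceeding this is a permerror
LOOKUP_MECHS = ("a", "mx", "include", "exists", "ptr")
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
TERM_RE = re.compile(r"([+\-~?]?)(all|ip4|ip6|a|mx|include|exists|ptr)(?:[:=](.*))?", re.I)


def spf_records(domain, txt=FAKE_TXT):
    """All TXT strings at `domain` that begin with the v=spf1 version tag."""
    return [t for t in txt.get(domain, []) if t.lower().startswith("v=spf1")]


def parse_spf(record):
    """Split a record into (qualifier, mechanism, argument) triples.

    Modifiers such as redirect= and exp= are skipped for brevity.
    """
    terms = []
    for token in record.split()[1:]:
        m = TERM_RE.fullmatch(token)
        if m:
            terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
        elif "=" not in token:
            raise ValueError(f"unknown SPF term: {token}")
    return terms


def check_ip(ip, domain, txt=FAKE_TXT, a_records=FAKE_A, _state=None):
    """Evaluate `ip` against the SPF policy of `domain`.

    Returns pass / fail / softfail / neutral / none / permerror and charges every
    lookup-triggering mechanism, including nested include: chains, against the
    shared ten-lookup budget.
    """
    state = _state if _state is not None else {"lookups": 0}
    records = spf_records(domain, txt)
    if not records:
        return "none"
    if len(records) > 1:               # two SPF records: receivers treat this as broken
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for qual, mech, arg in parse_spf(records[0]):
        matched = False
        if mech in ("ip4", "ip6"):     # `in` is False when the address families differ
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech in LOOKUP_MECHS:
            state["lookups"] += 1
            if state["lookups"] > MAX_LOOKUPS:
                return "permerror"
            if mech == "a":
                hosts = a_records.get(arg or domain, [])
                matched = any(addr == ipaddress.ip_address(h) for h in hosts)
            elif mech == "include":    # include: matches only on a nested pass
                nested = check_ip(ip, arg, txt, a_records, state)
                if nested == "permerror":
                    return "permerror"
                matched = nested == "pass"
            # mx, exists and ptr are counted but not resolved in this demo
        elif mech == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULT[qual]
    return "neutral"                   # fell off the end without an `all` term


def count_lookups(domain, txt=FAKE_TXT, seen=None):
    """Count DNS-querying terms across the whole include: tree (the ten-lookup tip)."""
    seen = set() if seen is None else seen
    records = spf_records(domain, txt)
    if domain in seen or not records:
        return 0
    seen.add(domain)
    total = 0
    for _, mech, arg in parse_spf(records[0]):
        if mech in LOOKUP_MECHS:
            total += 1
            if mech == "include":
                total += count_lookups(arg, txt, seen)
    return total


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "2001:db8::1", "198.51.100.1"):
        print(ip, "->", check_ip(ip, "example.com"))
    print("lookups used by example.com:", count_lookups("example.com"))
    print("two-records.example ->", check_ip("192.0.2.1", "two-records.example"))
```

Run it and you get pass for the two listed addresses and the IPv6 sender that arrives via the include, fail for the stranger, and permerror for the domain with two records. Swap `FAKE_TXT` for a real TXT lookup (dnspython, for instance) and `count_lookups` becomes a handy pre-publish check for the ten-lookup budget.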

And that's it! SPF is now configured for your domain. Time to tackle DKIM next.

Adding DKIM to Cryptographically Sign Your Emails

Now that we've validated the source of your emails with SPF, DKIM ensures the contents are legit and unaltered.

It does this by cryptographically signing your emails using public key cryptography.

Here's how to add DKIM signatures to your outbound email:

1. Generate a Public/Private Key Pair

First, you need to create a public/private key pair.

Most email service providers give you the option to generate keys within your account's configuration panel or their DKIM settings directly.

For self-managed email servers, you can use OpenSSL or online DKIM key generation tools.

This gives you two long strings:

  • A private key – This is used to create the DKIM signature and stays on your server.

  • A public key – This is shared publicly in the DNS so recipients can verify the signatures.

2. Extract Just the Public Key

For the next step, you'll need to extract just the public key portion from the public/private key pair.

It will look something like this:

MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALnfFW1FffeKPs5PLUhFOSkNrr9TDwWtYD7nxvii3QppyQXypC/Mc7DAiZ+DW4OvXx8MTTITeYx6q3/UVKvM4LECAwEAAQ==

You'll add this long public key into your DKIM TXT record in the next step.

3. Create a DKIM TXT Record

Now it's time to create a TXT record containing your DKIM public key, formatted like this:

v=DKIM1; k=rsa; p=public_key_goes_here

Breaking this down:

  • v=DKIM1 states the DKIM version used

  • k=rsa specifies the RSA algorithm

  • p= contains your public key

4. Add a Selector as the Hostname

To complete your DKIM TXT record, you need to add a selector hostname before your domain:

selector._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=public_key_here"

The selector can be any identifier you want, such as dkim, email, or zimbra.

This gives the finalized DNS entry used to publish your public key.
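Here is an added example that walks steps 2 to 4 in code (mine, not the article's, and not any provider's tooling). It strips the PEM armour OpenSSL prints to get the p= value, assembles the selector._domainkey name and TXT value, reads the RSA modulus size straight out of the key, and computes the bh= body hash that goes into the DKIM-Signature header. The PEM is the sample key from step 2 above, re-wrapped into PEM form for the demo. One caveat worth knowing: that sample key decodes to 512 bits, and RFC 8301 tells verifiers to reject RSA keys under 1024 bits, so the helper refuses to build a record for it; generate at least a 1024-bit key (2048 is the usual choice) for real use.

```python
"""DKIM helpers around the article's steps 2 to 4.

Added example, not the article's own code. It turns the PEM public key OpenSSL
prints into the p= value and DNS name, reports the RSA modulus size (the key
shown in step 2 decodes to 512 bits, which RFC 8301 verifiers reject), and
computes the bh= body hash the signer puts in the DKIM-Signature header.
"""
import base64
import hashlib
import re

# The article's step-2 key, re-wrapped into the PEM form `openssl rsa -pubout` prints.
SAMPLE_PEM = """-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALnfFW1FffeKPs5PLUhFOSkNrr9TDwWt
YD7nxvii3QppyQXypC/Mc7DAiZ+DW4OvXx8MTTITeYx6q3/UVKvM4LECAwEAAQ==
-----END PUBLIC KEY-----
"""


def pem_to_p(pem):
    """Drop the PEM armour and line breaks; what remains is the p= tag value."""
    lines = (line.strip() for line in pem.strip().splitlines())
    return "".join(line for line in lines if not line.startswith("-----"))


def dkim_dns_record(selector, domain, pem, bits_required=1024):
    """Return (name, TXT value) to publish; refuse keys too small to be accepted."""
    p = pem_to_p(pem)
    bits = rsa_key_bits(p)
    if bits < bits_required:
        raise ValueError(f"RSA key is {bits} bits; use at least {bits_required}")
    return f"{selector}._domainkey.{domain}", f"v=DKIM1; k=rsa; p={p}"


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at `pos`; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(p):
    """Modulus size of the key in a p= value (a DER SubjectPublicKeyInfo)."""
    spki = base64.b64decode(p)
    _, body, _ = _der_tlv(spki, 0)         # SubjectPublicKeyInfo SEQUENCE
    _, _, pos = _der_tlv(body, 0)          # AlgorithmIdentifier (rsaEncryption), skipped
    _, bitstr, _ = _der_tlv(body, pos)     # BIT STRING wrapping RSAPublicKey
    _, rsa, _ = _der_tlv(bitstr, 1)        # skip the unused-bits byte
    _, modulus, _ = _der_tlv(rsa, 0)       # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()


def relaxed_body(body):
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":       # ignore empty lines at the end of the body
        lines.pop()
    return "".join(line + "\r\n" for line in lines)


def body_hash(body):
    """The bh= tag: base64(SHA-256(canonicalized body)), as the verifier recomputes it."""
    digest = hashlib.sha256(relaxed_body(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


if __name__ == "__main__":
    print("sample key size:", rsa_key_bits(pem_to_p(SAMPLE_PEM)), "bits")
    print("bh=", body_hash("Hello   world \r\n\r\n"))
    try:
        dkim_dns_record("dkim", "example.com", SAMPLE_PEM)
    except ValueError as err:
        print("not publishing:", err)
```

The relaxed canonicalization is why a forwarding server that re-wraps whitespace does not break your signature: the hash is taken over the normalized body, so trailing spaces and blank lines at the end do not change it, while any change to the actual words does.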

Now your emails have an added DKIM-Signature header that recipients can use to validate the content is legit. Sweet!

Enabling DMARC to Bring It All Together

SPF and DKIM are great, but DMARC takes your email authentication to the next level.

It coordinates your SPF and DKIM configurations at a domain-wide level.

DMARC also provides visibility through reports, and enforcement options to handle failed emails.

Here are the key steps involved:

1. Create a DMARC Record

First, you need to create a TXT record to announce your DMARC policy. It follows this format:

v=DMARC1; p=none; pct=100; rua=mailto:[email protected]

Let's break this down:

  • v=DMARC1 specifies version 1 of DMARC

  • p=none means no enforcement, only monitoring

  • pct=100 requests reports on 100% of failed messages rather than just a sample

  • rua= is the email address to send aggregate reports to

2. Receive and Analyze DMARC Reports

Once enabled, you‘ll start receiving daily or weekly aggregate reports via email.

They provide stats on authentication failures, letting you identify and fix issues with your SPF/DKIM setup.

[Screenshot: DMARC aggregate report sample]

Tools like GlockApps and DMARC Analyzer help visualize and monitor reports.

3. Change the Policy to Quarantine or Reject

After your SPF and DKIM records check out, it's time to enforce policies for failed emails:

  • p=quarantine – Send emails failing DMARC to the spam folder

  • p=reject – Reject emails failing DMARC entirely

Starting in monitor-only mode and slowly tightening is recommended.

4. Monitor and Tweak Based on Results

It takes time for reports to stabilize and enforcement to be effective. Closely track ROI and adjust policies as needed.
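To make the DMARC steps concrete, here is an added example (my own code, not the article's and not a vendor tool) that validates a DMARC record before you publish it, tells you whether the policy is strict enough for BIMI, and summarises an aggregate report by source IP so you can see which senders are failing. The report XML is constructed to follow the RFC 7489 Appendix C layout; the report-id, domains and addresses are placeholders, and the rua address is a constructed mailbox rather than the one in the article. Note that per RFC 7489, pct= is the percentage of messages the policy is applied to, which is why the BIMI check only treats p=quarantine as enforcement at pct=100.

```python
"""DMARC record validation, BIMI readiness and aggregate-report summarising.

Added example, not the article's own code. The report XML is constructed to
match the RFC 7489 Appendix C layout; domains and addresses are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed aggregate report: one authorized sender and one unknown source.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
  </report_metadata>
  <policy_published><domain>example.com</domain><p>none</p><pct>100</pct></policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""


def parse_tags(record):
    """Split the 'tag=value; tag=value' syntax shared by DMARC and BIMI records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def validate_dmarc(record):
    """Return a list of problems; an empty list means the record is publishable."""
    tags = parse_tags(record)
    problems = []
    if not record.strip().lower().startswith("v=dmarc1"):
        problems.append("record must start with v=DMARC1")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    pct = tags.get("pct", "100")           # RFC 7489: share of mail the policy applies to
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append("pct= must be an integer from 0 to 100")
    for tag in ("rua", "ruf"):             # report destinations must be mailto: URIs
        if tag in tags and any(
                not uri.strip().lower().startswith("mailto:") for uri in tags[tag].split(",")):
            problems.append(f"{tag}= must list mailto: URIs")
    return problems


def bimi_ready(record):
    """BIMI needs enforcement: p=reject, or p=quarantine applied to 100% of mail."""
    tags = parse_tags(record)
    return tags.get("p") == "reject" or (
        tags.get("p") == "quarantine" and tags.get("pct", "100") == "100")


def summarise_report(xml_text):
    """Per source IP, how many messages passed DMARC (DKIM or SPF aligned) or failed."""
    summary = {}
    for rec in ET.fromstring(xml_text).findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        passed = "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf"))
        entry = summary.setdefault(row.findtext("source_ip"), {"pass": 0, "fail": 0})
        entry["pass" if passed else "fail"] += int(row.findtext("count"))
    return summary


def unauthenticated_sources(summary):
    """Failing sources: a sender you forgot to authorize, or someone spoofing you."""
    return sorted(ip for ip, counts in summary.items() if counts["fail"])


if __name__ == "__main__":
    print(validate_dmarc("v=DMARC1; p=none; pct=100; rua=mailto:dmarc-reports@example.com"))
    print(validate_dmarc("v=DMARC1; p=block; pct=150; rua=dmarc@example.com"))
    totals = summarise_report(SAMPLE_REPORT)
    print(totals, unauthenticated_sources(totals))
```

Feed `summarise_report` the XML from each report you receive and the failing-source list is exactly your to-do list while in p=none: every IP on it is either a legitimate service you still need to add to SPF or sign with DKIM, or an impostor that p=quarantine and later p=reject will stop.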

With DMARC properly configured, you've completed the email authentication trifecta!

Adding BIMI to Display Your Logo (& Build Trust!)

Your spiffy new SPF, DKIM, and DMARC setup is working wonders behind the scenes to authenticate your emails.

But did you know you can also display your logo prominently in the inbox with BIMI?

This visual trust indicator says "We know and trust emails from this sender!"

Here's how to get your logo in there:

1. Have DMARC Setup & Enforced

BIMI requires a DMARC record with a p=quarantine or p=reject policy in place.

This ensures only verified emails will get to show off your beautiful logo.

2. Host Your Logo Publicly as an SVG

Upload your logo on your site and get the direct image link. It needs to be a sharp SVG vector image.

Something like https://www.example.com/logo.svg.

3. Create a BIMI TXT Record

Then add a TXT record as follows:

v=BIMI1; l=https://www.example.com/logo.svg; a=;

Here, l= is your logo's URL.

And… that's all! Email services like Gmail that support BIMI will start proudly displaying your brand icon.

Give yourself a high five, you've earned it!

Handy Tools to Analyze, Debug & Monitor Your Setup

Phew, that was quite the journey! Let's recap the key tools you can use along the way:

Rigorous ongoing monitoring and tuning is key to success with these protocols. The tools above can provide invaluable insights.

And if you ever get stuck, don't hesitate to reach out to me! I got your back.

Fixing Common Email Authentication Issues

Of course, getting all this configured can surface some kinks along the way. Here are handy tips to fix the most common hiccups:

  • SPF failures – Review authorized servers, check for formatting issues, remove old SPF records

  • DKIM failures – Confirm selector naming, ensure public key is copied correctly

  • DMARC failures – Fix SPF and DKIM first, then slowly tighten DMARC policy

  • Emails land in spam – Check authentication status, improve IP reputation, update email content

  • BIMI not displaying logo – Verify DMARC policy, double check BIMI TXT and logo URL

Reaching out to your email service provider or an implementation specialist can help unravel these faster.

The key is taking it slow and checking results at each step. Consistent monitoring provides the data needed to optimize over time.

Let's Recap – You Got This!

Phew, we covered a lot of ground here!

Here are the key takeaways:

  • SPF, DKIM, DMARC, and BIMI each play an important role in email authentication and security.

  • Always check current records before making any changes.

  • Add SPF to confirm authorized sending servers.

  • Implement DKIM to cryptographically sign your emails.

  • Enable DMARC for domain-level security and reporting.

  • Configure BIMI to display your logo and build trust.

  • Use reporting tools to monitor setup and fine-tune over time.

  • Take it slowly, start with monitoring, and tighten policies gradually.

Email authentication takes diligence and care. But the impact on inbox placement and security is well worth the effort.

You got this! I'm confident you now have all the pieces needed to get your emails delivering securely.

Let me know if any part of the process gets tricky. I'm always happy to help out a fellow geek!

Onwards and upwards,

AlexisKestler

Written by Alexis Kestler

A female web designer and programmer, now a 36-year IT professional with over 15 years of experience, living in NorCal. I enjoy keeping my feet wet in the world of technology through reading, working, and researching topics that pique my interest.