Red Sift’s email protocol configuration guide

image
Explore our guide
In this chapter
In this chapter

All you need to know about SPF, DKIM and DMARC

In this chapter, we’ve answered some of the most common questions our Customer Success Engineers are asked about SPF, DKIM, and DMARC - the three pillars of modern email authentication. As of 2026, these protocols are required by major inbox providers for bulk email senders. Let’s dive in!

What is SPF?

SPF (Sender Policy Framework) is an email authentication standard that was developed to combat sender address forgery. By verifying the authenticity of the MAIL FROM or HELO/EHLO identities during transmission, SPF compares the sending server's IP address against a list of authorized senders specified in a TXT record within the domain owner's DNS. If the sending IP address aligns with the authorized list, SPF authentication succeeds. 

Which part of the email does the SPF protocol focus on?

SPF focuses on the "domain" found in the email header, known by various names such as Return-Path, MAIL-FROM, Bounce address, or Envelope from. If this header is missing, SPF falls back and looks at the “HELO/EHLO” hostname and checks for an SPF record there.

The Return-Path header is a technical header that is not visible to the end user - unless they know how to display the headers of an email in their mail client they won't see it. 

What is DKIM?

DKIM (DomainKeys Identified Mail) is used to sign different header fields and bodies to authenticate the sending domain and prevent message modification during transit.

It achieves this by using asymmetric cryptography which consists of a combination of public and private keys. The private key is private to the sender’s domain and is used to sign the emails. The public key is published in the sender’s DNS so it can be retrieved by anyone receiving messages from the sender.

When an email is composed, its headers and body are signed using the private key of the sender to create a digital signature, which is also sent as a header field along with the email. On the receiver’s side (if DKIM is enabled), the server retrieves the public key and verifies if the email was indeed signed by the sending domain. If the signature is successfully validated that proves that the sending domain sent the message and also that the headers and body of the message have not been modified during transmission.

Which part of the email does the DKIM protocol focus on?

DKIM focuses on the “DKIM-Signature” header.

As is the case with SPF,  this header is not visible to the end user unless they know how to display the headers of the email they have received.

Why SPF & DKIM are not enough

Why SPF & DKIM are not enough While DKIM can verify that an email isn't the exact email that was sent, and SPF can recommend that a receiving server should reject an email based on the IP, neither of these are effective at spoofing prevention. This is precisely why DMARC has become mandatory for organizations sending bulk email in 2026.

The main reason for this is the header that is checked for each protocol.

SPF checks the record found at the domain in the return-path header, and DKIM checks the key found at the d= domain (Found within the DKIM header).

Both of the above protocols can be set to check any domain.

In an email, the major domain of the sender is the domain found in the From: header, this header determines the big name at the top of emails - the address that the end-user will see if they check who sent the email.

Given the above, your email domain could be impersonated as attackers could make the From: yourdomain.com and the return-path and d= theirdomain.com. Provided the SPF and DKIM records at theirdomain.com were correctly configured, the email would pass both SPF and DKIM resulting in a successfully impersonated domain..

SPF and DKIM have their purposes, but neither alone are enough to prevent imitation.

The solution? DMARC

DMARC stands for Domain-based Message Authentication, Reporting and Conformance and builds upon SPF and DKIM, providing an additional layer of email authentication and policy enforcement. DMARC is now required by major inbox providers and represents the industry standard for email authentication in 2026.

DMARC does a few things:

  1. It takes into account the results from SPF and DKIM 
  2. For DMARC to pass, it requires SPF or DKIM to pass and for the domain used by either one to also align with the domain found in the From: address. If you’re interested in learning more about Identifier Alignment, click here.
  3. It reports SPF, DKIM, and DMARC results back to the domain found in the From: address (ie. sender).
  4. Finally, it tells receivers how to treat emails that fail DMARC validation by specifying a policy in DNS.

By setting the DMARC policy to p=reject an organization can recommend to receiving servers to drop any emails set on behalf of their domain that don't pass the alignment check. This will stop all imitation attempts where the receiving server is correctly implementing DMARC.

Which part of the email does the DMARC protocol focus on?

DMARC focuses on the domain found in the From: or Header from header which is visible to the end user. 

Now that we know what headers each protocol looks at, what is contained in those headers, and what is checked?

Sender Policy Framework (SPF)

SPF verifies if an email was sent by an authorized sender by checking a list of authorized IP addresses you publish in your DNS. The receiving server will take the domain found in the Return-Path header and check for an existing SPF record. It checks the SPF record to see if the sending IP address of the email is contained in the SPF record. If the IP address is contained in the SPF record that means that it is authorized to send emails. This means that SPF PASSED. If the IP address is not in the SPF record then SPF FAILS.

The overall logic is:

  • If the sending IP address is contained in the SPF record = SPF PASS
  • If the sending IP address is not contained in the SPF record = SPF FAIL

DKIM (DomainKeys Identified Mail)

The receiving server will check the DKIM-Signature header which contains the selector (s=) and signing domain (d=) which are tags used to look up the public key. Once retrieved, the public key is used to validate the email message. If validation is successful then DKIM PASSES and if the validation process is unsuccessful then DKIM FAILS.

The overall logic is:

  • If validation is successful = DKIM PASS
  • If validation is unsuccessful = DKIM FAIL

DMARC (Domain-based Message Authentication, Reporting & Conformance) 

The receiving server will check if either SPF or DKIM PASSED, then it will check if the Return-Path domain used by SPF and/or the d= domain used by DKIM aligns with From: domain, and finally, it will extract the DMARC policy published by the domain found in the “From” address and comply with the policy.

The overall logic is:

  • If SPF PASSED and ALIGNED with the “From” domain = DMARC PASS, or
  • If DKIM PASSED and ALIGNED with the “From” domain = DMARC PASS
  • If both SPF and DKIM FAILED = DMARC FAIL

DMARC not only requires that SPF or DKIM PASS, but it also requires the domains used by either one of those two protocols to ALIGN with the domain found in the 

“From” address. Only then will DMARC PASS.

What’s the difference between Strict vs Relaxed alignment?

Strict alignment means that the Return-Path domain or the signing domain “d=” must be an exact match with the domain in the “From” address.

Relaxed alignment means that the Return-Path domain or the signing domain “d=” can be a subdomain of the “From” address and vice versa.

If you’re interested in learning more about Identifier Alignment, click here.

What happens if DMARC fails?

If DMARC fails, the receiving server would typically comply with the policy that you have specified in your DMARC record.

  • If you are in report-only mode (p=none) the email will be accepted by the receiving server and scanned by other filtering criteria.
  • If you are in quarantine mode (p=quarantine) the email will be quarantined and typically sent to the spam folder of the recipient.
  • If you are in reject mode (p=reject) the receiving server will abort the connection with the sending mail server and the email will never reach the end user.

Irrespective of the policy, the metadata for the email will be logged along with the status of the authentication results and forwarded to your DMARC report processor. Learn more about DMARC reports here.

SPF troubleshooting and top tips

  1. Make sure that you have an SPF record in your Return-Path domain.
  2. Make sure that you have an SPF record in your HELO/EHLO domain in case of bounces where the Return-Path domain is empty.
  3. Make sure there is a single SPF record per domain.
  4. Make sure that the SPF record syntax is correct.
  5. Make sure that your Return-Path domain aligns with the From domain.
  6. Make sure that your authorized senders are part of the SPF record.
  7. Make sure that unauthorized senders are not in your SPF record.
  8. Make sure that you do not go over the 10 DNS lookup limit imposed by SPF. If you have gone over the 10 DNS lookup limit you will have to consider using a feature such as Red Sift’s OnDMARC’s Dynamic SPF.
  9. Make sure that deprecated SPF record mechanisms such as the “ptr” mechanism are not used in your SPF record.

DKIM troubleshooting and top tips

  1. Make sure that the sending systems you use support DKIM.
  2. Make sure that the emails are DKIM signed.
  3. Make sure that the signing domain aligns with the “From” domain.
  4. Make sure that you use a DKIM key size over 1024 bits (a 2048-bit key is advisable)
  5. Make sure, where possible, that the DKIM selectors you choose closely identify the sending service so you can distinguish between them.
  6. Make sure to revoke any keys that have been compromised.
  7. Make sure that the DKIM keys you manage are rotated regularly.
  8. Make sure that the DKIM key syntax is correct.
  9. Make sure that there exists a public key for each corresponding private key that signs your emails.

DMARC troubleshooting and top tips

  1. As DMARC is based on both SPF and DKIM and the domains used by those two protocols, you will have to make sure that the Return-Path domain for SPF is either an exact match or a subdomain of the “From” domain. The same applies to the signing domain used by DKIM. Proper alignment configuration is critical for email deliverability in 2026.
  2. Make sure that the DMARC record syntax is correct.
  3. Make sure that you have configured all of your systems correctly with SPF and DKIM before moving to a reject policy as your emails will be lost.
  4. Make sure that you use a system or third-party provider such as Red Sift OnDMARC to receive DMARC reports so that you can make sense of those reports and discover any systems that are misconfigured. Modern DMARC platforms in 2026, like OnDMARC enable organizations to reach enforcement in 6-8 weeks through automated troubleshooting and real-time testing.
  5. Monitor the status of each of your sending sources and make sure that any changes to SPF and DKIM are identified. Red Sift OnDMARC has this feature as a core part of its product.
email set up imageemail set up image
Email set up correctly? Find out free in under a minute

Frequently asked questions: Email protocol configuration guide

What is the difference between SPF hard fail (-all) and soft fail (~all), and which should I use in 2026?

In a pre-DMARC era, SPF records commonly used the "-all" mechanism to strictly enforce sender policies. However, current industry guidance in 2026 favours "~all" to balance security and deliverability, avoiding unnecessary rejection of valid emails that might fail SPF but pass DKIM and DMARC.

This is because "~all" when implemented in combination with DMARC (at p=reject) will still reject unauthenticated mail if SPF and DKIM fail, but does not block legitimate mail, thus enhancing overall email deliverability.

The DMARC specification (RFC 7489) states that a "-" prefix on a sender's SPF mechanism, such as "-all", could cause rejection to go into effect early in handling, causing message rejection before any DMARC processing takes place. Use "-all" for inactive, non-email sending domains only (domains that send no emails at all). DMARC ignores the nuances of soft fail and hard fail in SPF configuration, treating them as SPF failures.

How does DMARC alignment work and what is the difference between strict and relaxed alignment?

DMARC does not only require SPF or DKIM to PASS but it also requires at least one of the domains used by SPF or DKIM to align with the domain found in the From header. Proper alignment is critical for email deliverability in 2026, as major inbox providers enforce these requirements.

In the case of SPF, identifier alignment means that the MAIL FROM/Return-PATH check has to PASS and also the domain portion of the MAIL FROM/Return-PATH has to align with the domain found in the From address. In strict alignment, the domains have to match exactly, whereas in relaxed alignment subdomains are also allowed as long as they come from the same organisational domain.

For example, if MAIL-FROM/RETURN-PATH is @ondmarc.com and From header is @knowledge.ondmarc.com, in strict alignment they are not aligned. However, in relaxed alignment mode, DMARC would pass.

What are DMARC aggregate reports and forensic reports, and how do they differ?

A DMARC aggregate report contains information about the authentication status of messages sent on behalf of a domain. It is an XML feedback report designed to provide visibility into emails that passed or failed SPF and DKIM. The report provides domain owners with precise insight into which sources are sending on your behalf and the disposition of those emails (the policy that was applied by the receiver).

Recipients will look at the 'rua' tag of your DMARC record and send reports there. You can specify the aggregate reporting interval by using the ri tag in your DMARC record (by default, this is set to 86400 seconds which equates to 24 hours). Forensic reports contain more detailed information about individual authentication failures. Any personally identifiable information (PII) is removed, but information that will help in troubleshooting the DMARC failure is included, such as SPF and DKIM header failure information, the entire From address, and the Subject of the email.

The address to receive Forensic DMARC reports is specified by the 'ruf' tag in your DMARC record. Not all receiving systems support sending forensic reports. Red Sift OnDMARC is one of the only DMARC applications on the market that receives forensic reports thanks to its partnership with Yahoo.

What are SPF macros and why might they cause deliverability issues?

An SPF macro refers to a mechanism used in SPF records to define reusable sets of IP addresses. SPF macros enhance the flexibility and maintainability of SPF records by allowing you to define complex sets of IP addresses in a single mechanism, which can then be referenced within multiple SPF records. For example, instead of listing individual IP addresses for each authorised email server, you can define a macro like "%{i}" which calls the sender IP of the email. Managing SPF this way allows you to control a large list of IPs without hitting the SPF lookup limit, and also obscures which IPs you approve for public querying.

However, depending on how the SPF record with macros is structured, the lack of macro expansion could result in SPF failures or 'Neutral' results (denoted by the ?all mechanism). If SPF macros play a critical role in authorising legitimate sending servers, emails might be more likely to fail SPF checks or be marked as suspicious by email receivers that rely on SPF for authentication.

What is MTA-STS and how should it be deployed to avoid blocking email delivery?

Mail Transfer Agent Strict Transport Security (MTA-STS) is a standard that enables the encryption of messages being sent between two mail servers. It specifies to sending servers that emails can only be sent over a Transport Layer Security (TLS) encrypted connection which prevents emails from being intercepted by cybercriminals.

MTA-STS adoption has grown significantly, with organisations in 2026 recognising transport layer security as essential for protecting email in transit. For receiving domains to enable MTA-STS, they must announce that they support MTA-STS in their DNS and publish a policy configuration file on their website.

Activating MTA-STS must be done carefully to mitigate blocking emails from being delivered. MTA-STS should first be deployed in testing mode, allowing time for TLS reports to provide insight into any errors that need fixing before progressing to the final enforce stage. This phased approach will likely become standard practice in 2026 for organisations implementing transport security.

What is TLS-RPT and how does it work with MTA-STS?

SMTP TLS Reporting (or TLS-RPT for short) enables reporting of TLS connectivity problems experienced by the sending MTAs and is defined in RFC8460. Much like DMARC, TLS-RPT relies on emailed reports to notify domain owners when delivery fails due to TLS issues. These reports include detected MTA-STS policies, traffic statistics, unsuccessful connections, and failure reasons.

With Red Sift OnDMARC's MTA-STS feature, you don't need to worry about complex deployment. Simply add the MTA-STS Smart Records OnDMARC provides to your DNS and Red Sift does all the hard work such as hosting the MTA-STS policy file, maintaining the SSL certificate, and flagging any policy violation through the TLS report. Modern DMARC platforms in 2026 increasingly include hosted MTA-STS as a standard feature, simplifying transport security deployment.

What is DANE and how does it differ from MTA-STS?

Published under RFC 7671, DANE (DNS-based Authentication of Named Entities) introduces a new Internet standard for setting up TLS communication between a client and a server, without having to rely on trusted Certificate Authorities (CAs).

The traditional CA model TLS has depended on allows any CA to issue a certificate for any domain. DANE does things differently by relying on the DNSSEC infrastructure (Domain Name System Security Extensions) to bind a domain name to a certificate. DANE makes use of the already existing DNSSEC protocol to make sure the data it receives is authentic and has not been tampered with.

DANE also introduces a new DNS RR type called TLSA which helps to signal to the client that a server supports TLS. The recommendation is to implement both MTA-STS and DANE. DANE is a requirement from many governments, so public agencies in the EU are often required to implement it.

DANE and MTA-STS help only if the sender supports it, however, many senders only support one or the other so implementing both improves security overall. Organisations in 2026 often deploy MTA-STS first for broader compatibility, then add DANE for enhanced security where required.

What is the purpose of the DMARC subdomain policy (sp tag) and how should it be used?

The subdomain policy allows domain administrators to protect different domains and subdomains based on how far they are along the DMARC journey. For example, if all your email-sending services sending emails on behalf of your top-level domain are fully configured with SPF and DKIM, that means that you can protect your top-level domain with a DMARC policy of p=reject whilst keeping the subdomains in p=none, and vice versa.

Also, if you have an email-sending service that is non-DMARC compliant (does not support SPF or DKIM), you may decide to assign a subdomain to it and have that subdomain in a different DMARC policy, without preventing you from protecting your other domains. This allows you to split the traffic across different subdomains and protect each one separately.