Email deliverability is a crucial part of effective cold email campaigns. If you know your emails are landing in your prospect’s primary inbox, you’ll start more conversations and have more opportunities to close new deals.
SPF and DKIM are two of the most important parts of ensuring good email deliverability, as they protect both email senders and recipients from the dangers of phishing, email spoofing, and spam.
But how do they work, and how exactly are they related to deliverability? Let's find out:
In the early days of email, a lot of viruses, spam, and scams were sent via email using fake sender information. This does still happen today, but there are more mechanisms in place to help verify information about email senders.
Two of these mechanisms are SPF and DKIM.
SPF and DKIM are methods of email authentication. As such, they allow email servers to identify who is sending emails and verify if they’re trustworthy or not.
Setting these records up is crucial to email deliverability and ensures that your messages reach their intended recipients safely and securely.
Sender Policy Framework, or SPF, is a form of email authentication. SPF defines a validation process for a specific email that has been sent from a mail server.
The goal of SPF is to detect forgery and prevent spam. With SPF, a domain’s owner can specify exactly which mail servers are allowed to send email for that domain.
Through this, SPF gives the email recipient information about the email sender’s legitimacy. When the recipient gets the email, their email provider (e.g., Gmail) verifies the SPF credentials through a domain lookup in the DNS records. If something is amiss, the receiving server will flag the message as spam, as it has effectively failed the SPF authentication check.
If you cold email without your SPF records in place, your recipients’ inboxes won’t let your email through, as they don’t trust you as a legitimate sender. Most spammers won’t take the time to add their SPF records, so it’s an effective filtering mechanism.
DomainKeys Identified Mail, or DKIM, is an email authentication protocol used to detect fake sender email addresses or spoofed ones.
It works by linking an email back to its domain. An email sender can attach DKIM signatures, which are cryptographically signed headers added to the message that help the receiving inbox verify the source of the message.
This is important because a lot of phishing campaigns spoof emails from trusted domains. Think of the emails you’ve received posing as a bank, Google, or some other trusted domain. It still happens today, but DKIM acts as a potent safeguard against ill-intentioned scammers.
When it comes to cold emailing, your DKIM essentially tells your prospect’s inbox that you are who you say you are, and gives the email service provider (ESP) a good reason to let your email through.
DKIM and SPF seem similar if you’re new to them. So, what’s the difference?
Put simply, SPF allows senders to define exactly which IP addresses may send emails for that particular domain. Meanwhile, DKIM verifies the authenticity of an email by providing a digital signature and encryption key.
They work hand-in-hand to prevent spam and detect forgery while sending and receiving emails.
SPF works by specifying the mail servers authorized to send emails from your domain. If you have it in place, the receiving mail servers can verify that the incoming messages did come from you.
Without SPF records, the messages sent by your organization may be marked as spam, because your prospects’ and customers’ inboxes won’t be able to verify that it’s really you sending the email. Your emails will land in the spam folder or be completely blocked from landing in their inbox.
Once your SPF records are in place, you won’t need to do any ongoing management. You’ll need to make sure they’re in place for every domain you use for your email activity.
Here’s a basic overview of how SPF records work:
Publishing an SPF record: Your domain’s administrator publishes an SPF record, which is the policy that defines which mail servers are allowed to send emails. The SPF record is stored under the domain’s overall DNS records.
Checking IP against the list of authorized IPs: Each time an inbound server gets an incoming message, it searches DNS for the rules for the bounce or Return-Path domain. The inbound mail server checks the IP of the message sender against the list of authorized IPs defined in the SPF record.
Taking action: The receiving server uses the rules indicated in the sender domain’s SPF record to determine what to do: accept, reject, or flag the email as spam.
Setting up your SPF takes a few minutes and will ensure that your messages land in your prospects’ inboxes. It’s a vital step before sending any cold outreach.
If you’re using a custom inbox, make sure to check with your email provider. They’ll be able to show you the best way to set up your SPF record.
If you’re using G Suite or Outlook, follow these steps:
How to Set up SPF for G Suite
Here are Google’s instructions for setting up your SPF records in G Suite.
It’s relatively easy to do.
From your domain’s admin panel (this could be in Google Domains, Namecheap, GoDaddy, or whichever service you use to manage your domain), you'll need to add a TXT record with the following text: `v=spf1 include:_spf.google.com ~all`
Once that’s in place, it can take up to 48 hours to validate, but in most situations, it will be verified within a few minutes.
How to Set up SPF for Outlook
Setting up your SPF for Outlook or Microsoft 365 accounts follows the same process as it does for G Suite.
You’ll need to head over to your domain’s admin panel and add a new TXT record that defines your SPF.
If all of your mail is being sent with Microsoft 365/Outlook, use the following SPF record: `v=spf1 include:spf.protection.outlook.com -all`
Like with G Suite, this won’t immediately go live, but it will be ready to use within 48 hours.
If you’re unsure if your domain is ready to start using for your email activity, you can use tools like spamtester.ai to verify (more on this later in the guide).
To troubleshoot SPF issues, check out this guide from Microsoft.
DKIM was created for similar purposes as SPF: to prevent spammers from impersonating your domains and posing as a legitimate email sender from your brand.
DKIM is a kind of signature that you can add to your emails to allow receiving mail servers to check the email sender’s authenticity. The signature isn’t a typical email signature. It works with a pair of cryptographic keys, your private and public key:
Private key: This is available only to you and is unique to your domain. The private key will allow you to create your signature.
Public key: This is something you have to add to your DNS (using DKIM) so that the receiving mail server can retrieve it and verify your signature.
Setting up DKIM on your DNS allows you to add a layer of security. For example, it’s like presenting an ID card (your public key) to get into your office, even if the security guard already knows that you work at the building. It’s a way to prove that it’s really you at the door. If you forgot your key, you may still get let in, but security won’t be certain.
The first step is to generate a public key. To do this, you’ll have to log into your email provider’s admin console. The steps vary depending on your email provider.
Setting Up DKIM for G Suite
For example, if you're using G Suite to send emails, here’s a detailed guide.
DKIM signatures need to be manually turned on in your Google Admin console, as Google turns these off by default.
Once you have your public key, you can then take the generated TXT record to place into your DNS records.
Here’s a simple overview of how DKIM is set up and tested:
Step 1: Publishing your cryptographic key
The key is published by the domain owner and is formatted as a TXT record in the domain’s DNS record.
Step 2: Attaching the unique DKIM
Every time a message is sent by an outgoing mail server (i.e., your outbound emails), this server attaches the DKIM signature to the message’s header.
Step 3: Detecting and verifying the signature
Inbound mail servers (i.e., your prospects’ email servers) use the published DKIM key to verify the signature of the message. If it matches the expected values, then the message is considered authentic and can get through.
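Two pieces of the receiving server's work in Step 3, as an added Python example (not code from this article or any provider): building the DNS name of the published key from the signature's `d=` and `s=` tags, and recomputing the body hash carried in `bh=`. The message, the selector `sel1` and the domain are constructed, `b=` is a placeholder, and the public-key check of `b=` itself is outside this example.

```python
import base64
import hashlib


def parse_tags(value):
    """Split a 'k=v; k=v' tag list (DKIM-Signature value or DNS key record)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = "".join(val.split())   # drop folding whitespace
    return tags


def key_record_name(sig_tags):
    """DNS name the receiver queries for the public key: <s>._domainkey.<d>."""
    return f"{sig_tags['s']}._domainkey.{sig_tags['d']}"


def body_hash(body):
    """bh= value for 'simple' body canonicalization with SHA-256 (CRLF line endings)."""
    canon = body.rstrip(b"\r\n") + b"\r\n"   # trailing empty lines collapse to one CRLF
    return base64.b64encode(hashlib.sha256(canon).digest()).decode()


def body_hash_matches(signature_value, body):
    """Receiver side: recompute the body hash and compare it with the signed bh= tag."""
    return parse_tags(signature_value).get("bh") == body_hash(body)


# Constructed message: the sending server computes bh= when it signs.
BODY = b"Hi Sam,\r\nAre you free on Tuesday?\r\n"
SIGNATURE = (
    "v=1; a=rsa-sha256; c=simple/simple; d=example.com; s=sel1; "
    f"h=from:to:subject; bh={body_hash(BODY)}; b=PLACEHOLDER"
)
```

A body changed after signing no longer matches `bh=`, which is why a message altered in transit fails DKIM even though the key in DNS is unchanged.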
Setting up DKIM for Outlook
In Outlook, the process works in a similar way.
You’ll need to create your DKIM keys in your Microsoft account. Then, once those are ready, you’ll be shown new CNAME records that you need to copy and paste into a new CNAME entry in your domain’s admin panel.
Once your DKIM signature is enabled, you’ll be ready to start sending your emails with the confidence that they’ll land in your prospect’s inbox.
Click here to read detailed, step-by-step instructions on Microsoft’s website.
In any business scenario where you’re sending a lot of emails — whether it’s cold outreach to new potential clients, or nurturing campaigns to welcome customers and email subscribers to your list — you need to set up SPF and DKIM.
If you don’t set up these records, over time, most of your emails will be flagged as spam, potentially even resulting in your domain getting completely blocked by email service providers.
Needless to say, your emails won’t have the business impact you expected them to.
How to Check if Your SPF and DKIM Records are Set Up?
Once you’ve followed your inbox provider’s instructions to add your SPF and DKIM records, you’ll need to verify that they’re working.
Reviewing using QuickMail’s Deliverability Report
On QuickMail’s pro plan you’ll have access to advanced deliverability reports.
First, head to your inbox and make sure your deliverability testing is active.
Every week, QuickMail will automatically test to see how your inbox deliverability is performing.
If your SPF and DKIM pass the checks, you’re ready to start sending your emails.
If your SPF or DKIM records have issues, you’ll see it in the deliverability report so you can take action to update them.
If your emails are being sent to spam, you’ll be notified.
Using Free Tools to Check Your Email Setup
There are also free tools like spamtester.ai and Check MX that will review your domain setup and let you know if any issues are present.
spamtester.ai will ask you to send a test email to their inboxes, and the service will scan your email for issues.
Then, it will generate a report analyzing all of your domain’s potential areas for improvement. If everything is set up correctly, you should see a green check and the “You’re properly authenticated” message, and two sections mentioning your SPF and DKIM.
If you’re missing any essential records, spamtester.ai will tell you which ones are missing so it’ll be easy for you to add them.
Check MX is a free tool from Google that offers a similar service. Run your domain through it, and wait for the results.
Here’s what your results will look like if your SPF and DKIM records are correctly set up in Check MX:
These tools make it fast and straightforward to review your email setup. If there’s an issue, you’ll be told exactly what it is and given instructions on how to fix it.
You may have also seen DMARC being referenced on your email account.
It’s another email authentication system that helps you protect your domain against spoofing.
It requires that you have your DKIM and SPF records set up before implementing it.
DMARC works by telling email servers what to do if they receive an email from your domain, either: do nothing, quarantine the email, or reject it completely.
If your SPF and DKIM records on outgoing messages don’t match the records you defined in your admin console, DMARC will tell the receiving server to do what you’ve indicated.
For example, if your DMARC policy is set to ‘none’, then the receiving inbox will receive them normally (even if there’s a risk the email isn’t really from you). Quarantine tells the inbox to send emails to the spam folder. Reject tells the inbox to reject them.
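How a receiver could turn the SPF and DKIM results into one of those three outcomes, as an added Python example (not code from this article or any mail provider). The record, domains and results are constructed, and `aligned` is a simplified stand-in for DMARC's check that the authenticated domain belongs to the domain in the From address.

```python
def parse_dmarc(txt):
    """Return the tags of a DMARC TXT record, or None if it is not a usable policy."""
    tags = {k.strip().lower(): v.strip()
            for k, v in (p.split("=", 1) for p in txt.split(";") if "=" in p)}
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags


def aligned(auth_domain, from_domain):
    """Simplified relaxed alignment: same domain or a subdomain of the From domain.
    (Real receivers compare organizational domains using the Public Suffix List.)"""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f or a.endswith("." + f)


def dmarc_disposition(from_domain, record_txt, spf, dkim):
    """spf and dkim are (result, authenticated_domain) pairs from the earlier checks."""
    policy = parse_dmarc(record_txt)
    if policy is None:
        return "no policy"
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain)
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain)
    if spf_ok or dkim_ok:                   # one aligned pass is enough
        return "deliver"
    return {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}[policy["p"]]


# Constructed cases for mail whose From address is at example.com
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
LEGIT = dmarc_disposition("example.com", RECORD,
                          spf=("pass", "bounce.mailer.example"), dkim=("pass", "example.com"))
SPOOFED = dmarc_disposition("example.com", RECORD,
                            spf=("pass", "unrelated.example"), dkim=("none", ""))
```

`LEGIT` is delivered because its DKIM signature is from `example.com`, even though SPF passed for the mailing service's own bounce domain; `SPOOFED` goes to the spam folder because its only pass is for a domain unrelated to the From address.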
You don’t need to set up DMARC, but it’s worth doing because it’s another measure to prove to ESPs that you care about the health of your email account and want to ensure good deliverability.
Once your DKIM and SPF records are set up, you can begin sending emails and have a strong degree of confidence that they won’t land in spam filters.
But, if your domain is new, there’s still a risk that your recipients’ inboxes don’t completely trust you.
To help prove to ESPs that you’re a trustworthy sender, you should warm up your domain before launching any high-volume email campaigns using MailFlow, which has a native integration with QuickMail.
MailFlow is an email warmup tool that is ideal for anyone who wants to improve their deliverability.
To start with the Auto-Warmer, sign up for MailFlow and connect the inbox you’re going to use to send emails.
Then, head to the settings tab, and go to the Auto Warmer. Add the number of daily emails you want to send. A best practice for this is to start with a low volume on a new domain, and slowly work up from there. If you buy a new domain and immediately start sending hundreds of emails per day, ESPs will know something isn’t right.
Once you’ve set that up, the Auto Warmer will start automatically sending and replying to your emails for you, generating real positive engagement on them.
You’ll know exactly where your emails are landing — in the main inbox, spam, or other folders — thanks to the MailFlow Auto Warmer Report.
If you notice your emails are being sent to spam too often, you can review your DKIM and SPF records, and review your email campaigns for problems that could be causing the deliverability issues.
Setting up both SPF and DKIM records is a crucial step in ensuring your domain’s email deliverability stays high.
It may seem complicated at first if you’re not a technical person, but the steps are easy to follow, and all email service providers will have detailed instructions on how to implement them.
The process won’t take long, and it’ll have a huge payoff as you’ll be sure that your email campaigns are landing in your recipients’ inboxes.