SPF & DKIM Email Authentication

If you don’t want to have your emails rejected or sent to the SPAM folder, then you need to set up SPF and preferably DKIM as well for your email domains.

Starting November 2022, new senders who send email to personal Gmail accounts must set up either SPF or DKIM. Google performs random checks on new sender messages to personal Gmail accounts to verify they’re authenticated. Messages without at least one of these authentication methods will be rejected or marked as spam.

We recently became aware of this issue when we started getting the following email error when sending messages to Gmail accounts.

Other mail system problem 550 - This mail is unauthenticated, 
which poses a security risk to the sender and Gmail users, and has 
been blocked. The sender must authenticate with at least one of SPF 
or DKIM. For this message, DKIM checks did not pass and SPF check 
for [kintarla.com.au] did not pass with ip: [???.??.?.???].

What is SPF (Sender Policy Framework)?

SPF, is an email authentication protocol that allows a domain owner to list all the IP addresses authorized to send messages on their behalf. When an email is sent, the receiving server checks whether the associated domain has an SPF record and acts accordingly.

Figure 1. How SPF Works [credit]

If the sender’s IP address isn’t listed in the SPF record, the email fails SPF authentication and is either rejected or sent to the spam folder. This means scammers, spammers, and fraudsters can’t spoof your company’s domain. So even if you aren’t seeing your email being rejected, it is a good idea to have this in place.

One of the shortcomings of SPF is that emails forwarded by someone else will fail authentication, since the forwarders IP address is not listed in the SPF record. SPF also doesn’t protect a domain from hackers that can spoof the visible “from:” address or display name.

What is DKIM (Domain Keys Identified Mail)?

DKIM is an email authentication protocol that uses public cryptography to digitally sign every message so that the receiving mail server can verify the sender and the authenticity of the email.