Sign In
Cold Outreach

Avoid the Spam Filter Made Simple

By Article Monster
October 5, 2025
28 min read

Avoid the Spam Filter: Mastering Authentication for Email Deliverability

hubspot-email-marketing-tactics-to-boost-roi/" class="internal-link" title="3 Hubspot Email Marketing Tactics to Boost ROI">Email marketing is a crucial tool for businesses, but its effectiveness hinges on deliverability. Landing in the spam folder is a death sentence for your message. This article provides a deep dive into a critical aspect of avoiding spam filters: email authentication. We’ll explore the technical details of SPF, DKIM, and DMARC, and how to configure them correctly to ensure your emails reach the intended recipients’ inboxes. By implementing these authentication methods effectively, you can significantly improve your email deliverability and protect your domain’s reputation.

SPF Demystified: Authorizing Sending Servers

Avoid the spam filter - Illustration showing the SPF process: an email being sent from a server, the recipient server checking the sender's SPF record, and the email being delivered to the inbox.

Sender Policy Framework (SPF) is an email authentication method used to prevent spammers from sending messages on behalf of your domain. It works by creating a DNS record that lists all the mail servers authorized to send email from your domain. When a receiving mail server receives an email claiming to be from your domain, it checks the SPF record to verify that the sending server is authorized. If the sending server is not listed in the SPF record, the receiving server may reject the email or mark it as spam.

The core principle of SPF revolves around explicitly defining which servers are permitted to send emails using your domain. This prevents unauthorized sources from spoofing your email address, a common tactic employed in phishing and spam campaigns. By carefully crafting your SPF record, you can drastically reduce the chances of your legitimate emails being flagged as suspicious.

Understanding the SPF Record Syntax

An SPF record is a TXT record in your domain’s DNS settings. It consists of a version number (“v=spf1”) followed by a series of mechanisms and qualifiers that define the authorized sending servers. Let’s break down some common mechanisms:

  • a: Specifies that the IP address of the sending server must match the IP address of the domain name specified. For example, a:example.com.
  • mx: Specifies that the sending server must be listed as a mail exchanger (MX record) for the domain name specified. For example, mx:example.com.
  • ip4: Specifies an IPv4 address or range that is authorized to send email. For example, ip4:192.168.1.1 or ip4:192.168.1.0/24.
  • ip6: Specifies an IPv6 address or range that is authorized to send email. For example, ip6:2001:db8::1 or ip6:2001:db8::/32.
  • include: Includes the SPF record of another domain. This is useful if you use a third-party email service provider. For example, include:servers.mcsv.net (Mailchimp) or include:_spf.google.com (Google Workspace).
  • all: Specifies how to handle emails that do not match any of the previous mechanisms. Common qualifiers are:
    • +all: Accept all emails (not recommended, defeats the purpose of SPF).
    • -all: Fail all emails that don’t match any other mechanism (hard fail).
    • ~all: Soft fail – mark emails that don’t match as suspicious, but accept them (more lenient).
    • ?all: Neutral – indicates no opinion, which is essentially ignoring SPF (not recommended).

Important: Only one SPF record is allowed per domain. Multiple SPF records can cause unpredictable behavior and are generally ignored by receiving mail servers.

Practical Examples of SPF Records

Here are a few examples of SPF records and explanations of what they do:

v=spf1 a mx -all

This SPF record allows email to be sent from the servers listed in the ‘A’ record and ‘MX’ record for the domain. Any email originating from other servers will fail the SPF check (hard fail).

v=spf1 ip4:192.0.2.0/24 include:servers.mcsv.net ~all

This SPF record allows email to be sent from any IP address within the 192.0.2.0/24 range and from any server authorized by Mailchimp (using the `include` mechanism). Emails from other sources will be marked as suspicious (soft fail).

v=spf1 ip4:203.0.113.10 ip6:2001:db8:1::1 include:_spf.google.com -all

This record allows email to be sent from the IPv4 address 203.0.113.10, the IPv6 address 2001:db8:1::1, and any server authorized by Google Workspace. Emails failing these checks will be hard failed.

Testing Your SPF Record

After creating or modifying your SPF record, it’s crucial to test it to ensure it’s configured correctly. You can use online SPF record checkers to validate your record’s syntax and functionality. Tools like “MXToolbox SPF Record Check” or “Dmarcian’s SPF Surveyor” are excellent resources.

To test your SPF configuration thoroughly, send test emails from each of your authorized sending servers to an external email address (e.g., Gmail, Yahoo Mail) and examine the email headers. The headers will contain information about the SPF check result. Look for “Received-SPF: pass” to confirm that SPF is working correctly. If you see “Received-SPF: fail” or “Received-SPF: neutral”, you need to review and correct your SPF record.

DKIM Signatures: Proving Email Authenticity

Avoid the spam filter - Illustration showing the DKIM process: an email being signed by the sender's server using a private key, the email being sent, and the recipient server verifying the signature using the public key from the DNS record.

DomainKeys Identified Mail (DKIM) is another essential email authentication method that adds a digital signature to your outgoing emails. This signature allows receiving mail servers to verify that the email was indeed sent from your domain and that the content hasn’t been tampered with during transit. Unlike SPF, which focuses on authorizing sending servers, DKIM focuses on verifying the integrity and authenticity of the email content itself.

DKIM works by using cryptographic keys: a private key that resides on your sending server and a public key that is published in your DNS records. When an email is sent, the sending server uses the private key to generate a digital signature based on the email’s headers and body. This signature is then added to the email header. The receiving server retrieves the public key from your DNS records and uses it to verify the signature. If the signature is valid, the receiving server can be confident that the email is authentic and hasn’t been altered.

Understanding the DKIM Record and Signature

The DKIM process involves two key components: the DKIM DNS record and the DKIM signature in the email header.

DKIM DNS Record: This is a TXT record in your DNS settings that contains the public key. The record has the following structure:

selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD...AQAB"

Let’s break down the components:

  • selector: A name you choose to identify the key pair. This allows you to have multiple DKIM keys for different purposes or servers. A common selector is “default”.
  • _domainkey.example.com: This is the subdomain where the DKIM record is located. Replace “example.com” with your actual domain.
  • v=DKIM1: Specifies the DKIM version.
  • k=rsa: Specifies the key type (RSA is the most common).
  • p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD…AQAB: This is the public key itself, encoded in base64. This will be a very long string of characters.

DKIM Signature in Email Header: The DKIM signature is added to the email header and contains information about how the email was signed. It looks something like this:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com;
  s=default; t=1678886400;
  bh=jE0U/9yU0sPq7/g7k0vS20pP38c=;
  h=From:To:Subject;
  b=dzdVcj2zNr5e22Vt13r629486409228464864...

Key fields in the DKIM signature include:

  • v: The DKIM version.
  • a: The signing algorithm (e.g., rsa-sha256).
  • c: The canonicalization algorithm used for headers and body (e.g., relaxed/relaxed).
  • d: The signing domain.
  • s: The selector used to find the public key in DNS.
  • t: The signature timestamp.
  • bh: The body hash (a cryptographic hash of the email body).
  • h: The list of headers included in the signature.
  • b: The actual digital signature.

Practical Examples of DKIM Configuration

The specific steps for configuring DKIM vary depending on your mail server or email service provider. Here are examples for common scenarios:

Example 1: Using Google Workspace (Gmail for Business)

  • Sign in to your Google Admin console.
  • Go to Apps > Google Workspace > Gmail > Authenticate email.
  • Select the domain you want to configure DKIM for.
  • Click “Generate new record”.
  • Google will provide you with a TXT record value (including the public key).
  • Add this TXT record to your domain’s DNS settings, using “google._domainkey” as the hostname (selector). Allow up to 48 hours for DNS propagation.
  • In the Google Admin console, click “Start authentication” to enable DKIM.

Example 2: Using Postfix on Linux

  • Install OpenDKIM: sudo apt-get install opendkim opendkim-tools (Debian/Ubuntu) or sudo yum install opendkim opendkim-tools (CentOS/RHEL).
  • Generate a DKIM key pair: opendkim-genkey -t -d example.com -s default. This will create two files: `default.private` (the private key) and `default.txt` (the public key).
  • Move the private key to `/etc/opendkim/keys/`: sudo mv default.private /etc/opendkim/keys/default.
  • Set the correct ownership and permissions: sudo chown opendkim:opendkim /etc/opendkim/keys/default; sudo chmod 600 /etc/opendkim/keys/default.
  • Edit `/etc/opendkim.conf` and configure the following:
    • `Domain example.com`
    • `KeyFile /etc/opendkim/keys/default`
    • `Selector default`
    • `Socket inet:8891@localhost`
  • Edit `/etc/default/opendkim` and set `SOCKET=”inet:8891@localhost”`.
  • Edit `/etc/postfix/main.cf` and add the following lines:
    • `milter_default_action = accept`
    • `milter_protocol = 2`
    • `smtpd_milters = inet:localhost:8891`
    • `non_smtpd_milters = inet:localhost:8891`
  • Restart OpenDKIM and Postfix: sudo systemctl restart opendkim; sudo systemctl restart postfix.
  • Add the contents of `default.txt` (the public key) as a TXT record to your domain’s DNS settings, using “default._domainkey” as the hostname.

Example 3: Using SendGrid

  • Log in to your SendGrid account.
  • Go to Settings > Sender Authentication > Domain Authentication.
  • Click “Get Started” and follow the instructions to add the necessary DNS records (including the DKIM record) to your domain. SendGrid will provide the exact record values and hostnames to use.

Verifying DKIM Configuration

After configuring DKIM, send a test email from your sending server to an external email address (e.g., Gmail, Yahoo Mail). Examine the email headers. Look for the “DKIM-Signature” header and check the “Authentication-Results” header for a “dkim=pass” result. This confirms that DKIM is working correctly. If you see “dkim=fail” or the DKIM-Signature is missing, review your configuration and DNS records.

Online DKIM checkers can also help you verify your DKIM configuration. These tools typically ask for your domain and selector, and then query your DNS records to check if the public key is published correctly.

DMARC Policy: Enforcing Authentication and Reporting

Domain-based Message Authentication, Reporting & Conformance (DMARC) builds upon SPF and DKIM to provide a comprehensive email authentication framework. DMARC allows you to specify how receiving mail servers should handle emails that fail SPF and/or DKIM checks. More importantly, it provides a reporting mechanism that allows you to monitor email activity originating from your domain, helping you identify and address potential spoofing or unauthorized sending sources.

Think of DMARC as the policy enforcer. It tells receiving mail servers what to do when SPF and DKIM checks don’t align. Should they reject the message outright? Quarantine it? Or simply do nothing? The beauty of DMARC lies in its reporting capabilities. You can receive regular reports detailing email activity associated with your domain, giving you valuable insights into potential abuse and authentication issues. These reports allow you to fine-tune your SPF and DKIM configurations and strengthen your overall email security posture.

Understanding the DMARC Record

The DMARC record is a TXT record published in your DNS settings under the `_dmarc` subdomain. It defines your DMARC policy and specifies where to send aggregate reports.

_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensic-reports@example.com; adkim=r; aspf=r; fo=1"

Let’s break down the components of the DMARC record:

  • v=DMARC1: Specifies the DMARC version.
  • p: The policy to apply to emails that fail SPF and/or DKIM checks. Possible values are:
    • none: Take no action (monitoring mode). Receiving servers should deliver the email as usual. This is the safest option to start with.
    • quarantine: Mark the email as spam or move it to the junk folder.
    • reject: Reject the email outright. The receiving server should not deliver the email.
  • rua: The email address(es) to which aggregate reports should be sent. These reports contain summarized information about email activity originating from your domain.
  • ruf: The email address(es) to which forensic reports (also known as failure reports) should be sent. These reports provide more detailed information about individual emails that failed authentication. However, many mail providers do not send forensic reports due to privacy concerns.
  • adkim: Alignment mode for DKIM. Possible values are:
    • r: Relaxed alignment. DKIM passes if the domain in the ‘d=’ tag of the DKIM signature matches the organizational domain of the ‘From:’ address.
    • s: Strict alignment. DKIM passes only if the domain in the ‘d=’ tag of the DKIM signature exactly matches the ‘From:’ address.
  • aspf: Alignment mode for SPF. Possible values are:
    • r: Relaxed alignment. SPF passes if the domain used for the SPF check matches the organizational domain of the ‘From:’ address.
    • s: Strict alignment. SPF passes only if the domain used for the SPF check exactly matches the ‘From:’ address.
  • fo: Failure reporting options. This tag specifies when forensic reports should be generated. A value of “1” means that forensic reports should be generated if both SPF and DKIM fail to authenticate the message.

DMARC Policy Options: None, Quarantine, and Reject

Choosing the right DMARC policy is crucial. It’s generally recommended to start with `p=none` and gradually move to more restrictive policies as you gain confidence in your SPF and DKIM configurations. Here’s a breakdown of each policy:

  • p=none: This policy is for monitoring only. Receiving mail servers will deliver all emails, regardless of whether they pass or fail SPF and DKIM checks. You’ll receive DMARC reports that provide valuable insights into your email traffic. Use this policy to identify legitimate sending sources that may not be properly authenticated.
  • p=quarantine: This policy instructs receiving mail servers to mark emails that fail SPF and/or DKIM checks as spam or move them to the junk folder. This is a good intermediate step after `p=none`.
  • p=reject: This is the most restrictive policy. Receiving mail servers will reject emails that fail SPF and/or DKIM checks. This policy provides the strongest protection against email spoofing but should only be implemented after you’ve thoroughly tested your SPF and DKIM configurations and are confident that all legitimate email is properly authenticated. Implementing `p=reject` prematurely can result in legitimate emails being blocked.

Practical Examples of DMARC Records and Implementation

Here are some example DMARC records and how to implement them:

_dmarc.example.com. IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

This is a basic DMARC record for monitoring. It tells receiving servers to deliver all emails as usual and send aggregate reports to `dmarc-reports@example.com`. This is the recommended starting point.

_dmarc.example.com. IN TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensic-reports@example.com; pct=50"

This DMARC record instructs receiving servers to quarantine emails that fail SPF and/or DKIM checks and send aggregate and forensic reports to the specified email addresses. The `pct=50` tag specifies that only 50% of failing emails should be quarantined. This allows you to gradually roll out the quarantine policy and monitor the impact.

_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

This DMARC record instructs receiving servers to reject emails that fail SPF and/or DKIM checks. It also specifies strict alignment for both DKIM and SPF. This is the most restrictive policy and should only be implemented after thorough testing.

Implementing DMARC: A Step-by-Step Approach

  • Step 1: Implement SPF and DKIM. Ensure that your SPF and DKIM records are correctly configured and that all legitimate email is properly authenticated.
  • Step 2: Deploy a DMARC record with `p=none`. Monitor your DMARC reports to identify any issues with your SPF and DKIM configurations and to identify any unauthorized sending sources.
  • Step 3: Analyze DMARC reports. Use a DMARC reporting tool or manually analyze the aggregate reports to understand your email traffic and identify any authentication failures.
  • Step 4: Address authentication failures. Correct any issues with your SPF and DKIM configurations and authorize any legitimate sending sources that are not currently authenticated.
  • Step 5: Gradually move to a more restrictive policy. Once you’re confident that all legitimate email is properly authenticated, gradually move to `p=quarantine` and then `p=reject`. Use the `pct` tag to gradually roll out the policy.
  • Step 6: Continuously monitor DMARC reports. Even after implementing `p=reject`, continue to monitor your DMARC reports to ensure that your email authentication is working correctly and to identify any potential issues.

Implementation Best Practices: DNS Records and Testing

Implementing SPF, DKIM, and DMARC correctly is crucial for maximizing their effectiveness. Incorrectly configured records can lead to legitimate emails being blocked or marked as spam. This section outlines best practices for creating and managing your DNS records, as well as strategies for thorough testing and verification.

Best Practices for DNS Record Configuration

  • Use a DNS record checker: Before publishing your DNS records, use a DNS record checker to validate their syntax and ensure they are correctly formatted. Tools like MXToolbox or Google Admin Toolbox Dig can help you identify errors.
  • Check for DNS propagation: After publishing your DNS records, allow sufficient time for them to propagate across the internet. This can take up to 48 hours, although it’s often much faster. Use a DNS propagation checker to verify that your records are visible from different locations around the world.
  • Avoid exceeding the DNS lookup limit: SPF records have a limit of 10 DNS lookups. Exceeding this limit can cause SPF checks to fail. Use the `include` mechanism sparingly and avoid nested `include` statements. Consider using the `ip4` and `ip6` mechanisms to directly list authorized IP addresses where possible.
  • Keep your records up to date: Regularly review your SPF, DKIM, and DMARC records to ensure they are accurate and up to date. Update them whenever you change your sending infrastructure or email service providers. This is especially important if you use cloud-based services that may change their IP addresses.
  • Use a descriptive selector for DKIM: Choose a descriptive selector for your DKIM keys that makes it easy to identify the key pair. For example, you could use the name of the sending server or application.
  • Use a strong key length for DKIM: Use a key length of at least 2048 bits for your DKIM keys. Shorter key lengths are considered less secure and may be rejected by some receiving mail servers.
  • Monitor your DMARC reports: Regularly monitor your DMARC reports to identify any issues with your email authentication and to identify any unauthorized sending sources.
  • Use a DMARC record generator: Use a DMARC record generator to create your DMARC record. These tools can help you avoid syntax errors and ensure that your record is correctly formatted.

Testing and Verification Strategies

Thorough testing is essential to ensure that your SPF, DKIM, and DMARC configurations are working correctly. Here are some testing strategies:

  • Send test emails: Send test emails from each of your authorized sending servers to an external email address (e.g., Gmail, Yahoo Mail). Examine the email headers to verify that SPF and DKIM are passing. Look for the “Authentication-Results” header to see the results of the authentication checks.
  • Use online testing tools: Use online testing tools to verify your SPF, DKIM, and DMARC configurations. These tools can help you identify errors and ensure that your records are correctly formatted. Examples include MXToolbox, Dmarcian’s SPF Surveyor, and Agari’s DMARC Validator.
  • Simulate authentication failures: Intentionally create authentication failures to test how receiving mail servers handle them. For example, send an email from an unauthorized IP address to see if it’s marked as spam or rejected. You can also modify the email content after it’s been signed with DKIM to see if the signature verification fails.
  • Analyze DMARC reports: Analyze your DMARC reports to identify any authentication failures and to understand how receiving mail servers are handling your emails. Pay attention to the “Disposition” field in the reports, which indicates whether emails were delivered, quarantined, or rejected.
  • Use a DMARC monitoring service: Consider using a DMARC monitoring service to automate the analysis of your DMARC reports and to provide alerts when there are any issues with your email authentication. These services can help you identify and address problems more quickly and efficiently.

Specific Testing Examples

Here are a couple of specific testing examples:

Example 1: Testing SPF with `dig` command

dig txt example.com

This command will query the DNS records for `example.com` and return the TXT records, including the SPF record. Verify that the SPF record is present and correctly formatted. If the output doesn’t show the `v=spf1` record, then SPF is not correctly set up. The output will show a string starting with `v=spf1` followed by the SPF mechanisms.

Example 2: Checking DKIM with `openssl` and email headers

  • First, send an email from your server to a Gmail address and view the original message in Gmail. Copy the DKIM-Signature header.
  • Then, copy the entire content of the email and save it to a file, for example, `email.txt`.
  • Get the public key from the DNS record (using `dig` as shown above) for your domain and selector.
  • Use `openssl` to verify the signature. This is a complex process involving decoding the base64 signature and hashing the message, but automated online tools can simplify this process. There are numerous online DKIM validators that you can paste the email headers and body into.

By implementing these best practices and testing strategies, you can ensure that your SPF, DKIM, and DMARC configurations are working correctly and that your emails are more likely to reach the intended recipients’ inboxes.

Monitoring and Maintenance: Staying Ahead of Spam Filters

Implementing SPF, DKIM, and DMARC is not a one-time task. Continuous monitoring and maintenance are essential to ensure that your email authentication remains effective and that your emails continue to reach the intended recipients’ inboxes. Spam filters are constantly evolving, and new threats are emerging all the time. Regular monitoring and maintenance will help you stay ahead of the curve and protect your domain’s reputation.

The Importance of DMARC Report Analysis

DMARC reports are a valuable source of information about your email traffic. They provide insights into the authentication status of your emails and help you identify any potential issues. Regularly analyzing your DMARC reports is crucial for maintaining your email deliverability.

DMARC reports are typically sent as XML files attached to emails. These reports can be difficult to read and analyze manually. Fortunately, there are many DMARC reporting tools available that can automate the analysis of your reports and provide you with a user-friendly dashboard.

Key metrics to monitor in your DMARC reports include:

  • SPF pass rate: The percentage of emails that pass the SPF check. A low SPF pass rate may indicate that you have unauthorized sending sources or that your SPF record is not correctly configured.
  • DKIM pass rate: The percentage of emails that pass the DKIM check. A low DKIM pass rate may indicate that you have issues with your DKIM configuration or that your emails are being tampered with during transit.
  • DMARC pass rate: The percentage of emails that pass the DMARC check. This is the most important metric to monitor, as it reflects the overall effectiveness of your email authentication.
  • Disposition: The action taken by receiving mail servers on emails that fail SPF and/or DKIM checks. This indicates whether emails were delivered, quarantined, or rejected.
  • Sending sources: The IP addresses and domains from which your emails are being sent. This helps you identify legitimate sending sources that may not be properly authenticated, as
email deliverabilityemail marketingemail tipsinbox deliveryspam filter

Share this article