Why Passing and Aligning Both SPF and DKIM Is Key to Email Deliverability

Posted by Aaron Stevenson on

For an email to pass the DMARC (Domain-based Message Authentication Reporting and Conformance), it needs to either pass and align SPF (Sender Policy Framework) or pass and align DKIM (DomainKeys Identified Mail).

Thus, many senders assume that it is perfectly acceptable to focus on passing and aligning either SPF or DKIM, rather than passing and aligning for both.

In fact, there are some instances where senders might not be able to fully implement one of these protocols, such as:

  • The email platform is on an older release of hardware/software and is not yet capable of signing DKIM.  
  • Senders use a third party to send marketing emails and, in order for them to manage bounce messages, they use that third party domain in the MFrom field (which does not match the Header From domain of the brand, and will therefore not align for SPF).
  • A sender’s email service provider signs emails with two DKIM signatures, which as we discussed in a previous blog post, can cause DKIM alignment problems.
  • Bounce messages disrupt SPF alignment processes.

As we stated above, authentication and alignment of just one protocol—SPF or DKIM—is sufficient for emails to pass DMARC, and none of the scenarios above will necessarily stop a sender from implementing a DMARC “reject” policy. So, why do we recommend that you endeavour to have both SPF and DKIM passing and aligning?

Why senders should go beyond the bare minimum
In addition to contributing to the wider picture of what “good” email looks like (mailbox providers rely on senders to clean up our authentication processes), SPF and DKIM, when both are passing and aligning, back each other up.

Both protocols come with their own pitfalls and nuances that can affect their implementation and ongoing maintenance, including transient errors that can occur when packets of data are lost and transmissions fail randomly for a variety of reasons.

Senders who run into such intermittent problems with one authentication protocol and cannot fix that problem immediately could find a large proportion of their legitimate emails blocked due to DMARC failures. In addition, mailbox providers seem to favor senders who are passing and aligning with both SPF and DKIM, as our example from the field below shows.

An example from the field
One of Return Path’s clients implemented a DMARC “reject” policy across all their main sending domains, which sent a high volume of emails.

For eight domains, they sent a total of 33.2 million messages over a period of seven days.

Out of those emails, nearly six million had some sort of authentication failure (~18 percent). These failures, we discovered, were caused by DKIM authentication issues.

However, because this client was passing and aligning with SPF, the messages continued to pass DMARC at an acceptable level—they only had 1,800 DMARC failures (0.005%) and of these, only 264 (0.0008%) were blocked by the ISP.

If there had been more SPF failures, more emails would have failed DMARC, with no DKIM to provide back-up.

After we diagnosed and troubleshoot the underlying DKIM issues, and the sender’s emails were protected by both SPF and DKIM again, and we saw a drastic dip in authentication failures. When we looked at the same domains over a seven day period after the intervention, we saw:

  • Total legitimate messages: 40,676,391      
  • Total authentication failures: 46,785 (0.12 percent)
  • Total DMARC failures: 314 (0.0008 percent)
  • Total blocked messages: 82 (0.0002 percent)

This represents;

  • A 99.2 percent reduction in authentication failures
  • An 82.6 percent reduction in DMARC failures
  • A 68.9 percent reduction in blocked legitimate messages

pasted image 0 (12)

As you can see, following our best practice of having both SPF and DKIM configured to pass and align will provide your outbound emails with the greatest level of protection. Authentication using both protocols is the most resilient approach and will have a positive effect on your deliverability.

Want help implementing SPF and DKIM? The templates in our Email Authentication Kit will provide you with step-by-step instructions. Get the kit here.


Popular this Month

 Video in Email: Is It Right For Your Business? (Part 1)

Video in Email: Is It Right For Your Business? (Part 1)

Video in email is nothing new. Marketers have been using some form of video...

Read More

 The Intelligent Email Gathering

The Intelligent Email Gathering

The best day in email in 2017 is coming up this month. You don’t want to...

Read More

 Ask the Experts Gmail Webinar Q&A Continued

Ask the Experts Gmail Webinar Q&A Continued

We are really happy with the turnout for the Ask the Experts: All About...

Read More

Author Image

About Aaron Stevenson

Aaron Stevenson is a Strategic Project Manager at Return Path. He works closely with our clients to help them diagnose and resolve Email Authentication issues so that they can make full use of the Email Fraud Prevention capabilities of DMARC. Connect with him on Linkedin https://uk.linkedin.com/in/stevensonaaron

Author Archive

Stay up to date

Enter your name and email address below to subscribe to our mailing list.

Your browser is out of date.
For a better Return Path experience, click a link below to get the latest version.