Why Passing and Aligning Both SPF and DKIM Is Key to Email Deliverability
For an email to pass DMARC (Domain-based Message Authentication, Reporting and Conformance), it needs to either pass and align SPF (Sender Policy Framework) or pass and align DKIM (DomainKeys Identified Mail).
Thus, many senders assume that it is perfectly acceptable to focus on passing and aligning either SPF or DKIM, rather than passing and aligning for both.
In fact, there are some instances where senders might not be able to fully implement one of these protocols, such as:
- The email platform is on an older release of hardware/software and is not yet capable of signing DKIM.
- Senders use a third party to send marketing emails and, so that the third party can manage bounce messages, the third party's domain is used in the MFrom field (which does not match the Header From domain of the brand, and will therefore not align for SPF).
- A sender’s email service provider signs emails with two DKIM signatures, which, as we discussed in a previous blog post, can cause DKIM alignment problems.
- Bounce messages disrupt SPF alignment processes.
As we stated above, authentication and alignment of just one protocol—SPF or DKIM—is sufficient for emails to pass DMARC, and none of the scenarios above will necessarily stop a sender from implementing a DMARC “reject” policy. So, why do we recommend that you endeavour to have both SPF and DKIM passing and aligning?
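The DMARC rule and the partial-implementation scenarios above, worked through as an added Python example (not code from Return Path): it evaluates SPF and DKIM alignment against the Header From domain and reports when a message depends on a single mechanism. The domain names, function names, and the small suffix set standing in for the Public Suffix List are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumption: real receivers find the organizational domain via the Public
# Suffix List; this constructed set only covers the sample domains below.
MULTI_LABEL_SUFFIXES = {"co.uk"}

def org_domain(domain):
    labels = domain.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(auth_domain, header_from, strict=False):
    a, h = auth_domain.lower().rstrip("."), header_from.lower().rstrip(".")
    return a == h if strict else org_domain(a) == org_domain(h)

@dataclass
class Message:
    header_from: str   # domain in the visible From: header
    mfrom: str         # MAIL FROM (bounce) domain that SPF checks
    spf_result: str    # "pass", "fail", "temperror", ...
    dkim: list         # one (d= domain, result) tuple per signature

def evaluate_dmarc(msg, aspf_strict=False, adkim_strict=False):
    spf_ok = msg.spf_result == "pass" and aligned(msg.mfrom, msg.header_from, aspf_strict)
    # One passing signature whose d= aligns is enough; others are ignored.
    dkim_ok = any(res == "pass" and aligned(d, msg.header_from, adkim_strict)
                  for d, res in msg.dkim)
    return {"spf": spf_ok, "dkim": dkim_ok,
            "dmarc": "pass" if (spf_ok or dkim_ok) else "fail"}

def sole_dependency(msg):
    """Name the one mechanism carrying DMARC, or None if both or neither do."""
    r = evaluate_dmarc(msg)
    if r["spf"] != r["dkim"]:
        return "spf" if r["spf"] else "dkim"
    return None

# Constructed sample messages (example.* domains are placeholders).
SAMPLES = {
    "both_aligned": Message("brand.example", "bounce.brand.example", "pass",
                            [("brand.example", "pass")]),
    "third_party_mfrom": Message("brand.example", "esp-mail.example", "pass",
                                 [("brand.example", "pass")]),
    "dkim_broken": Message("brand.example", "bounce.brand.example", "pass",
                           [("brand.example", "fail")]),
    "no_backup": Message("brand.example", "esp-mail.example", "pass",
                         [("brand.example", "temperror")]),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, evaluate_dmarc(msg)["dmarc"], sole_dependency(msg))
```

A message for which `sole_dependency` returns a mechanism name still passes DMARC today, but one transient error in that mechanism turns it into the `no_backup` case.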
Why senders should go beyond the bare minimum
In addition to contributing to the wider picture of what “good” email looks like (mailbox providers rely on senders to clean up our authentication processes), SPF and DKIM, when both are passing and aligning, back each other up.
Both protocols come with their own pitfalls and nuances that can affect their implementation and ongoing maintenance, including transient errors that can occur when packets of data are lost and transmissions fail randomly for a variety of reasons.
Senders who run into such intermittent problems with one authentication protocol and cannot fix that problem immediately could find a large proportion of their legitimate emails blocked due to DMARC failures. In addition, mailbox providers seem to favor senders who are passing and aligning with both SPF and DKIM, as our example from the field below shows.
An example from the field
One of Return Path’s clients implemented a DMARC “reject” policy across all their main sending domains, which sent a high volume of emails.
For eight domains, they sent a total of 33.2 million messages over a period of seven days.
Out of those emails, nearly six million had some sort of authentication failure (~18 percent). These failures, we discovered, were caused by DKIM authentication issues.
However, because this client was passing and aligning with SPF, the messages continued to pass DMARC at an acceptable level—they only had 1,800 DMARC failures (0.005%) and of these, only 264 (0.0008%) were blocked by the ISP.
If there had been more SPF failures, more emails would have failed DMARC, with no DKIM to provide back-up.
After we diagnosed and troubleshot the underlying DKIM issues, and the sender’s emails were protected by both SPF and DKIM again, we saw a drastic dip in authentication failures. When we looked at the same domains over a seven-day period after the intervention, we saw:
- Total legitimate messages: 40,676,391
- Total authentication failures: 46,785 (0.12 percent)
- Total DMARC failures: 314 (0.0008 percent)
- Total blocked messages: 82 (0.0002 percent)
- A 99.2 percent reduction in authentication failures
- An 82.6 percent reduction in DMARC failures
- A 68.9 percent reduction in blocked legitimate messages
As you can see, following our best practice of having both SPF and DKIM configured to pass and align will provide your outbound emails with the greatest level of protection. Authentication using both protocols is the most resilient approach and will have a positive effect on your deliverability.
About Aaron Stevenson
Aaron Stevenson is a Strategic Project Manager at Return Path. He works closely with our clients to help them diagnose and resolve email authentication issues so that they can make full use of the email fraud prevention capabilities of DMARC. Connect with him on LinkedIn: https://uk.linkedin.com/in/stevensonaaron