Email security best practices for using SPF, DKIM, and DMARC

Reading Time: 6 minutes

Whether you send transactional emails or welcome a new employee to your company, you want your messages to reach their intended audience. The internet is constantly changing, and cyberthreats evolve daily, which means that your business needs a secure email server.

To combat these active threats, companies use email security standards, such as SPF, DKIM, and DMARC, to protect their sensitive information. By using these security standards, your business can configure them to mitigate the risks that go with email communication.

However, simply configuring these email protocols isn't enough to protect your company. Fortunately, there are some best practices you can use to protect yourself from cyberattacks. Continue reading to learn the SPF, DKIM, and DMARC best practices we recommend to maintain optimal email security.

Key points

After you read this article, you will have a better understanding of the following topics:

  • Best practices for email security for your business
  • The main email authentication methods
  • Why should you use email security best practices
  • Benefits of using SPF, DKIM, and DMARC email authentication
  • Maintaining your email account with trusted email security protocols
  • Sender Policy Framework (SPF)
  • DomainKeys Identified Mail (DKIM)
  • Domain-based Message Authentication, Reporting & Conformance (DMARC)

Incorporating best practices for email security for your business

The whole point of utilizing the best email security practices is email authentication, meaning your recipients know it’s you sending messages to them. With proper email authentication practices, your messages are authenticated by at least one of these protocols. However, without them, it's likely that your message won't reach anyone.

What are the main email authentication methods?

The main email protocols you can use are SPF, DKIM, and DMARC. Together, these policies act as a safety net to protect you and your email recipients. Without them, it's easy for cybercriminals to send fake messages pretending to be you. To avoid compromising themselves and their recipients, email senders use these email authentication methods, which are described in the next sections.

Sender Policy Framework (SPF)

Sender Policy Framework (SPF) is a digital tool that identifies what IP addresses are safe to use to send your messages. Your domain's email has a list of validated IP addresses that can send emails for you. When SPF is configured properly, your messages are compared to a list of sending sources in the SPF record.

DomainKeys Identified Mail (DKIM)

DomainKeys Identified Mail (DKIM) is a protocol that acts as a digital signature, using encryption techniques, to sign your email message and confirm that it wasn't altered during transit. By using public keys that are published in your DKIM records, email receivers can verify that your message came from you.

Domain-based Message Authentication, Reporting & Conformance (DMARC)

Domain-based Message Authentication, Reporting & Conformance (DMARC) is a protocol that uses three standard policies for handling messages and deciding how to handle them. DMARC also works in sync with DKIM and SPF, acting as an additional source of security. DMARC authenticates the domain of where each message comes from and can send XML reports to a server of your choice. These reports provide insights and help server admins decide how to apply email policies.

Why should you use email security best practices?

You may believe that it's easy to tell a fake email from an authentic one, but cybercriminals are getting smarter all the time. They can use technology to get past your defenses. Around the globe, there are over 30,000 websites hacked a day. Spammers want access to your domain for a variety of reasons:

  • To use your good IP reputation to carry out successful phishing attacks on unsuspecting recipients
  • To get sensitive data of your user base in order to commit fraud or cause more harm
  • To gain control of your domain through a password reset email

The reasons could go on and on about why hackers want your personal information. If you do decide to start utilizing the best email security practices, what are the benefits? Let's review them in the following section.

The benefits of using SPF, DKIM, and DMARC email authentication

If you're a business that serves your customers with email services, do you think you would still have customers if your domain seemed spammy? Chances are that your clients will leave your business for a business with higher standards. When using SPF, DKIM, and DMARC, you maintain a positive reputation and enjoy several other benefits.

Gain customer trust

As a business, you should never underestimate the power of having your customer's trust. When people do business with you, they want to see that you're trustworthy and take reasonable precautions.

If you're running an ecommerce store, and you send your email list multiple messages, they need to be able to trust that your messages are secure and not subjecting them to fraud. Keep high standards and do all you can to maintain their trust. Once you lose it, you'll never get out of the junk folder.

Protect your brand from cyberattacks

Hackers target small and large corporate businesses alike, so no one is safe. That's why you need strong email security to protect your domain from criminals. This notion falls under the same umbrella as trust.

You don't want your brand to be tarnished by someone pretending to be you and running scams. By using these protocols, you can ensure that your messages reach the intended recipients and keep your contacts safe from online scams.

Establish a rapport with your leads

Every online business needs new business leads. Without new leads, it's difficult to grow your business, or at the very least, keep it running smoothly. In email marketing, there are countless variables that may keep your messages from reaching potential clients; don't let improper email protocols be one of them.

How to maintain your email account with email security protocols

Whether you're sending marketing emails or communicating with business partners about important topics, you can check your server's records. Once you've detected each protocol, you can edit or change the settings to reflect best practices. Start with SPF.

Best practices for SPF

Remember, SPF protocol confirms the sending IP and compares it to a list of approved sources. Proper SPF protocol prevents domain spoofing, but here's how you can manage it successfully.

Don't crowd the SPF record

If you load too many sending sources onto your SPF record, there could be issues. Having too many sending sources can cause servers to reject your messages. If your messages are consistently flagged, this could result in a lower reputation and negatively affect deliverability rates.

Forget the +all component of your SPF record

While the convenience of the +all option may be undeniable, it can cause an issue with SPF. Instead of validating the necessary IP addresses for security concerns, the option selects all domains, even the ones that are fraudulent. With any domain authorized to send messages on your server, malicious actors can take advantage of you.

If you're not practical with your SPF protocol, your domain may be blocked altogether, which means your customers won't get your messages anymore. Earning that trust back is nearly impossible.

Best practices for DKIM

While you could enable the default settings for DKIM protocol, it's not advised. You know how when setting up a password for an account, the system rates your password from weak to strong? You could use a weak password, but it's easy to set a strong one, too. Here's how you can use DKIM to strengthen your domain.

Make DKIM keys longer

When validating your message, your recipient's server validates your credentials using a public key from the DKIM record. As a rule of thumb, your DKIM keys should be at least 1,024 bits long. Use this as a standard, or your DKIM keys can be ignored, which would render DKIM useless altogether. It may be best to make them longer or double the length to 2,048 bits.

Change your keys regularly

Sure, your DKIM keys may be strong right now, but there's no telling how many hackers have tried to break the cryptographic code. In any case, if a hacker tries hard enough, they can discover your DKIM key eventually and exploit your domain. You can prevent this by rotating your DKIM keys regularly.

If you have sensitive data, you should rotate your keys more often. The same goes for the key length. The more sensitive the data, the longer you should make the key. Also, give each customer a unique key; don't use the same ones.

Best practices for DMARC

What good is an extra layer of security if it has holes in it? If you haven't deployed DMARC yet, or are running a default policy, it's best to check your DMARC record and improve your protection.

Don't dismiss parked domains

Many view parked domains as inactive and unimportant, but a hacker can easily spoof these domains too. Don't be complacent. Configure a DMARC policy for your parked domains as well.

Try a gradual approach

When you're starting up your DMARC protocol, jumping straight to a reject policy could be a mistake. It's best to start with the p=none policy first so that you can monitor your DMARC reports as they come in to learn more about your status. After passing the monitoring phase, you can enable p=quarantine and then p=reject.

Even after you reach DMARC compliance, you should never call it quits. Hackers never quit; they just find new ways to poke holes in your defenses. The best course of action is to keep monitoring your domain for configuration issues or any other signs of a problem.


Using the best practices for proper email authentication will protect your domain and your recipients from spoofing, phishing, and other debilitating scams that could ruin your reputation. Only some of the best practices you could use were mentioned. Stay on top of these protocols and you'll have a trustworthy domain for your customers.

If you're running an ecommerce business, or trying to get your cloud-based SaaS company off the ground, maintaining a safe and trustworthy domain is paramount for your success.

At Liquid Web, we strive to be more than a reliable hosting service; we want to be your hosting partner. We understand that not every project is the same, but we specialize in developing a customized hosting solution that helps you meet your goals.

If you want to establish better email authentication protocols, you couldn't pick a better advocate. If you're interested in Liquid Web's Premium Business Email products, or want to discuss other options, contact us after reviewing all our product offerings.

Latest Articles

Controlling PHP settings with a custom php.ini file

Read Article

How to install Puppet Server on Linux (AlmaLinux)

Read Article

Email security best practices for using SPF, DKIM, and DMARC

Read Article

Linux dos2unix command syntax — removing hidden Windows characters from files

Read Article

Change cPanel password from WebHost Manager (WHM)

Read Article