DKIM, SPF, and DMARC: Email Authentication Explained for Indian Businesses
Email authentication is no longer optional. Learn how SPF, DKIM, and DMARC work, why Indian businesses need them, and how to set them up correctly.
In February 2024, Google and Yahoo changed the rules. Both providers began requiring bulk email senders (those sending more than 5,000 emails per day) to have SPF, DKIM, and DMARC authentication properly configured. Senders without authentication saw immediate deliverability drops, with some reporting that 30-50% of their emails were being rejected or routed to spam overnight.
For Indian businesses, where Gmail dominates the consumer inbox market with over 60% share and Google Workspace is the standard for business email, this was not a suggestion. It was an ultimatum. Yet months later, a significant number of Indian businesses still have incomplete or misconfigured authentication, silently losing deliverability with every campaign they send.
What Is Email Authentication and Why Does It Matter?
Email authentication is a set of protocols that allow receiving mail servers to verify that an email genuinely comes from the domain it claims to come from. Without authentication, anyone can send an email that appears to be from your domain, which is exactly what phishing attackers and spammers do.
Authentication serves two purposes: it protects your brand from being impersonated, and it proves to mailbox providers that your emails are legitimate, improving your chances of reaching the inbox.
Think of it as a digital passport for your emails. Just as you would not get through airport immigration without a valid passport, your emails increasingly cannot get through inbox filters without valid authentication.
SPF: Sender Policy Framework
What SPF Does
SPF allows you to declare which mail servers are authorized to send email on behalf of your domain. When a receiving server gets an email from your domain, it checks your SPF record (published as a DNS TXT record) to verify that the sending server is on the approved list.
How SPF Works
When you send an email from your domain (say, yourbrand.in), the receiving server performs a DNS lookup on your domain to find the SPF record. The SPF record contains a list of IP addresses and server domains that are authorized to send email for yourbrand.in. If the sending server's IP matches the list, the SPF check passes. If it does not match, the SPF check fails.
Setting Up SPF for Indian Businesses
Your SPF record is a single DNS TXT record on your domain. Here is the general structure:
v=spf1 include:_spf.google.com include:sendgrid.net include:mail.zoho.in -all
This record says: "Emails from my domain can legitimately come from Google (Workspace), SendGrid (ESP), and Zoho Mail. Reject emails from any other source."
Common Indian configurations:
- Google Workspace: include:_spf.google.com
- Zoho Mail: include:mail.zoho.in
- SendGrid: include:sendgrid.net
- Mailchimp: include:servers.mcsv.net
- Amazon SES: include:amazonses.com
- Netcore: include:spf.netcore.co.in
Critical rules:
- You can only have one SPF record per domain. Multiple SPF records cause both to fail. If you use multiple email services (which most Indian businesses do), combine all includes into a single SPF record.
- SPF records have a 10-DNS-lookup limit. Exceeding this limit causes SPF validation to fail. If you are using many services, you may need to optimize by replacing include statements with direct IP ranges.
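To make the single-record and 10-lookup rules concrete, here is an added Python example (not from the article) that evaluates a sender IP against an SPF record and counts the DNS lookups a record consumes, including the lookups hidden inside each include. It runs against a constructed in-memory DNS table rather than live DNS, and the netblocks in it are illustrative placeholders, not the providers' real ranges.

```python
import ipaddress
# Constructed TXT records standing in for live DNS (assumption: offline demo; the
# IP ranges are documentation prefixes, not the providers' real netblocks).
DNS_TXT = {
    "yourbrand.in": ["v=spf1 include:_spf.google.com include:mail.zoho.in ip4:203.0.113.0/24 -all"],
    "_spf.google.com": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "mail.zoho.in": ["v=spf1 ip4:192.0.2.0/24 -all"],
    # Two SPF records on one name: the misconfiguration the article warns about.
    "broken.example": ["v=spf1 include:_spf.google.com -all", "v=spf1 ip4:192.0.2.1 -all"],
}
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query
MAX_LOOKUPS = 10
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def get_spf(domain):
    """Return the domain's single SPF record; zero or several records is a permerror."""
    records = [r for r in DNS_TXT.get(domain, []) if r.startswith("v=spf1")]
    if len(records) != 1:
        raise ValueError(f"{domain}: {len(records)} SPF records, exactly one allowed")
    return records[0]

def split_term(term):
    """'include:x' -> ('+', 'include', 'x'); '-all' -> ('-', 'all', '')."""
    qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
    name, _, arg = mech.replace("=", ":", 1).partition(":")
    return qualifier, name.split("/")[0], arg

def count_lookups(domain, budget=None):
    """Count DNS-querying terms in the record and everything it includes or redirects to."""
    budget = [0] if budget is None else budget
    for _, name, arg in map(split_term, get_spf(domain).split()[1:]):
        budget[0] += name in LOOKUP_TERMS
        if name in ("include", "redirect"):
            count_lookups(arg, budget)
    return budget[0]

def evaluate(domain, ip):
    """Check a sending IP against the SPF record (ip4/include/all only; a/mx need live DNS)."""
    try:
        terms = get_spf(domain).split()[1:]
    except ValueError:
        return "permerror"
    for qualifier, name, arg in map(split_term, terms):
        matched = name == "all" or (name == "ip4" and ipaddress.ip_address(ip) in ipaddress.ip_network(arg, strict=False))
        if name == "include":
            inner = evaluate(arg, ip)
            if inner == "permerror":
                return "permerror"
            matched = inner == "pass"
        if matched:
            return RESULT[qualifier]
    return "neutral"
```

Run count_lookups against your own record before adding another include; the limit is counted across every nested include, not just the top-level record.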
SPF Limitations
SPF has a notable weakness: it only validates the envelope sender (the technical return-path address), not the visible "From" address that recipients see. This means SPF alone cannot prevent sophisticated spoofing. That is where DKIM and DMARC come in.
DKIM: DomainKeys Identified Mail
What DKIM Does
DKIM adds a cryptographic signature to every email you send. This signature is generated using a private key that only your sending server possesses, and it can be verified by receiving servers using a public key published in your DNS records. DKIM proves two things: the email genuinely originated from your domain, and the email content was not modified in transit.
How DKIM Works
When you send an email, your sending server computes a hash of the email content and signs it with your private key, producing a digital signature. This signature is added to the email as the DKIM-Signature header. When the receiving server gets the email, it retrieves your public key from DNS, uses it to verify the signature, and compares the signed hash with its own hash of the email content. If they match, the DKIM check passes.
Setting Up DKIM
DKIM setup varies by email service provider, but the general process involves two steps:
- Generate DKIM keys: Your ESP generates a public-private key pair. The private key stays on their servers; the public key is given to you as a DNS record.
- Publish the public key: Add the public key as a CNAME or TXT record in your DNS. The record name typically follows the pattern selector._domainkey.yourdomain.in.
Example DKIM DNS record:
google._domainkey.yourdomain.in CNAME google._domainkey.googlemail.com
Most Indian DNS providers, including GoDaddy India, Hostinger, BigRock, and Cloudflare, support the record types needed for DKIM. If you are using a less common Indian hosting provider, verify that they support CNAME records of sufficient length, as DKIM public keys can be lengthy.
DKIM Best Practices
- Use 2048-bit keys instead of 1024-bit for stronger security.
- Set up DKIM for every service that sends email on your behalf: your ESP, your transactional email provider, your CRM, and any other system that sends email from your domain.
- Rotate DKIM keys annually as a security practice.
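The body-hash half of DKIM, as an added example (not the article's or any provider's code): the signer computes bh= over the canonicalized body, and the verifier recomputes it from what it received, so a body altered in transit no longer matches; it also shows how the s= and d= tags give the verifier the DNS name to query. The RSA signature in b= is left as a placeholder because signing the listed headers needs the private key, which this offline demo does not model; the domain, selector and message body are constructed.

```python
import base64
import hashlib
import re

def canonicalize_body(body, mode="simple"):
    """RFC 6376 body canonicalization: 'simple' only drops trailing empty lines; 'relaxed'
    also strips trailing whitespace and folds runs of whitespace into one space."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" \t") for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(line + "\r\n" for line in lines) if lines else "\r\n"

def body_hash(body, mode="simple"):
    """The bh= tag: base64 of SHA-256 over the canonicalized body."""
    digest = hashlib.sha256(canonicalize_body(body, mode).encode()).digest()
    return base64.b64encode(digest).decode()

def parse_dkim_header(value):
    """Split 'v=1; a=rsa-sha256; d=...' into a tag dict, dropping folding whitespace in values."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            key, _, val = item.strip().partition("=")
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags

def dkim_dns_name(tags):
    """Where a verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def build_dkim_header(domain, selector, body, mode="relaxed"):
    """Signer side, body-hash part only. b= stays a placeholder: the RSA signature over the
    listed headers needs the private key, which this offline demo does not model (assumption)."""
    return (f"v=1; a=rsa-sha256; c={mode}/{mode}; d={domain}; s={selector}; "
            f"h=from:to:subject:date; bh={body_hash(body, mode)}; b=PLACEHOLDER")

def verify_body_hash(header_value, body):
    """Verifier side: recompute bh= over the received body; a mismatch means it was altered."""
    tags = parse_dkim_header(header_value)
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, body_mode) == tags["bh"]

# Constructed sample (not from the article): domain, selector and body are placeholders.
BODY = "Dear customer,\r\n\r\nYour order  has shipped.\r\n\r\n\r\n"
HEADER = build_dkim_header("yourbrand.in", "google", BODY)
```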
DMARC: Domain-Based Message Authentication, Reporting, and Conformance
What DMARC Does
DMARC is the policy layer that sits on top of SPF and DKIM. It tells receiving servers what to do when an email fails SPF and DKIM checks, and it provides reporting that shows you who is sending email using your domain.
How DMARC Works
DMARC adds two critical capabilities: a policy that instructs receiving servers how to handle authentication failures (none, quarantine, or reject), and a reporting mechanism that sends you daily reports about every email sent using your domain, including legitimate emails and fraudulent attempts.
DMARC Policies
- p=none: Monitor mode. Emails that fail authentication are still delivered, but you receive reports. Use this when first implementing DMARC to identify legitimate sending sources you may have missed.
- p=quarantine: Emails that fail authentication are sent to spam. This provides protection while giving you a safety net in case legitimate emails are misconfigured.
- p=reject: Emails that fail authentication are blocked entirely. This is the strongest protection and the eventual goal, but implement it only after confirming all legitimate sources pass authentication.
DMARC Implementation Roadmap for Indian Businesses
Week 1-2: Deploy p=none
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.in; ruf=mailto:dmarc-forensic@yourdomain.in; pct=100
Monitor reports for 2-4 weeks. Identify all legitimate sending sources and ensure they pass SPF and DKIM.
Week 3-6: Move to p=quarantine
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.in; pct=25
Start with pct=25 (apply quarantine to 25% of failing emails) and gradually increase to pct=100 as you confirm no legitimate emails are being affected.
Week 7+: Move to p=reject
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.in; pct=100
Full protection. All emails failing authentication are rejected.
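Added example (not from the article) of the decision DMARC adds on top of SPF and DKIM: whether the identifier that passed is aligned with the visible From domain, and what p= and pct= then do to a failing message. This is why an ESP that passes SPF under its own bounce domain but does not DKIM-sign with yours still fails DMARC. The public-suffix shortlist and the hash-based pct sampling are assumptions for the demo; real receivers use the full Public Suffix List and their own sampling.

```python
import hashlib

# Constructed public-suffix shortlist (assumption: a real implementation uses the full
# Public Suffix List so that e.g. 'co.in' is recognised as a suffix, not an organisation).
PUBLIC_SUFFIXES = {"in", "co.in", "com", "net"}

def org_domain(domain):
    """Organizational domain: the label just above the longest matching public suffix."""
    labels = domain.lower().split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return domain.lower()

def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def parse_dmarc(record):
    """'v=DMARC1; p=quarantine; pct=25' -> {'v': 'DMARC1', 'p': 'quarantine', 'pct': '25'}."""
    return dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)

def dmarc_result(record, from_domain, spf_pass, envelope_domain, dkim_pass, dkim_domain):
    """'pass' if SPF or DKIM passed AND its domain aligns with the visible From domain."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(envelope_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else "fail"

def disposition(record, dmarc_res, message_id):
    """What happens to a message under p= and pct=. Sampling must be stable per message, so a
    hash of a message id picks the bucket (assumption: receivers choose their own method)."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none")
    if dmarc_res == "pass" or policy == "none":
        return "none"
    bucket = int(hashlib.sha256(message_id.encode()).hexdigest(), 16) % 100
    if bucket >= int(tags.get("pct", "100")):
        # Not in the sampled share: RFC 7489 applies the next weaker policy instead
        return "quarantine" if policy == "reject" else "none"
    return policy
```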
Reading DMARC Reports
DMARC aggregate reports (rua) are XML files sent daily by receiving mail servers. They are not human-readable in raw form. Use a DMARC reporting tool like Valimail, dmarcian, Postmark's free DMARC tool, or the Indian service PowerDMARC to parse and visualize these reports. These tools show you which IPs are sending email using your domain, whether they pass or fail authentication, and the volume of emails from each source.
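To show what the raw XML actually contains, here is an added Python example (not the article's) that summarizes a constructed aggregate report per source IP: message counts, the aligned SPF/DKIM verdicts, the disposition applied, and which domains actually authenticated. The report is trimmed to the elements the summary reads; real reports carry more fields and arrive as compressed attachments.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C shape (assumption: trimmed to the
# elements this summary reads; real reports carry more fields and arrive gzip- or zip-compressed).
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-1</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>yourbrand.in</domain><p>quarantine</p><pct>25</pct></policy_published>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.in</header_from></identifiers>
    <auth_results><dkim><domain>yourbrand.in</domain><result>pass</result></dkim>
      <spf><domain>yourbrand.in</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.9</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourbrand.in</header_from></identifiers>
    <auth_results><spf><domain>unknown-sender.example</domain><result>pass</result></spf></auth_results>
  </record>
</feedback>"""

def summarize(xml_text):
    """Per source IP: message count, aligned SPF/DKIM verdicts, disposition, and which domains
    actually authenticated (an unaligned SPF pass shows up here as a foreign domain)."""
    root = ET.fromstring(xml_text)
    summary = {"domain": root.findtext("policy_published/domain"),
               "policy": root.findtext("policy_published/p"), "sources": {}}
    for rec in root.findall("record"):
        verdicts = (rec.findtext("row/policy_evaluated/dkim"), rec.findtext("row/policy_evaluated/spf"))
        summary["sources"][rec.findtext("row/source_ip")] = {
            "count": int(rec.findtext("row/count")),
            "dmarc_pass": "pass" in verdicts,   # DMARC passes when either aligned check passes
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "auth_domains": sorted({d.text for d in rec.findall("auth_results/*/domain")}),
        }
    return summary

def failing_sources(summary):
    """IPs whose mail failed DMARC: either a sender missing from SPF/DKIM, or someone else's."""
    return [ip for ip, s in summary["sources"].items() if not s["dmarc_pass"]]
```

A failing IP with a foreign domain under auth_domains, as in the second record, is the signature of a sender that was never authorized for your domain; a failing IP that belongs to one of your own providers is a missing include or DKIM setup.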
Verification: Confirming Your Setup
After configuring all three protocols, verify your setup using these free tools:
- MXToolbox: Check SPF, DKIM, and DMARC records individually.
- Google Admin Toolbox Check MX: Specifically validates Google Workspace authentication.
- Mail Tester (mail-tester.com): Send a test email and get a comprehensive deliverability score including authentication checks.
- DMARC Analyzer: Monitor ongoing authentication performance.
Common Mistakes Indian Businesses Make
- Multiple SPF records: Having two SPF TXT records on the same domain. Only one is allowed.
- Missing includes: Configuring SPF for Google Workspace but forgetting to add your ESP, leading to ESP-sent emails failing SPF.
- Skipping DKIM on third-party services: Setting up DKIM for your main email but not for your marketing automation tool or CRM.
- Jumping to p=reject too quickly: Moving to reject policy without monitoring reports first, accidentally blocking legitimate emails.
- Ignoring DMARC reports: Setting up DMARC but never reading the reports, missing unauthorized use of your domain.
At AnantaSutra, we handle email authentication setup and monitoring for Indian businesses so you can focus on creating great content and campaigns. Proper authentication is the foundation of everything else in email marketing. Without it, you are building on sand. With it, you have a solid platform for deliverability, trust, and growth.