Email Security and Authentication

Why Passing and Aligning Both SPF and DKIM Is Key to Email Deliverability

For an email to pass DMARC (Domain-based Message Authentication, Reporting and Conformance), it needs to either pass and align SPF (Sender Policy Framework) or pass and align DKIM (DomainKeys Identified Mail).

Thus, many senders assume that it is perfectly acceptable to focus on passing and aligning either SPF or DKIM, rather than passing and aligning for both.

In fact, there are some instances where senders might not be able to fully implement one of these protocols, such as:

  • The email platform is on an older release of hardware/software and is not yet capable of DKIM signing.
  • Senders use a third party to send marketing emails and, in order for them to manage bounce messages, they use that third party’s domain in the MFrom field (which does not match the Header From domain of the brand, and will therefore not align for SPF).
  • A sender’s email service provider signs emails with two DKIM signatures, which, as we discussed in a previous blog post, can cause DKIM alignment problems.
  • Bounce messages disrupt SPF alignment processes.

As we stated above, authentication and alignment of just one protocol—SPF or DKIM—is sufficient for emails to pass DMARC, and none of the scenarios above will necessarily stop a sender from implementing a DMARC “reject” policy. So, why do we recommend that you endeavour to have both SPF alignment and DKIM alignment?

Why senders should go beyond the bare minimum

In addition to contributing to the wider picture of what “good” email looks like (mailbox providers rely on senders to clean up our authentication processes), SPF and DKIM, when both are passing and aligning, back each other up.

Both protocols come with their own pitfalls and nuances that can affect their implementation and ongoing maintenance, including transient errors that can occur when packets of data are lost and transmissions fail randomly for a variety of reasons.

Senders who run into such intermittent problems with one authentication protocol and cannot fix that problem immediately could find a large proportion of their legitimate emails blocked due to DMARC failures. In addition, mailbox providers seem to favor senders who are passing and aligning with both SPF and DKIM, as our example from the field below shows.
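To see how much of your mail depends on a single mechanism, you can recompute the DMARC decision from the Authentication-Results header a receiver adds to each message. The Python below is an added example, not code from this post or from Return Path; the sample headers are constructed, and it assumes relaxed alignment with the organizational domain approximated as the last two labels of the domain.

```python
import re

# Constructed samples (not from the post): (Header From domain, Authentication-Results value)
SAMPLES = [
    ("brand.example", "mx.isp.example; spf=pass smtp.mailfrom=bounce.brand.example; dkim=pass header.d=brand.example"),
    ("brand.example", "mx.isp.example; spf=pass smtp.mailfrom=bounce.brand.example; dkim=fail (bad body hash) header.d=brand.example"),
    ("brand.example", "mx.isp.example; spf=pass smtp.mailfrom=bounces.esp.example; dkim=pass header.d=mail.brand.example"),
    ("brand.example", "mx.isp.example; spf=pass smtp.mailfrom=bounces.esp.example; dkim=temperror header.d=brand.example"),
]

def org_domain(domain):
    # Assumption: last two labels; real evaluators use the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def parse_auth_results(value):
    """Return [(method, result, {property: value}), ...] for one header value."""
    value = re.sub(r"\([^)]*\)", "", value)        # drop parenthesised comments
    out = []
    for part in value.split(";")[1:]:              # first field is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        out.append((method.lower(), result.lower(), props))
    return out

def evaluate(header_from, auth_results):
    """Recompute DMARC with relaxed alignment and say which mechanism carried it."""
    want = org_domain(header_from)
    if not want:
        raise ValueError("Header From domain is required")
    spf_ok = dkim_ok = False
    for method, result, props in parse_auth_results(auth_results):
        if result != "pass":
            continue                               # fail, temperror, none: no credit
        if method == "spf":
            spf_ok |= org_domain(props.get("smtp.mailfrom", "").rsplit("@", 1)[-1]) == want
        elif method == "dkim":
            dkim_ok |= org_domain(props.get("header.d", "")) == want
    if spf_ok and dkim_ok:
        return "pass (redundant)"
    if spf_ok or dkim_ok:
        return "pass (%s only, no backup)" % ("SPF" if spf_ok else "DKIM")
    return "fail"

if __name__ == "__main__":
    for header_from, auth_results in SAMPLES:
        print(evaluate(header_from, auth_results))
```

Messages reported as "no backup" still pass DMARC today, but they are the ones that start failing as soon as the one remaining mechanism hits a transient error or a configuration change.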

An example from the field

One of Return Path’s clients implemented a DMARC “reject” policy across all their main sending domains, which sent a high volume of emails.

For eight domains, they sent a total of 33.2 million messages over a period of seven days.

Out of those emails, nearly six million had some sort of authentication failure (~18 percent). These failures, we discovered, were caused by DKIM authentication issues.

However, because this client was passing and aligning with SPF, the messages continued to pass DMARC at an acceptable level—they only had 1,800 DMARC failures (0.005%) and of these, only 264 (0.0008%) were blocked by the ISP.

If there had been more SPF failures, more emails would have failed DMARC, with no DKIM to provide back-up.

After we diagnosed and troubleshot the underlying DKIM issues, and the sender’s emails were protected by both SPF and DKIM again, we saw a drastic dip in authentication failures. When we looked at the same domains over a seven-day period after the intervention, we saw:

  • Total legitimate messages: 40,676,391      
  • Total authentication failures: 46,785 (0.12 percent)
  • Total DMARC failures: 314 (0.0008 percent)
  • Total blocked messages: 82 (0.0002 percent)

This represents:

  • A 99.2 percent reduction in authentication failures
  • An 82.6 percent reduction in DMARC failures
  • A 68.9 percent reduction in blocked legitimate messages

As you can see, following our best practice of having both SPF and DKIM configured to pass and align will provide your outbound emails with the greatest level of protection. SPF and DKIM authentication is the most resilient approach and will have a positive effect on your email deliverability.