SPF, DKIM i DMARC: potpuni vodič za email autentikaciju
Savladajte email autentikaciju uz vodič za SPF, DKIM i DMARC. Naučite što svaki protokol radi, kako postaviti DNS zapise i kako poboljšati isporučivost.
Savladajte email autentikaciju uz vodič za SPF, DKIM i DMARC. Naučite što svaki protokol radi, kako postaviti DNS zapise i kako poboljšati isporučivost.
Ovaj lokalizirani uvod usklađuje članak s izvornim vodičem i postavlja kontekst za hrvatske čitatelje. Tema nije samo popis alata ili definicija pojmova. Važno je razumjeti kada nešto koristiti, kako procijeniti rizik, koje podatke mjeriti i kako odluku povezati s prihodima, korisničkim iskustvom i kapacitetom tima.
U praksi je najkorisnije krenuti od poslovnog cilja. Ako je cilj više prijava, prioritet su jasna ponuda, obrazac i brza potvrda. Ako je cilj bolja isporučivost, prioritet su autentikacija domene, higijena liste i reputacija pošiljatelja. Ako je cilj brža podrška, prioritet su kanali, usmjeravanje razgovora i kvalitetna baza znanja. Isti alat može biti odličan za jedan tim, a pretežak ili preskup za drugi.
Što ovaj vodič pokriva
Ovaj vodič objašnjava kako razmišljati o temi SPF, DKIM i DMARC: potpuni vodič za email autentikaciju bez oslanjanja na površne usporedbe. Umjesto da gledate samo početnu cijenu ili najduži popis značajki, usporedite stvarne scenarije upotrebe, ograničenja plana, integracije, podatke koje alat može koristiti i vrijeme koje je potrebno da tim usvoji novi način rada.
Ključna pitanja za procjenu:
- Koji konkretan problem rješavate u sljedećih 30 do 90 dana?
- Koji kanal ili korisnički trenutak ima najveći utjecaj na rezultat?
- Koje podatke već imate i koliko su pouzdani?
- Tko će svakodnevno održavati kampanje, obrasce, automatizacije ili izvještaje?
- Kako ćete znati da je promjena uspjela?
Kako procijeniti opcije
Dobar izbor mora biti dovoljno jednostavan za svakodnevni rad, ali dovoljno snažan da podrži rast. Zato prvo dokumentirajte minimalne zahtjeve, a tek zatim dodatne mogućnosti. Minimalni zahtjevi obično uključuju pouzdano slanje ili prikupljanje podataka, jasnu analitiku, segmentaciju, integracije s CRM-om ili trgovinom, mogućnost testiranja i podršku za timove koji nisu tehnički.
Za usporedbe alata korisno je napraviti kratku tablicu s pet stupaca: primarni slučaj upotrebe, prednosti, ograničenja, cijena pri vašem stvarnom obujmu i napor implementacije. Takva tablica brzo pokaže razliku između alata koji dobro izgleda u demo prikazu i alata koji će tim stvarno koristiti svaki tjedan.
Operativni koraci
Prvo odaberite jedan scenarij s jasnim rezultatom. To može biti welcome sekvenca, obrazac za prikupljanje leadova, automatizacija nakon kupnje, provjera email liste, live chat na stranici s cijenama ili izvještaj koji povezuje kampanje s prihodom. Zatim postavite početnu verziju, provjerite poruke, mjerne oznake i pravila izuzimanja, pa tek onda širite na dodatne segmente.
Posebno pazite na kvalitetu podataka. Loše označeni kontakti, duplicirani zapisi, zastarjele liste i nejasne dozvole mogu pokvariti i najbolju strategiju. Prije većih kampanja provjerite izvore podataka, pravila privole, mapiranje polja i način na koji se rezultati vraćaju u CRM ili analitiku.
Kontrolna lista prije odluke
- Cilj je zapisan jednom rečenicom i povezan s metrikom.
- Segmenti su jasni i ne preklapaju se nepotrebno.
- Poruke su prilagođene trenutku korisnika, a ne samo internom kalendaru.
- Postoje pravila za izuzimanje korisnika koji su već kupili, odjavili se ili otvorili zahtjev za podršku.
- Testiranje je dovoljno jednostavno da se rezultat može protumačiti.
- Izvještavanje pokazuje klikove, konverzije, prihod ili uštedu vremena, a ne samo aktivnost.
- Tim zna tko održava sadržaj, tko prati rezultate i tko odobrava promjene.
Sljedeći koraci
Najbolji rezultat dolazi iz malih, dobro izmjerenih poboljšanja. Pokrenite osnovnu verziju, provjerite isporuku i podatke, usporedite rezultat s početnim stanjem i zatim dodajte složenije grananje, personalizaciju ili dodatne kanale. Tako zadržavate kontrolu, smanjujete rizik i gradite sustav koji se može ponavljati.
Understanding DKIM (DomainKeys Identified Mail)
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails, proving the message originated from your domain and was not modified in transit.
How DKIM Works
DKIM uses public-key cryptography:
- Your email provider generates a public/private key pair
- You publish the public key in DNS
- The provider signs outgoing emails with the private key
- Receiving servers retrieve your public key from DNS
- They use the public key to verify the signature
- A valid signature proves authenticity and integrity
What DKIM signs:
DKIM signatures typically cover specific headers and the message body:
- From header (required)
- Subject header
- Date header
- Message body
- Other headers as configured
This prevents attackers from modifying these elements after sending.
DKIM Record Structure
DKIM records are published as TXT records with a specific naming format:
selector._domainkey.yourdomain.comThe selector is a unique identifier that allows you to have multiple DKIM keys. Different email services use different selectors (e.g., brevo, google, s1, s2).
DKIM record content:
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...| Tag | Description | Example |
|---|---|---|
| v= | Version (always DKIM1) | v=DKIM1 |
| k= | Key type (usually rsa) | k=rsa |
| p= | Public key (base64) | p=MIGfMA0… |
| t= | Flags (optional) | t=s (strict mode) |
| h= | Hash algorithms (optional) | h=sha256 |
Setting Up DKIM
Step 1: Generate DKIM keys
Your email service provider typically generates keys for you. In Brevo:
- Go to Settings > Senders, Domains & Dedicated IPs
- Select your domain
- Navigate to the DKIM section
- Copy the provided DNS record
For self-hosted mail servers, generate keys using OpenSSL:
openssl genrsa -out private.key 2048openssl rsa -in private.key -pubout -out public.keyStep 2: Add DKIM DNS record
In your DNS management:
- Type: TXT
- Host/Name: selector._domainkey (e.g., brevo._domainkey)
- Value: The DKIM record from your provider
- TTL: 3600
Step 3: Enable DKIM signing
In your email provider’s settings, enable DKIM signing for your domain. This tells the provider to sign outgoing messages.
Step 4: Verify the setup
Send a test email and check the headers for DKIM-Signature. Use tools like:
- mail-tester.com
- DKIM Validator
- MXToolbox DKIM Lookup
DKIM Best Practices
Use 2048-bit keys:
Older 1024-bit keys are considered weak. Modern security standards recommend 2048-bit RSA keys minimum.
Rotate keys periodically:
While not strictly required, rotating DKIM keys annually is good security practice. Add the new key before removing the old one to avoid gaps.
Monitor for key compromise:
If your private key is compromised, attackers can sign messages as you. Monitor for unusual authentication patterns.
Use different selectors for different services:
Each email provider should use a unique selector. This allows independent key management and does not conflict with other services.
Check DNS propagation:
DKIM keys can be long. Ensure your DNS provider supports TXT records of sufficient length. Some providers require splitting the key into multiple strings.
Reading DKIM Headers
When you receive an email, the DKIM-Signature header shows:
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=brevo; h=from:to:subject:date:message-id; bh=base64hashofbody; b=base64signature;| Tag | Meaning |
|---|---|
| v= | Version (always 1) |
| a= | Algorithm (rsa-sha256 recommended) |
| c= | Canonicalization (relaxed allows minor changes) |
| d= | Signing domain |
| s= | Selector |
| h= | Signed headers |
| bh= | Body hash |
| b= | Signature |
Understanding DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC builds on SPF and DKIM to provide policy enforcement and reporting. It tells receiving servers what to do when authentication fails and sends you reports about authentication results.
How DMARC Works
DMARC adds two critical capabilities:
- Policy enforcement: Define how receivers should handle authentication failures
- Reporting: Receive data about who is sending email using your domain
DMARC verification process:
- A receiving server gets an email claiming to be from your domain
- It checks SPF (does the sending IP match?)
- It checks DKIM (is the signature valid?)
- It checks DMARC alignment (do the authenticated domains match the From header?)
- If alignment fails, it applies your DMARC policy
- It sends you aggregate and/or forensic reports
DMARC Alignment
DMARC requires alignment between the domain in the From header and the domains that pass SPF or DKIM:
SPF Alignment: The domain in the Return-Path (envelope sender) must match or be a subdomain of the From header domain.
DKIM Alignment: The domain in the DKIM signature (d= tag) must match or be a subdomain of the From header domain.
Alignment modes:
| Mode | Description |
|---|---|
| Strict (s) | Exact domain match required |
| Relaxed (r) | Subdomains allowed (default) |
With relaxed alignment, if your From header shows [email protected] and DKIM signs with brevo.example.com, alignment passes because both share the example.com organizational domain.
DMARC Record Syntax
DMARC records are published as TXT records at _dmarc.yourdomain.com:
v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100Required tags:
| Tag | Description | Values |
|---|---|---|
| v= | Version | DMARC1 (always) |
| p= | Policy | none, quarantine, reject |
Optional tags:
| Tag | Description | Default |
|---|---|---|
| rua= | Aggregate report address | none |
| ruf= | Forensic report address | none |
| pct= | Percentage to apply policy | 100 |
| sp= | Subdomain policy | same as p= |
| adkim= | DKIM alignment mode | r (relaxed) |
| aspf= | SPF alignment mode | r (relaxed) |
| fo= | Forensic report options | 0 |
| ri= | Report interval (seconds) | 86400 |
DMARC Policies Explained
p=none (Monitor only):
No action taken on failures. Emails are delivered normally. Use this while analyzing reports and fixing authentication issues.
v=DMARC1; p=none; rua=mailto:[email protected]p=quarantine (Spam folder):
Failed emails are sent to spam/junk folder. A good intermediate step before full rejection.
v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100p=reject (Block):
Failed emails are rejected entirely. Maximum protection but ensure all legitimate sources pass first.
v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100Setting Up DMARC
Step 1: Ensure SPF and DKIM are working
DMARC depends on SPF and DKIM. Verify both are correctly configured before adding DMARC.
Step 2: Start with monitoring (p=none)
Begin with the most permissive policy to collect data without affecting delivery:
v=DMARC1; p=none; rua=mailto:[email protected]Step 3: Add the DNS record
In your DNS management:
- Type: TXT
- Host/Name: _dmarc
- Value: Your DMARC record
- TTL: 3600
Step 4: Analyze reports for 2-4 weeks
DMARC aggregate reports arrive daily as XML files. They show:
- Which IPs sent email using your domain
- SPF and DKIM pass/fail rates
- DMARC alignment results
- Receiving server actions
Use DMARC report analyzers to visualize this data:
- DMARC Analyzer
- Postmark DMARC
- Valimail
- dmarcian
Step 5: Fix authentication issues
Common issues revealed by reports:
- Legitimate services missing from SPF
- DKIM not enabled for a sending service
- Third-party services sending without proper authentication
- Forwarding breaking SPF alignment
Step 6: Gradually enforce
Once legitimate sources pass consistently:
- Move to
p=quarantine; pct=10(quarantine 10% of failures) - Increase pct to 25, 50, 75, 100
- Move to
p=reject; pct=10 - Increase to full rejection
Step 7: Maintain and monitor
Continue reviewing reports. New sending sources, provider changes, or configuration drift can cause authentication failures.
Understanding DMARC Reports
Aggregate reports (rua):
Daily XML summaries showing:
- Reporting organization
- Date range
- Your published policy
- Authentication results by source IP
- Volume of emails
Example excerpt:
<record> <source_ip>203.0.113.10</source_ip> <count>1250</count> <policy_evaluated> <disposition>none</disposition> <dkim>pass</dkim> <spf>pass</spf> </policy_evaluated></record>Forensic reports (ruf):
Individual message details for failures. More detailed but privacy-sensitive. Many receivers do not send forensic reports.
DMARC Best Practices
Always start with p=none:
Jumping directly to reject can block legitimate email. Monitor first.
Use a dedicated email address for reports:
DMARC reports can be voluminous. Use a dedicated address or third-party service.
Set subdomain policy (sp=):
If you do not send email from subdomains, set sp=reject to protect them from spoofing.
Use percentage (pct=) for gradual rollout:
The pct tag lets you enforce policy on a percentage of failures while monitoring the rest.
Consider dedicated DMARC services:
For large organizations, services like Valimail, dmarcian, or Postmark DMARC provide better report analysis than raw XML files.
DNS Record Setup: Complete Walkthrough
Setting up email authentication requires adding specific DNS records. This section provides a complete walkthrough for major DNS providers.
Gathering Your Required Values
Before starting, collect these values from your email providers:
For SPF:
- All include statements (e.g., include:spf.brevo.com)
- Any specific IP addresses you need to authorize
For DKIM:
- The selector name (e.g., brevo, google, s1)
- The full DKIM key value
For DMARC:
- Your reporting email address
Adding Records in Common DNS Providers
Cloudflare:
- Log in to Cloudflare Dashboard
- Select your domain
- Go to DNS > Records
- Click Add Record
- For SPF: Type=TXT, Name=@, Content=your SPF record
- For DKIM: Type=TXT, Name=selector._domainkey, Content=DKIM key
- For DMARC: Type=TXT, Name=_dmarc, Content=DMARC record
- Click Save
Google Domains/Squarespace:
- Go to DNS settings for your domain
- Scroll to Custom Records
- Click Manage Custom Records
- Add each record with appropriate type, host, and data
- For SPF: Host=@, Type=TXT, Data=SPF record
- For DKIM: Host=selector._domainkey, Type=TXT, Data=DKIM key
- For DMARC: Host=_dmarc, Type=TXT, Data=DMARC record
GoDaddy:
- Go to My Products > Domains
- Click DNS next to your domain
- Scroll to Records section
- Click Add for each new record
- Select TXT for Type
- Enter the Name (@ for SPF, selector._domainkey for DKIM, _dmarc for DMARC)
- Enter the Value
- Save
Namecheap:
- Go to Domain List > Manage
- Click Advanced DNS
- Add New Record for each
- Select TXT Record
- Host: @ for SPF, selector._domainkey for DKIM, _dmarc for DMARC
- Value: Your record content
- Save All Changes
DNS Propagation
After adding records, changes take time to propagate globally. This typically takes:
- 5-30 minutes for initial visibility
- Up to 48 hours for full global propagation
Use dig or nslookup to verify:
dig TXT yourdomain.comdig TXT selector._domainkey.yourdomain.comdig TXT _dmarc.yourdomain.comOr use online tools like whatsmydns.net to check propagation worldwide.
Example Complete Setup
For a domain using Brevo and Google Workspace:
SPF record (TXT at @):
v=spf1 include:spf.brevo.com include:_spf.google.com -allDKIM record for Brevo (TXT at brevo._domainkey):
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA... [key from Brevo dashboard]DKIM record for Google (TXT at google._domainkey):
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BA... [key from Google Admin]DMARC record (TXT at _dmarc):
v=DMARC1; p=none; rua=mailto:[email protected]Troubleshooting Common Issues
Even with careful setup, email authentication can fail. Here are common issues and how to resolve them.
SPF Troubleshooting
SPF record not found:
Symptoms: SPF checks show “none” or “no record”
Causes:
- Record not added to DNS
- Record added to wrong location (subdomain instead of root)
- DNS propagation not complete
Solutions:
- Verify record exists with
dig TXT yourdomain.com - Check the Name/Host field (should be @ or blank for root domain)
- Wait for DNS propagation (up to 48 hours)
SPF PermError (too many lookups):
Symptoms: SPF results show “permerror”
Causes:
- More than 10 DNS lookups in your SPF record
- Includes containing excessive nested includes
Solutions:
- Audit your includes and remove unused ones
- Replace includes with ip4: entries where possible
- Use SPF flattening services
- Consolidate services on fewer providers
SPF SoftFail or Fail for legitimate mail:
Symptoms: Legitimate emails failing SPF
Causes:
- Sending service not included in SPF
- Sending from an IP not authorized
- Using a relay that changes the envelope sender
Solutions:
- Add the missing include for your sending service
- Check which IP actually sent the email (from headers)
- Contact your email provider for correct SPF settings
Multiple SPF records:
Symptoms: SPF shows permerror or random failures
Causes:
- Two or more TXT records containing v=spf1
Solutions:
- Combine all mechanisms into a single SPF record
- Delete duplicate SPF records
DKIM Troubleshooting
DKIM signature missing:
Symptoms: No DKIM-Signature header in emails
Causes:
- DKIM signing not enabled in email provider
- Domain verification not completed
- Sending through non-DKIM path
Solutions:
- Enable DKIM in your provider’s settings
- Complete domain verification steps
- Check provider documentation for DKIM setup
DKIM verification failed:
Symptoms: DKIM shows “fail” in authentication results
Causes:
- DNS record not published or incorrect
- Wrong selector used
- Key mismatch between DNS and signing
- Message modified in transit
Solutions:
- Verify DNS record exists at selector._domainkey.domain
- Compare selector in DKIM-Signature header with DNS
- Regenerate keys if mismatch suspected
- Check for mail filters or relays modifying messages
DKIM key too long for DNS:
Symptoms: Cannot save DKIM record, truncation errors
Causes:
- 2048-bit keys exceed single TXT record length
- DNS provider has character limits
Solutions:
- Split the key into multiple quoted strings (most providers handle this automatically)
- Check if your DNS provider supports long TXT records
- Use 1024-bit keys temporarily (less secure)
Example of split DKIM record:
"v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...""...continuation of key..."DMARC Troubleshooting
DMARC alignment failures:
Symptoms: SPF and DKIM pass but DMARC fails
Causes:
- The authenticated domain does not match the From header domain
- Third-party sending service using their own domain
- Misconfigured envelope sender
Solutions:
- Ensure your email provider signs with your domain (custom DKIM)
- Configure custom Return-Path/envelope sender
- Use relaxed alignment mode (adkim=r; aspf=r)
Not receiving DMARC reports:
Symptoms: No aggregate reports arriving
Causes:
- rua address incorrect
- Email address cannot receive external email
- Reports going to spam
- Receiving servers not sending reports
Solutions:
- Verify rua syntax:
rua=mailto:[email protected] - Test that the reporting address can receive external mail
- Check spam folder for reports
- Note: Not all receivers send DMARC reports
DMARC record not found:
Symptoms: DMARC checks show “no record”
Causes:
- Record published at wrong location
- Using wrong format (must be TXT at _dmarc subdomain)
Solutions:
- Record must be at _dmarc.yourdomain.com
- Verify with
dig TXT _dmarc.yourdomain.com
General Troubleshooting Tools
Online validators:
- MXToolbox (mxtoolbox.com) - SPF, DKIM, DMARC lookups
- Mail Tester (mail-tester.com) - Send test email for full analysis
- DMARC Analyzer - Report visualization
- Google Admin Toolbox - Check MX, SPF, DKIM
Command line tools:
# Check SPFdig TXT yourdomain.com
# Check DKIMdig TXT selector._domainkey.yourdomain.com
# Check DMARCdig TXT _dmarc.yourdomain.com
# Check from specific DNS serverdig @8.8.8.8 TXT yourdomain.comEmail header analysis:
Check the Authentication-Results header in received emails:
Authentication-Results: mx.google.com; dkim=pass header.d=example.com header.s=brevo; spf=pass smtp.mailfrom=example.com; dmarc=pass action=none header.from=example.comEmail Authentication and Brevo
Brevo provides comprehensive email authentication support, making it straightforward to configure SPF, DKIM, and DMARC for your sending domains.
Setting Up Authentication in Brevo
Step 1: Add your domain
- Log in to your Brevo account
- Navigate to Settings > Senders, Domains & Dedicated IPs
- Click Add a Domain
- Enter your domain name
Step 2: Configure SPF
Brevo provides the SPF include to add to your DNS:
include:spf.brevo.comAdd this to your existing SPF record or create a new one:
v=spf1 include:spf.brevo.com -allStep 3: Configure DKIM
Brevo generates DKIM keys automatically. Copy the provided record:
- Go to your domain settings in Brevo
- Find the DKIM section
- Copy the DNS record name and value
- Add the TXT record to your DNS
Step 4: Verify configuration
Brevo automatically checks your DNS records. Green checkmarks indicate successful configuration.
Prednosti of Proper Brevo Authentication
When you properly configure authentication with Brevo:
- Higher inbox placement: Gmail, Microsoft, and other providers trust authenticated messages
- Brand protection: DMARC prevents spoofing of your domain
- Better analytics: Accurate tracking of opens and clicks
- Reputation building: Consistent authentication builds sender reputation
Tajo Integration Benefits
Using Tajo to connect your Shopify store with Brevo provides additional advantages:
- Automatic customer sync: Customer data flows seamlessly for personalized emails
- Event tracking: Purchase, browse, and cart events trigger authenticated transactional emails
- Multi-channel coordination: Maintain consistent authentication across email, SMS, and WhatsApp
- Unified analytics: Track email performance alongside other marketing metrics
The combination of proper email authentication and real-time customer data synchronization ensures your emails not only reach the inbox but resonate with each recipient.
Frequently Asked Questions
Što je the difference between SPF, DKIM, and DMARC?
SPF specifies which servers can send email for your domain. DKIM adds a cryptographic signature proving message authenticity. DMARC sets policy for how receivers should handle authentication failures and provides reporting. All three work together for complete email authentication.
Do I need all three (SPF, DKIM, and DMARC)?
For optimal deliverability and security, yes. SPF alone is vulnerable to spoofing. DKIM alone does not specify policy. DMARC requires SPF or DKIM to function. Together, they provide comprehensive protection and the best inbox placement rates.
How long does it take for email authentication to work?
DNS changes typically propagate within 30 minutes to 48 hours. Once propagated, authentication applies immediately. However, building sender reputation based on consistent authentication takes weeks to months.
Will setting up DMARC with p=reject block my legitimate emails?
It can if configured incorrectly. This is why you should always start with p=none (monitoring), analyze reports for 2-4 weeks, fix any issues, then gradually move to quarantine and reject. Never skip the monitoring phase.
Što je SPF alignment vs DKIM alignment?
Alignment means the authenticated domain matches the visible From header domain. SPF alignment compares the Return-Path domain. DKIM alignment compares the signing domain (d= tag). DMARC requires at least one to align.
Can I have multiple DKIM keys for one domain?
Yes. Each email service can use a different selector (e.g., brevo._domainkey, google._domainkey). This allows multiple services to sign with DKIM independently. There is no limit on the number of DKIM selectors.
Zašto do my emails still go to spam after setting up authentication?
Authentication is necessary but not sufficient for inbox placement. Other factors include sender reputation, content quality, engagement rates, and list hygiene. Authentication gets you past the first filter; good practices determine final placement.
How do I read DMARC aggregate reports?
DMARC aggregate reports are XML files. Use tools like dmarcian, Postmark DMARC, or DMARC Analyzer to parse and visualize them. These tools show which IPs send email as your domain and their authentication pass/fail rates.
What happens if I exceed the SPF 10 lookup limit?
SPF returns a permanent error (permerror), and all SPF checks fail. To fix this, remove unused includes, replace includes with IP addresses where possible, or use SPF flattening services.
Should I use -all or ~all in my SPF record?
Use ~all (softfail) while testing and building confidence. Once you confirm all legitimate sources pass, switch to -all (hard fail) for stronger protection. Softfail marks failures but does not reject; hard fail authorizes rejection.
How often should I rotate DKIM keys?
There is no strict requirement, but annual rotation is a good security practice. When rotating, add the new key first, wait for DNS propagation, enable signing with the new key, then remove the old key after a transition period.
Do subdomains need separate authentication?
SPF: Yes, each subdomain needs its own SPF record if sending email from it. DKIM: Keys can be shared or separate per subdomain. DMARC: Subdomains inherit the parent policy unless sp= is set or the subdomain has its own DMARC record.
Zaključak
Email authentication through SPF, DKIM, and DMARC is no longer optional for businesses that rely on email communication. These protocols protect your brand from spoofing, improve deliverability, and build the trust necessary for effective email marketing.
Key takeaways:
- SPF authorizes sending servers through DNS
- DKIM proves message authenticity with cryptographic signatures
- DMARC enforces policy and provides visibility through reports
- Start with monitoring (p=none) before enforcing rejection
- All legitimate sending sources must be properly configured
- Regular monitoring prevents configuration drift
For e-commerce businesses using Shopify, combining proper email authentication with customer data integration through Tajo and Brevo creates a powerful foundation. Your transactional emails reach customers reliably, your marketing campaigns achieve better inbox placement, and your brand remains protected from spoofing attacks.
Ready to improve your email deliverability? Start by auditing your current authentication setup with the tools mentioned in this guide, then systematically configure SPF, DKIM, and DMARC following the step-by-step instructions provided.
Learn how Tajo integrates with Brevo to provide seamless email authentication alongside real-time customer data synchronization for your Shopify store.