
11 Myths about SPF, DKIM, DMARC and the Reality – Marketers View

It is futile to expect customers to identify phishing emails and report them. On the contrary, it is up to the brand to take the required measures. About 97 percent of users fail to identify a phishing message because these messages are camouflaged well enough to look sophisticated.

As a result, brands are now turning to SPF, DKIM and DMARC records. It is better to use technology to block such emails from reaching users’ inboxes. The DMARC (Domain-based Message Authentication, Reporting and Conformance) standard helps in doing this.

It is very easy to add proper SPF, DKIM, and DMARC records in a few minutes. However, there are many misconceptions about the implementation of DMARC, which our implementation team keeps hearing. These misconceptions often hinder your efforts to identify and lessen the impact of phishing attacks.

Adding SPF, DKIM, DMARC records will increase your email inbox placement.

Here are 11 such myths about SPF, DKIM and DMARC that must be discarded:

1. DMARC “reject” policy can be deployed with the data that DMARC reporting mechanism contains

Nope! Rather, you will need to supply additional data to put the RUA (aggregate) and RUF (failure) reports in context. Otherwise you will have only guesswork to help you out, and that can be dangerously stressful.

2. Listing all the possible header fields in DKIM signature is “secure”

But that is not your goal with DKIM. You want to ensure that only you have the authority to send out the message in question. Hence, it only makes sense to pick a few fields in the “h=” tag.

3. Use “include” statements in your SPF records rather than individual IPs or CIDR (Classless Inter-Domain Routing) ranges

But your SPF record should be a clean, flat list of IPs. Hence, “include” statements should be kept to a minimum. This helps with lookup speed and eliminates chances of failure.

4. An 11th include statement should be added

You must add only 10 include statements, as allowed by the SPF protocol. Adding an 11th one will break the record.
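Myths 3 and 4 in code, as an added example that is not from the original post: RFC 7208 (section 4.6.4) caps SPF evaluation at 10 DNS-querying terms, and it counts `a`, `mx`, `ptr`, `exists` and `redirect` as well as `include`, including the ones inside nested includes. The zone data and every domain name below are constructed.

```python
# Added example: SPF DNS-lookup counter. ZONE is constructed sample data that
# stands in for live TXT lookups; every domain name in it is hypothetical.
ZONE = {
    "example.com": "v=spf1 include:_spf.mail.example include:esp-a.example "
                   "include:esp-b.example mx a ~all",
    "_spf.mail.example": "v=spf1 include:_nb1.mail.example "
                         "include:_nb2.mail.example ~all",
    "_nb1.mail.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_nb2.mail.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "esp-a.example": "v=spf1 include:relay.esp-a.example "
                     "exists:%{i}.allow.esp-a.example ~all",
    "relay.esp-a.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "esp-b.example": "v=spf1 a mx include:pool.esp-b.example ~all",
    "pool.esp-b.example": "v=spf1 ip4:203.0.113.0/24 ~all",
    "flat.example": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 "
                    "ip4:203.0.113.0/24 -all",
}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
LOOKUP_LIMIT = 10  # RFC 7208, section 4.6.4


def count_lookups(domain, zone=ZONE, path=()):
    """Count DNS-querying terms reached while evaluating domain's SPF record."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    total = 0
    for term in zone[domain].split()[1:]:          # skip the v=spf1 tag
        if term.startswith("redirect="):
            target = term.split("=", 1)[1]
            total += 1 + count_lookups(target, zone, path + (domain,))
            continue
        name, _, arg = term.lstrip("+-~?").partition(":")
        name = name.split("/")[0]                  # "a/24" -> "a"
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_lookups(arg, zone, path + (domain,))
    return total


def spf_lookup_report(domain, zone=ZONE):
    """Return (lookups, verdict); over the limit the receiver returns permerror."""
    used = count_lookups(domain, zone)
    return used, "ok" if used <= LOOKUP_LIMIT else "permerror"


if __name__ == "__main__":
    for name in ("example.com", "flat.example"):
        print(name, spf_lookup_report(name))
```

The constructed `example.com` record has only three `include` terms of its own, yet evaluation costs 12 lookups once nested includes, `a` and `mx` are counted; the flattened record costs none.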

5. Emailing your DKIM private key to someone else is okay

This itself is an irony. The moment your DKIM key is sent out to another person, it ceases to be private! Your DKIM key shouldn’t be anywhere else other than the MTA which uses it.

6. All emails should be sent from the organizational/ top level domain

That is a bad idea. Some sending decisions may rest on security and vendor management grounds, others on sound deliverability grounds. Why exactly would you want to mix all these? Check these resources from Google for more insights.

7. DMARC record in the top level domain is essential

It may be a good start, but having a DMARC record in the top level domain may not give the requisite control and reporting scopes.

All domains that your company owns must be protected with a DMARC policy.

8. Bad guys will follow suit and send emails from that particular subdomain you use

The entire domain is at risk all the time. You need to lock down the entire domain: the main organizational domain as well as the subdomain. Contrary to popular belief, the primary organizational domain is targeted rather than the subdomain.
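How a receiver picks the DMARC policy for a domain or subdomain (RFC 7489, section 6.6.3), as an added example that is not part of the original post. The TXT records are constructed, and the organizational domain is passed in by hand where a real implementation would derive it from the Public Suffix List.

```python
# Added example: DMARC policy discovery per RFC 7489, section 6.6.3.
# TXT is constructed sample data standing in for live DNS; names are hypothetical.
TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "_dmarc.news.example.com": "v=DMARC1; p=quarantine",
    "_dmarc.example.net": "v=DMARC1; p=reject; rua=mailto:dmarc@example.net",
}
ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is not DMARC1."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None


def effective_policy(from_domain, org_domain, txt=TXT):
    """Return (policy, record_owner) applied to mail with this From domain."""
    for owner in dict.fromkeys((from_domain, org_domain)):  # exact match first
        tags = parse_dmarc(txt.get(f"_dmarc.{owner}", ""))
        if tags is None:
            continue
        if owner != from_domain:
            # Subdomain covered only by the organizational record: sp= wins,
            # and p= is inherited only when sp= is absent.
            return tags.get("sp", tags.get("p")), owner
        return tags.get("p"), owner
    return None, None


def unprotected(domains, txt=TXT):
    """List (domain, policy) pairs whose effective policy is not enforcing."""
    gaps = []
    for from_domain, org_domain in domains:
        policy, _ = effective_policy(from_domain, org_domain, txt)
        if policy not in ENFORCING:
            gaps.append((from_domain, policy))
    return gaps


if __name__ == "__main__":
    owned = [("example.com", "example.com"), ("billing.example.com", "example.com"),
             ("news.example.com", "example.com"), ("mail.example.net", "example.net"),
             ("example.org", "example.org")]
    print(unprotected(owned))
```

In the constructed data the organizational record says `p=reject`, but its `sp=none` leaves `billing.example.com` unenforced, and `example.org` has no record at all.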

9. Copy the previous infrastructure decisions

That is lame! If you believe that the previous email infrastructure builders were right throughout, you will only move a step closer to your doom. Instead, you must use the new DMARC deployment as a chance to redesign and optimize the infrastructure and architecture.

10. All vendors can sign DKIM in 2016

There is a huge difference between “should” and “can”. Go for an expert who has the requisite knowledge of how to overcome the hurdles you will face in authenticating your infrastructure properly with DKIM, especially with regard to third-party vendors.

11. The outgoing emails from your mailbox have proper SPF, DKIM, DMARC records

The emails which you are sending from your organisation mailbox may not have proper SPF, DKIM and DMARC records implemented. You need to check and verify this with your IT team. If this is not in place, then emails sent from your organisation mailbox may not land in the inbox of the recipient.

This blog post is part of 11 Easy Ways to Identify Phishing Emails, which explains the identification of phishing emails and their impact on email marketers.
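One way to run the check described in myth 11: send a test message to a mailbox you control and read the `Authentication-Results` header (RFC 8601) that the receiver adds. This is an added example, not code from the original post; the message, the ESP and receiver names, and the hand-supplied organizational domain are constructed assumptions.

```python
import email
import re

# Constructed test message, as a receiving mailbox might show it under
# "view original"; the ESP and receiver names are hypothetical.
VIA_ESP = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce@mail.esp.example;
 dkim=pass header.d=esp.example header.s=s1;
 dmarc=fail (p=none) header.from=example.com
From: Offers <offers@example.com>
Subject: constructed sample

Hello
"""
# The same message once the ESP signs with the brand's own domain.
VIA_ESP_ALIGNED = (VIA_ESP.replace("header.d=esp.example", "header.d=example.com")
                          .replace("dmarc=fail", "dmarc=pass"))

IDENTITY = re.compile(r"(?:smtp\.mailfrom|header\.d|header\.from)=([^\s;]+)")


def auth_summary(raw_message, org_domain):
    """Map spf/dkim/dmarc to result, checked domain and relaxed alignment."""
    msg = email.message_from_string(raw_message)
    header = " ".join((msg["Authentication-Results"] or "").split())  # unfold
    summary = {}
    for clause in header.split(";")[1:]:          # [0] is the reporting server
        found = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if not found:
            continue
        method, result = found.groups()
        ident = IDENTITY.search(clause)
        domain = ident.group(1).rsplit("@", 1)[-1].lower() if ident else ""
        # Relaxed alignment, simplified: same organizational domain as From.
        aligned = domain == org_domain or domain.endswith("." + org_domain)
        summary[method] = {"result": result, "domain": domain, "aligned": aligned}
    return summary


def dmarc_ready(summary):
    """True when SPF or DKIM both passes and aligns with the From domain."""
    return any(summary.get(m, {}).get("result") == "pass" and summary[m]["aligned"]
               for m in ("spf", "dkim"))


if __name__ == "__main__":
    print(dmarc_ready(auth_summary(VIA_ESP, "example.com")))          # False
    print(dmarc_ready(auth_summary(VIA_ESP_ALIGNED, "example.com")))  # True
```

The first constructed message shows `spf=pass` and `dkim=pass` yet still fails DMARC, because both checks passed for the ESP's domain rather than the domain in the From header.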


About EasySendy Pro

EasySendy Pro is an email marketing platform for the digital marketing team. It integrates with multiple SMTP relay service providers and enables delivery of email campaigns to a list of opt-in emails. You can split test email deliveries across the relay servers, check reports, and track the clicks and opens of each email campaign. It also has a smart autoresponder and email list segmentation.

To support Micro-Deliverability in emails, EasySendy Pro currently allows integration with SMTP relay gateways like Amazon SES, Mandrill, SendGrid, SparkPost, Leadersend, Dyn, Elasticemail, MailGun, SendinBlue, MailJet, TipiMail, and MailerQ. If you are sending an email to a list of above 25,000 email subscribers, then Micro-Deliverability of the email through multiple SMTP gateways provides a better email open rate.




Thanks Ankit for sharing the blog. It looks like you have done a thorough research on phishing emails and everything related to it. I was totally unaware of these authenticated protocols. A great help!

Rebecca thomas

Hi Ankit, this is a great write up. All the facts are pretty new to me. Your blog really cajoles me and all the points are top notch. I am hoping for more blogs from your side. Thank you for sharing this piece of work.



While doing research for a paper, I came across your article. Overall, not bad. I mean I get it that in the end you are trying to sell your product and what better way than both educating people about the dilemma you are trying to solve then highlighting how your product addresses these concerns. Typical viral-marketing techniques. That being said, I was actually impressed with what you shared regarding some of these rather technical concepts in such an easy-to-understand manner.

Thanks for the info! 🙂


Thanks Ankit for sharing the blog. It seems like you have done a thorough research on phishing emails and everything related to it. This information was not known to me regarding these authenticated protocols. A great help!


This is a great write up. All the facts are new to me. I am actually cajoled by your blog, and all the points are top notch. I am hoping for more blogs from your side. Thank you for sharing this piece of work.


Thanks for sharing this blog. This article is thoroughly researched and informative. I agree with you on the fact that phishing messages are so hard to identify these days because of their sophisticated look. So, implementing DMARC will indeed help us to block such messages. Also, a lot of people make this mistake of sending their DKIM private key to someone else. Your posts will definitely help them to clear their misconception of DMARC.


Thanks Ruben!

Nastya Iglesias

It is good to know that there are a number of ways (SPF, DKIM, DMARC) through which we can block phishing emails. I am sorry I did not understand when you say “Adding SPF, DKIM, DMARC records will increase your email inbox placement.” What do you mean by email inbox placements? And how does one frame a DMARC policy?

Alice Reed

Yes, of course, the revolutionary SPF, DMARC are the saviours to block spam emails from reaching the individual’s inbox. The advancement of tech is truly revolutionising the ways of e-mail communication. Reject policy of DMARC is a fantastic one.

Jean Torres

I was totally unaware of these things, it looks like this article is thoroughly researched and written. I had thought all these myths are true. Definitely a good read!

Ruby Cox

Every myth is addressed and explained very well. Thanks for posting such an educative article. After all, it isn’t about stopping spam, it is more about controlling and stopping attempted sender forgeries. Thanks to Email security standards for saving us from annoying emails.

Chris Russell

Hi Ankit, your way of conveying the facts is very persuasive. You have demystified the way we see SPF, DKIM, DMARC, thanks for sharing.

Matthew Jenkins

SPF does not secure against spoofing or spam directly, nevertheless, this protocol is effectively and successfully used to deploy spam filtering systems, and additionally to protect against counterfeit emails, since it allows us to check each message against a particular domain and its reputation.

Jeffrey Young

These myths have helped to some extent and thanks for bringing out the reality. Unfortunately I think that even though we have a perfectly functional mail system with all the necessary tools, we are not 100% safe from the bad guys out there.

Helen Rodriguez

Thanks for taking us away from myths and enlightening us about the reality. It was indeed a much-needed post.
