Email explained from first principles is an incredible overview of how email works. It's the only resource that I've found that may be too comprehensive while still being readable. It's truly a feat.

Here are my notes on how SPF, DKIM, and DMARC work together for email authentication and deliverability as a summary and note to my future self:

SPF — Sender Policy Framework

Your SPF record tells other mail servers which email servers are allowed to send emails from your domain. So if I own luma-mail.com, only certain IP addresses are allowed to send from @luma-mail.com addresses.

You publish your SPF record as a TXT record in your domain's DNS zone. It often looks something like this:

dig luma-mail.com txt
luma-mail.com.		300	IN	TXT	"v=spf1 include:_spf.google.com ~all"

This gets a little tricky with providers like Postmark or SES: the message carries your domain in the From header, but the MAIL FROM is an address on one of their domains.

The MAIL FROM is the envelope sender, the address given in the SMTP MAIL FROM command (and later exposed as the Return-Path header). The SMTP envelope is a complex topic in its own right, but the key point is that the envelope From can differ from the From address that shows up in your email client, and SPF is evaluated against the envelope From's domain.

This means you need to set up an SPF record when sending from a mail client through your own mail provider, but not when using a transactional email provider, since its own MAIL FROM domain (and therefore its SPF record) is what gets checked.
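The SPF check described above, as an added example that is not part of these notes: a small Python evaluator that walks a v=spf1 record the way a receiving server does. It resolves against a constructed in-memory DNS table (the domains, addresses and records are made up), so it runs offline, and the last function makes the MAIL FROM point explicit: the record consulted belongs to the envelope sender's domain, which with a provider is not the domain in the From header.

```python
"""Added example (not from the original notes): a minimal SPF evaluator.

Handles ip4/ip6/include/a/mx/all with the + - ~ ? qualifiers and the
10-DNS-lookup limit; redirect=/exp= modifiers are skipped. DNS answers
come from a constructed in-memory table so the code runs offline.
"""
import ipaddress

# Constructed stand-in for DNS (real code would query with e.g. dnspython).
SPF_DNS = {
    ("luma-mail.com", "TXT"): ["v=spf1 include:_spf.example-provider.test ~all"],
    ("_spf.example-provider.test", "TXT"): ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"],
    ("bounces.example-provider.test", "TXT"): ["v=spf1 ip4:203.0.113.0/24 -all"],
    ("strict.test", "TXT"): ["v=spf1 a mx -all"],
    ("strict.test", "A"): ["198.51.100.20"],
    ("strict.test", "MX"): ["mail.luma-mail.com"],
    ("mail.luma-mail.com", "A"): ["198.51.100.10"],
    ("loop.test", "TXT"): ["v=spf1 include:loop.test -all"],  # only the lookup limit stops this
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


def lookup(name, rtype):
    return SPF_DNS.get((name.lower(), rtype), [])


def spf_record(domain):
    """Exactly one v=spf1 TXT record must exist; zero means 'none'."""
    recs = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None


def check_host(ip, domain, budget=None):
    """Return pass/fail/softfail/neutral/none/permerror for client `ip` sending as `domain`."""
    budget = [LOOKUP_LIMIT] if budget is None else budget  # shared across nested includes
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if "=" in mech:  # modifier (redirect=, exp=): not handled in this demo
            continue
        if mech in ("include", "a", "mx"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying terms
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            # a v4 address never matches a v6 network and vice versa
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "a":
            if str(addr) in lookup(arg or domain, "A"):
                return QUALIFIERS[qual]
        elif mech == "mx":
            if any(str(addr) in lookup(mx, "A") for mx in lookup(arg or domain, "MX")):
                return QUALIFIERS[qual]
        elif mech == "include":
            inner = check_host(ip, arg, budget)
            if inner == "pass":
                return QUALIFIERS[qual]
            if inner in ("permerror", "none"):  # RFC 7208: these abort the whole check
                return "permerror"
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # fell off the end of the record without an 'all'


def spf_for_message(client_ip, mail_from, header_from):
    """SPF is run for the envelope MAIL FROM domain, which may differ from the header From."""
    mail_from_domain = mail_from.rsplit("@", 1)[1]
    header_from_domain = header_from.rsplit("@", 1)[1]
    return {
        "result": check_host(client_ip, mail_from_domain),
        "checked_domain": mail_from_domain,
        "same_as_header_from": mail_from_domain.lower() == header_from_domain.lower(),
    }


if __name__ == "__main__":
    # A provider sending for luma-mail.com: SPF passes, but for the provider's domain.
    print(spf_for_message("203.0.113.5", "b+42@bounces.example-provider.test", "hello@luma-mail.com"))
```

The `loop.test` entry shows why the lookup limit matters: without it a record that includes itself would recurse forever, and a receiver must return permerror instead.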

DKIM — DomainKeys Identified Mail

With DKIM, your outgoing emails are signed with a private key held by the sending server, and the matching public key is published in a DNS record under your domain.

When a mail server receives the message, it reads the domain (d=) and selector (s=) tags from the DKIM-Signature header, fetches the public key from the TXT record at <selector>._domainkey.<domain> at your DNS provider, and verifies the signature over the signed headers and the body hash.

If you are using a service like Postmark or SES, you add a DNS record with the public key they give you, and Postmark/SES automatically signs outgoing messages with the matching private key and appends the DKIM-Signature header.
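The sign-and-verify round trip from the DKIM section, as an added example that is not part of these notes or of any provider's code. The sender signs selected headers plus a body hash; the receiver reads d= and s= from the DKIM-Signature header, fetches the public key from `<s>._domainkey.<d>` in a constructed in-memory DNS table and verifies. To stay offline and dependency-free, the signing primitive is textbook RSA with two small well-known primes, a stand-in for RSA-2048 or Ed25519 from a real crypto library; the domain, selector and message are made up.

```python
"""Added example (not from the original notes): DKIM sign/verify round trip.

The RSA below is a TOY (~60-bit modulus) used only so the flow runs with
the standard library; a real signer uses a proper key from a crypto library.
"""
import base64
import hashlib

# --- toy RSA key pair standing in for the real one ---
P, Q, E = 1000000007, 998244353, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: stays on the sending server


def rsa_sign(digest):
    return pow(int.from_bytes(digest, "big") % N, D, N).to_bytes(8, "big")


def rsa_verify(digest, sig, n, e):
    return pow(int.from_bytes(sig, "big"), e, n) == int.from_bytes(digest, "big") % n


# Public half, published in DNS at <selector>._domainkey.<domain>. A real p= tag
# holds a base64 DER key; this toy encodes "n:e" instead (constructed record).
DKIM_DNS = {
    ("s1._domainkey.luma-mail.com", "TXT"):
        ["v=DKIM1; k=rsa; p=" + base64.b64encode(f"{N}:{E}".encode()).decode()],
}


def canon_body_simple(body):
    """'simple' body canonicalization: drop trailing empty lines, CRLF line ends."""
    lines = body.replace("\r\n", "\n").split("\n")
    while lines and lines[-1] == "":
        lines.pop()
    return ("\r\n".join(lines) + "\r\n").encode()


def canon_header_relaxed(name, value):
    """'relaxed' header canonicalization: lowercase name, collapse whitespace."""
    return f"{name.lower()}:{' '.join(value.split())}\r\n".encode()


def parse_tags(value):
    return dict(t.strip().split("=", 1) for t in value.split(";") if t.strip())


def signed_data(headers, signed_names, sig_header_without_b):
    """Bytes covered by the signature: the listed headers, then DKIM-Signature with b= empty."""
    data = b"".join(canon_header_relaxed(h, headers[h]) for h in signed_names)
    return data + canon_header_relaxed("dkim-signature", sig_header_without_b).rstrip(b"\r\n")


def dkim_sign(headers, body, domain, selector, signed=("from", "to", "subject")):
    """Return the DKIM-Signature header value (headers dict uses lowercase keys)."""
    bh = base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()
    tags = (f"v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector}; "
            f"h={':'.join(signed)}; bh={bh}; b=")
    sig = rsa_sign(hashlib.sha256(signed_data(headers, signed, tags)).digest())
    return tags + base64.b64encode(sig).decode()


def dkim_verify(headers, body, dns):
    tags = parse_tags(headers["dkim-signature"])
    bh = base64.b64encode(hashlib.sha256(canon_body_simple(body)).digest()).decode()
    if bh != tags["bh"]:
        return "fail (body hash mismatch)"
    recs = dns.get((f"{tags['s']}._domainkey.{tags['d']}", "TXT"), [])
    if not recs:
        return "permerror (no key record)"
    n, e = (int(x) for x in base64.b64decode(parse_tags(recs[0])["p"]).decode().split(":"))
    without_b = "; ".join(f"{k}={v}" for k, v in tags.items() if k != "b") + "; b="
    digest = hashlib.sha256(signed_data(headers, tags["h"].split(":"), without_b)).digest()
    ok = rsa_verify(digest, base64.b64decode(tags["b"]), n, e)
    return "pass" if ok else "fail (signature mismatch)"


def demo_message():
    """Constructed message, signed the way a provider would before handing it to SMTP."""
    headers = {"from": "Luma <hello@luma-mail.com>", "to": "you@example.net", "subject": "Hello"}
    body = "Signed with DKIM.\n"
    headers["dkim-signature"] = dkim_sign(headers, body, "luma-mail.com", "s1")
    return headers, body


if __name__ == "__main__":
    h, b = demo_message()
    print(dkim_verify(h, b, DKIM_DNS))
```

Two things worth trying with it: altering the body or a signed header in transit fails verification, while appending only trailing blank lines still passes, because the "simple" body canonicalization ignores them by design.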

DMARC — Domain-based Message Authentication, Reporting, and Conformance

DMARC is not a new authentication mechanism but a policy layer built on top of SPF and DKIM. You publish a DNS TXT record at _dmarc.example.com that tells receivers how to treat mail claiming to come from your domain.

This record can tell receiving mail servers to quarantine (treat as spam) or reject messages that pass neither SPF nor DKIM for a domain aligned with the From header, for example. You can also publish a reporting address (the rua tag) where other mail servers send aggregate reports about messages that are not passing the SPF / DKIM checks.
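How a receiving server applies the DMARC record just described, as an added example that is not part of these notes. DMARC does no cryptography of its own: it takes the SPF and DKIM results, checks that the domain each one authenticated is aligned with the header From domain, and only if neither aligned check passes applies the published policy (the "mark as spam" policy from the notes is p=quarantine; p=reject goes one step further). The DNS records, domains and message results are constructed, and the organizational domain is simplified to the last two labels (real implementations use the Public Suffix List).

```python
"""Added example (not from the original notes): DMARC alignment and policy."""

# Constructed DMARC records. aspf/adkim: r = relaxed (same org domain), s = strict (exact);
# sp= is the policy for subdomains that publish no record of their own.
DMARC_DNS = {
    ("_dmarc.luma-mail.com", "TXT"):
        ["v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@luma-mail.com"],
    ("_dmarc.lenient.test", "TXT"): ["v=DMARC1; p=none; rua=mailto:dmarc@lenient.test"],
}


def parse_tags(record):
    return dict(t.strip().split("=", 1) for t in record.split(";") if t.strip())


def org_domain(domain):
    return ".".join(domain.lower().split(".")[-2:])  # simplification, see docstring


def aligned(auth_domain, from_domain, mode):
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_policy(from_domain, dns):
    """Look up _dmarc.<from-domain>; fall back to the org domain's record (sp= if present)."""
    recs = dns.get((f"_dmarc.{from_domain}", "TXT"), [])
    if recs:
        return parse_tags(recs[0]), "p"
    org = org_domain(from_domain)
    if org != from_domain:
        recs = dns.get((f"_dmarc.{org}", "TXT"), [])
        if recs:
            tags = parse_tags(recs[0])
            return tags, ("sp" if "sp" in tags else "p")
    return None, None


def dmarc_evaluate(header_from, spf_result, spf_domain, dkim_results, dns):
    """
    spf_result / spf_domain: the SPF outcome and the MAIL FROM domain it was run for.
    dkim_results: list of (d= domain, result) pairs, one per DKIM-Signature header.
    Returns (dmarc_result, disposition, report_address).
    """
    from_domain = header_from.rsplit("@", 1)[1].lower()
    policy, key = dmarc_policy(from_domain, dns)
    if policy is None:
        return "none", "accept", None  # nothing published: no DMARC verdict at all
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = any(r == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                  for d, r in dkim_results)
    rua = policy.get("rua")
    if spf_ok or dkim_ok:
        return "pass", "accept", rua
    disposition = {"none": "accept", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition[policy.get(key, "none")], rua


if __name__ == "__main__":
    # Provider path: SPF passes for the provider's bounce domain (not aligned), DKIM d=luma-mail.com carries it.
    print(dmarc_evaluate("hello@luma-mail.com", "pass", "bounces.example-provider.test",
                         [("luma-mail.com", "pass")], DMARC_DNS))
```

The first scenario in the usage line is the provider case from the SPF section: SPF passes, but for the provider's MAIL FROM domain, so it does not align with the From header, and it is the aligned DKIM signature that makes the message pass DMARC. Drop that signature and the same message hits p=reject.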

I think that if you have a stricter DMARC policy and tell other email clients to mark everything as spam that doesn't match SPF / DKIM, you will end up with higher deliverability over time.