Knowledge Base/Delivery and Authentication/SPF and DKIM

What are SPF and DKIM and do I need to set them up?

posted this on July 25, 2012, 10:31 PM

Authentication is a way to prove an email isn't forged. Mandrill automatically authenticates all emails sent through our servers. By adding DNS records to your domain, you can explicitly allow Mandrill to send on your behalf and digitally 'sign' messages sent through Mandrill.


If you've ever gotten an email that says it's from your bank, PayPal or a company you do business with, but it's really from someone else, then you've seen first-hand how email makes it easy to communicate, but is also very easy to forge. Authentication helps legitimate senders prove that their email isn't forged, and can help receiving servers like ISPs and corporate email servers control inbound spam.

There are a variety of authentication methods, and there's no best method. SPF and SenderID allow a domain owner to add a file or record on the server that the recipient server cross-checks. These are easy to implement, but some suggest they aren't as secure. DKIM and DomainKeys embed information within the email, making it harder to forge (but they can also be harder to implement for senders and receivers).

Since there are pros and cons to the various methods, Mandrill automatically adds authentication for all of the above methods.

Do you need to add SPF or DKIM records?

If you own your domain or have access to the domain's DNS settings, we recommend adding the DNS records. It can help improve deliverability and establish (or maintain) a reputation for your sending domain. You aren't required to add anything to your sending domain since Mandrill handles it all automatically, but adding the DNS records allows Mandrill to remove the Sender header so that SenderID and DKIM are handled by your domain.

When you add the SPF record to your domain, that allows receiving email servers like Hotmail, Gmail, Yahoo, and others, to verify the identity of your emails for the SenderID authentication. Add Mandrill's server information to explicitly give Mandrill servers permission to send on your behalf.

The DKIM record allows Mandrill to digitally 'sign' your emails for your domain. Without this record, Mandrill still adds this to your emails, but it's signed for the Mandrill sending server instead of your domain.

Authentication and sending reputation

When you add authentication information to your domain, an added benefit is that many ISPs use authentication to track sending reputation. With authentication handled by your domain, reputation with the receiving ISPs is influenced by your domain and the emails sent on behalf of your domain. This means you maintain control over the emails that affect deliverability for your domain. A positive reputation for your domain builds trust and improves deliverability, affecting whether your emails are caught by spam filters and how quickly the receiving servers will accept mail from your domain.

Here are additional instructions to set up sending domains for Mandrill.

Topic is closed for comments