What is DKIM & SPF? And How to Set It Up?


This is serious. This is about your email deliverability. I know from my own experience that these acronyms may sound unfamiliar, scary and may seem totally uninteresting. Or maybe they sound familiar, but you never cared enough to check what they really are.

Either way, it’s time to learn a bit about what SPF & DKIM are and how to set them up in your DNS records for your mail server, if you want to have better control over your email deliverability. I’ll also show you where in Woodpecker you can check if they are set up properly.

I’ll do my best to explain that in simple words that not only programmers will understand.

What is SPF? How does SPF work?

Simply speaking, Sender Policy Framework (SPF) is a security mechanism created to prevent the bad guys from sending emails on your behalf. The mechanism is all about communication between DNS servers… and this is the point when it all starts to sound scary! But don’t panic. I’ll try to keep it as simple as possible.

Let’s say you’ve sent an email to Bob. But how does Bob’s DNS server know that the email was in fact sent by you? The problem is, it doesn’t really. Unless you have SPF set on your DNS server.

SPF defines which IP addresses can be used to send emails from your domain. So let’s imagine two possible server “conversations”. To make it all easier, let’s assume your name is Mike.

Scenario 1 – You don’t have SPF set up.

Mike’s server: Hey, Bob’s server. I’ve got a new message from Mike.
Bob’s server: Hi Mike’s server. What’s your SPF?
Mike’s server: Yeah, about the SPF… Who cares, really. I don’t have one. Trust me, it’s from Mike.
Bob’s server: If you don’t have SPF, I can’t be sure it was Mike who sent this. Give me Mike’s allowed IPs, so I can compare it with yours.
Mike’s server: I don’t have the list of Mike’s allowed IPs.
Bob’s server: Then I don’t want your message. Delivery denied. Sorry, buddy…

Scenario 2 – You do have SPF set up.

Mike’s server: Hey, Bob’s server. I’ve got a new message from Mike.
Bob’s server: Hi Mike’s server. What’s your SPF?
Mike’s server: There you go, here’s my SPF. There’s a whole list of IPs that Mike himself declared as the ones which can be used on his behalf.
Bob’s server: Ok, let me see… And the message you have for me is sent from IP Ok, it’s on the list. Everything looks fine. Gimme the message, I’ll show it to Bob. Thanks!

My apologies to all tech-savvy readers of this blog for this ignorant oversimplification. Please forgive us dummies, and keep in mind that we do envy you your super-analytical minds.

Anyway, the moral of those two short dialogues is: set your SPF. If you don’t, you risk having your email hacked or spoofed or you may look like a bad guy, and not all your emails will be delivered.

What apps should you include in your SPF?

The general idea is to make sure all applications that send emails on your behalf (and are using their own SMTP, not yours) are included in your SPF. For instance, if you’re using Google Apps to send emails from your domain, you should put Google in your SPF. Here’s Google’s instruction on how to do this.

But it’s important to check whether Google is the only app that you should “allow” in your SPF. For instance, we’re using HelpScout customer service software to manage our support emails and MailChimp to send our newsletters. We include both of them in our SPF.

Should you include Woodpecker in your SPF as well?

No. Like I mentioned, you should remember to put into your SPF record the apps that send emails on your behalf, but are using their own SMTP. Woodpecker uses your SMTP to send your emails, so it’s more of an online email client with super powers than a mass email sending app.

That said, the deliverability of the emails sent from Woodpecker depends on the reputation of your domain. Setting SPF and DKIM will help you protect the good reputation of your domain, and thus improve the deliverability of your emails.

How to set up SPF record on your server step by step?

The first step is to check what your current SPF record is. You can do that using tools like:

When you type in your domain there (for instance I would type in woodpecker.co), the tools will run some tests and show you your current SPF, or a notification that it hasn’t been set yet.

What are the next steps?

Depending on your domain host, the steps will differ. Basically, it’s about pasting a properly structured line of text in the right place in the console.

For instance, if you are using Google Apps to send all emails from your domain, the line would look like this:

“v=spf1 include:_spf.google.com ~all”

The “v=spf1” part of the record is called the version, and the ones that come after that are called mechanisms.

Now let’s see what each part means exactly.

  1. v=spf1 – this element identifies the record as an SPF record.
  2. include:_spf.google.com – this mechanism includes mail servers that are authorized servers.
  3. ~all – this one indicates that if an email is received from an unauthorized (not listed in the “include:” mechanism) server, it gets tagged as soft fail, which means it can be let through, but could be flagged as spam or suspicious.

But if you’re using more apps than that (for instance something to send your newsletter, something to send your support messages, etc.), the line will be a bit longer, because you will have to include all the other apps in it. Or if you don’t use Google Apps but a server from another host, for instance, GoDaddy, the line will look different.
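To make the record structure and the two server "conversations" concrete, here is an added example (not code from Woodpecker or any mail provider) of how a receiving server evaluates an SPF record. The domains, IP addresses and the DNS_TXT dictionary are constructed stand-ins for real DNS, and only the ip4, ip6, include and all mechanisms are evaluated.

```python
import ipaddress

# Constructed TXT records standing in for live DNS (documentation-range names and IPs).
DNS_TXT = {
    "mike.example": ["v=spf1 ip4:203.0.113.10 include:_spf.mailer.example ~all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "nospf.example": ["site-verification=constructed"],
}
RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender_ip, domain, dns=DNS_TXT, budget=None):
    """Evaluate sender_ip against domain's SPF record (ip4, ip6, include, all only)."""
    budget = [10] if budget is None else budget    # RFC 7208: at most 10 DNS-querying terms
    records = [r for r in dns.get(domain, []) if r.split()[:1] == ["v=spf1"]]
    if not records:
        return "none"                              # Scenario 1: nothing published
    if len(records) > 1:
        return "permerror"                         # two SPF records on one name is invalid
    ip = ipaddress.ip_address(sender_ip)
    for term in records[0].split()[1:]:
        qualifier, mech = (term[0], term[1:]) if term[0] in RESULTS else ("+", term)
        name, _, arg = mech.partition(":")
        name = name.lower()
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return RESULTS[qualifier]
        if name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"                 # too many lookups: record is unusable
            inner = check_spf(sender_ip, arg, dns, budget)
            if inner == "pass":
                return RESULTS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"                 # broken include breaks the whole record
        # a, mx, exists and redirect= need more DNS lookups and are skipped in this sketch
    return "neutral"                               # no term matched and no "all" present
```

The lookup budget is the practical limit on how many apps you can add with include: once the chain needs more than ten DNS-querying terms, receivers treat the whole record as an error rather than a pass.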

Here’s how to set up SPF for the most common domain hosts:

Or you can watch this step-by-step guide in which our Head of Support, Julia, explains how to do it:

If you’re currently using or testing Woodpecker and you’re not sure if your SPF is properly set, you may check it directly in the app: go to SETTINGS > EMAIL ACCOUNTS > click the gear next to your email > DOMAIN CHECK-UP (on the left-hand side) or contact us at [email protected] to get some individual help.

What is DKIM?

The DomainKeys Identified Mail (DKIM) standard was created for the same reason as SPF: to prevent the bad guys from impersonating you as an email sender. It’s a way to additionally sign your emails so that the recipient’s server can check if the sender was really you or not.

By setting DKIM on your DNS server, you’re adding an additional way to tell your receivers “yes, it’s really me who’s sending this message”.


The whole idea is based on encrypting and decrypting the additional signature, put in the header of your message. To make that possible, you need to have two keys:

  • the private key (which is unique to your domain and available exclusively to you. It allows you to encrypt your signature in the header of your messages.)
  • the public key (which you add to your DNS records using DKIM standard, in order to allow your recipient’s server to retrieve it and decrypt your hidden signature from the header of your message).

Take Game of Thrones to get the bigger picture of DKIM. Ned Stark is sending a raven with a message to king Robert. Anyone could take a piece of paper, write a message and sign it Ned Stark. But there’s a way to authenticate the message: the seal. Now, everyone knows that Ned’s seal is a direwolf (that’s the public key). But only Ned has the original seal and can set it on his messages (that’s the private key).


Setting DKIM is just putting the information about the public key into your server’s records. It is also a txt record that needs to be put in the right place.

Once you have set that up, each time someone gets an email from you, the receiver’s server will try to decrypt your hidden signature using the public key. If it succeeds, this will additionally authenticate your message and, as a result, increase the deliverability of all your emails.
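The key-pair exchange described above, as an added example that is not code from Woodpecker or any mail provider. In cryptographic terms the private key signs a hash of the message and the public key from DNS verifies it. Assumptions: the domain mike.example and selector s1 are constructed, textbook RSA over two Mersenne primes stands in for DKIM's padded rsa-sha256, and the p= tag holds the raw modulus rather than a DER-encoded key.

```python
import base64, hashlib

# Toy key pair from two Mersenne primes (constructed for this demo; useless for real mail).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: stays on the sending server

def b64(data):
    return base64.b64encode(data).decode()

# Constructed DNS zone: the public key lives at <selector>._domainkey.<domain>.
DNS_TXT = {"s1._domainkey.mike.example":
           "v=DKIM1; k=rsa; p=" + b64(N.to_bytes((N.bit_length() + 7) // 8, "big"))}

def parse_tags(text):
    return dict(t.strip().split("=", 1) for t in text.split(";") if t.strip())

def digest(headers, signed, bh):
    # Hash of the signed header fields plus the body hash (real DKIM canonicalizes first).
    text = "".join(f"{h}:{headers[h]}\r\n" for h in signed) + bh
    return int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")

def body_hash(body):
    return b64(hashlib.sha256(body.encode()).digest())

def sign(headers, body, domain, selector, signed=("from", "subject")):
    bh = body_hash(body)
    sig = pow(digest(headers, signed, bh), D, N)      # textbook RSA, no PKCS#1 padding
    return f"v=1; d={domain}; s={selector}; h={':'.join(signed)}; bh={bh}; b={sig:x}"

def verify(headers, body, dkim_header, dns=DNS_TXT):
    tags = parse_tags(dkim_header)
    record = dns.get(f"{tags['s']}._domainkey.{tags['d']}")
    if record is None:
        return "none: no key published"
    p = parse_tags(record).get("p", "")
    if not p:
        return "fail: key revoked"
    if body_hash(body) != tags["bh"]:
        return "fail: body changed"
    n = int.from_bytes(base64.b64decode(p), "big")
    expected = digest(headers, tags["h"].split(":"), tags["bh"])
    return "pass" if pow(int(tags["b"], 16), E, n) == expected else "fail: bad signature"
```

Only the header fields listed in h= and the body are covered, so a change to a signed header or to the body fails verification, while a record published with an empty p= tells receivers the key has been revoked.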

How to set up DKIM record on your server step by step?

First, you need to generate the public key. To do that, you need to log in to your email provider’s admin console. The next steps may differ depending on your email provider.

If you’re using Google Apps to send your emails, here’s a step-by-step instruction. Google Apps email users, you should know that by default the DKIM signatures are turned off, so you need to turn them on manually in your Google Admin console.

When you have the public key, you take the generated txt record and paste it in the right place into your DNS records.

Finally, you need to turn on email signing to start sending emails including your signature encrypted with your private key. Here’s how to do it, if you’re using Google Apps to send your emails.

Here’s how to set DKIM in some of the other domain hosts:

For more details, watch a video guide that explains how to do it:

If you’re currently using Woodpecker and don’t have an IT person to ask for help with SPF and DKIM settings, you may contact us at [email protected] for some individual help.

If you’d like to check if your SPF and DKIM are set up properly, you may do so in the app. After logging in to Woodpecker, go to SETTINGS > EMAIL ACCOUNTS > click the gear next to your email > DOMAIN CHECK-UP (on the left-hand side).

Set up SPF & DKIM and improve your deliverability

If you’re sending lots of emails, whether it’s for marketing or for inbound or outbound sales, the reputation of your domain is crucial and you should take really good care of it. You don’t want your domain to get on a blacklist and your emails to end up in spam. Setting SPF and DKIM records properly on your DNS server is a necessary step towards the security of your domain and high deliverability of your messages.

Setting it up may seem complicated, but it’s undoubtedly worth the effort. If I were you, I’d go to my Woodpecker account and check if my SPF and DKIM are properly set right now or ask my IT guys to do it (if you’re not a Woodpecker user). And if it turned out that the answer is “no”, I’d ask them to help me out. And I wouldn’t let them fob me off. Not with this one.