All Collections
How Emails Are Delivered And How To Set Up DMARC, DKIM And SPF
How Emails Are Delivered And How To Set Up DMARC, DKIM And SPF

How to add DMARC, SPF and DKIM settings and improve your email delivery

Lari Lehtonen avatar
Written by Lari Lehtonen
Updated over a week ago


Nosto uses AWS(Amazon Web Services) SES (Simple Email Service) for sending behavioral emails. To make sure your email sending is working as effectively as possible and to improve your email delivery rates you can incorporate SPF (Sender Policy Framework), DKIM (Domain-Keys Identified Mail) and DMARC (Domain-based Message Authentication, Reporting and Conformance) into your DNS settings.

DMARC is a policy that describes what to do with emails that don't pass verification. Verification technology may be DKIM or SPF, or both.


Sender Policy Framework is an email authentication standard developed by AOL that compares the email sender’s actual IP address to a list of IP addresses authorized to send mail from that domain. The IP list is published in the domain’s DNS record.


DKIM stands for DomainKeys Identified Mail which was designed to help ISPs prevent malicious email senders by validating email from specific domains.

Spoofers and phishers can be sending email to unwitting recipients by purporting to be from a trusted brand or sender. By “signing” email with DKIM, legitimate senders can label which domains belong to them, and by doing so, empower ISPs to block email streams that have not been properly authenticated using DKIM.


To be able to be DMARC compliant one needs to conform to both SPF and DKIM. 

“Domain-based Message Authentication, Reporting and Conformance (DMARC) is an email-validation system designed to detect and prevent email spoofing. It is intended to combat certain techniques often used in phishing and email spam, such as emails with forged sender addresses that appear to originate from legitimate organizations. DMARC counters the illegitimate usage of the exact domain name in the From: field of email message headers.” - 


Why is DMARC important?

With the rise of the social internet and the ubiquity of e-commerce, spammers and phishers have a tremendous financial incentive to compromise user accounts, enabling theft of passwords, bank accounts, credit cards, and more. Email is easy to spoof and criminals have found spoofing to be a proven way to exploit user trust of well-known brands. Simply inserting the logo of a well known brand into an email gives it instant legitimacy with many users.

Users can’t tell a real message from a fake one, and large mailbox providers have to make very difficult (and frequently incorrect) choices about which messages to deliver and which ones might harm users. Senders remain largely unaware of problems with their authentication practices because there’s no scalable way for them to indicate they want feedback and where it should be sent. Those attempting new SPF and DKIM deployment proceed very slowly and cautiously because the lack of feedback also means they have no good way to monitor progress and debug problems.

DMARC addresses these issues, helping email senders and receivers work together to better secure emails, protecting users and brands from painfully costly abuse.

How does DMARC work, briefly, and in non-technical terms?

“A DMARC policy allows a sender to indicate that their messages are protected by SPF and/or DKIM, and tells a receiver what to do if neither of those authentication methods passes – such as junk or reject the message. DMARC removes guesswork from the receiver’s handling of these failed messages, limiting or eliminating the user’s exposure to potentially fraudulent & harmful messages. DMARC also provides a way for the email receiver to report back to the sender about messages that pass and/or fail DMARC evaluation.”

Configuring Records

Verification settings are domain-wide. Once done for a single email address, it’s working for all addresses of its domain, e.g. when SPF is verified for, it also covers, etc.

The process

Most of the setup guidelines described is out of Nosto's reach since our personnel don’t have access to the settings in Nosto, and neither can we update your DNS records. Consult your network administrator for further advise. In order to use the verification, take the following setps

In Nosto: Set up the verification, which basically means to generate related DNS records. This step is the same for all settings and consists of just clicking the button

In your DNS infra: Publish the DNS records provided by Nosto. This step is specific to DNS/Hosting provider, the instructions for most popular services are listed in next section: Creating DNS records.

After a DNS records update, the corresponding section should have “Success“ or “Enabled” status (except for DMARC records, which are not checked for verification, we just generate it for publishing):

Note that it may take up to 72 hours for the update to take effect since DNS is a worldwide-distributed system and records take time to propagate all over the Internet.

Creating DNS records

The table below includes links to the documentation for several common providers. This list isn't exhaustive, and inclusion in this list isn't an endorsement or recommendation of any company's products or services. If your provider isn't listed in the table, you can probably still publish an SPF record.

DNS/Hosting provider

Documentation link

Amazon Route 53


Add an SPF record (external link)




SPF Records (external link)



Further reading


Did this answer your question?