In the fast-paced digital world, your inbox is both a critical communication channel and a major point of vulnerability. Every day, millions of legitimate emails are sent — but alongside them, malicious actors attempt to impersonate legitimate companies and domains. That’s where email authentication steps in.
Today, we’ll walk you through how to configure SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) for Mailigen — a popular email marketing platform — to ensure your messages are trusted, delivered, and safe from spoofing or spam filters. This guide goes beyond a simple checklist. We explain why these things matter and how they work under the hood so you can confidently secure your mail streams.
Why Email Authentication Matters
Before diving into setup, let’s talk about the big picture.
Modern email systems don’t just trust a “From” address anymore — that address can be easily spoofed. Instead, mail receivers apply a set of authentication protocols to determine whether a message actually came from who it claims to. Two of the core building blocks of authentication are SPF and DKIM.
Together with DMARC (Domain-based Message Authentication, Reporting & Conformance), SPF and DKIM help:
- Prove that emails came from authorized servers
- Protect your domain from abuse and impersonation
- Improve inbox deliverability
- Reduce the chance of ending up in spam folders
Understanding the function and purpose of each is an investment in your brand’s reputation and email security.
Understanding SPF — The First Line of Defense
Sender Policy Framework (SPF) is a DNS-based security protocol that lets domain owners specify which mail servers are permitted to send email on their behalf.
Think of SPF like a whitelist of valid senders. When a mail server (like Gmail, Outlook, Yahoo, etc.) receives an email, it:
- Looks up your SPF record in DNS
- Checks if the sending server’s IP matches an approved source
- Determines whether to accept, flag, or reject the email
If an email is not sent from an authorized source, SPF fails — and that email may be marked as spam, deferred, or blocked entirely.
Setting SPF correctly is essential, but it’s also something that can be misconfigured if not carefully managed — especially when multiple services send mail on your behalf.
Understanding DKIM — Securing Email Integrity
DomainKeys Identified Mail (DKIM) adds a cryptographic signature to your emails.
When you send mail, your server (or your ESP, like Mailigen) signs the outgoing message with a private key. The recipient’s email server fetches the corresponding public key from your DNS and verifies the signature.
If the signature matches:
- The message truly came from the source it claims
- The message has not been altered in transit
This is crucial in preventing tampering and proving authenticity.
DKIM doesn’t check which servers are authorized to send mail — it checks whether the message was signed using your domain’s key. That’s why it works so well alongside SPF and DMARC.
So What About Mailigen?
Mailigen is an email marketing platform that businesses use to design, schedule, and send campaigns. But like all third-party senders, it needs a way to prove that it is legitimately sending emails on behalf of your domain.
Without proper SPF or DKIM configuration, mail receivers don’t have enough verification data — which can lead to:
- Emails getting lost in spam folders
- Messages being marked as suspicious
- DMARC failures due to lack of alignment between headers and authentication
Let’s look at how to configure both SPF and DKIM correctly.
Step-by-Step: Configuring SPF for Mailigen
1. Review Existing SPF Records
Before you add anything new, check whether your domain already has an SPF record. A domain can only have one SPF record, and having more than one can cause a “PermError,” meaning SPF checks break entirely.
In DNS, SPF records look like this:
v=spf1 include:spf.service1.com include:spf.service2.com ~allEvery service that sends mail on your domain’s behalf must be included here, either by IP or include statement.
2. Why Mailigen’s Default SPF Isn’t Enough
Mailigen provides an SPF source — typically something like:
include:spf.mailigen.com
However, at the time of writing, that SPF source is essentially an empty entry and doesn’t actually help your mail pass SPF checks if it’s the only thing in your SPF record.
AutoSPF recommends against relying solely on this record because it doesn’t increase deliverability or authentication trust on its own.
3. Building a Strong SPF Record
Here’s what a good, combined SPF record might look like if you use multiple services:
v=spf1 include:spf.google.com include:_spf.mailchimp.com ip4:203.0.113.5 ~all
Key points:
- Only one SPF record per domain
- Include every trusted sending source
- Use ~all for soft fail during testing, and consider switching to -all (hard fail) once everything is validated
Step-by-Step: Configuring DKIM for Mailigen
1. Log into Mailigen
Start by signing in to your Mailigen dashboard.
- Go to the Email Authentication section – this may be under settings or domain manager depending on UI updates.
- Choose Add a Domain.
- Enter the domain you want to authenticate.
Once that’s done, Mailigen will provide your DKIM DNS records.
2. Publish the DKIM Record in Your DNS
Mailigen will generate a selector and a key value — these come in a format like:
Name/Host: selector._domainkey.yourdomain.com
Value: (long DKIM public key string)
In your DNS provider’s panel:
- Create a TXT record
- Set the Host/Name to the selector provided
- Paste the DKIM key into the Value field
- Save and publish the record
3. Validate DKIM Publication
Propagation can take anywhere from a few minutes up to 48 hours (depending on TTL settings), but once the DNS change takes effect, you should see DKIM signatures pass on outgoing mail. Many DNS providers and mail tools offer built-in validation — you can also use third-party DMARC/Email authentication checkers to confirm things are working.
4. DKIM + SPF = Better DMARC Alignment
Remember: DMARC looks at alignment — not just authentication.
- SPF alignment means the return-path domain matches your “From” domain
- DKIM alignment means the signed domain matches your “From” domain
If either SPF or DKIM passes alignment, DMARC will consider the message legitimate — so having both provides redundancy and better security.
Beyond SPF & DKIM: Best Practices
1. Use DMARC for Enforcement Too
Even after SPF and DKIM are set, you’ll want to configure a DMARC record so you can:
- Monitor authentication results
- Receive reports about who is sending mail for your domain
- Enforce quarantine or reject for suspicious messages
A simple DMARC record might look like:
v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.comThis lets you collect reports without affecting flow. Once you’re confident everything is valid, consider switching to quarantine or reject to enforce policy.
2. Don’t Use “+all” in SPF
The +all mechanism tells receivers to trust any sending source — effectively disabling SPF. It’s a dangerous configuration that should never be used. Instead, stick with ~all (soft fail) or -all (hard fail) once you’re confident your SPF is correct.
3. Rotate DKIM Keys Periodically
Using stronger, rotated keys (2048-bit or more) and updating them regularly improves security. Many mail providers help automate this — if not, you can generate new keys and update the DNS as needed.
