Which should you choose: DKIM or SPF? We will cover what both terms mean, and how and when to use them.

Do you need both?

Is it necessary to use both DKIM AND SPF? While not mandatory, it is strongly recommended to use SPF and DKIM to protect your email domains from fraud and spoofing attacks.
Email is becoming more important than ever. This is especially true in an era where millions of corporate workers work remotely due to COVID-19 measures. As a result, email crime networks have become more lucrative than ever. Today, fraudsters of all stripes spoof corporate email domains in phishing attacks, and business email compromise (BEC) scams fuel nearly $9 billion in business losses each year.
These attacks can cost your company customers and damage its reputation. Even if your company faces no regulatory fines or legal action, legitimate email marketing and communications programs could suffer low delivery rates, or be blocked outright.
What is SPF (Sender Policy Framework)? What is DKIM (DomainKeys Identified Mail)? These are important email security standards that prevent attackers from spoofing domains to attack customers, partners, and the general public. Let’s look at both standards, discuss why it is better to use them together, and cover how to do it right.
How Domain Spoofing Works
To spoof email, a fraudster must compromise or set up an SMTP server. To make their phishing messages look legitimate, they manipulate the “From”, “Reply-To”, and “Return-Path” addresses so the messages appear to come from a company or person they are impersonating.
This identity fraud is possible because SMTP (the Simple Mail Transfer Protocol used to send, receive and relay email) has no built-in mechanism to authenticate the sending address.
S/MIME, an early email authentication standard, never gained enough traction to be effective against this threat. Then, in the mid-2000s, SPF and DKIM emerged as new email security standards that succeeded where S/MIME had not.
How SPF works
SPF is the foundation of email sender authentication. It lets a domain owner limit which IP addresses are allowed to send email for a specific domain. For example, a domain owner can stipulate that only IP 5.6.7.8.9 may send email from @YourCompanyURLHere.com by publishing that policy as a TXT record in the domain’s DNS. An SPF record lookup tool can help you determine which servers have permission to send email on behalf of your domains.
Receiving email servers query the DNS records of your sending domain to verify that the IP address that delivered the email is listed in the SPF record. If it isn’t, the email fails authentication, which helps weed out malicious email that exploits the domain.
How DKIM works
DKIM uses asymmetric cryptography: email senders digitally sign outgoing email from a domain and publish in DNS the public keys needed to validate those signatures. This lets recipients confirm that an email was not altered in transit. Find out more about DKIM setup. Once it is in place, a DKIM record lookup tool can confirm that receiving mail servers are able to find your public key.
The signature is carried in a header of the email. When a receiving SMTP server gets the message, it queries DNS for the TXT record that holds the sending domain’s public key and uses that key to verify the signature, confirming that the email was sent by the domain and was not modified on the way.
If the signature fails to verify, the receiving email service provider may mark the email as spam or block it outright. This makes it far harder for fraudsters to craft emails that appear to have been sent from your domain.
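The two pieces of the receiving-side DKIM check that need no private key are (1) finding the public key record, `<selector>._domainkey.<domain>`, from the signature’s `s=` and `d=` tags, and (2) recomputing the body hash (`bh=`) to detect a body that changed in transit. The block below, an added example that is not from the original article or any DKIM library, does both against a constructed message. The selector `sel2024`, the message, and the fake key record are assumptions; the `b=` value is a placeholder because no key pair is involved, so the final RSA check of `b=` is the one step this example does not perform.

```python
import base64
import hashlib
import re

# --- constructed sample message (not captured from any real mail system) ---
SAMPLE_BODY = "Hello,\r\n\r\nYour invoice total is 100 USD.\r\n\r\n\r\n"


def canonicalize_body_simple(body):
    """'simple' body canonicalization (RFC 6376 section 3.4.3): drop all empty
    lines at the end of the body and make sure it ends with exactly one CRLF."""
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body, algo="sha256"):
    """Return the base64 body hash (the bh= tag) of the canonicalized body."""
    digest = hashlib.new(algo, canonicalize_body_simple(body).encode()).digest()
    return base64.b64encode(digest).decode()


# bh= is computed here so the constructed header is consistent with the body;
# b= holds a placeholder because this example has no signing key.
SAMPLE_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=example.com;\r\n"
    " s=sel2024; h=from:to:subject; bh=" + body_hash(SAMPLE_BODY) + ";\r\n"
    " b=PLACEHOLDER-NOT-A-REAL-SIGNATURE\r\n"
    "From: Billing <billing@example.com>\r\n"
    "To: customer@example.net\r\n"
    "Subject: Invoice\r\n"
    "\r\n" + SAMPLE_BODY
)

# Constructed TXT answer for sel2024._domainkey.example.com (fake key bytes).
SAMPLE_KEY_RECORD = "v=DKIM1; k=rsa; p=" + base64.b64encode(b"constructed-fake-key").decode()


def parse_tag_list(value):
    """Parse a 'k=v; k=v' DKIM tag list; folding whitespace inside values is dropped."""
    tags = {}
    for item in value.split(";"):
        key, _, val = item.partition("=")      # base64 padding '=' stays in val
        if key.strip():
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def unfold_headers(header_block):
    """Join folded continuation lines so each header field is one string."""
    fields = []
    for line in header_block.split("\r\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        elif line:
            fields.append(line)
    return fields


def get_header(raw_message, name):
    """Return the value of the first header field called `name`, or None."""
    header_block, _, _ = raw_message.partition("\r\n\r\n")
    for field in unfold_headers(header_block):
        fname, _, fvalue = field.partition(":")
        if fname.strip().lower() == name.lower():
            return fvalue.strip()
    return None


def dkim_dns_name(tags):
    """The TXT record a verifier queries: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def parse_key_record(txt):
    """Parse the published key record; returns (key type, raw public key bytes)."""
    tags = parse_tag_list(txt)
    if tags.get("v", "DKIM1") != "DKIM1" or not tags.get("p"):
        raise ValueError("not a usable DKIM key record (an empty p= means revoked)")
    return tags.get("k", "rsa"), base64.b64decode(tags["p"])


def verify_body_hash(raw_message):
    """Recompute bh= over the received body and compare it with the signed value.
    A mismatch means the body is not the one that was signed. Verifying b= with
    the public key is the remaining step and is not shown here."""
    sig = get_header(raw_message, "DKIM-Signature")
    if sig is None:
        return False
    tags = parse_tag_list(sig)
    algo = tags.get("a", "rsa-sha256").split("-")[-1]   # "sha256" or "sha1"
    _, _, body = raw_message.partition("\r\n\r\n")
    return body_hash(body, algo) == tags.get("bh")


if __name__ == "__main__":
    sig_tags = parse_tag_list(get_header(SAMPLE_MESSAGE, "DKIM-Signature"))
    print("key lookup :", dkim_dns_name(sig_tags))
    print("body intact:", verify_body_hash(SAMPLE_MESSAGE))
    print("tampered   :", verify_body_hash(SAMPLE_MESSAGE.replace("100 USD", "900 USD")))
```

Changing a single figure in the body flips the result to `False` even though every header is untouched, which is the “not altered in transit” guarantee the text describes; a relay that rewrites the body (footers, link tracking) breaks the signature for exactly the same reason.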
Which is better?
This is not an “either/or” situation. It’s really a “better together” situation, because SPF and DKIM address two distinct but interdependent issues that are central to email security.
SPF lets you confirm that an email purporting to be from your company was sent via one of your authorized IP addresses. DKIM confirms that the email was signed by your company’s domain and has not been altered or falsified on its way to its intended recipients.
Remember that DKIM and SPF are not the only email authentication options. We therefore need to add one more acronym: DMARC.
Why DMARC is so important
Domain-based Message Authentication, Reporting & Conformance (DMARC) was first introduced in 2012.
Companies use DMARC policies to tell email providers when to rely on DKIM and SPF for a domain, and what to do when a message fails these checks. The strictest DMARC enforcement option is reject: email that fails DMARC authentication is refused by the recipient’s mail server and is never delivered to the intended recipients. Learn more about DMARC setup.
It is relatively simple to create a DMARC record and assign it to a domain. Large organizations may find it harder to implement DMARC across many domains; email ecosystem management solutions can simplify the process. This can reduce fraudsters’ ability to impersonate the business in phishing emails to almost zero within weeks.
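The policy logic described above, combining the SPF and DKIM outcomes with the published record, is shown in this added example (written for this page, not the article’s or any DMARC product’s code). It looks up `_dmarc.<From domain>`, falls back to the organizational domain, checks identifier alignment in strict or relaxed mode, and returns the disposition (`none`, `quarantine` or `reject`). The `_dmarc.example.com` record and all domains are constructed assumptions; the organizational-domain helper uses the last two labels rather than the Public Suffix List, and `pct=` sampling is parsed but not applied.

```python
# Constructed DNS answers for _dmarc lookups (example domains, not real policies).
FAKE_DNS_TXT = {
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; "
        "rua=mailto:dmarc-reports@example.com"
    ),
}


def org_domain(domain):
    """Approximate the organizational domain as the last two labels.
    Assumption for this example: real verifiers consult the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(record):
    """Parse a DMARC TXT record into a dict, filling in RFC 7489 defaults."""
    tags = {}
    for item in record.split(";"):
        key, _, val = item.partition("=")
        if key.strip():
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")           # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")            # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])        # subdomain policy inherits p=
    tags.setdefault("pct", "100")           # parsed only; sampling not applied here
    return tags


def find_dmarc(from_domain, dns=FAKE_DNS_TXT):
    """Look up _dmarc.<From domain>, then _dmarc.<organizational domain>.
    Returns (policy_domain, record) or (None, None) when nothing is published."""
    for candidate in (from_domain.lower(), org_domain(from_domain)):
        record = dns.get("_dmarc." + candidate)
        if record and record.startswith("v=DMARC1"):
            return candidate, record
    return None, None


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   dns=FAKE_DNS_TXT):
    """Combine the SPF and DKIM outcomes with the From domain's DMARC policy.

    spf_domain is the MAIL FROM (Return-Path) domain SPF was checked against;
    dkim_domain is the d= tag of a signature that verified.
    Returns (dmarc_result, disposition): disposition is what the receiver
    should do, 'none' (deliver), 'quarantine' or 'reject'.
    """
    policy_domain, record = find_dmarc(from_domain, dns)
    if record is None:
        return "none", "none"               # no policy published: deliver as usual
    policy = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:                   # one aligned pass is enough
        return "pass", "none"
    # Failed: p= applies to the domain itself, sp= to a subdomain of it
    applies = policy["p"] if from_domain.lower() == policy_domain else policy["sp"]
    return "fail", applies


if __name__ == "__main__":
    print(evaluate_dmarc("example.com", "pass", "bounce.example.com", "fail", ""))
    print(evaluate_dmarc("example.com", "fail", "example.com", "pass", "mail.example.com"))
    print(evaluate_dmarc("news.example.com", "fail", "news.example.com", "fail", ""))
```

The second call shows why alignment matters: the DKIM signature verifies, but under `adkim=s` a `d=mail.example.com` signature does not vouch for a `From: example.com` message, so the message is rejected. Publishing `p=none` with a `rua=` address first, and reading the reports before moving to `quarantine` and `reject`, is the usual way to find legitimate senders that would otherwise be caught by this logic.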
These strategies and solutions have proven very successful for companies. Forrester Research found that EmailAuth Brand Protection increased email conversion rates by 10% on average, with an average revenue increase of 4 million. Forrester Research also reports that organizations can see a 326% return on investment once the costs of brand impersonation, such as taking down phishing websites, are taken into account.
Organizations can also use standards built on DMARC, such as Brand Indicators for Message Identification (BIMI), to display their logo next to the subject line in the recipient’s inbox. This increases brand awareness and signals to the recipient that the email is trustworthy.

Source:https://medium.com/@rawatnimisha/dkim-vs-spf-do-i-need-them-both-6a...
