In Part 1, we learned that sneaky scammers can fake your email address and trick people into thinking messages came from you. Not good.
But the good news? There are tools to stop them. And today we’re meeting two of them:
🛡️ SPF and DKIM — your email’s behind-the-scenes security guards.
They sound complicated, but they do one simple job:
They prove your email is real and hasn’t been messed with.
No, not sunscreen (though that protects you too). In email terms:
☀️ SPF = Sender Policy Framework
Think of it like a guest list for your email domain.
Let’s say your email is coming from info@yogastudio.com. SPF is a list — published publicly — that says:
🗒️ “Only emails sent through [these platforms] are allowed to use this address.”
So if you send newsletters through Mailchimp or Mariana Tek, those platforms need to be on the list. If someone else (like a scammer) tries to send from your domain but they’re not on the list? SPF says “Not allowed!”
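Here is the guest-list check as a small added example (not code from this series or from any email platform). It assumes constructed DNS records, reserved documentation IP ranges, and a hypothetical platform domain `spf.newsletter-platform.example`, and it handles only the `ip4`, `ip6`, `include` and `all` parts of an SPF record.

```python
import ipaddress

# Constructed sample DNS TXT records (not real published records).
# "spf.newsletter-platform.example" is a hypothetical sending platform.
SAMPLE_DNS = {
    "yogastudio.com": "v=spf1 ip4:192.0.2.10 include:spf.newsletter-platform.example -all",
    "spf.newsletter-platform.example": "v=spf1 ip4:198.51.100.0/24 ~all",
}

# The character in front of a term decides the verdict when that term matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_ip, domain, dns=SAMPLE_DNS, depth=0):
    """Evaluate a subset of SPF (ip4, ip6, include, all) for sender_ip."""
    if depth > 10:                      # stop runaway or looping include chains
        return "permerror"
    terms = dns.get(domain, "").split()
    if not terms or terms[0] != "v=spf1":
        return "none"                   # domain publishes no guest list
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"                 # no prefix means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if name in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(value, strict=False)
        elif name == "include":
            # include matches only when the nested record returns "pass"
            matched = check_spf(sender_ip, value, dns, depth + 1) == "pass"
        elif name == "all":
            matched = True              # catch-all, normally the last term
        else:
            continue                    # a, mx, etc. are outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no "all" term


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.77", "203.0.113.5"):
        print(ip, "->", check_spf(ip, "yogastudio.com"))
```

A real receiving server fetches the record from DNS for the domain in the message's envelope sender (the Return-Path), and `-all` at the end is what turns "not on the list" into a hard fail rather than a softer result.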
✍️ DKIM = DomainKeys Identified Mail
This one adds a digital signature to every email your system sends.
It’s like a wax seal on an envelope in old-timey days — it tells the receiving inbox,
📫 “Hey, this message really came from me, and no one changed it on the way here.”
Even if someone tries to fake your email, without your DKIM “seal,” the receiving inbox can see it doesn’t match and treat it as suspicious.
SPF and DKIM do different jobs:
They don’t block emails on their own — they’re like your bouncers checking IDs and hand stamps. They verify who’s coming through the door.
But here’s the key:
Without someone in charge (that’s where DMARC comes in), no one tells the bouncers what to do if someone fails the check.
And that’s what we’ll talk about next.
Now that your email has bouncers, you need a manager at the door to give the rules:
➡️ Let this person in,
➡️ Put this one in spam,
➡️ Or bounce them altogether.
That’s what DMARC does — and we’ll show you how in Part 3.
✅ You’re one step closer to a spoof-proof inbox.