SPF, DKIM, and DMARC: F*cking Learn It!

Recruiters rely on email to connect with candidates and clients. But if your emails aren’t properly authenticated, they might never reach the inbox. Worse—without the right setup, cybercriminals could spoof your domain and send fraudulent emails pretending to be you.

This is why SPF, DKIM, and DMARC matter. They’re not just technical jargon—they’re your best defence against email bounces, spam folders, and security threats. Let’s break them down in a way that actually makes sense.


Why Recruiters Need Email Authentication

Think of email authentication like a passport check at the airport. If you don’t have the right documents, you’re either turned away (bounced email) or heavily scrutinised (spam folder).

Without SPF, DKIM, and DMARC, email providers can’t verify that your emails are legit. This means:

🚨 Your emails might be blocked or marked as spam
🚨 Scammers can spoof your email address and send fake job offers
🚨 Your company’s reputation could suffer if spam is sent from your domain

Recruitment agencies send a lot of emails. If you’re not authenticating properly, your deliverability will take a serious hit.


SPF: The Bouncer at the Door

SPF (Sender Policy Framework) is like a bouncer checking ID at a club. It decides who’s allowed to send emails on behalf of your domain.

How SPF Works:

  1. You create an SPF record in your domain’s DNS settings.
  2. The record lists which mail servers can send emails for you (e.g., Gmail, Outlook, your CRM).
  3. When you send an email, the receiving mail server checks your SPF record.
  4. If the email is sent from an approved server, it’s allowed in. If not, it’s flagged as suspicious.

Common SPF Mistakes (And How to Fix Them):

Not having an SPF record → Your emails might get rejected.
✅ Fix: Add an SPF record to your domain.

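Too many email services listed → SPF allows a maximum of 10 DNS lookups per check, and every included service uses up at least one.
✅ Fix: Use a flattened SPF record (includes replaced by the IP ranges they resolve to) to stay within the limit.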

Forgetting to update SPF when adding new tools (e.g., Mailchimp, HubSpot).
✅ Fix: Always update your SPF record when you start using a new email service.

👉 Check your SPF record with a tool like MXToolbox or Quinset’s own assessment tool at the bottom of this page.
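
To see how quickly the 10-lookup limit is reached, here is an added example (not part of the original article or of any tool it mentions) that counts the DNS-querying terms in an SPF record, following nested includes. The domains and records are constructed, and the count is a worst case that assumes every term is evaluated.

```python
MAX_LOOKUPS = 10   # the per-check lookup limit mentioned above
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists"}

# Constructed zone data (example domains, documentation IP ranges); no DNS is queried.
LEAF = "v=spf1 ip4:192.0.2.0/24 ~all"
ZONE = {
    "agency.example": "v=spf1 mx include:_spf.mail.example include:crm.example "
                      "include:news.example include:desk.example ~all",
    "_spf.mail.example": "v=spf1 include:_n1.mail.example include:_n2.mail.example "
                         "include:_n3.mail.example ~all",
    "_n1.mail.example": LEAF, "_n2.mail.example": LEAF, "_n3.mail.example": LEAF,
    "crm.example": "v=spf1 include:_spf.esp.example ~all",
    "_spf.esp.example": LEAF,
    "news.example": "v=spf1 a mx ip4:198.51.100.7 ~all",
    "desk.example": LEAF,
}

def count_lookups(domain, zone, path=frozenset()):
    """Worst-case number of DNS-querying SPF terms reached from `domain`."""
    if domain in path:
        raise ValueError(f"include loop through {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record published for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                  # drop the qualifier
        if term.lower().startswith("redirect="):    # redirect also costs a lookup
            total += 1 + count_lookups(term[9:], zone, path | {domain})
            continue
        name, _, arg = term.partition(":")          # "include:x" -> ("include", "x")
        name = name.split("/")[0].lower()           # "mx/24" -> "mx"
        if name in LOOKUP_TERMS:
            total += 1
        if name == "include":                       # nested records count too
            total += count_lookups(arg, zone, path | {domain})
    return total

def audit(domain, zone):
    """Return (lookups, within_limit) for the domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, n <= MAX_LOOKUPS

if __name__ == "__main__":
    print(audit("agency.example", ZONE))
```

Four services plus the domain's own mx already come to 11 lookups here, because one provider's include fans out into three more.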


DKIM: The Tamper-Proof Seal

DKIM (DomainKeys Identified Mail) is like a wax seal on a letter—it proves the email hasn’t been tampered with in transit.

How DKIM Works:

  1. Your email server adds a digital signature to outgoing emails.
  2. The receiving email provider checks the signature against your DKIM record (stored in DNS).
  3. If the signature matches, the email is trusted. If not, the email may have been modified or forged.

Common DKIM Mistakes (And How to Fix Them):

Not setting up DKIM → Email providers will trust you less.
✅ Fix: Enable DKIM in your email provider (Google Workspace, Microsoft 365, etc.).

Wrong DKIM record in DNS → Emails fail authentication.
✅ Fix: Copy-paste the exact DKIM record provided by your email service.

👉 Check your DKIM setup with a tool like Mail-Tester or Quinset’s own assessment tool.


DMARC: The Rulebook That Protects You

DMARC (Domain-based Message Authentication, Reporting & Conformance) tells email providers what to do with unauthenticated emails.

Without DMARC, a scammer can spoof your email address and send fake job offers, phishing attempts, or spam from your domain—without you even knowing.

How DMARC Works:

  1. You publish a DMARC policy in your DNS records.
  2. The policy tells email providers:
    • p=none → Monitor but take no action (good for testing).
    • p=quarantine → Send suspicious emails to spam.
    • p=reject → Block unauthenticated emails entirely.
  3. You receive reports showing who is sending emails using your domain.

Common DMARC Mistakes (And How to Fix Them):

No DMARC policy → Anyone can spoof your domain.
✅ Fix: Start with p=none and monitor reports.

Too strict too soon → Blocking legitimate emails by accident.
✅ Fix: Use p=quarantine before moving to p=reject.

Ignoring DMARC reports → You won’t see spoofing attempts.
✅ Fix: Set up a tool like DMARCian or Postmark DMARC to read reports.

👉 Check your DMARC policy with a tool like DMARC Analyzer or Quinset’s own assessment tool at the bottom of this page.


How to Set Up SPF, DKIM, and DMARC

1️⃣ Log in to your domain provider (GoDaddy, Cloudflare, etc.)
2️⃣ Find the DNS settings (usually under “DNS Management”)
3️⃣ Add the required records:

  • SPF: TXT record with v=spf1 include:_spf.google.com ~all (for Google Workspace)
  • DKIM: TXT record with the key provided by your email service
  • DMARC: TXT record with v=DMARC1; p=none; rua=mailto:reports@yourdomain.com

4️⃣ Test your setup using MXToolbox, Google’s Check MX Tool or Quinset’s own assessment tool.

Final Thoughts

SPF, DKIM, and DMARC are essential for recruiters. Without them, your emails might not get delivered, and your domain could be at risk of spoofing.

SPF: Tells email providers who’s allowed to send emails for you.
DKIM: Proves your emails haven’t been altered.
DMARC: Protects your domain from being used in scams.

Get these right, and your emails will reach inboxes, not spam folders. Ignore them, and you might as well be emailing into the void.

Need help setting up authentication for your recruitment agency? Let’s talk. 😉


Quinset’s Analysis Tool: DKIM, SPF and DMARC