DMARC, SPF and DKIM: What and Why?

The short answer is email security delivery and spam prevention which are related in many ways. Do not ignore these seemingly boring acronyms: DKIM and SPF. They help us assess whether we can trus emails.

What is the problem?

Opening every email is a risk. You need to trust emails you open. You need recipients to trust the ones you send.

One way to reduce that risk is to know who has sent it and assess whether or not we trust them. So how do we know who the sender is? Not by the sender name, that is for sure. Something purporting to come from a large trustworthy company, perhaps? Nat West bank or “SCREWFIX” (i.e. the tools and materials retailer) might mail you about your account or a competition. It may have come from from a different email domain if you click into it. SCREWFIX<dhlkjlj@zxyildgt .ru> is an example where you can see the “friendly name” “SCREWFIX” is completely different to the email domain name (the bit after the@-sign). See if you can spot this in the email below received as I looked for examples whilst writing this.

So people send emails “spoofing” that they are someone else. Much spam is probably going out from your company name right now and causing damage to your reputation. This happens to every company after a while. So, how can we be even more sure of the sender?

How do you check a sender?

Where does this email come from?

Each server on the internet has a unique “IP” address to identify it. The IP address of the server where the mail originated provides a little more assurance. You can see the IP where an email originated (and all the servers it went through before getting to your email inbox by looking in the email “headers”. Different mail programs hide this in different places but you should be able to google where it is. It is a bit like the postmark on an envelope. If it says it was posted in Leeds, and your sender lives in Leeds, you can have a bit more confidence. If it says it comes from Santa Claus and the postmark says “North Pole” any grown up knows post marks can be forged. Regrettably, an IP can be spoofed in the same way. However, there are a couple of major problems even if the IP address of the sender is completely genuine. How do you know if it is the IP of the sender or just some other IP? The answer is SPF (Spam Protection Framework).

The SPF standard allows email domain owners to say: “Email from my domain may only come from the server with this IP address and any other IP addresses should not be trusted.” That is really helpful because even if you do not go comparing the IP address from which the email originated and the IP address(es) that the domain owner has configured, the mail relays will do so. It is relatively easy for them to compare the two and many will block mails that do not comply before you receive them. Now turn it around the other way. If you do not set this up for your email domain, more and more servers will block your emails and people will not receive them. I.e., you will have a “deliverability issue”.

To add your valid originating IPs for your company, you need to add the details to the “SPF record”. This is done in the DNS control panel for your domain. The task requires technical knowledge. Do not attempt DNS changes unless you understand how it all works. Call your ISP or hosting company to ask their advice. Also, you should make sure you (or a technical manager you trust) know the access credentials for the DNS for any domain in your business so you can make changes when required.

What, When and Who are valid for this email?

Experts soon saw that the above weaknesses in SPF needed to be addressed. A new method was needed. There had to be some way machines could trust an encrypted key mechanism to see if the email was genuinely:

  • sent at that date and time
  • from that email address (sender)
  • to that/those email addresses (recipients)
  • Subject line.

This is accomplished by DKIM (DomainKeys Identification Method) whch was designed to address the problem. You need to make sure you have this set up correctly for any servers you authorise to send your email. You need to make sure your incoming email servers check it, too.

The way it works is that the email server generates an encrypted string (2048 bit is acceptable at time of writing) which encodes the above facts as the email is sent. When any mail “relay” server receives it, it can check this against a 2048 bit DKIM key that is shown publicly on the domain. If the two “fit” together, the email is passed along. If not, some other action ranging from nothing to an alert to blocking (or even deleting) takes place. Because of the challenging rise in spam and dangerous emails, the servers and mail applications are getting increasingly strict.

Once again, to set this up, you need a DNS skilled professional. The whole process should be less than half-an-hour including checking with a tool like or It may seem expensive and complicated but “doing nothing” is will probably come with a cost! Your business emails will get blocked and become more and more undeliverable.

You may hear about another Acronym: DMARC. (Domain-based Message Authentication, Reporting and Conformance) This is a way that email management professinals configure their servers to react to the SPF and DKIM data associated with the emails. Basically, the rules as to whether it is fine, marked a spam or so dangerous it needs to e deleted. Different professinals take different views. However, the large organisations that move the most email traffic also getting stricter. So you need to be verified byut them also or your email will be rerouted or deleted if not properly configured to prove you are who you say you are.

Verification records

In addition to the above internationally accepted DMARC standards, the major email traffic players have their own additional verification checks. If you or your clients or staff or any other stakeholders or consumers have gmail addresses or other google mail services such as G-Suite, You will need Google Verification. Ask your tech person to click here and follow the process for Google Verification. There are similar processes for other mail relay providers including Apple and Microsoft.

Some further reading

You may also wish to read this article from AccountingWeb which explains it in easy-to-understand lay terms.


If you are experiencing deliverability issues sending mail from your AXLR8 system, please contact Support by email or call. We will review all of the above with you.

AXLR8 Cyber Essentials Plus 2024-2025

AXLR8 Cyber Essentials Plus 2024-2025

AXLR8 received IASME confirmation that we had achieved Cyber Essentials Plus for 2024-2025 at the Montpellier (version3.1) level today.

IASME confirm AXLR8 have passed CE+ for 2024/5
IASME confirm AXLR8 have passed CE+ for 2024/5

Once again, thanks to RightCue whose expert assistance helps us shut down cyber security threats across our networks As external auditors, they also provide the tools and advice to keep our audits and internal tests up to date and effective.

Cyber security is an essential part of AXLR8’s risk management plan. We invest heavily in the systems, processes and external testing and advice to protect both AXLR8 and our clients.

AXLR8 Cyber Essentials for 2023-4

AXLR8 Cyber Essentials for 2023-4

We have just passed the Montpellier level assessment for Cyber Essentials and we are preparing for the AXLR8 Cyber Essentials Plus audit in January. Thanks again to Right Cue and IASME. This exercise is always encourages thought about our cyber security and is a springboard for the internal trainings and audits for the rest of the year.

Between now and January we are doing our annual Penetration Testing exercise. This is involves attempted hacking by skilled consultants and many vulnerability tests and infrastructure and code reviews.

Was your data breached when Mailchimp was hacked?

You may not be aware that the AXLR8 system has a full Mailing Manager module, enabling you to send out compliant mailings and newsletters and report on viewings and clicks afterwards, just like Mailchimp (only better of course)!

Many MailChimp clients have had to move away from Mailchimp and embraced the AXLR8 Mailing Manager instead. 

On April 4th 2022, MailChimp acknowledged that their systems had been hacked, with over 300 accounts accessed. As a non-UK and non-EU company they have no requirement to inform the ICO (Information Commission’s Office) of the data breach. They have informed the public with a vague press release. You can read more on this by clicking here.

A further incident was also reported in August 2022 – read more here.

So are you hacked off? Have you had enough of Mailchimp? Are you thinking of moving your data to the UK, where the suppliers are under the GDPR legislation (If a UK supplier is hacked, they have to inform the ICO and customers within 48 hours – you don’t just happen across a vague press release online)?

AXLR8 provide a full CRM system in UK data centres, not just a Mailing Manager, for the cost of the Mailing Manager. Read more about the product here.

If you would like to talk further about the AXLR8 Mailing Manager, please call us on 01344 776500 or email We would love to demo the software to you and discuss your requirements.

Is an IRMS worth it?

AXLR8 provide special IRM systems for

  • Freedom of Information,
  • SARs (GDPR requests such as access or rectification) and
  • EIR (requests under Environmental Information Regulations)
  • Appeals
  • Complaints
  • Data Breaches
  • and many more information governance applications.

Productivity and saving public funds

All systems purchases need to be justified financially. This article and accompanying spreadsheet explain how one can measure the difference a system makes compared to manually updating spreadsheets. That means public sector buyers can calculate how much it costs their business every month that they do not have a system!

Maintenance App

Maintenance App

Check out the new version of our maintenance app for Android and Apple phones and tablets.

As you and the team walk around your facilities you can see-snap-send.

  • See: notice a fault and log a repair job
  • Snap: take a photo
  • Send: upload the details to the maintenance team

The maintenance team will have manager access and allocate the work to someone (internal or external if it requires specialist knowledge or equipment). Then you can see when it is repaired and also view and “AFTER” photo along side the “BEFORE” photo you had previously uploaded.

Watch the video.

Please see this article for more details

AI developments

AI developments

AI can help us with all sorts of work. We have been looking for about five years at how we could integrate the power of AI developments into AXLR8 product lines. Here are a few examples.

  • Sales One simple early success came from batch OCR reading of visiting cards brought back from a trade show or trip. It works really well with competing offers from MS, Amazon, Google and others. The offers are provided on a Freemium basis. Last time we checked you could use 1000 searches a month before hitting a paywall. Nowadays, however, more utility from AI Developments when entering data into your CRM comes from customer enquiry forms on your website or AXLR8 Import Admin for, e.g. your LinkedIn contacts. Specialist suppliers are creating interesting marketing applications. We are monitoring these tools. Soon we will integrate a “best of breed” partner’s offering. Most likely, this will be for lead generation and proposal writing.
  • Information Governance We researched the claims of suppliers offering AI to help with SAR redaction. Their utility did not match the claims except in the simplest examples. I would describe the results as worthy of a Khaby Lame reactions TikTok video. We will come back to that in future.
  • ATS (applicant tracking systems) seems a good area for AI developments. Applying AI to recruitment strategies could really speed up onboarding staff for rapid deployments or growth. We are also looking at spotting issues with vetting and rights to work.
  • Workforce planning Optimising staff journeys and bookings for shifts in security, field marketing, hospitality and counter cover seems achievable. Clients with large data sources to learn from is proving an interesting area of study.
  • Finance Brokers We have seen some success with selecting funders. However, none of the AXLR8 AI developments match an experienced commercial finance intermediary professional. You need the experience and client knowledge. Like the IG example of redaction, above, there is a limit to how useful the tool an be. Also, it needs material to learn from. How much insight of a client situation is an AR prepared to type into a system. Any algorithm created by banks for loans seems to miss great funding requirements. It creates the very conditions where clients work through brokers!
  • Marketing The next stage of our marketing functions would be if they autogenerated content and knew and could learn from e.g. campaign timing. Most of our clients need quality with low unsubscribe rates in their mailings. So, care would be needed. Can you spot one of our blogs that was co-written by ChatGPT?
  • Systems reliability AI is most helpful behind the scenes in predictive self-healing algorithms. These fix our systems regularly before problems arise. This has been a positive AI development.

AXLR8 will carry on investing in development trials. If you feel an area of our products could be automated, please let us know.

Web CMS market share

Why is this important? It matters because using a more popular platform can provide access to more tools, skilled exponents, experience, and integrated plugins and functions.

AXLR8 have provided may web integrations for 20 years. We have moved from HTML through Dreamweaver into Joomla, Drupal and latterly WordPress. Likewise for e-commerce platforms and many other functions we have moved with the times (but staying a little behind to trade reliability and ecosystem for new whizzy shiny things. This has given us a “hinterland” and the experience and skills to deal with any integration whilst moving to the platforms as their popularity grows and wanes

Our latest web plugins (for example in Job advertising Boards as part of our ATS) are now all built around WordPress. This CMS has a dominant market share now. We recently were asked to help with a Drupal project and have some integrations with Joomla. I always perceived these CMS platforms as very good but lost in history. So what are the market shares in CMS and who is growing and falling?

The request to help a team plug our API into a new Drupal basee public dislosure log for FOI queries for a local authority yesterday sent me off researching market footprint and also cross checked against  this table for CMS usage. Both independent sources seem to confirm the dominance of WordPress.


This link shows WordPress with about two thirds of the market. The rest range down from about 5%. There were suprises for me and I consider myself quite plugged in to this market. For example, Ithought WordPress must be 80% but is falling (65.5% to 63.3% in the last year from March 2022 to March 2023). Wix, Squarespace and Joomla are growing slightly. Drupal and Shopify are falling. The latter really shocked me as I see it everywhere nowadays.


This reference has some interesting stats. For example, they estimate 34,896,678 live websites using WordPress. The tiny fall in WordPress website marketshare mentioned above may just be a momentary slowing of the overall growth reported from 55.3%-64.2% between 2011 and 2022.

Choosing WordPress

WordPress websites will continue to be the most common platform for AXLR8 to work with this year and next. However, like all giants, it has its critics – especially for security.  I think this reputation is largely down to three things.

  1. The popularity attracts hackers like it attracts users, developers, etc. to, say Microsoft desktop products and servers.
  2. Its users are notorious for setting insecure passwords. Please use a complex three word password over 12 characters including numbers, upper and lowercase and symbols.
  3. People do not invest time or money in updating the free plugins with new security patches. As an example, you can probably get domain registration, hosting and support for £30/year or less for a WordPress site. If your support company does the security updates, you may need to budget £50/month.

Be realistic about #2 and #3 above and you will have all the benefits of WordPress and peace of mind on the security front. Do not be taken in by developers offering proprietary solutions promising they are more secure.

If you need any smart data systems behind your Website site, please call AXLR8 on 01344 776500 to speak to one of our consultants.



AXLR8 Maintenance App

Check out this video showing how it works on the mobile app and also in HQ office where jobs are managed.

The AXLR8 Maintenance App is perfect for reporting safety problems or just logging items for repair in your school, hospital, hotel, stadium factory, plant, power station, refinery or any facility.

It works on an app and the fault reporting is as easy as See Snap Send. You notice a problem (broken window, slip hazard, etc.) take a photo and hit send.

Then the central system takes over and a manager can allocate someone to fix it, deal with subcontractors or allocate it to site staff, insurance claims, prevention, risk and accident register and photo evidence of completed work alongside the pictures in the original report.