Email Basics for Mission-Driven Companies: A Simple Guide to SPF, DKIM, DMARC, and BIMI
- Logan Brown
- 19 hours ago
If you run a fast-growing startup or lead a nonprofit, you know how critical email is for your mission. Whether you’re reaching out to customers, investors, donors, or grant makers, your emails must land in inboxes—not spam folders. Yet, many mission-driven organizations struggle with email security and deliverability. That’s where SPF, DKIM, DMARC, and BIMI come in. These email authentication protocols protect your reputation and boost trust, but how do you manage them?
Why Email Authentication Matters for Your Mission
Your email reputation affects how often your messages reach the right people. For fast-growing startups, this means keeping customers engaged and investors confident. For nonprofits, especially during giving season, it means donors and grant makers trust your communications and respond.
Without proper email authentication:
Your emails might be marked as spam or rejected.
Phishing attacks can impersonate your organization.
Your nonprofit email reputation and deliverability suffer.
You risk losing critical support and funding.
By securing your email with SPF, DKIM, DMARC, and BIMI, you protect your brand and improve communication success.

Understanding SPF, DKIM, DMARC, and BIMI
Here’s a quick, non-technical overview of each protocol:
SPF (Sender Policy Framework)
SPF tells email servers which IP addresses are allowed to send emails on your behalf. It’s like a guest list for your email.
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to your emails. This signature proves the message wasn’t altered and really came from you.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC builds on SPF and DKIM. It tells receiving servers what to do if an email fails SPF or DKIM checks and sends you reports about suspicious activity.
BIMI (Brand Indicators for Message Identification)
BIMI displays your verified logo next to your emails in the inbox. It boosts brand recognition and trust.
How to Fix SPF
Check your current SPF record
Use free online tools to see if your domain has an SPF record and what it includes.
List all your email senders
Include your email service providers, marketing platforms, and any third parties sending emails for you.
Create or update your SPF record
Add all authorized IP addresses and domains to your SPF record in your DNS settings.
Google Workspace users: Define your SPF record
Microsoft 365 users: Set up SPF to help prevent spoofing
Test your SPF record
Use SPF validation tools to confirm it’s set up correctly.
Why a one-time fix isn’t enough:
Your email senders may change over time. New services or platforms might send emails for you. Regularly updating your SPF record keeps your email secure and deliverable.
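One way to run the check described in the steps above, as an added example that is not part of the original post: it compares a domain's TXT records with your sender inventory and flags common SPF mistakes. The records, the inventory, and the function name lint_spf are constructed for illustration, and only top-level terms are counted toward the limit of 10 DNS lookups (nested includes also count in practice).

```python
# Added example. All records and sender names below are constructed.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def lint_spf(txt_records, expected_includes):
    """Check a domain's TXT records against the inventory of known senders."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Zero records means no SPF; more than one makes receivers return permerror.
        return [f"expected exactly 1 SPF record, found {len(spf)}"]
    findings, lookups, includes = [], 0, set()
    all_qualifier, has_redirect = None, False
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        name = body.split(":")[0].split("/")[0].split("=")[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "include" and ":" in body:
            includes.add(body.split(":", 1)[1])
        if name == "redirect":
            has_redirect = True
        if body == "all":
            all_qualifier = qualifier
    if all_qualifier is None and not has_redirect:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier in ("+", "?"):
        findings.append(f"'{all_qualifier}all' does not fail unlisted senders")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the SPF limit of 10")
    for sender in sorted(set(expected_includes) - includes):
        findings.append(f"sender not authorized: {sender}")
    return findings

# Constructed TXT records for a made-up domain, plus the sender inventory.
RECORDS = [
    "site-verification=constructed-token",
    "v=spf1 include:spf.mailhost.example include:spf.newsletter.example ?all",
]
INVENTORY = ["spf.mailhost.example", "spf.newsletter.example", "spf.donorcrm.example"]

if __name__ == "__main__":
    for finding in lint_spf(RECORDS, INVENTORY):
        print(finding)
```

Rerun it whenever the sender inventory changes, since a service missing from the record is the usual reason legitimate mail starts failing SPF.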
How to Fix DKIM
Generate DKIM keys
Your email provider usually offers tools to create a public/private key pair.
Publish the public key in DNS
Add the public key to your domain’s DNS records.
Enable DKIM signing on your email server
This adds the digital signature to outgoing emails.
Google Workspace users: Help prevent spoofing with DKIM
Microsoft 365 users: Use DKIM to validate outbound email
Verify DKIM setup
Send test emails and check headers to confirm DKIM is working.
Why a one-time fix isn’t enough:
If you switch email providers or add new sending services, you need to update DKIM keys and DNS records. Regular checks prevent failures that hurt your nonprofit email security.
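The header check from the last step, as an added example that is not part of the original post: it reads the Authentication-Results header of a test message and reports, for each DKIM verdict, whether it passed and whether the signing domain matches the From domain, which is what DMARC needs. The message, domains, and function names are constructed, and domain matching is a plain suffix comparison rather than a Public Suffix List lookup.

```python
import email
import re
from email.utils import parseaddr

# Constructed test message: headers as a receiving server might record them.
# The vendor signs with its own domain; the organisation's own key is failing.
SAMPLE = """\
Authentication-Results: mx.receiver.example;
 dkim=pass header.d=newsletter-vendor.example header.s=s1;
 dkim=fail header.d=mission.example header.s=2024a;
 spf=pass smtp.mailfrom=bounce.newsletter-vendor.example
From: Giving Team <giving@mission.example>
Subject: DKIM test

body
"""

DKIM_RESULT = re.compile(r"dkim=(\w+)[^;]*?header\.d=([\w.-]+)", re.I)

def dkim_results(raw_message):
    """Return (result, signing_domain, aligned) for each DKIM verdict."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rpartition("@")[2].lower()
    out = []
    # Only trust headers added by your own receiving server; others can be forged.
    for header in msg.get_all("Authentication-Results", []):
        for result, d in DKIM_RESULT.findall(header):
            d = d.lower()
            # Simplification: suffix match stands in for organisational-domain matching.
            aligned = (from_domain == d or from_domain.endswith("." + d)
                       or d.endswith("." + from_domain))
            out.append((result.lower(), d, aligned))
    return out

def dkim_ok_for_dmarc(raw_message):
    """True only if some signature both passed and matches the From domain."""
    return any(r == "pass" and aligned for r, _, aligned in dkim_results(raw_message))

if __name__ == "__main__":
    for row in dkim_results(SAMPLE):
        print(row)
    print("usable for DMARC:", dkim_ok_for_dmarc(SAMPLE))
```

In the sample, the vendor's signature passes but belongs to the vendor's domain, so the message still has no DKIM result that counts for your domain until the vendor signs with a key published in your DNS.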
How to Fix DMARC
Create a DMARC record
Start with a policy that monitors email traffic without rejecting messages (p=none).
Publish the DMARC record in DNS
This tells receiving servers how to handle emails that fail SPF or DKIM.
Google Workspace users: Add your DMARC record
Microsoft 365 users: Use DMARC to validate email
Review DMARC reports
Reports show who is sending emails on your behalf and if any fail authentication.
Adjust your DMARC policy over time
Move from monitoring to quarantine or reject policies to block fraudulent emails.
Why a one-time fix isn’t enough:
DMARC requires ongoing monitoring. Attackers constantly change tactics. Without continuous review, you risk missing phishing attempts or blocking legitimate emails.
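A sketch of the report review step, as an added example that is not part of the original post: it reads one DMARC aggregate report (the XML file receivers send to your reporting address) and separates failing sources into services you know and sources you do not. The report contents, IP addresses, inventory, and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed aggregate report, trimmed to the fields this example reads.
REPORT = """<feedback>
  <policy_published><domain>mission.example</domain><p>none</p></policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
    <policy_evaluated><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>40</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>203.0.113.99</source_ip><count>15</count>
    <policy_evaluated><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>"""

# Assumed inventory: IPs of services you know send mail for the domain.
KNOWN_SENDERS = {"192.0.2.10", "198.51.100.7"}

def review_report(report_xml, known_senders):
    """Summarise one report: policy in force and which sources fail DMARC."""
    # Reports arrive from outside parties, so treat the XML as untrusted input.
    root = ET.fromstring(report_xml)
    failed = defaultdict(int)
    for row in root.iter("row"):
        dkim = row.findtext("policy_evaluated/dkim")
        spf = row.findtext("policy_evaluated/spf")
        # DMARC passes when either aligned check passes; count only full failures.
        if "pass" not in (dkim, spf):
            failed[row.findtext("source_ip")] += int(row.findtext("count", default="0"))
    return {
        "policy": root.findtext("policy_published/p", default="missing"),
        # Your own services failing: fix their SPF/DKIM before tightening policy.
        "known_failing": {ip: n for ip, n in failed.items() if ip in known_senders},
        # Sources you do not recognise: possible spoofing or a forgotten sender.
        "unknown_failing": {ip: n for ip, n in failed.items() if ip not in known_senders},
    }

def safe_to_enforce(report_xml, known_senders):
    """True when no known sender would lose mail under quarantine or reject."""
    return not review_report(report_xml, known_senders)["known_failing"]

if __name__ == "__main__":
    print(review_report(REPORT, KNOWN_SENDERS))
```

Here the known service at 198.51.100.7 fails both checks, so moving past p=none now would send its 40 messages to spam or get them rejected.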
How to Use BIMI to Boost Trust
Ensure your domain has strong DMARC enforcement
To display your logo, both standards require a DMARC policy of quarantine or reject, as mentioned above.
Create a verified logo in SVG format
Your logo must be a square image in the specific SVG format to display correctly across devices.
Publish a BIMI DNS record
This links your logo to your domain so providers like Gmail can find it.
Google Workspace users: Add a BIMI record to your domain provider
Register with Apple Business Connect (The "iPhone Shortcut")
While Gmail often requires an expensive certificate to display logos, Apple offers a free path. Registering here ensures your logo appears in Apple Mail on iPhones and Macs.
Get Started: Register for Apple Business Connect
BIMI and Apple Business Connect help your emails stand out in the inbox and instantly build confidence with recipients, whether customers, donors, or partners.
Let Us Do The Heavy Lifting
Don't want to spend the time figuring it out? We'll get you set up completely free.
Setting up SPF, DKIM, and DMARC is just the start. Email threats evolve, and your sending sources change. An IT partner can:
Monitor DMARC reports daily to spot suspicious activity.
Update SPF and DKIM records as your email services change.
Adjust DMARC policies to balance security and deliverability.
Help you maintain a strong nonprofit email reputation and deliverability.
For startups or social enterprises, this means protecting customer trust and investor confidence. For nonprofits, it means safeguarding donor relationships and donation communications, especially during critical fundraising periods.
Final Thoughts
Fixing SPF, DKIM, DMARC, and BIMI is essential for mission-driven organizations that rely on email to connect with supporters and stakeholders. These protocols protect your email reputation, improve deliverability, and build trust. Remember, a one-time fix won’t keep you safe. Regular updates and monitoring are key.
