SPF, DKIM and DMARC Explained
Email authentication protects your domain from spoofing, phishing and spam abuse. SPF, DKIM and DMARC work together to verify that an email message is truly sent by the domain it claims to come from.
Why Email Authentication Matters
- Prevents domain spoofing
- Improves inbox delivery
- Protects brand reputation
- Reduces phishing attacks
- Meets security requirements from major providers
What is SPF?
SPF (Sender Policy Framework) is a DNS record that tells receiving servers which IP addresses are allowed to send email for your domain.
Common SPF Problems
- Too many DNS lookups (limit = 10)
- Missing sending provider
- Using +all (insecure)
- Softfail (~all) when strict fail (-all) is required
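
The checks in the list above, as an added example (not part of the original page): a small Python linter run over a constructed zone. The domains, records and the names count_lookups and lint_spf are made up for illustration; a real check would fetch each TXT record over DNS instead of reading a dictionary.

```python
# Constructed sample zone: domain -> SPF TXT record (illustrative, not real DNS data).
SAMPLE_ZONE = {
    "example.com": "v=spf1 include:_spf.mailer.example include:_spf.crm.example mx ~all",
    "_spf.mailer.example": "v=spf1 include:a.mailer.example include:b.mailer.example ip4:192.0.2.0/24 -all",
    "a.mailer.example": "v=spf1 a mx exists:%{i}.a.mailer.example -all",
    "b.mailer.example": "v=spf1 a mx ptr -all",
    "_spf.crm.example": "v=spf1 a mx ip4:198.51.100.7 -all",
}

# Terms that each cost one DNS lookup (RFC 7208, section 4.6.4).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def count_lookups(domain, zone, path=()):
    """Count DNS-querying terms in a record, following include/redirect targets."""
    if domain in path or domain not in zone:  # stop on loops and unknown names
        return 0
    total = 0
    for term in zone[domain].split()[1:]:  # skip the v=spf1 version tag
        term = term.lstrip("+-~?").lower().replace("=", ":", 1)
        name, _, target = term.partition(":")
        name = name.split("/")[0]  # "a/24" -> "a"
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect"):
                total += count_lookups(target, zone, path + (domain,))
    return total


def lint_spf(domain, zone, required_includes=()):
    """Return findings for the common SPF problems: lookups, providers, all qualifier."""
    terms = [t.lower() for t in zone[domain].split()[1:]]
    findings = []
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        findings.append(f"too many DNS lookups: {lookups} (limit = 10)")
    for provider in required_includes:  # hypothetical list of providers you send through
        if f"include:{provider}" not in [t.lstrip("+") for t in terms]:
            findings.append(f"missing sending provider: {provider}")
    if "+all" in terms or "all" in terms:  # a bare "all" defaults to the + qualifier
        findings.append("+all authorizes any sender (insecure)")
    elif "~all" in terms:
        findings.append("~all is softfail; use -all where strict fail is required")
    return findings


if __name__ == "__main__":
    for finding in lint_spf("example.com", SAMPLE_ZONE, ["_spf.mailer.example", "_spf.newsletter.example"]):
        print(finding)
```

The top-level record shows only three lookup terms, but the nested includes bring the total to 13, which is why the count has to follow each include rather than read one record in isolation.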
What is DKIM?
DKIM (DomainKeys Identified Mail) adds a digital signature to emails. The receiving server verifies the signature using a public key published in DNS.
DKIM Requires
- A selector (example: default._domainkey.example.com)
- A public key TXT record
- Outbound mail signing enabled
What is DMARC?
DMARC builds on SPF and DKIM by defining what receiving servers should do if authentication fails, and it enables reporting so you can monitor abuse.
DMARC Policies
| Policy | Meaning |
|---|---|
| p=none | Monitor only |
| p=quarantine | Send to spam/junk |
| p=reject | Reject the message |
How They Work Together
Sender → SPF check → DKIM signature → DMARC policy → Inbox / Spam / Reject
DMARC passes if either SPF or DKIM passes and aligns with the From domain.
Common Errors
- SPF fail → sending IP is not authorized
- DKIM fail → signature missing/invalid
- DMARC fail → alignment failure
- No DMARC → spoofing is possible
How to Fix Email Authentication
- Publish a correct SPF record
- Enable DKIM signing and verify the selector
- Add a DMARC policy and reporting
- Monitor reports and tighten policy over time
- Re-test regularly