SPF, DKIM & DMARC Explained

Email Authentication for Domain Security

Email authentication protocols — SPF, DKIM, and DMARC — work together to prevent email spoofing, phishing, and spam. They help receiving mail servers verify that emails claiming to be from your domain are actually authorized.

SPF (Sender Policy Framework)

SPF specifies which mail servers are authorized to send email on behalf of your domain.

How SPF Works

  1. You publish an SPF record (a TXT record) in your DNS
  2. When a server receives email from your domain, it looks up the SPF record of the envelope sender (MAIL FROM) domain
  3. If the sending server's IP matches a mechanism in the SPF record, the email passes SPF

Example SPF Record:

  v=spf1 include:_spf.google.com include:sendgrid.net -all

This allows Google Workspace and SendGrid to send email for your domain, and rejects all other sources (-all).

SPF Qualifiers

  • +all: Allow all (never use this)
  • -all: Hard fail — reject unauthorized senders
  • ~all: Soft fail — accept but mark as suspicious
  • ?all: Neutral — no policy

DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature to outgoing emails, allowing receivers to verify that the signed headers and body weren't altered in transit and that the signing domain takes responsibility for the message.

How DKIM Works

  1. Your mail server signs outgoing emails with a private key
  2. The signature is added as an email header (DKIM-Signature)
  3. The receiving server looks up your public key in DNS (a TXT record at selector._domainkey.yourdomain)
  4. If the signature verifies, the email passes DKIM

Example DKIM DNS Record:

  selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on SPF and DKIM, telling receivers what to do when authentication fails and providing reporting.

How DMARC Works

  1. You publish a DMARC policy in DNS
  2. Receiving servers check SPF and DKIM results
  3. If neither check passes with a domain aligned to the From: header domain, the DMARC policy determines what happens (none, quarantine, reject)
  4. Reports are sent to the domain owner about authentication results

Example DMARC Record:

  _dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100"

DMARC Policies

  • p=none: Monitor only — collect reports without affecting delivery
  • p=quarantine: Send failing emails to spam
  • p=reject: Reject failing emails entirely (strongest protection)

Implementation Roadmap

  1. Start with SPF: Identify all legitimate sending sources and create your SPF record
  2. Add DKIM: Configure DKIM signing on all mail servers and publish public keys
  3. Deploy DMARC (monitor): Start with p=none to collect data
  4. Analyze Reports: Review DMARC reports to identify legitimate senders you may have missed
  5. Enforce DMARC: Gradually move to p=quarantine, then p=reject

Important: Implementing email authentication protects your domain's reputation and helps prevent your domain from being used in phishing attacks. Check your domain's email authentication with our DNS Analyzer.