Email Security: SPF, DKIM & DMARC
Email authentication protects your domain from spoofing, improves deliverability, and helps prevent your emails from landing in spam. Here's how SPF, DKIM, and DMARC work together.
Why Email Authentication Matters
By default, anyone can send email pretending to be from your domain. Email authentication prevents this by allowing receiving servers to verify that emails actually came from authorized senders.
Prevent Spoofing
Stop attackers from sending phishing emails that appear to come from your domain
Improve Deliverability
Authenticated emails are less likely to be marked as spam
Get Visibility
DMARC reports show who is sending email using your domain
SPF (Sender Policy Framework)
SPF is a TXT record that lists which mail servers are authorized to send email on behalf of your domain.
Example SPF Record
v=spf1 include:_spf.google.com include:sendgrid.net -all
SPF Syntax Breakdown
| Mechanism | Meaning |
| --- | --- |
| v=spf1 | SPF version; every record starts with this |
| include: | Include another domain's SPF record (for services like Google, SendGrid) |
| ip4: | Allow a specific IPv4 address or range |
| ip6: | Allow a specific IPv6 address or range |
| a | Allow the servers listed in your A records |
| mx | Allow the servers listed in your MX records |
| -all | Fail mail from any server not listed (strict) |
| ~all | Soft fail for unlisted servers (less strict, good for testing) |
Common SPF Records
Google Workspace
v=spf1 include:_spf.google.com ~all
Microsoft 365
v=spf1 include:spf.protection.outlook.com ~all
Multiple Services
v=spf1 include:_spf.google.com include:sendgrid.net include:mailchimp.com ~all
SPF Lookup Limit
SPF allows at most 10 DNS lookups per evaluation. Each include: counts as one lookup (as do the a, mx and redirect= terms; ip4: and ip6: do not). If you exceed this limit, the SPF check fails with a permanent error even if the sending server is listed. Use SPF flattening tools if you hit this limit.
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to your emails. The receiving server verifies this signature using a public key published in your DNS.
How DKIM Works
- Your mail server signs selected headers and the body of each outgoing email with a private key
- The signature is added to the email as a DKIM-Signature header
- The receiving server retrieves your public key from DNS, using the selector named in the signature
- The signature is verified using the public key; if it does not match, the message was altered in transit or not signed by you
DKIM Record Format
DKIM records are TXT records with a specific selector name:
selector._domainkey.yourdomain.com
Example DKIM Record
Name: google._domainkey
Value: v=DKIM1; k=rsa; p=MIIBIjANBgkqh...
Each email service uses its own selector (like google, selector1, k1). Your email provider will give you the exact record to add.
DMARC (Domain-based Message Authentication)
DMARC tells receiving servers what to do when emails fail SPF or DKIM checks. It also enables reporting so you can monitor authentication results.
Example DMARC Record
Name: _dmarc
Value: v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com
DMARC Policy Options
| Policy | Effect |
| --- | --- |
| p=none | Monitor only; no action on failures (start here) |
| p=quarantine | Send failing emails to the spam folder |
| p=reject | Reject failing emails entirely (most secure) |
DMARC Tags Explained
| Tag | Meaning |
| --- | --- |
| v=DMARC1 | DMARC version (required) |
| p= | Policy for your domain (required) |
| sp= | Policy for subdomains (optional) |
| rua= | Email address for aggregate reports |
| ruf= | Email address for forensic reports |
| pct= | Percentage of failing emails the policy is applied to (default 100) |
Recommended DMARC Rollout
- Start with monitoring: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com. Review the reports to ensure all legitimate senders pass.
- Move to quarantine: p=quarantine; pct=25 (start with 25%). Increase the percentage gradually to 100%.
- Finally enforce reject: p=reject
How They Work Together
SPF, DKIM, and DMARC form a complete email authentication system:
SPF
Checks if the sending server is authorized
DKIM
Verifies the email hasn't been tampered with
DMARC
Decides what to do based on SPF/DKIM results
For an email to pass DMARC, it must pass at least one of SPF or DKIM, and that passing check must be aligned with the domain in the visible From: header (the domain SPF checked, or the d= domain of the DKIM signature).
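The combination rule above, as an added example that is not part of the original page: a minimal DMARC evaluator that applies identifier alignment, the p=/sp= choice, and pct= sampling to already-computed SPF and DKIM results. It assumes no DNS or signature verification (the results are passed in), approximates the organizational domain with the last two labels instead of a public suffix list, and takes a constructed `sample` value in place of the random pct= draw.

```python
def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT value such as 'v=DMARC1; p=quarantine; pct=25' into tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("v=DMARC1 and p= are required in a DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption:
    a real validator consults the public suffix list instead)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: 'r' (relaxed, the default) compares organizational
    domains; 's' (strict) requires an exact match with the From: domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record: str, record_domain: str, from_domain: str,
                      spf: tuple, dkim: tuple, sample: int = 0) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.
    spf    = (result, MAIL FROM domain that SPF was checked against)
    dkim   = (result, d= domain of the verified DKIM signature)
    sample = constructed 0-99 value standing in for the random pct= draw."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(from_domain, spf[1], tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(from_domain, dkim[1], tags.get("adkim", "r"))
    if spf_ok or dkim_ok:  # one aligned pass is enough for DMARC to pass
        return "pass"
    # sp= covers subdomains of the domain the record was published on; p= covers the domain itself
    is_subdomain = from_domain.lower() != record_domain.lower()
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    # pct= applies the policy to that share of failing mail; the rest gets the next weaker action
    if sample >= int(tags.get("pct", "100")):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return policy


if __name__ == "__main__":
    rec = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
    # Forwarded mail: SPF breaks (forwarder's envelope domain) but the aligned DKIM signature survives
    print(dmarc_disposition(rec, "example.com", "example.com",
                            ("pass", "forwarder.net"), ("pass", "example.com")))  # pass
```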
Implementation Checklist
Check Your Email Security
Use DNSLens to view SPF, DKIM, and DMARC records for any domain and see if email authentication is properly configured.