SPF, DKIM & DMARC explained
SPF, DKIM, and DMARC are the three DNS records that stop attackers from spoofing your domain in email. Learn what each one does, how they work together, and how to check and fix your domain.
Email was never designed with sender verification built in. By default, anyone can put your domain in the “From” address of a message — which is how phishing and business email compromise work. SPF, DKIM, and DMARC are three DNS records that fix this, letting receiving mail servers verify that a message claiming to be from your domain is actually authorized. Together they are the single most effective control against domain spoofing.
Why email needs authentication
When a mail server receives a message, it needs to answer one question: should I trust that this really came from the domain it claims? Without authentication records, it cannot — so attackers spoof trusted domains to trick staff into wiring money, sharing credentials, or opening malware. SPF, DKIM, and DMARC give receivers a way to check, and a policy to follow when the check fails.
SPF — Sender Policy Framework
SPF is a DNS TXT record that lists which mail servers are allowed to send email for your domain. When a server receives a message, it checks the sending IP against your SPF record; if the sender is not listed, the message fails SPF.
- What it proves: the message came from an IP you authorized.
- What it looks like: a record such as v=spf1 include:_spf.google.com include:sendgrid.net -all, where the includes are your sending services and -all means “reject everything else.”
- Its limits: SPF checks the envelope sender (the SMTP MAIL FROM address, which recipients never see), not the visible From: header, and it breaks when mail is forwarded because the forwarder's IP is not in your record. There is also a hard limit of 10 DNS lookups; an overly complex record exceeds it and fails without any visible warning.
DKIM — DomainKeys Identified Mail
DKIM adds a cryptographic signature to every message. Your mail server signs outgoing email with a private key, and publishes the matching public key in DNS. The receiver uses that public key to verify the signature, confirming the message was authorized by your domain and was not altered in transit.
- What it proves: the message was signed by your domain and its content was not tampered with.
- Why it survives forwarding: because the signature travels with the message, DKIM keeps working where SPF breaks.
- Key hygiene: use a strong key (1024-bit minimum, 2048-bit preferred) and rotate it periodically.
DMARC — the policy that ties it together
SPF and DKIM each prove something, but neither protects the visible From: address users actually read, and neither tells receivers what to do on failure. DMARC fills both gaps. It is a DNS record that does three things:
- Alignment: it requires that the domain validated by SPF or DKIM matches the visible From: domain — closing the loophole attackers use to pass SPF/DKIM on a domain they control while displaying yours.
- Policy: it tells receivers what to do with mail that fails — p=none (monitor only), p=quarantine (send to spam), or p=reject (block outright).
- Reporting: it asks receivers to send you aggregate reports of who is sending mail as your domain — invaluable for finding both legitimate senders you forgot and attackers spoofing you.
How they work together
Think of it as a chain: SPF and DKIM each provide a way to authenticate a message, and DMARC requires that at least one of them passes and aligns with the visible From: domain — then enforces a policy when it does not. A message that fails this chain under p=reject never reaches the inbox, which is what stops an attacker from spoofing your exact domain.
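A worked version of that chain, added here as an illustration and not code from the page or from SCRYPEX: it parses a DMARC record, tests SPF and DKIM alignment in relaxed or strict mode, and applies p= (or sp= for subdomains, which the Common mistakes list returns to). It assumes the last two labels of a name stand in for the organizational domain, a simplification of the Public Suffix List lookup real receivers perform, and all inputs are constructed.

```python
def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; sp=quarantine; adkim=s' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    # Assumption: the last two labels stand in for the organizational
    # domain; real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


DISPOSITION = {"none": "deliver", "quarantine": "spam", "reject": "block"}


def evaluate(from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain, record):
    """Chain SPF and DKIM the way DMARC does: ('pass'|'fail', disposition).

    At least one of SPF or DKIM must both pass and align with the visible
    From: domain; otherwise the policy applies. `record` is assumed to be
    the organizational domain's DMARC record, so sp= (when present)
    governs mail whose From: domain is a subdomain.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    policy = tags.get("p", "none")
    if from_domain.lower() != org_domain(from_domain) and "sp" in tags:
        policy = tags["sp"]
    return "fail", DISPOSITION.get(policy, "deliver")


# Constructed case: the sender passes SPF on a domain it controls while
# displaying ours in From:. Alignment is what makes DMARC reject it.
SPOOF = evaluate("example.com", True, "thirdparty.invalid", False, "",
                 "v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
```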
Common mistakes
- Stopping at p=none. Monitoring is the start, not the finish. A domain left on p=none gets reports but zero protection.
- SPF too permissive. Ending in +all (or no policy) authorizes the whole internet to send as you.
- Exceeding the SPF lookup limit. More than 10 DNS lookups causes SPF to fail; consolidate or flatten includes.
- Forgetting a sender. Enforcing before you have inventoried every legitimate service (marketing, invoicing, support desk) bounces real mail.
- No subdomain policy. Attackers spoof subdomains too; set an explicit policy so they are covered.
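An added example (not code from the page or from SCRYPEX) that checks an SPF record for the two SPF mistakes just listed and the lookup-counting behaviour described in the SPF section: it follows include: and redirect= into nested records so their lookups are charged to the caller, and flags +all, a missing all term, and more than 10 lookups. The DNS data is a constructed in-memory zone of hypothetical domains so it runs offline.

```python
import re

# Constructed zone data so the example runs offline (real code would query
# TXT records). Every domain here is hypothetical.
TXT = {
    "example.com": "v=spf1 include:_spf.mailer.invalid include:_spf.crm.invalid mx -all",
    "_spf.mailer.invalid": "v=spf1 ip4:192.0.2.0/24 include:_spf-a.mailer.invalid ~all",
    "_spf-a.mailer.invalid": "v=spf1 ip4:198.51.100.0/24 a mx ptr exists:%{i}.x.invalid -all",
    "_spf.crm.invalid": "v=spf1 include:_spf.mailer.invalid include:_spf.mailer.invalid -all",
    "open.invalid": "v=spf1 ip4:203.0.113.0/24 +all",
    "noall.invalid": "v=spf1 ip4:203.0.113.0/24",
}
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
TERM = re.compile(r"([+\-~?]?)([a-zA-Z0-9]+)(?:[:=/](.*))?")


def lint_spf(domain: str, zone: dict, path=()) -> dict:
    """Count DNS-lookup terms the way a receiver does and flag the mistakes.

    include: and redirect= are followed, so a nested service's lookups are
    charged to the caller; a record included twice is counted twice. Returns
    {'lookups': int, 'all': qualifier or None, 'issues': [str]}.
    """
    result = {"lookups": 0, "all": None, "issues": []}
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        result["issues"].append(f"{domain}: no SPF record")
        return result
    for term in record.split()[1:]:
        m = TERM.fullmatch(term)
        if not m:
            result["issues"].append(f"{domain}: unparseable term {term!r}")
            continue
        qual, name, arg = m.group(1) or "+", m.group(2).lower(), m.group(3)
        if name == "all":
            result["all"] = qual
        elif name in LOOKUP_TERMS:
            result["lookups"] += 1            # the term itself costs one lookup
            if name in ("include", "redirect") and arg and arg not in path:
                sub = lint_spf(arg, zone, path + (domain,))   # skip only loops
                result["lookups"] += sub["lookups"]
                result["issues"] += sub["issues"]
    if result["all"] == "+":
        result["issues"].append(f"{domain}: +all authorizes any sender")
    elif result["all"] is None and not path:
        result["issues"].append(f"{domain}: no all term, so unlisted senders are neutral")
    if result["lookups"] > 10:
        result["issues"].append(f"{domain}: {result['lookups']} lookups exceed the limit of 10")
    return result
```

Running `lint_spf("example.com", TXT)` on the constructed zone shows how two innocent-looking includes add up to 20 lookups once the nested records are counted.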
How to check and fix your domain
- Audit what you have — look up your current SPF, DKIM, and DMARC records in DNS.
- Start DMARC at p=none and read the reports to build a complete list of who sends as your domain.
- Fix every legitimate sender so it passes SPF or DKIM with alignment.
- Tighten the policy to p=quarantine, then p=reject, once the reports are clean.
The fastest first step is to see where you stand today. The SCRYPEX Email Security Grader checks your domain’s SPF, DKIM, DMARC, and MX records and grades the configuration for free. Email authentication is also one slice of your broader external attack surface — the same outside-in exposure that includes lookalike domains and leaked credentials.
Frequently asked questions
Do I need all three of SPF, DKIM, and DMARC?
Effectively yes. SPF and DKIM each prove a message is authorized in different ways, but on their own they don't tell receivers what to do with mail that fails, and they don't protect the visible From: address users actually see. DMARC ties SPF and DKIM to that visible domain and tells receivers to quarantine or reject spoofed mail. All three together are what actually stops domain spoofing.
What does DMARC p=none mean?
p=none is monitor-only: receivers still deliver mail that fails DMARC, but they send you reports about it. It's the right place to start so you can see who sends mail as your domain without breaking anything — but it provides no protection. The goal is to fix legitimate senders, then move to p=quarantine and finally p=reject, which is the policy that actually blocks spoofing.
Will turning on DMARC break my email?
It can if you enforce (p=quarantine/reject) before all your legitimate senders pass SPF or DKIM with alignment — for example a marketing platform or invoicing tool you forgot about. That's why you start at p=none, read the reports to inventory every sender, fix them, and only then tighten the policy. Done in that order, enforcement does not break legitimate mail.
How do I check my domain's SPF, DKIM, and DMARC?
You can run a free check with the SCRYPEX Email Security Grader: enter your domain and it inspects your public DNS for SPF, DMARC, DKIM, and MX records and grades the configuration, highlighting gaps like a missing DMARC policy or an overly permissive SPF record.