📧 Understanding SPF, DKIM, and DMARC
SPF, DKIM, and DMARC are email authentication standards designed to prevent email spoofing, protect against phishing, and ensure email integrity. Together, they form a layered defence system that improves email security and trustworthiness.
🔐 What Is SPF?
SPF (Sender Policy Framework) allows domain owners to specify which mail servers are authorised to send email on behalf of their domain.
🛠️ How It Works:
- DNS record lists approved IPs and mail servers.
- Receiving server checks the SPF record to verify legitimacy.
✅ Example SPF Record:
v=spf1 ip4:192.0.2.0/24 include:_spf.google.com -all
✅ Why It Matters:
- Prevents spammers from forging your domain.
- Reduces chances of your emails landing in spam.
✍️ What Is DKIM?
DKIM (DomainKeys Identified Mail) digitally signs your emails using a private key, allowing recipients to verify the email’s integrity using your public key in DNS.
🛠️ How It Works:
- Email is signed using a private key.
- Receiving server checks the signature using the public key in DNS.
✅ Example DKIM DNS Record (TXT):
default._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."
✅ Why It Matters:
- Ensures email hasn’t been tampered with.
- Adds cryptographic proof of authenticity.
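The "hasn't been tampered with" property comes from the body hash (the bh= tag) that the signer computes over a canonicalized body and then covers with the RSA signature (b=). The following added example, which is not code from the original article, implements the RFC 6376 simple and relaxed body canonicalizations, computes bh=, and checks a message body against the bh= tag of a DKIM-Signature header. It deliberately stops short of the public-key signature check, which needs the key from DNS; the DKIM-Signature header used at the bottom is constructed for the example and its b= value is a placeholder.

```python
import base64
import hashlib
import re


def canonicalize_body(body, method="relaxed"):
    """Apply RFC 6376 "simple" or "relaxed" body canonicalization."""
    # DKIM hashes the wire form, so work in CRLF-terminated lines
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        # Collapse runs of spaces/tabs to one space, drop trailing whitespace
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    elif method != "simple":
        raise ValueError("unknown body canonicalization: " + method)
    # Both methods ignore all empty lines at the end of the body
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        # An empty body is a single CRLF under simple, the empty string under relaxed
        return "\r\n" if method == "simple" else ""
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, method="relaxed"):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, method).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature header value into a dict of tag -> value."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            # Folded headers carry whitespace inside tag values; strip it
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def check_body_hash(dkim_signature, body):
    """True if the body matches the bh= tag of the given DKIM-Signature value.

    This is the integrity half of DKIM; the b= signature over the selected
    headers (which include bh=) is verified separately with the DNS public key.
    """
    tags = parse_dkim_tags(dkim_signature)
    canon = tags.get("c", "simple/simple")
    # c=header/body; if only one algorithm is named the body uses "simple"
    body_method = canon.split("/")[1] if "/" in canon else "simple"
    return body_hash(body, body_method) == tags.get("bh")


if __name__ == "__main__":
    # Constructed message body and DKIM-Signature header (b= is a placeholder)
    original = "Hello   team,\r\n\r\nPayment details are attached.\r\n\r\n\r\n"
    signature = (
        "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default; "
        "h=from:to:subject; bh=" + body_hash(original) + "; b=PLACEHOLDER"
    )
    tampered = original.replace("attached", "at https://example.com/pay")
    print("original :", check_body_hash(signature, original))   # True
    print("tampered :", check_body_hash(signature, tampered))   # False
```

The relaxed algorithm is why whitespace-only changes made in transit (re-wrapping, trailing blank lines) do not break a signature, while any change to the visible text does.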
📜 What Is DMARC?
DMARC (Domain-based Message Authentication, Reporting and Conformance) uses SPF and DKIM results to tell email receivers what to do if authentication fails.
🛠️ How It Works:
- Published via DNS as a policy.
- Defines how to handle failed SPF/DKIM (none, quarantine, or reject).
- Sends reports to domain owners.
✅ Example DMARC Record:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; aspf=s; adkim=s
✅ Why It Matters:
- Protects your domain from spoofing.
- Provides visibility into unauthorised senders via reporting.
- Improves deliverability and brand reputation.
🧪 How They Work Together
| Layer | Purpose | Depends On |
|---|---|---|
| SPF | Verifies sender IP | DNS |
| DKIM | Verifies message integrity | DNS & Keys |
| DMARC | Enforces policy & reporting | SPF + DKIM |
DMARC passes only when at least one of SPF or DKIM passes and its domain aligns with the visible From: domain, so you need at least one of them in place to use DMARC effectively.
🔍 Real-World Example
You own example.com. Spammers try to send emails from fakeuser@example.com.
With:
- SPF, the receiving server knows only your designated IPs can send email.
- DKIM, your mail is signed so it can’t be altered without detection.
- DMARC, any spoofed or failed email is rejected or quarantined, and you receive a report.
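The DMARC section above and this real-world scenario both come down to one decision: does an aligned SPF or DKIM pass exist, and if not, what does the published policy say? The added example below (not code from the original article) parses the article's DMARC record, applies the aspf= and adkim= alignment modes, and returns the disposition for the spoofed fakeuser@example.com message. DNS is again a constructed in-memory table, the organizational-domain function is a deliberate simplification (real receivers consult the Public Suffix List), and the sp= and pct= tags are not modelled.

```python
# Constructed DNS stand-in holding the DMARC record from the article
FAKE_DMARC_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; aspf=s; adkim=s",
}


def parse_dmarc_record(txt):
    """Split "tag=value; tag=value" into a dict with lower-case tag names."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def lookup_dmarc(from_domain, dns=FAKE_DMARC_TXT):
    """Fetch the policy at _dmarc.<from_domain>; None if there is none.

    Simplification: real receivers also fall back to the organizational domain.
    """
    txt = dns.get("_dmarc." + from_domain.lower())
    if txt is None or not txt.lower().startswith("v=dmarc1"):
        return None
    return parse_dmarc_record(txt)


def organizational_domain(domain):
    """Crude organizational domain: the last two labels. Labelled simplification;
    production code uses the Public Suffix List (think example.co.uk)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    accepts any subdomain sharing the organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   dns=FAKE_DMARC_TXT):
    """Return (dmarc_result, disposition).

    spf_domain is the MAIL FROM domain SPF was checked against; dkim_domain is
    the d= tag of a DKIM signature that verified (None when there is none).
    disposition is "none", "quarantine" or "reject".
    """
    policy = lookup_dmarc(from_domain, dns)
    if policy is None:
        return "none", "none"              # no DMARC record: nothing to enforce
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"              # one aligned pass is enough
    return "fail", policy.get("p", "none")  # apply the published policy


if __name__ == "__main__":
    # The article's scenario: a spammer sends as fakeuser@example.com from an IP
    # outside the SPF record and without a DKIM signature.
    print("spoofed   :", evaluate_dmarc("example.com", "fail", "example.com", "none", None))
    # Legitimate mail: aligned SPF and DKIM both pass.
    print("legitimate:", evaluate_dmarc("example.com", "pass", "example.com", "pass", "example.com"))
    # Strict aspf=s: a bounce subdomain in MAIL FROM no longer counts as aligned.
    print("subdomain :", evaluate_dmarc("example.com", "pass", "bounce.example.com", "fail", None))
```

The third case is worth watching for in reports: with aspf=s the article's record rejects mail whose SPF identity is a subdomain such as bounce.example.com unless an aligned DKIM signature also passes, so check your rua= reports before switching alignment from relaxed to strict.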
🧰 Tools for Testing & Monitoring
- 🔎 https://dmarcian.com/
- 📧 https://mxtoolbox.com/
- 🧪 https://mail-tester.com/
- 🛠️ https://toolbox.googleapps.com/apps/checkmx/
📌 Implementation Steps
- SPF
  - Add or update TXT record in DNS: v=spf1 include:<provider> -all
- DKIM
  - Enable in your email provider (e.g. Google Workspace, Microsoft 365)
  - Publish public key in DNS
- DMARC
  - Start with p=none to monitor
  - Move to p=quarantine or p=reject once confident