Email authentication has three layers, each solving a different problem. Deploying all three (SPF, DKIM, and DMARC) significantly reduces spoofing risk and improves inbox placement. Check your current SPF configuration with the SPF Checker and your DMARC policy with the DMARC Checker.
SPF (Sender Policy Framework)
SPF is a TXT record that lists which IP addresses and mail servers are authorised to send email for your domain. When a receiving server gets an email from your domain, it checks the SPF record against the IP address of the sending server.
Example SPF record:
v=spf1 include:_spf.google.com include:sendgrid.net -all
The -all (hard fail) tells receivers to reject email from any server not listed. ~all (soft fail) suggests treating it as suspicious. ?all (neutral) offers no guidance; avoid it.
SPF limitation: SPF only checks the envelope sender (the MAIL FROM address in the SMTP transaction), not the From header visible to recipients.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to outgoing email headers. The private key is stored on your mail server; the corresponding public key is published as a DNS TXT record. Receiving servers verify the signature to confirm the email was sent by an authorised server and has not been modified in transit.
DKIM protects against message tampering. It does not prevent a malicious party from sending from a different mail server; that is SPF's job.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC ties SPF and DKIM together and adds policy enforcement. It answers: "If SPF or DKIM fails, what should the receiver do?" DMARC also requires alignment: the authenticated domain must match the domain in the visible From header.
See our detailed DMARC guide and checker for full policy setup. Also verify your MX records are correctly configured since mail routing and authentication interact.
Deployment Order
- Set up SPF first: list all your sending services
- Enable DKIM in each sending service (Google Workspace, Mailchimp, SendGrid, etc.)
- Add DMARC starting with p=none to collect reports
- Review reports, fix any failing senders
- Escalate to p=quarantine, then p=reject
Frequently Asked Questions
Can SPF fail even with a correct record?
Yes. SPF breaks when email is forwarded, because the forwarder's IP is not in your SPF record. This is one reason DKIM is essential: it survives forwarding since the signature is in the header, not tied to the sending IP. The SPF specification (RFC 7208) documents this limitation.
What does a DKIM selector mean?
A selector is a label that identifies which DKIM key pair is being used. This allows multiple DKIM keys for the same domain (e.g. one per sending service). The selector is referenced in the DKIM signature and in the DNS record name: selector._domainkey.yourdomain.com.
How do I check if my emails are being rejected due to DMARC?
Enable aggregate reports in your DMARC record (rua=mailto:your@email.com). You will receive daily XML reports showing which sources sent email for your domain and whether they passed or failed. Use Google Postmaster Tools to monitor deliverability to Gmail specifically.