Email authentication helps protect your domain from spam, phishing, and unauthorized senders. Three systems work together to do this: SPF, DKIM, and DMARC.
Together they let receiving mail servers check whether a message that claims to come from your domain was really sent by a server you approved, and they tell those servers what to do when the check fails.
SPF is a DNS TXT record that lists which servers are allowed to send email for your domain.
You can think of SPF as a guest list: if a server is not on the list, it should not be sending messages as you. Note that SPF is checked against the envelope sender domain (the MAIL FROM or Return-Path address), which is not necessarily the From: address the recipient sees; closing that gap is DMARC's job.
Example SPF record (the address and hostname are placeholders):
v=spf1 ip4:192.0.2.0 include:examplesender.net -all
Reading left to right: ip4: authorizes that single address (add a mask such as /24 to authorize a range), include: pulls in the record of a third-party service that sends on your behalf, and -all says every other source fails. Ending the record with ~all (softfail) instead asks receivers to treat other sources as suspicious rather than rejected.
Without SPF, your emails may end up in spam, and attackers can more easily impersonate your domain. Keep the record to ten or fewer DNS-querying terms (include, a, mx, ptr, exists, redirect); a receiver that counts more than ten returns a permanent error instead of a pass.
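The following is an added illustration, not code from the original article: a small SPF evaluator in Python that walks a record term by term the way a receiving server does, applying each term's qualifier (+ - ~ ?), following include: references, and enforcing the ten-lookup limit. DNS is replaced by a constructed in-memory table (FAKE_DNS) with invented hostnames and records; mechanisms that need live DNS (a, mx, ptr, exists) and the redirect= modifier are deliberately out of scope and reported as permerror.

```python
import ipaddress

# Constructed, offline stand-in for DNS TXT lookups. These hostnames and
# records are invented for the example (assumption), not real zones.
FAKE_DNS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:examplesender.net -all",
    "examplesender.net": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",
}

# RFC 7208 section 4.6.4: more than 10 DNS-querying mechanisms is a permerror.
MAX_LOOKUPS = 10

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF TXT record for domain, or None (simulated DNS)."""
    record = FAKE_DNS.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return None
    return record


def check_host(ip, domain, lookups=None):
    """Evaluate SPF for sender address ip claiming MAIL FROM domain.

    Returns one of the RFC 7208 results handled here: pass, fail, softfail,
    neutral, none, permerror. Mechanisms that need live DNS (a, mx, ptr,
    exists) and the redirect= modifier are out of scope and yield permerror.
    """
    if lookups is None:
        lookups = [0]  # shared counter across include: recursion
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a term without an explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            # include: matches only when the referenced record gives "pass";
            # a missing record there is a permerror for the including domain.
            sub = check_host(ip, arg, lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"
        elif name == "all":
            return QUALIFIERS[qualifier]
        else:
            return "permerror"
    # No mechanism matched and no "all" term: RFC 7208 says neutral.
    return "neutral"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.77", "example.com"), ("198.51.100.10", "example.com"),
                    ("203.0.113.5", "example.com"), ("203.0.113.5", "loop.example")]:
        print(ip, dom, check_host(ip, dom))
```

The two results worth noticing are the third-party path (198.51.100.10 passes for example.com only because examplesender.net's record passes it) and the self-referencing loop.example record, which burns through the lookup budget and ends in permerror rather than recursing forever.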
DKIM adds a digital signature to your emails.
Your outgoing server signs selected headers and the body with a private key, and the receiving server checks the signature with a public key that it fetches from your DNS.
The public key is stored as a TXT record under a selector name (here bigemail) below _domainkey, like this:
Name: bigemail._domainkey.example.com
Type: TXT
Value: v=DKIM1; p=PUBLICKEYGOESHERE
The DKIM-Signature header on the message names the selector (s=) and the signing domain (d=), so the receiver knows which record to fetch. If the signature verifies, the email passes DKIM: the signed headers and body were not changed after signing, and the domain in d= has vouched for the message. The d= domain does not have to equal the From: address; DMARC adds that check.
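As an added example (not code from the original article), the block below implements the first half of what a DKIM verifier does: canonicalize the message body in "simple" or "relaxed" mode as RFC 6376 specifies, recompute the body hash, and compare it with the bh= tag of the DKIM-Signature header. It also parses the DNS key record and rejects one whose p= is empty, which is how a key is revoked. The second half, checking the b= signature against the public key, needs an RSA or Ed25519 library and is not shown; the sample message, selector and signature header are constructed for this example.

```python
import base64
import hashlib
import re


def canonicalize_body(body, mode="simple"):
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    if mode not in ("simple", "relaxed"):
        raise ValueError("unknown body canonicalization: " + mode)
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # collapse runs of SP/TAB to one space and drop trailing whitespace on each line
        lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in lines]
    while lines and lines[-1] == "":  # ignore empty lines at the end of the body
        lines.pop()
    text = "\r\n".join(lines)
    # every remaining line ends with CRLF; "simple" turns an empty body into a
    # bare CRLF, while "relaxed" leaves it empty
    if lines or mode == "simple":
        text += "\r\n"
    return text


def body_hash(body, mode="simple", algorithm="sha256"):
    """Compute the bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algorithm, canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(value):
    """Parse a DKIM tag=value list; works for DKIM-Signature and the DNS TXT record."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")
        if sep:
            tags[name.strip()] = "".join(val.split())  # folding whitespace in values is ignored
    return tags


def dkim_record_name(selector, domain):
    """Where the verifier looks for the public key: <selector>._domainkey.<domain>."""
    return "%s._domainkey.%s" % (selector, domain)


def key_record_usable(txt):
    """A key record must say v=DKIM1 (if v= is present) and carry a non-empty p=;
    an empty p= means the key was revoked (RFC 6376 section 3.6.1)."""
    tags = parse_tags(txt)
    return tags.get("v", "DKIM1") == "DKIM1" and bool(tags.get("p"))


def check_body_hash(dkim_signature_value, body):
    """Step one of verification: recompute bh= and compare with the header's value.
    Step two, verifying b= with the public key, is not shown here."""
    tags = parse_tags(dkim_signature_value)
    _, _, body_c = tags.get("c", "simple/simple").partition("/")
    body_mode = body_c or "simple"
    algorithm = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    return body_hash(body, body_mode, algorithm) == tags.get("bh")


# Constructed sample (assumption): a signer using selector "bigemail" computes bh=
# over the body with relaxed canonicalization; b= is left empty because the RSA
# signing step is not part of this example.
BODY = "Hi,\r\n\r\nPlease pay invoice 1234 ($100) by Friday.\r\n\r\nThanks\r\n"
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=bigemail; "
             "h=from:to:subject:date; bh=" + body_hash(BODY, "relaxed") + "; b=")

if __name__ == "__main__":
    print(dkim_record_name("bigemail", "example.com"))
    print("intact:", check_body_hash(SIGNATURE, BODY))
    print("amount changed:", check_body_hash(SIGNATURE, BODY.replace("$100", "$900")))
```

Relaxed canonicalization is what lets a message survive whitespace changes in transit (a mail relay re-wrapping or re-tabbing a line) while any change to the actual content, such as the invoice amount, still breaks the hash.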
DMARC tells email providers what to do with a message that passes neither SPF nor DKIM in a way that matches the From: domain the recipient sees (DMARC calls this alignment). An SPF pass for a third-party sender's bounce domain, or a DKIM signature from some unrelated domain, does not count toward DMARC.
It acts as your policy: p=none only monitors, p=quarantine asks receivers to treat failures as spam, and p=reject asks them to refuse such messages outright.
Example DMARC record:
Name: _dmarc.example.com
Type: TXT
Value: v=DMARC1; p=quarantine; rua=mailto:reports@example.com
DMARC also lets you receive reports about who is sending mail as your domain: the rua= address receives aggregate reports from receivers listing each sending source with its SPF, DKIM, and DMARC results. A common approach is to start at p=none, use these reports to find legitimate senders you had forgotten, and only then move to quarantine or reject.
Domains without DMARC are easier to spoof and more likely to have email delivery issues.
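To make the alignment rule concrete, here is an added example (not code from the original article) that evaluates DMARC the way a receiver does: find the policy record for the From: domain or its organizational domain, check whether the SPF-authenticated domain or the DKIM d= domain aligns with the From: domain under strict or relaxed alignment, and return the resulting disposition from p= (or sp= for a subdomain without its own record). DNS is a constructed table (FAKE_DNS) with invented records, and the organizational domain is approximated as the last two labels; real receivers use the Public Suffix List for that step.

```python
# Constructed DNS answers for _dmarc.<domain> TXT lookups (assumption: invented for the example).
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=quarantine; sp=reject; adkim=s; rua=mailto:reports@example.com",
    "_dmarc.parked.example": "v=DMARC1; p=reject",
}


def org_domain(domain):
    """Organizational domain. Assumption for this example: the last two labels.
    Real receivers consult the Public Suffix List (so mail.example.co.uk -> example.co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(txt):
    """Parse a DMARC record into its tags; returns None if it is not a usable v=DMARC1 record."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    return tags


def find_policy(from_domain):
    """RFC 7489 section 6.6.3: look at the From: domain first, then its organizational domain.
    Returns (policy, found_at_org_domain)."""
    txt = FAKE_DNS.get("_dmarc." + from_domain.lower())
    if txt:
        return parse_dmarc(txt), False
    txt = FAKE_DNS.get("_dmarc." + org_domain(from_domain))
    if txt:
        return parse_dmarc(txt), True
    return None, False


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf_result, mail_from_domain, dkim_result, dkim_d):
    """Return (dmarc_result, disposition).

    spf_result is the SPF verdict for the MAIL FROM domain; dkim_result is the verdict
    for the signature whose d= tag is dkim_d. DMARC passes when at least one of them
    is "pass" AND its domain aligns with the From: header domain; otherwise p= (or
    sp= for a subdomain with no record of its own) decides the disposition.
    """
    policy, at_org = find_policy(from_domain)
    if policy is None:
        return "none", "none"  # no policy: the receiver falls back to its own filtering
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_d, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    disposition = policy.get("sp", policy["p"]) if at_org else policy["p"]
    return "fail", disposition


if __name__ == "__main__":
    # Third-party sender: SPF and DKIM both pass for examplesender.net, but neither aligns
    # with the From: domain, so DMARC still fails.
    print(evaluate("example.com", "pass", "examplesender.net", "pass", "examplesender.net"))
    # Subdomain without its own record inherits sp=reject from example.com.
    print(evaluate("newsletter.example.com", "fail", "x.example.com", "fail", ""))
```

The second case in the main block is the one that surprises people: a mailing service can pass SPF and DKIM for its own domain and the message still fails DMARC for yours, because neither identifier aligns with the From: header. Fixing that means having the service sign with your domain (d=example.com) or use a bounce domain under yours.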
If SPF, DKIM, and DMARC are not configured, receivers have no reliable way to tell your mail from a forgery: legitimate messages may land in spam, be quarantined, or fail delivery, and attackers can send phishing mail that appears to come from your domain.
Correct configuration gives you higher deliverability, protection against spoofing of your domain, and control over what receivers do with unauthenticated mail that uses it.
Even domains that do not send email should still publish records to prevent abuse: an SPF record of v=spf1 -all (no server is authorized) and a DMARC record with p=reject.
Putting it together, here is a complete setup for a domain that sends through Google Workspace, whose SPF include is _spf.google.com and whose default DKIM selector is google (the public key is a placeholder):
SPF
Name: example.com
Type: TXT
Value: v=spf1 include:_spf.google.com -all
DKIM
Name: google._domainkey.example.com
Type: TXT
Value: v=DKIM1; p=PUBLICKEY
DMARC
Name: _dmarc.example.com
Type: TXT
Value: v=DMARC1; p=reject; rua=mailto:you@example.com
What is SPF, and what problem does it solve?
SPF (Sender Policy Framework) is a DNS record that specifies which mail servers are allowed to send email on behalf of your domain. It works like a permission list: if a server is not included in the SPF record, it should not be sending messages "as you." Receivers evaluate it against the envelope sender (MAIL FROM) domain of each message. When SPF is missing or incorrect, legitimate emails can be treated as suspicious and may end up in spam, and it becomes easier for attackers to impersonate your domain from unauthorized servers.
How does DKIM work, and what does it guarantee?
DKIM (DomainKeys Identified Mail) adds a digital signature to your outgoing emails. Your sending server signs selected headers and the body of each message using a private key, and the receiving server verifies that signature using a public key that you publish in DNS as a TXT record under a selector name (such as bigemail._domainkey.example.com). If the signature checks out, DKIM passes. This demonstrates two things: the domain named in the signature's d= tag took responsibility for the message, and the signed headers and body were not altered after signing. On its own it does not prove that the d= domain matches the From: address; that is what DMARC alignment checks.
What is DMARC, and what does it tell email providers to do?
DMARC (Domain-based Message Authentication, Reporting & Conformance) is a policy layer that instructs mail providers how to handle messages that pass neither SPF nor DKIM in alignment with the From: domain. In other words, it tells providers whether such messages should still be delivered (p=none, monitoring only), moved to spam/quarantine (p=quarantine), or rejected completely (p=reject). A DMARC record is published in DNS (under _dmarc.example.com as a TXT record). This gives you control over how your domain is used and how providers respond when something looks wrong.
Why do SPF, DKIM, and DMARC matter for deliverability and security?
These three systems work together to help mail providers determine whether email claiming to be from your domain is legitimate. Without them, providers may be more likely to distrust your domain, which can cause messages to be sent to spam, quarantined, or fail delivery. From a security perspective, missing authentication makes it easier for attackers to spoof your domain for phishing attempts. Correct configuration supports higher deliverability, better protection against phishing, and clearer control over what happens to suspicious messages.
If my domain doesn’t send email, do I still need anything?
Yes. Even if your domain is not used to send email, publishing a DMARC record with p=reject, together with an SPF record of v=spf1 -all, is still recommended to reduce the risk of abuse. As noted above, domains without DMARC are easier to spoof and more likely to have email delivery issues. These records tell mail providers to refuse unauthenticated mail that pretends to come from your domain, which protects against impersonation and misuse.