SPF, DKIM, and DMARC explained in plain English
If you've ever been told "you need to set up SPF and DMARC" and nodded politely without knowing what that meant — this guide is for you.
All three are published as DNS records for your domain and together protect it from email spoofing. They work like a three-part security system. Here's exactly what each one does.
SPF
Lists which mail servers are allowed to send email for your domain.
DKIM
Adds a cryptographic signature to every email you send, proving it's really from you.
DMARC
Tells receiving servers what to do with emails that fail SPF or DKIM checks.
SPF — the authorized senders list
Sender Policy Framework (SPF) is a DNS record that lists all the mail servers and services that are allowed to send email using your domain name.
Think of it like an approved vendor list. When an email arrives claiming to be from your domain, the receiving server checks your SPF record: "Is this mail server on the approved list?" If not, it's suspicious.
An SPF record looks like this:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
The end of the record is the policy:
- -all (hard fail): mail from a server not on the list fails SPF. Receivers may reject it outright, and DMARC can act on the failure.
- ~all (soft fail): mail from an unlisted server gets a softfail result. Most receivers still deliver it, at most marking it as suspicious.
- ?all (neutral): no opinion. Essentially useless for protection.
- +all: allow everyone. Never use this.
Common mistake: Many businesses have SPF set to ~all (soft fail) thinking they're protected. Soft fail still delivers spoofed email; it just marks it as suspicious. There is a deeper limit, too: SPF checks the envelope sender (the Return-Path, or MAIL FROM address), not the From: address your users see, so a spoofer can pass SPF on a domain they control while displaying yours. Only DMARC ties the result to the visible From: domain, so to block spoofing you need DMARC to enforce it. SPF alone is not enough. One more thing to watch: an SPF record may trigger at most 10 DNS lookups (each include:, a and mx counts); go over that and receivers treat the record as a permanent error, which is no protection at all.
DKIM — the cryptographic signature
DomainKeys Identified Mail (DKIM) adds a digital signature to every email your domain sends. It's like a wax seal on a letter — proof that the message actually came from you and wasn't tampered with in transit.
When you send an email, your mail server hashes the message body and a chosen set of headers, signs that hash with a private key, and puts the result in a DKIM-Signature header. The receiving server looks up the matching public key in DNS and verifies the signature. If it verifies, the signed parts of the message have not changed since they left a server holding your key.
DKIM lives in DNS as a TXT record at a special subdomain:
selector._domainkey.yourdomain.com
The "selector" varies by provider. Google Workspace uses google. Microsoft 365 uses selector1 and selector2. Most email providers generate this for you and just ask you to add the record.
DKIM is important because SPF only verifies the sending server — not the actual message content. DKIM verifies both that the email was authorized and that it wasn't modified after sending.
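As an added example (not from the original page and not any provider's implementation), the following code performs the body-hash step of DKIM verification from RFC 6376: it canonicalizes the body, hashes it, and compares the result with the bh= tag in the DKIM-Signature header. The message, the domain example.com, the selector sel1 and the placeholder b= value are all constructed for the example; checking the actual RSA or Ed25519 signature over the headers (the b= tag) needs the public key from DNS and is not shown. Changing one character of the body makes the check fail, while the relaxed canonicalization tolerates a whitespace-only change.

```python
import base64
import hashlib
import re


def canonicalize_body(body: bytes, method: str = "relaxed") -> bytes:
    """Body canonicalization per RFC 6376 sections 3.4.3 (simple) and 3.4.4 (relaxed)."""
    if method not in ("simple", "relaxed"):
        raise ValueError("unknown body canonicalization: " + method)
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # collapse runs of spaces/tabs inside a line to one space, drop trailing whitespace
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" \t") for line in lines]
    # both methods ignore empty lines at the end of the body
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # an empty body hashes as "" under relaxed and as a single CRLF under simple
        return b"" if method == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"   # the canonical body ends with exactly one CRLF


def body_hash(body: bytes, method: str = "relaxed", algo: str = "sha256") -> str:
    """The bh= value: base64 of the hash over the canonicalized body."""
    digest = hashlib.new(algo, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode()


def parse_tags(value: str) -> dict:
    """Parse a DKIM tag=value list (RFC 6376 section 3.2); whitespace inside values is ignored."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def check_body_hash(raw: bytes) -> bool:
    """Body-hash step of DKIM verification (RFC 6376 section 6.1.3).

    Returns True when the bh= tag in the DKIM-Signature header matches the
    message body. Verifying the b= signature over the headers is a separate
    step that needs the public key from DNS and is not done here.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    unfolded = re.sub(rb"\r\n[ \t]+", b" ", head).decode("ascii", "replace")
    sig = None
    for line in unfolded.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() == "dkim-signature":
            sig = value
            break
    if sig is None:
        return False
    tags = parse_tags(sig)
    canon = tags.get("c", "simple/simple")          # RFC 6376 default is simple/simple
    body_method = canon.split("/")[1] if "/" in canon else "simple"
    algo = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    return body_hash(body, body_method, algo) == tags.get("bh")


def build_signed_message(body: bytes) -> bytes:
    """Constructed example message: bh= is computed here, b= is only a placeholder."""
    bh = body_hash(body, "relaxed").encode()
    headers = (
        b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
        b"\th=from:to:subject; bh=" + bh + b";\r\n"
        b"\tb=PLACEHOLDER\r\n"
        b"From: billing@example.com\r\n"
        b"To: customer@example.net\r\n"
        b"Subject: Invoice 1234\r\n"
    )
    return headers + b"\r\n" + body


# Constructed sample body; the invoice text is invented for the demonstration.
ORIGINAL_BODY = b"Please pay   invoice 1234 to account A.\r\n\r\n"


def demo() -> dict:
    """The original message, a whitespace-only change, and a real edit to the payee."""
    signed = build_signed_message(ORIGINAL_BODY)
    return {
        "original": check_body_hash(signed),
        "whitespace_changed": check_body_hash(signed.replace(b"pay   invoice", b"pay invoice")),
        "payee_changed": check_body_hash(signed.replace(b"account A", b"account B")),
    }


if __name__ == "__main__":
    print(demo())
```

The whitespace case is why most signers choose relaxed canonicalization: mailing lists and gateways that re-wrap or re-space a body would otherwise break every signature, and a broken DKIM signature turns into a DMARC failure downstream.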
DMARC — the enforcer
Domain-based Message Authentication, Reporting, and Conformance (DMARC) is the record that ties everything together. It tells receiving mail servers what to do when an email fails authentication. A message passes DMARC when at least one of SPF or DKIM passes for a domain that matches the From: address the recipient sees (DMARC calls this alignment); if neither does, your published policy applies.
v=DMARC1; p=reject; rua=mailto:[email protected]
The three policy options:
- p=none: do nothing to failing mail. Just send reports. Zero protection.
- p=quarantine: treat failing emails as spam (typically the junk folder).
- p=reject: block failing emails entirely. This is the goal.
DMARC also enables reporting. The rua= field tells email providers where to send aggregate XML reports (usually daily) summarizing every message they saw using your domain, broken down by sending source and whether SPF and DKIM passed, spoofing attempts included. This is how you find out if someone is trying to impersonate you, and how you spot a legitimate sending service you forgot to authorize.
How they work together
Think of it this way:
- SPF says: "Only these servers can send email for my domain."
- DKIM says: "And I'll cryptographically sign every message so you know it's real."
- DMARC says: "If either check fails, here's what to do — and tell me about it."
Having SPF or DKIM alone is not enough. Without DMARC to enforce them, spoofed emails that fail SPF/DKIM still get delivered. DMARC is what connects the checks to real-world consequences.
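The evaluation described above, as an added example that is not part of the original page and not any receiver's actual code: it performs DMARC policy discovery, identifier alignment and disposition for one message as RFC 7489 describes. The DMARC records live in a constructed in-memory table for example.com and shop.example.org; the organizational-domain function is a deliberate simplification (last two labels) where real receivers use the Public Suffix List, and pct= sampling is not modeled. The case worth noticing is the spoof: the attacker's mail passes SPF and DKIM for the attacker's own domain, but neither aligns with the From: domain, so the published policy applies.

```python
# Constructed stand-in for DNS: DMARC records for example domains used in this demonstration only.
STUB_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com",
    "_dmarc.shop.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record (RFC 7489 section 6.3) and apply the defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip()] = v.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])   # the subdomain policy defaults to p=
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification for this example: the last two labels. Real receivers use the
    Public Suffix List, so names like example.co.uk need more than this."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment (RFC 7489 section 3.1): strict ("s") needs an exact match,
    relaxed ("r") accepts any name under the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def find_policy(from_domain: str, dns=STUB_DNS):
    """Policy discovery (RFC 7489 section 6.6.3): the From domain's own record first,
    otherwise the organizational domain's. Returns (tags, found_on_from_domain)."""
    own = dns.get("_dmarc." + from_domain.lower())
    if own:
        return parse_dmarc(own), True
    org = dns.get("_dmarc." + organizational_domain(from_domain))
    if org:
        return parse_dmarc(org), False
    return None, False


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain, dns=STUB_DNS):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the envelope MAIL FROM domain SPF was evaluated against;
    dkim_domain is the d= of a DKIM signature that verified (or None).
    DMARC passes if either check passed AND its domain aligns with the
    RFC5322.From domain; otherwise the published policy gives the disposition.
    """
    tags, on_from_domain = find_policy(from_domain, dns)
    if tags is None:
        return "none", "no-policy"   # no DMARC record: SPF/DKIM failures carry no consequence
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and aligned(spf_domain, from_domain, tags["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # p= applies to the exact domain the record was published for, sp= to its subdomains
    return "fail", (tags["p"] if on_from_domain else tags["sp"])


def demo() -> dict:
    """Constructed scenarios: legitimate mail, a spoof from an attacker's domain, a subdomain, and more."""
    return {
        # bounce address on a subdomain: relaxed SPF alignment still passes
        "legit": evaluate_dmarc("example.com", "pass", "bounce.example.com", "none", None),
        # attacker's own SPF and DKIM pass, but neither aligns with the From: domain
        "spoof": evaluate_dmarc("example.com", "pass", "attacker.example", "pass", "attacker.example"),
        # subdomain without its own record inherits the organizational domain's sp= policy
        "subdomain": evaluate_dmarc("news.example.com", "fail", "news.example.com", "fail", None),
        # p=none: the failure is reported but the mail is delivered
        "monitor_only": evaluate_dmarc("shop.example.org", "fail", "shop.example.org", "fail", None),
        # no DMARC record at all
        "no_record": evaluate_dmarc("nodmarc.example", "fail", "nodmarc.example", "fail", None),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

Note the "legit" case: a bounce address on bounce.example.com still aligns under the default relaxed mode. Switching to aspf=s would make that same message fail DMARC, which is the kind of breakage the reports are meant to reveal before you move to p=reject.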
What happens if you're missing them?
- No SPF: Anyone can send email from your domain. No warning signs for recipients.
- No DKIM: Your legitimate emails may be marked as spam. And there's no way to prove a message wasn't tampered with.
- No DMARC (or p=none): SPF/DKIM failures have no consequence. Spoofed emails land in inboxes.
In 2024, Google and Yahoo began requiring DMARC for bulk senders. Microsoft is following. The email ecosystem is moving toward enforcement — domains without these records will see increasing deliverability problems.
How to check your current status
The easiest way: run a free scan at sentryscore.com. It checks SPF, DKIM, and DMARC — and shows you exactly what's missing and what the policy is set to.
You can also check manually:
# SPF
dig +short TXT yourdomain.com | grep -i spf1
# DMARC
dig +short TXT _dmarc.yourdomain.com
# DKIM (replace 'google' with your provider's selector)
dig +short TXT google._domainkey.yourdomain.com
How to fix it
If you use Google Workspace or Microsoft 365, both providers have step-by-step guides to set up SPF, DKIM, and DMARC. Your registrar or IT provider can add the DNS records in under an hour.
The recommended order:
- Set up SPF first (list all your sending services)
- Enable DKIM through your email provider
- Add DMARC starting at p=none to collect reports
- After a few weeks, verify from the reports that no legitimate email is failing, then move to p=quarantine and, once that is clean, to p=reject
Check your domain's SPF, DKIM, and DMARC status
Free scan — see exactly what's missing and what your overall security score is. 60 seconds.
Related: What is DMARC — and why does every small business need it?
Related: How email spoofing targets small businesses (and how to stop it)