Domain Security: SPF, DKIM & DMARC Explained
Email spoofing is one of the most common attack vectors on the internet. Anyone can send an email claiming to be from your domain unless you've configured SPF, DKIM, and DMARC. These three protocols work together to authenticate email and protect your domain's reputation.
Why Email Authentication Matters
Without email authentication, attackers can send emails that appear to come from your domain. This is called email spoofing, and it's used in phishing attacks, business email compromise (BEC), and spam campaigns. The consequences include:
- Your domain gets blacklisted by email providers
- Legitimate emails from your domain land in spam folders
- Customers and partners lose trust in your communications
- Your organization becomes liable for fraud carried out using your domain
The good news: SPF, DKIM, and DMARC are all implemented through DNS records, so you can set them up without installing any software.
SPF (Sender Policy Framework)
SPF tells receiving mail servers which IP addresses and servers are authorized to send email on behalf of your domain. It's implemented as a TXT record on your domain.
example.com. IN TXT "v=spf1 include:_spf.google.com include:sendgrid.net -all"
Breaking this down:
- v=spf1 – identifies this as an SPF record
- include:_spf.google.com – allows Google Workspace servers to send mail
- include:sendgrid.net – allows SendGrid (transactional email service) to send mail
- -all – reject all other senders (strict). Use ~all for soft fail during testing
SPF also caps the number of DNS lookups a single record may trigger at 10 (RFC 7208): each include: counts as a lookup, and nested includes count too. Exceeding this limit causes SPF evaluation to fail, usually without any visible warning to you.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every outgoing email. The receiving server verifies this signature using a public key published in your DNS. This proves the email hasn't been tampered with in transit.
selector._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."
Key concepts:
- Selector – identifies which key to use (e.g., google, s1). Allows key rotation without downtime.
- Private key – used by your mail server to sign outgoing messages. Never shared.
- Public key β published in DNS. Used by recipients to verify signatures.
DKIM is usually configured by your email provider (Google Workspace, Microsoft 365, etc.) and you just need to add the DNS record they provide.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also provides reporting so you can monitor who's sending email as your domain.
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
DMARC policies:
- p=none – monitor only. No action on failures. Use this to start and analyze reports.
- p=quarantine – send failing messages to spam. A good intermediate step.
- p=reject – block failing messages entirely. The strongest protection.
The rua tag specifies where to send aggregate reports. These XML reports show you all servers sending email as your domain, which is invaluable for identifying unauthorized senders.
Implementation Roadmap
Here's the recommended order for implementing email authentication:
- Start with SPF – list all services that send email for your domain. Deploy with ~all (soft fail) first.
- Configure DKIM – enable it in your email provider and add the DNS record. Most providers have one-click setup.
- Deploy DMARC with p=none – start monitoring. Set up a rua address to receive reports.
- Analyze DMARC reports – review for 2-4 weeks. Identify any legitimate senders you missed in SPF.
- Tighten SPF to -all – switch from soft fail to hard fail.
- Move DMARC to p=quarantine – start quarantining spoofed emails.
- Finally, p=reject – maximum protection. Spoofed emails are rejected outright.
Common Mistakes
- Forgetting transactional email services – if you use SendGrid, Mailchimp, or similar services, they need to be in your SPF record
- Going straight to p=reject – always start with p=none and monitor first, or you may block legitimate email
- Multiple SPF records – a domain must have exactly one SPF record. Publishing more than one causes SPF validation to fail for all of them
- Not monitoring DMARC reports – the reports are the whole point of the monitoring phase. Use a service like dmarcian or Postmark to parse them
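Two of the SPF pitfalls above (the DNS lookup limit from the SPF section, and the "exactly one SPF record" rule) can be checked before you publish. The script below is an added example, not code from the original page: it walks an SPF record, recursing through include: and redirect= targets, counts the lookup-triggering terms, and refuses domains that publish several SPF records or include themselves. The ZONE dictionary is constructed sample data standing in for real DNS TXT answers.

```python
import re

# Constructed TXT data standing in for DNS answers (sample values, not real records).
ZONE = {
    "example.com": ["v=spf1 include:_spf.google.com include:sendgrid.net -all"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:35.190.247.0/24 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:4860:4000::/36 ~all"],
    "sendgrid.net": ["v=spf1 ip4:167.89.0.0/17 ~all"],
    "two-records.test": ["v=spf1 -all", "v=spf1 include:sendgrid.net -all"],
    "loop.test": ["v=spf1 include:loop.test -all"],
}

# Terms that cost a DNS lookup under RFC 7208 section 4.6.4 (limit of 10 per evaluation).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10


def spf_record(domain, zone=ZONE):
    """Return the domain's single SPF record; raise if there is not exactly one."""
    records = [r for r in zone.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        raise ValueError(f"{domain}: expected exactly one SPF record, found {len(records)}")
    return records[0]


def count_lookups(domain, zone=ZONE, path=()):
    """Count lookup-triggering terms for domain, following include: and redirect= recursively."""
    if domain in path:
        raise ValueError("include loop: " + " -> ".join(path + (domain,)))
    total = 0
    for term in spf_record(domain, zone).split()[1:]:  # skip the v=spf1 version tag
        term = term.lstrip("+-~?").split("/")[0]        # drop qualifier and CIDR suffix
        m = re.match(r"^([a-z0-9]+)(?:[:=](.*))?$", term, re.I)
        if not m:
            continue
        mech, arg = m.group(1).lower(), m.group(2)
        if mech in LOOKUP_TERMS:
            total += 1
        if mech in ("include", "redirect") and arg:
            total += count_lookups(arg, zone, path + (domain,))
    return total


def check_spf(domain, zone=ZONE):
    """Return (lookup_count, within_limit) for the domain's SPF record."""
    n = count_lookups(domain, zone)
    return n, n <= MAX_LOOKUPS
```

Point ZONE at live TXT answers from your own resolver to audit a real domain; a total close to 10 means the next vendor you add will silently break SPF.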
For a complete domain security assessment, combine email security checks with SSL certificate verification, DNS record analysis, and WHOIS data review. You can also check your IP address to understand your own network configuration.