Email spoofing — forging the sender address to impersonate your domain — is trivially easy without proper DNS-based authentication. SPF, DKIM, and DMARC are three complementary DNS records that together prevent attackers from sending emails that appear to come from your domain. They’re essential for any domain used for business communication and dramatically improve email deliverability to major providers like Gmail, Outlook, and Yahoo.
The Three Layers
| Record | What It Does |
|---|---|
| SPF | Lists which servers are authorized to send email for your domain |
| DKIM | Adds a cryptographic signature to emails, proving they weren’t tampered with |
| DMARC | Tells receiving servers what to do with emails that fail SPF/DKIM, and sends reports |
SPF (Sender Policy Framework)
SPF is a TXT record in your domain’s DNS that lists authorized sending IP addresses or services.
Creating Your SPF Record
A basic SPF record allowing only Google Workspace to send:
```
TXT yourdomain.com "v=spf1 include:_spf.google.com ~all"
```
Common include values:
- Google Workspace: `include:_spf.google.com`
- Microsoft 365: `include:spf.protection.outlook.com`
- Mailchimp: `include:servers.mcsv.net`
- SendGrid: `include:sendgrid.net`
- Your own server by IP: `ip4:203.0.113.10`
The ending qualifier:
- `~all` = SoftFail — suspicious but accept (recommended while testing)
- `-all` = Fail — reject emails from unauthorized sources (use after confirming all legitimate senders are listed)
- `?all` = Neutral — no policy (too permissive)
Example for multiple senders:
```
TXT yourdomain.com "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -all"
```
SPF limitation: SPF only validates the envelope sender (MAIL FROM), not the From header visible to users, so a message can pass SPF while displaying a forged From address. DMARC's alignment check addresses this.
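To make the qualifier semantics and the `include:` chaining concrete, here is an added example (not code from the original article) of a small offline SPF evaluator. It supports the mechanisms the article uses (`ip4`, `include`, `all`) and all four qualifiers, and replaces DNS with a constructed `ZONE` dictionary whose IP ranges are documentation prefixes, not the providers' real netblocks. It also counts the DNS-querying terms a record triggers, since RFC 7208 caps those at 10 and a record that exceeds the limit evaluates to `permerror` for every sender.

```python
"""Offline SPF evaluator (added example, not code from the original article).

Supports the mechanisms the article uses (ip4, include, all) and all four
qualifiers. DNS is replaced by the constructed ZONE dictionary so the block
runs offline; the domains and addresses in it are sample values.
"""
import ipaddress

# Constructed zone data: domain -> its SPF TXT record. The include targets
# mirror the article's example record; the IP ranges are documentation
# prefixes, not the providers' real netblocks.
ZONE = {
    "yourdomain.com": "v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.10 -all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
    "sendgrid.net": "v=spf1 ip4:192.0.2.0/28 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 caps DNS-querying terms at 10 per evaluation
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_host(ip, domain, zone=ZONE, _lookups=None):
    """Evaluate `ip` against `domain`'s SPF record.

    Returns one of pass / fail / softfail / neutral / none / permerror,
    following RFC 7208 sections 4.6 and 5.2 for the terms implemented here.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = zone.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF record published for this domain
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            # ip4:203.0.113.10 is a /32; strict=False tolerates host bits in a CIDR
            if addr in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"  # too many DNS-querying terms
            sub = check_host(ip, value, zone, lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"  # including a domain with no record is a permanent error
            # fail / softfail / neutral from the include: not a match, keep going
        else:
            return "permerror"  # a, mx, ptr, exists, redirect are not implemented here
    return "neutral"  # default when no term matched (RFC 7208 section 4.7)


def lookup_count(domain, zone=ZONE):
    """Count the DNS-querying terms an evaluation of `domain` can trigger.

    Operators who keep adding include: lines eventually pass 10, at which
    point every check returns permerror, so this is worth checking up front.
    """
    record = zone.get(domain, "")
    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")
        name, _, value = term.partition(":")
        if "=" in name:  # modifier form, e.g. redirect=other.example
            name, value = name.split("=", 1)
        if name.lower() in LOOKUP_TERMS:
            count += 1
            if name.lower() in ("include", "redirect"):
                count += lookup_count(value, zone)
    return count


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.77", "192.0.2.5", "192.0.2.200"):
        print(ip, check_host(ip, "yourdomain.com"))
    print("DNS-querying terms:", lookup_count("yourdomain.com"))
```

Note how `192.0.2.200` walks through both includes (each returning its own non-matching result) and only then hits the top-level `-all`; with `~all` instead, the same sender would get `softfail`, which most receivers accept and merely score.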
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to outgoing emails. The receiving server verifies the signature using a public key published in DNS.
Setting Up DKIM
Your email provider generates the DKIM key pair. You publish the public key in DNS.
Google Workspace:
- Admin Console → Apps → Google Workspace → Gmail → Authenticate email
- Generate a new record → note the selector (e.g., `google`)
- Add the provided TXT record to DNS
Microsoft 365:
- Security & Compliance → DKIM
- Select your domain → Enable
- Add the two CNAME records shown to DNS
Self-hosted mail (Postfix + OpenDKIM):
```bash
sudo apt install opendkim opendkim-tools
# -s mail sets the selector, -d the signing domain; -t adds t=y (testing mode) to the generated record
sudo opendkim-genkey -t -s mail -d yourdomain.com
# Keys generated in current directory: mail.private, mail.txt
```
The mail.txt file contains your DNS record. Publish it:
```
TXT mail._domainkey.yourdomain.com "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSI..."
```
(Replace mail with your selector name and the long string with your actual public key.)
Verify DKIM
Send a test email to check-auth@verifier.port25.com — they’ll reply with a full authentication report.
Or use mxtoolbox.com/dkim.aspx to verify the DNS record.
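The following added example (not code from the original article or from OpenDKIM) shows the part of DKIM verification that can be done with the standard library alone: recomputing the body hash (`bh=`) under the "simple" and "relaxed" body canonicalizations of RFC 6376 and comparing it with the signature header, which is how a tampered body is detected. The RSA check of the `b=` tag against the public key at `<selector>._domainkey.<domain>` needs an RSA library and is not shown. It also includes a small inspector for the published TXT record, flagging an empty `p=` (revoked key) and the `t=y` testing flag. The message body and the signature header are constructed sample values.

```python
"""DKIM body-hash check and DNS record inspection (added example, not code
from the original article or from OpenDKIM).

A verifier recomputes the hash of the canonicalized body and compares it
with the bh= tag before checking the RSA signature (b=) with the public key
published at <selector>._domainkey.<domain>. Only the body-hash step and a
TXT record inspector are implemented here.
"""
import base64
import hashlib
import re


def parse_tags(value):
    """Parse a DKIM tag=value list ('v=1; a=rsa-sha256; ...') into a dict.

    Works for both the DKIM-Signature header and the DNS TXT record; folding
    whitespace inside values (e.g. a wrapped p= key) is removed.
    """
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body, method="simple"):
    """RFC 6376 section 3.4.3/3.4.4 body canonicalization; body is bytes with CRLF line ends."""
    lines = body.split(b"\r\n")
    if method == "relaxed":
        # collapse runs of SP/TAB to one space, then strip trailing whitespace
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # ignore empty lines at the end of the body
    if not lines:
        # simple: an empty body becomes a single CRLF; relaxed: it stays empty
        return b"\r\n" if method == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, method="simple", algorithm="sha256"):
    """Base64 digest of the canonicalized body: the value that goes in bh=."""
    digest = hashlib.new(algorithm, canonicalize_body(body, method)).digest()
    return base64.b64encode(digest).decode("ascii")


def body_hash_matches(dkim_signature, body):
    """True if the bh= tag of a DKIM-Signature header matches the body."""
    tags = parse_tags(dkim_signature)
    c = tags.get("c", "simple/simple")  # c=header/body; the body part may be omitted
    body_method = c.split("/")[1] if "/" in c else "simple"
    algorithm = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    return tags.get("bh") == body_hash(body, body_method, algorithm)


def inspect_dkim_record(txt):
    """Summarize a published DKIM TXT record such as the mail._domainkey example."""
    tags = parse_tags(txt)
    return {
        "version_ok": tags.get("v", "DKIM1") == "DKIM1",
        "key_type": tags.get("k", "rsa"),
        "key_published": bool(tags.get("p")),  # an empty p= means the key is revoked
        "testing_mode": "y" in tags.get("t", ""),  # t=y: verifiers treat failures as unsigned
    }


# Constructed sample body: CRLF line endings, a double space, trailing blank lines.
SAMPLE_BODY = b"Hello,\r\n\r\nThis is a  test.\r\n\r\n\r\n"


def constructed_signature(body, method="relaxed"):
    """Build a sample DKIM-Signature value whose bh= matches `body` (b= is a placeholder)."""
    return (
        f"v=1; a=rsa-sha256; c=relaxed/{method}; d=yourdomain.com; s=mail; "
        f"h=from:to:subject:date; bh={body_hash(body, method)}; b=SIGNATURE-NOT-SHOWN"
    )


if __name__ == "__main__":
    sig = constructed_signature(SAMPLE_BODY)
    print("intact body matches:", body_hash_matches(sig, SAMPLE_BODY))
    print("tampered body matches:", body_hash_matches(sig, SAMPLE_BODY.replace(b"test", b"tset")))
    print(inspect_dkim_record("v=DKIM1; k=rsa; t=y; p=MIGfMA0GCSqGSI"))
```

Trailing blank lines added in transit do not break the hash because both canonicalizations discard them; changing a single character in the text does.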
DMARC (Domain-based Message Authentication, Reporting & Conformance)
DMARC tells receiving servers what to do with emails that fail SPF or DKIM alignment, and sends you reports about authentication results.
Basic DMARC Record
```
TXT _dmarc.yourdomain.com "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourdomain.com"
```
Policies (`p=`):
- `p=none` — Monitor only; take no action on failures (start here)
- `p=quarantine` — Send failing emails to spam
- `p=reject` — Reject failing emails outright (maximum protection)
Tags:
- `rua=` — Aggregate report destination (daily XML reports)
- `ruf=` — Forensic report destination (per-failure reports — privacy concern, use carefully)
- `pct=100` — Percentage of emails the policy applies to (default 100%)
- `sp=reject` — Policy for subdomains
DMARC Rollout Strategy
Phase 1 — Monitor (p=none):
```
"v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"
```
Watch reports for 2-4 weeks. Identify legitimate senders that fail authentication and fix their SPF/DKIM.
Phase 2 — Quarantine (p=quarantine):
```
"v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourdomain.com"
```
Start at 25% — monitor for false positives. Increase gradually to 100%.
Phase 3 — Reject (p=reject):
```
"v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"
```
Maximum protection — unauthorized emails are rejected before delivery.
Reading DMARC Reports
DMARC aggregate reports are XML files sent daily by receiving email providers. Use a free parser to make them readable:
- dmarcian.com — Free tier available
- DMARC Analyzer — Free reports view
- dmarc_analytics — Self-hosted Python parser
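The parsers above all do the same basic job, and it helps to see what that job is. Here is an added example (not code from the original article or from any of the tools it lists) that reads an aggregate report in the RFC 7489 Appendix C XML schema and sorts each source into the three buckets a `p=none` monitoring phase surfaces: your own mail (aligned), a legitimate third-party mailer whose SPF or DKIM passes for some other domain (misaligned, the case to fix before moving to `p=quarantine`), and an unknown source that fails everything. The report, its organisation name, IPs and counts are constructed sample data.

```python
"""Summarize a DMARC aggregate (rua) report (added example, not code from
the original article or from any of the parsers it lists).

SAMPLE_REPORT is a constructed report in the RFC 7489 Appendix C schema.
"""
import xml.etree.ElementTree as ET

# Constructed report: org name, IPs and counts are sample values.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>yourdomain.com</domain><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>198.51.100.23</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>yourdomain.com</domain><selector>mail</selector><result>pass</result></dkim>
      <spf><domain>yourdomain.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.9</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bounce.mailer.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.77</source_ip><count>15</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>yourdomain.com</header_from></identifiers>
    <auth_results>
      <spf><domain>yourdomain.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def classify(record):
    """aligned: DMARC passed; misaligned: SPF or DKIM passed but for another
    domain; unauthenticated: nothing passed at all."""
    evaluated = record.find("row/policy_evaluated")
    if "pass" in (evaluated.findtext("dkim"), evaluated.findtext("spf")):
        return "aligned"
    auth = record.find("auth_results")
    results = [] if auth is None else auth.findall("dkim") + auth.findall("spf")
    if any(r.findtext("result") == "pass" for r in results):
        return "misaligned"
    return "unauthenticated"


def summarize_report(xml_text):
    """Aggregate message counts per category and list each source IP."""
    # Reports come from third parties; in production, parse them with
    # defusedxml instead of the plain standard-library parser.
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    summary = {
        "domain": published.findtext("domain"),
        "policy": published.findtext("p"),
        "total": 0, "aligned": 0, "misaligned": 0, "unauthenticated": 0,
        "sources": [],
    }
    for record in root.iter("record"):
        row = record.find("row")
        count = int(row.findtext("count"))
        category = classify(record)
        summary[category] += count
        summary["total"] += count
        summary["sources"].append({
            "ip": row.findtext("source_ip"),
            "count": count,
            "category": category,
            "disposition": row.findtext("policy_evaluated/disposition"),
        })
    return summary


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print(f"{s['domain']} (p={s['policy']}): {s['total']} messages")
    for src in s["sources"]:
        print(f"  {src['ip']:>15}  {src['count']:>5}  {src['category']}")
```

In the sample, the 40 misaligned messages are the ones to chase down before tightening the policy: a real mailer is sending on the domain's behalf with its own return-path domain, so it authenticates but does not align, and under `p=quarantine` or `p=reject` that legitimate mail would start being filtered. The 15 unauthenticated messages are what the stricter policies exist to stop.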
Verification
Use MXToolbox to verify all three records, or check with dig:
```bash
dig TXT yourdomain.com                  # SPF
dig TXT mail._domainkey.yourdomain.com  # DKIM
dig TXT _dmarc.yourdomain.com           # DMARC
```
Impact on Deliverability
Beyond security, SPF + DKIM + DMARC at p=reject significantly improves deliverability. Gmail, Outlook, and other major providers weight DMARC compliance heavily in spam filtering — properly authenticated email lands in the inbox, not spam.
Google and Yahoo now require DMARC for bulk senders (>5000 emails/day) as of 2024. For any domain sending business email, these records are essential infrastructure.