SPF, DKIM, and DMARC explained

These three DNS records let receiving mail servers verify that email claiming to come from your domain is legitimate. Together they make it much harder for attackers to spoof your domain in phishing and spam campaigns, and they improve the deliverability of your own mail.


SPF (Sender Policy Framework)

What it is:
A DNS TXT record that lists which mail servers (by IP address, or by reference to another domain's record) are allowed to send email for your domain. The receiving server checks the IP address of the connecting server against the SPF record of the envelope sender domain, i.e. the domain in the SMTP MAIL FROM / Return-Path address.

Purpose:
Lets receivers reject mail sent from servers you never authorised. On its own, SPF only checks the envelope sender; it says nothing about the From: address the recipient actually sees. DMARC (below) adds that link.

Example SPF record:

v=spf1 include:spf.protection.outlook.com -all

Meaning:

  • include:spf.protection.outlook.com pulls in Microsoft's own SPF record, so the Microsoft 365 outbound servers are allowed to send for your domain
  • -all is a hard fail: any other sending server should be rejected. The softer ~all (softfail) tells receivers to accept but treat the message as suspicious

Keep the record within the limit of 10 DNS-querying mechanisms (include, a, mx, exists, redirect). Exceeding it turns the whole record into a permanent error, which receivers treat much like having no SPF at all.
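To make the evaluation concrete, here is a small SPF checker added as an example for this article (it is not code from Microsoft or any mail provider). It evaluates a sending IP address against a constructed DNS zone held in a dictionary, so it runs offline; the records in FAKE_DNS_TXT and the IP addresses are made up for illustration, and only the ip4, ip6, include and all mechanisms are modelled (a, mx, exists, redirect and macros are left out). It also enforces the 10-lookup limit, which the loop.example record trips on purpose.

```python
import ipaddress

# Constructed DNS zone for offline evaluation. Assumption: these records and
# addresses are made up for this example and are not the real records of the
# domains named.
FAKE_DNS_TXT = {
    "yourdomain.com": "v=spf1 include:spf.protection.outlook.com ip4:203.0.113.10 -all",
    "spf.protection.outlook.com": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # deliberately broken
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 limit on include/a/mx/exists/redirect terms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, ip, dns=FAKE_DNS_TXT, _lookups=None):
    """Evaluate SPF for `ip` sending with MAIL FROM domain `domain`.

    Returns (result, dns_lookups_used). Models ip4, ip6, include and all;
    a, mx, exists, redirect and macros are not handled in this example.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier], lookups[0]
        if mech in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror", lookups[0]
            # ip_network membership is False across IP versions, so an
            # IPv4 sender never matches an ip6 term and vice versa
            if addr in network:
                return QUALIFIERS[qualifier], lookups[0]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror", lookups[0]
            sub, _ = check_spf(arg, ip, dns, lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier], lookups[0]
            if sub in ("none", "permerror", "temperror"):
                # including a missing or broken record is itself an error
                return "permerror", lookups[0]
            # fail/softfail/neutral from an include: keep evaluating
        else:
            return "permerror", lookups[0]   # unknown mechanism
    return "neutral", lookups[0]             # ran out of terms without an `all`


if __name__ == "__main__":
    for sender in ("203.0.113.10", "198.51.100.7", "2001:db8::1", "192.0.2.1"):
        print(sender, check_spf("yourdomain.com", sender))
    print("loop.example", check_spf("loop.example", "192.0.2.1"))
```

Note the 192.0.2.1 case: the included Microsoft record ends in ~all, but an include only matches when the included record returns pass, so evaluation falls through to the outer -all and the message fails. The lookup counter is shared across the recursion, which is how the loop.example record ends in permerror after the 11th include.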

DKIM (DomainKeys Identified Mail)

What it is:
A cryptographic signature that your outgoing mail server adds to each message as a DKIM-Signature header.

Purpose:
Proves that the signed headers and body were not changed in transit, and that the message was signed by someone holding the private key for the signing domain (the d= tag in the signature).

How it works:
Your mail server signs outgoing mail with a private key.
The matching public key is published in DNS under a selector name (the s= tag in the signature), so receiving servers can look it up and verify the signature.

Example DKIM selector record name:

selector1._domainkey.yourdomain.com

This is the DNS name receivers query. The TXT record there (or a CNAME pointing at your provider's record) holds the key in the form v=DKIM1; k=rsa; p=<base64 public key>.

DKIM is usually enabled inside Microsoft 365, Google Workspace, or your mail host, which then tells you exactly which DNS records to publish. Rotate keys periodically; publishing a record whose p= tag is empty revokes that selector.


DMARC (Domain-based Message Authentication, Reporting & Conformance)

What it is:
A DNS TXT record at _dmarc.yourdomain.com that tells receiving servers what to do when a message passes neither SPF nor DKIM for a domain that aligns with the visible From: address, and where to send reports about what they saw.

Purpose:
Closes the gap SPF and DKIM leave on their own. An attacker can pass SPF or DKIM for a domain they control while still putting your domain in the From: header; DMARC requires the authenticated domain to match (align with) the From: domain, so that trick no longer works.

Example DMARC record:

v=DMARC1; p=quarantine; rua=mailto:postmaster@yourdomain.com; pct=100

Meaning:

  • p=quarantine: if neither SPF nor DKIM passes with an aligned domain, the receiver should quarantine the message (typically the spam folder)
  • rua=mailto:postmaster@yourdomain.com: send aggregate reports (XML summaries, usually once a day) to postmaster@yourdomain.com
  • pct=100: apply the policy to all messages (this is the default; lower values let you roll the policy out gradually)

DMARC policies:

  • none = monitor only, but still collect reports
  • quarantine = send suspicious emails to spam
  • reject = block them completely

Roll out in that order: start at p=none, use the aggregate reports to find legitimate senders (newsletter tools, ticketing systems, printers) that are not yet covered by SPF or DKIM, then move to quarantine and finally reject.
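The alignment rule is the part people most often get wrong, so here is a DMARC disposition calculator added as an example for this article (it is not code from any receiver or mail provider). It takes the SPF and DKIM results a receiver has already computed, together with the domain each one authenticated, and decides whether the message passes DMARC and which policy applies. The organizational-domain helper is a deliberate simplification (last two labels) where a real receiver would consult the Public Suffix List; the domains attacker.example, bounce.yourdomain.com and news.yourdomain.com are constructed for the illustration, and pct values below 100 are parsed but sampling is not applied.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: %r" % record)
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels.

    Assumption for this example only: real receivers use the Public Suffix
    List, which is needed for names such as example.co.uk.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def is_aligned(auth_domain, from_domain, mode):
    """Relaxed ('r') alignment compares organizational domains; strict ('s')
    requires an exact match. A missing authenticated domain never aligns."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(record, record_domain, from_domain,
                      spf_result="none", spf_domain=None,
                      dkim_result="none", dkim_domain=None):
    """Return (dmarc_result, action).

    spf_domain is the MAIL FROM domain SPF evaluated; dkim_domain is the d=
    tag of the DKIM-Signature that verified. record_domain is where the DMARC
    record was found (the From: domain itself, or its organizational domain).
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and is_aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and is_aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    # If the From: domain is a subdomain of the record's domain, sp= governs.
    policy = tags["p"] if from_domain.lower() == record_domain.lower() else tags["sp"]
    return "fail", policy


# The record from the article, plus two variants used to show strict
# alignment and the subdomain policy.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:postmaster@yourdomain.com; pct=100"
RECORD_STRICT_SPF = "v=DMARC1; p=reject; aspf=s"
RECORD_SUBDOMAIN = "v=DMARC1; p=quarantine; sp=reject"

if __name__ == "__main__":
    # Legitimate Microsoft 365 mail: SPF on a bounce subdomain, DKIM on the domain
    print(dmarc_disposition(RECORD, "yourdomain.com", "yourdomain.com",
                            "pass", "bounce.yourdomain.com", "pass", "yourdomain.com"))
    # Spoof: attacker passes SPF for their own envelope domain, From: is yours
    print(dmarc_disposition(RECORD, "yourdomain.com", "yourdomain.com",
                            "pass", "attacker.example", "none", None))
    # Forwarded mail: SPF breaks at the forwarder, DKIM survives and aligns
    print(dmarc_disposition(RECORD, "yourdomain.com", "yourdomain.com",
                            "fail", "yourdomain.com", "pass", "yourdomain.com"))
```

The second case is the whole point of DMARC: SPF genuinely passes for attacker.example, but that domain does not align with the From: domain, so the message fails and is quarantined. The third case shows why you want both mechanisms: a forwarder changes the sending IP and breaks SPF, but a DKIM signature that survives the hop still lets the message pass.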

Summary

Record   What it does                                            Protects you from
SPF      Lists the servers allowed to send for your domain       Fake senders
DKIM     Adds a digital signature to each message                Tampering, forgery
DMARC    Sets the policy when SPF/DKIM fail or do not align      Spoofing, phishing

Together they improve deliverability, protect your domain from being impersonated, and keep your legitimate mail out of spam.