Email is one of the most impersonated communication channels on the internet. Attackers routinely forge "From" addresses to trick recipients into trusting malicious messages. Three DNS-based protocols — SPF, DKIM, and DMARC — form a layered defence that verifies the sender's identity and tells receiving mail servers what to do when verification fails.
What Is SPF?
Sender Policy Framework (SPF) is a DNS TXT record that lists every mail server authorised to send email on behalf of your domain. When a receiving server gets a message claiming to be from @example.com, it queries the SPF record for example.com and checks whether the sending server's IP address is on the approved list.
- Prevents spammers from sending email using your domain as the return-path address.
- Published as a TXT record at the apex of your domain (e.g. example.com).
- Evaluated against the envelope sender (MAIL FROM), not the visible From header.
```
v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.1 ~all
# v=spf1 — SPF version
# include:... — authorise Google Workspace and SendGrid mail servers
# ip4:... — authorise a specific IP directly
# ~all — soft-fail all other senders (use -all for hard-fail)
```
What Is DKIM?
DomainKeys Identified Mail (DKIM) adds a cryptographic signature to every outgoing email. The sending mail server signs the message with a private key, and the corresponding public key is published in DNS. Receiving servers retrieve the public key and use it to verify that the message body and selected headers have not been altered in transit.
- Verifies message integrity — any tampering invalidates the signature.
- Authenticates the signing domain, which may differ from the visible From address.
- Published as a TXT record at selector._domainkey.example.com.
```
# Record name: google._domainkey.example.com
v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC...
# v=DKIM1 — DKIM version
# k=rsa — key type (rsa is most common; ed25519 is more modern)
# p=... — the base64-encoded public key
```
What Is DMARC?
Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on top of SPF and DKIM. It answers two questions SPF and DKIM cannot answer on their own:
- Alignment: Does the domain in the visible From header match the domain that passed SPF or DKIM?
- Policy: What should the receiving server do if a message fails alignment checks — deliver it, quarantine it, or reject it outright?
DMARC also enables aggregate and forensic reporting — domain owners receive XML reports from major mail providers showing which sources are sending email on their behalf and whether authentication is passing or failing.
```
# Record name: _dmarc.example.com
v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; ruf=mailto:forensics@example.com; pct=100
# p=reject — reject messages that fail DMARC (use none → quarantine → reject progressively)
# rua= — aggregate report destination
# ruf= — forensic report destination
# pct= — percentage of messages subject to the policy (100 = all)
```
How SPF, DKIM, and DMARC Work Together
Each protocol addresses a different aspect of email authentication. They are designed to be used together:
| Protocol | What It Checks | What It Cannot Do |
|---|---|---|
| SPF | Sending server is authorised for the envelope domain | Does not protect the visible From header; breaks with forwarding |
| DKIM | Message body and headers are unaltered; signing domain is verified | Does not specify what to do on failure; signing domain may differ from From |
| DMARC | From header aligns with SPF/DKIM domain; enforces a policy on failure | Requires at least one of SPF or DKIM to pass and align |
A message passes DMARC if at least one of the following is true:
- SPF passes and the SPF domain aligns with the From header domain.
- DKIM passes and the DKIM signing domain aligns with the From header domain.
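The DMARC decision described above, written out as an added example (this is not code from the original page): it parses a DMARC record, applies relaxed or strict alignment from the aspf/adkim tags, and returns the result together with the disposition the p= policy calls for. The organisational-domain helper is a deliberate simplification (last two labels) and is labelled as such; pct= and sp= are left out.

```python
def org_domain(domain):
    """Organisational domain, simplified here to the last two labels.
    Assumption of this example: a production checker consults the Public
    Suffix List so that mail.example.co.uk maps to example.co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(record):
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags


def aligned(from_domain, auth_domain, mode):
    """Relaxed ('r') alignment compares organisational domains; strict ('s')
    requires the visible From domain and the authenticated domain to match exactly."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf=None, dkim=None):
    """Return (dmarc_result, disposition).

    spf  = (result, envelope MAIL FROM domain) as produced by the SPF check
    dkim = (result, d= signing domain) as produced by DKIM verification
    The message passes if either identifier passed *and* aligns with From;
    on failure the disposition is the record's p= policy.
    """
    tags = parse_dmarc(record)
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(from_domain, spf[1], tags.get("aspf", "r")))
    dkim_ok = (dkim is not None and dkim[0] == "pass"
               and aligned(from_domain, dkim[1], tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")
```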
Recommended Deployment Order
- Publish an SPF record listing all your legitimate sending services. Use ~all (soft-fail) initially to avoid breaking existing email flows.
- Enable DKIM signing on each sending service (your email platform, newsletter tool, transactional email provider, etc.). Publish the public key in DNS for each selector.
- Start DMARC at p=none to collect aggregate reports without affecting mail delivery. Monitor the reports to identify all legitimate sending sources.
- Move to p=quarantine once you are confident the reports show only expected senders. Unauthenticated mail will go to the spam folder rather than the inbox.
- Enforce p=reject to block unauthenticated email outright. This is the goal for full protection.
Impact on Email Deliverability
Beyond security, SPF, DKIM, and DMARC have a direct effect on deliverability. Major providers — including Google, Microsoft, and Yahoo — use DMARC compliance as a signal for inbox placement. Domains without DMARC are increasingly likely to see their email routed to spam or blocked entirely.
In February 2024, Google and Yahoo mandated that bulk senders (sending more than 5,000 emails per day to their users) must have SPF, DKIM, and a DMARC record in place. Domains without these records face rejection at the gateway.
Frequently Asked Questions
Do I need all three protocols?
Yes. SPF and DKIM each protect against different attack vectors, and neither alone enforces what happens when authentication fails. DMARC ties them together and provides the policy enforcement and reporting that make the system effective.
Can I implement DMARC without DKIM?
Technically yes — DMARC can pass on SPF alignment alone. However, SPF breaks when email is forwarded, so without DKIM you will see false DMARC failures for forwarded mail. DKIM is strongly recommended alongside SPF for robust coverage.
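The SPF evaluation behind this answer, as an added example (not code from the original page): it walks an SPF record's mechanisms in order for a given sending IP and returns the qualifier's result, resolving include: from a constructed in-memory table rather than live DNS. The record values and the forwarder address are constructed for the example; a forwarding host's IP is simply not in the record, which is why forwarded mail lands on ~all.

```python
import ipaddress

# Constructed records for this example; include: targets are looked up here
# instead of in DNS so the check runs offline.
SPF_RECORDS = {
    "example.com": "v=spf1 include:_spf.mailer.example ip4:203.0.113.1 ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}
FORWARDER_IP = "192.0.2.9"   # constructed: a mailbox that forwards to another provider

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, records=SPF_RECORDS, depth=0):
    """Return the SPF result for sender_ip sending on behalf of domain."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:     # mechanisms are evaluated left to right
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name in ("ip4", "ip6"):
            # a v4 address is never inside a v6 network and vice versa
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "include":
            matched = check_spf(arg, sender_ip, records, depth + 1) == "pass"
        elif name == "all":
            matched = True
        else:
            continue                    # a, mx, ptr, exists need DNS; skipped offline
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no all term
```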
What is the difference between relaxed and strict DMARC alignment?
In relaxed mode (the default), the organisational domain in the From header just needs to match the organisational domain used for SPF/DKIM — subdomains are allowed. In strict mode, the domains must match exactly. Strict mode is safer but can break legitimate use of subdomains as sending addresses.
How long does it take for DMARC reports to arrive?
Aggregate reports are typically sent once per day by participating mail providers. Forensic reports (for individual failures) may arrive sooner but are not sent by all providers. Allow 24–48 hours after publishing your record before expecting reports.
Will implementing DMARC break my existing email?
Starting at p=none means DMARC is monitoring-only and will not affect mail flow. Only move to quarantine or reject once you have reviewed reports and confirmed all legitimate sending sources are properly authenticated.