
SPF, DKIM, and DMARC



What Are SPF, DKIM, and DMARC?

These three are email authentication methods that help prevent email spoofing—when someone fakes your domain to send spam or phishing emails. Think of them as security guards that verify whether an email claiming to be from your domain is legitimate.


SPF (Sender Policy Framework)

What it does:
SPF tells the world which servers are allowed to send email on behalf of your domain.

Layman analogy:
Imagine a guest list at a party. SPF is the list that says, “Only these people (servers) are allowed in.” If someone not on the list tries to send email as you, they get rejected or flagged.

DNS record format (TXT record):

v=spf1 +a +mx include:spf.ipns.com ip4:xxx.xxx.xxx.xxx -all

Breakdown:

  • v=spf1: Version of SPF
  • +a: Include all A records in the zone
  • +mx: Include all MX records in the zone
  • include:spf.ipns.com: Includes all of our sending IP addresses across our network; this entry must be present
  • ip4:xxx.xxx.xxx.xxx: Only needed for sending IP addresses that are off-network (xxx.xxx.xxx.xxx is a placeholder for the real address)
  • -all: Reject everything else

DKIM (DomainKeys Identified Mail)

What it does:
DKIM adds a digital signature to your emails, proving they haven’t been tampered with and were really sent by your domain. The sending server signs each message with a private key that never leaves the server; the matching public key is published in the domain's zone as a TXT record, and receiving servers use it to check that the signature is authentic.

For every server that sends email under your domain, you need a DKIM key pair generated on that server (where the private key resides) and its public key published as a DKIM record in your zone. An example would be a remotely hosted industry forum that you participate in.

Layman analogy:
It’s like sealing a letter with a wax stamp that only you have. If the stamp matches, the recipient knows it’s authentic.

DNS record format (TXT record) example:

default._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA..."

Breakdown:

  • default._domainkey: Selector used to find the DKIM key. The selector name ('default' here) will be different for off-network DKIM records.
  • v=DKIM1: Version
  • k=rsa: Key type (RSA)
  • p=...: Public key used to verify the signature

DMARC (Domain-based Message Authentication, Reporting & Conformance)

What it does:
DMARC tells email providers what to do if SPF or DKIM checks fail—and sends you reports about who’s trying to spoof your domain. We suggest setting your record to 'quarantine' so that if your email gets flagged on a receiving mail server, it will be quarantined for your correspondent to review, rather than rejected. You can add a contact email to receive reports if your email fails authenticity checks.

Layman analogy:
It’s like telling the bouncer, “If someone shows a fake ID or isn’t on the guest list, have them stand outside till we confirm.”

DNS record format (TXT record):

_dmarc.example.com IN TXT "v=DMARC1;p=quarantine;sp=quarantine;adkim=r;aspf=r;pct=100;fo=0;rf=afrf;ri=86400;rua=mailto:dmarc-reports@example.com"

Breakdown:

  • v=DMARC1: Version
  • p=quarantine: Domain Policy (reject, quarantine, or none)
  • sp=quarantine: Subdomain Policy (reject, quarantine, or none)
  • adkim=r: Relaxed DKIM alignment, so a signature from a subdomain of your domain still aligns
  • aspf=r: Relaxed SPF alignment, so an SPF pass for a subdomain of your domain still aligns
  • pct=100: Apply the DMARC policy to 100% of emails
  • fo=0: Send a failure report only when both SPF and DKIM fail (other options: 1 = either fails, d = DKIM fails, s = SPF fails)
  • rf=afrf: Aggregate Feedback Report Format
  • ri=86400: Send reports every 86,400 seconds (once per day)
  • rua=mailto:...: Where to send reports, if you want to receive them

Summary Table

Protocol   Purpose                      DNS Record Type   Example
SPF        Lists allowed senders        TXT               v=spf1 +a +mx include:spf.ipns.com -all
DKIM       Verifies email integrity     TXT               default._domainkey IN TXT "v=DKIM1; k=rsa; p=..."
DMARC      Sets policy & gets reports   TXT               v=DMARC1;p=quarantine;sp=quarantine;adkim=r...
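As an added example that is not part of this article, the script below parses the three TXT record shapes shown above (the TXT value only, without the owner name) and flags the weak settings a domain owner should fix; the sample records, the 203.0.113.10 address and the function names are constructed for illustration.

```python
# Constructed sample records modelled on the formats above (not live DNS data).
SPF_RECORD = "v=spf1 +a +mx include:spf.ipns.com ip4:203.0.113.10 -all"
DKIM_RECORD = "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBA"
DMARC_RECORD = ("v=DMARC1;p=quarantine;sp=quarantine;adkim=r;aspf=r;pct=100;"
                "fo=0;rf=afrf;ri=86400;rua=mailto:dmarc-reports@example.com")


def parse_spf(txt):
    """Return [(qualifier, mechanism), ...]; a bare mechanism means '+'."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        parsed.append((qualifier, term))
    return parsed


def parse_tags(txt):
    """Parse a DKIM or DMARC 'tag=value; tag=value' list into a dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(spf, dkim, dmarc):
    """Return findings a domain owner should fix; [] means the set looks sound."""
    findings = []
    all_q = next((q for q, m in parse_spf(spf) if m.lower() == "all"), None)
    if all_q in (None, "+"):  # no 'all' term or '+all': any server passes
        findings.append("SPF: missing 'all' term or '+all' lets any server pass")
    elif all_q == "?":  # neutral result gives receivers nothing to act on
        findings.append("SPF: '?all' is neutral and gives receivers no signal")
    key = parse_tags(dkim)
    if key.get("v") != "DKIM1" or not key.get("p"):  # empty p= means revoked
        findings.append("DKIM: bad version or empty p= (an empty key means revoked)")
    pol = parse_tags(dmarc)
    if pol.get("p", "none") == "none":
        findings.append("DMARC: p=none only monitors; use quarantine or reject")
    if int(pol.get("pct", "100")) < 100:
        findings.append("DMARC: pct below 100 leaves part of the mail unenforced")
    if "rua" not in pol:
        findings.append("DMARC: no rua= address, so aggregate reports are lost")
    return findings
```

Running audit() on the three sample records returns an empty list; feeding it a record set with '+all', an empty p= and p=none returns one finding per weakness.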
