SPF, DKIM, and DMARC: The Complete Email Authentication Guide

SPF, DKIM, and DMARC are the three pillars of email authentication. Each serves a different purpose, but together they protect your domain from spoofing and help your legitimate emails reach the inbox.

If you're setting up email authentication for the first time, or trying to understand why your emails are failing, here's what you need to know about each protocol and how they work together.

The Three Protocols at a Glance

Before diving into details, here's what each protocol does:

SPF verifies that the sending server is authorized to send email for your domain.

DKIM adds a digital signature to prove the email hasn't been tampered with.

DMARC ties SPF and DKIM together and tells receivers what to do when authentication fails.

You need all three for complete email authentication. Here's why.

SPF: Who Can Send Email for Your Domain

SPF (Sender Policy Framework) is a list of servers authorized to send email on behalf of your domain. You publish this list as a DNS record, and receiving mail servers check it to verify incoming email.

How SPF Works

When an email arrives, the receiving server:

1. Looks at the envelope sender domain (Return-Path)
2. Queries DNS for that domain's SPF record
3. Checks if the sending server's IP is in the authorized list
4. Returns pass, fail, softfail, or neutral

What an SPF Record Looks Like

v=spf1 include:_spf.google.com include:sendgrid.net -all

This record says: accept email from Google's servers and SendGrid's servers, and reject everything else (-all).

SPF Limitations

SPF has one major weakness: it only checks the envelope sender, not the From header that recipients see. An attacker can pass SPF with their own domain while displaying your domain in the From field.

That's why SPF alone isn't enough.

You can check your SPF record to verify it's configured correctly.

DKIM: Proving Email Integrity

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails. This signature proves the email came from your domain and hasn't been modified in transit.

How DKIM Works

When you send an email:

1. Your mail server creates a hash of the email content
2. It encrypts that hash with your private key
3. It adds the encrypted signature to the email headers

When the email arrives:

1. The receiving server extracts the DKIM signature
2. It looks up your public key in DNS
3. It decrypts the signature and compares the hash
4. If they match, DKIM passes

What a DKIM Record Looks Like

DKIM uses a selector to identify which key to use:

selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBg..."

The p= value is your public key.

DKIM Limitations

DKIM proves the email is authentic, but like SPF, it doesn't control what happens when authentication fails. A spoofer could simply not sign their fake emails.

You can test your DKIM setup to verify your keys are working.

DMARC: Bringing It All Together

DMARC (Domain-based Message Authentication, Reporting & Conformance) is the policy layer that makes SPF and DKIM useful for protection against spoofing.

What DMARC Adds

DMARC solves the limitations of SPF and DKIM by:

1. Requiring alignment: The domain that passes SPF or DKIM must match the From address domain
2. Defining policy: You specify what happens to emails that fail (none, quarantine, reject)
3. Providing reports: You receive feedback about who's sending email as your domain

How DMARC Works

When an email arrives:

1. The receiving server checks the From header domain
2. It looks up the DMARC record for that domain
3. It verifies that SPF or DKIM passes AND aligns with the From domain
4. It applies your policy if authentication fails
5. It sends you a report about what happened

What a DMARC Record Looks Like

v=DMARC1; p=reject; rua=mailto:dmarc@example.com

This says: reject emails that fail DMARC and send aggregate reports to dmarc@example.com.

How the Three Work Together

Here's a real-world example of the authentication flow:

Scenario: You send an email from your company's Google Workspace account.

1. SPF Check

   • Envelope sender: bounces@example.com
   • Sending IP: Google's mail server
   • SPF record includes Google → SPF passes
   • Domain matches From header → SPF aligns

2. DKIM Check

   • Email is signed with d=example.com
   • Public key found in DNS
   • Signature validates → DKIM passes
   • Signing domain matches From header → DKIM aligns

3. DMARC Result

   • At least one mechanism passed with alignment
   • DMARC passes → Email delivered normally

Now consider a spoofing attempt:

Scenario: An attacker tries to send email pretending to be from your domain.

1. SPF Check

   • Sending IP: Attacker's server (not in your SPF)
   • SPF fails (or passes for attacker's domain, but doesn't align)

2. DKIM Check

   • No valid signature for your domain
   • DKIM fails

3. DMARC Result

   • Neither mechanism passed with alignment
   • Your policy is p=reject
   • Email blocked

Setting Up All Three

The recommended order for implementation:

Step 1: Set Up SPF

Create an SPF record listing all services that send email as your domain:

v=spf1 include:_spf.google.com include:sendgrid.net -all

Verify with SPF Record Check.

Step 2: Set Up DKIM

Configure each email-sending service to sign with your domain. This typically involves:

1. Generating a key pair (the service usually does this)
2. Adding the public key to your DNS
3. Enabling signing in the service

Verify with DKIM Test.

Step 3: Set Up DMARC

Start with a monitoring policy to collect data:

v=DMARC1; p=none; rua=mailto:dmarc@example.com

Review reports for 2-4 weeks, fix any issues, then progress to enforcement.

If you need help creating a DMARC record, use DMARC Creator.

Common Problems and Solutions

"SPF passes but DMARC fails"

This usually means SPF alignment failed. The envelope sender domain doesn't match the From header domain. Configure your sending service to use a custom return-path on your domain.

"DKIM passes but DMARC fails"

The DKIM signature domain doesn't match the From header. Configure your sending service to sign with your domain, not theirs.

"Everything passes for my mail server but fails for third-party services"

Each service that sends email as your domain needs SPF and DKIM configured separately. Check your marketing platform, CRM, support desk, and any other services.

"I'm not receiving DMARC reports"

Verify your rua= address is correct and the mailbox exists. Some services require DNS verification to receive reports for external domains.

Checking Your Setup

After configuring all three protocols:

1. Check SPF - Verify all sending IPs are included
2. Check DKIM - Verify keys are published correctly
3. Check DMARC - Verify your policy and reporting are configured
4. Send test emails and check headers for pass/fail results
5. Monitor DMARC reports for any failures

Monitor Your DMARC Records

Checking once is good. Monitoring continuously is better. The Email Deliverability Suite watches your SPF, DKIM, DMARC, and MX records daily and alerts you when something breaks.