SPF, DKIM and DMARC Explained
Email's "From" address is trivially forgeable. Three DNS records let receiving servers verify that a message really came from your domain.
The three records
| Record | Question it answers | Published at |
|---|---|---|
| SPF | Is this sending IP allowed to send for the domain? | TXT at the domain |
| DKIM | Is this message cryptographically signed by the domain? | TXT at `<selector>._domainkey.<domain>` |
| DMARC | What to do if SPF/DKIM fail, and where to report? | TXT at `_dmarc.<domain>` |
How they work together
DMARC ties SPF and DKIM to the visible From: domain (this is called alignment). A message passes DMARC if either SPF or DKIM passes and aligns. DKIM is the more robust of the two because its signature survives mailing lists and forwarding, which break SPF.
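The alignment rule above, worked through in code. This is an added example, not code from the original article: it takes the SPF and DKIM results a receiver has already computed and combines them with identifier alignment the way DMARC does before the `p=` policy is applied. The `org_domain` helper is an assumption that approximates the organizational domain as the last two labels; real receivers consult the Public Suffix List. The scenarios at the bottom (direct send, forwarded message, cross-domain spoof, subdomain sender) are constructed, not captured mail.

```python
# Added example, not code from the original article.
# Assumption: organizational domain = last two labels (real receivers use the
# Public Suffix List). Results "pass"/"fail"/"none" are precomputed upstream.

def org_domain(domain: str) -> str:
    """Approximate the organizational domain (example.com for mail.example.com).
    Assumption: last two DNS labels; a real implementation uses the Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment.
    's' (strict) needs an exact match with the From: domain;
    'r' (relaxed, the DMARC default) only needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_verdict(from_domain: str,
                  spf_result: str, spf_domain: str,
                  dkim_result: str, dkim_domain: str,
                  aspf: str = "r", adkim: str = "r") -> str:
    """Pass if SPF or DKIM passed AND that identifier aligns with the From: domain.
    spf_domain is the MAIL FROM domain the SPF check ran against;
    dkim_domain is the d= tag of the signature that verified ('' if none did)."""
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, aspf)
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, adkim)
    return "pass" if spf_ok or dkim_ok else "fail"


if __name__ == "__main__":
    # Constructed scenarios, not real messages.
    cases = {
        "direct send": ("example.com", "pass", "example.com", "pass", "example.com"),
        "forwarded: SPF breaks, DKIM survives": ("example.com", "fail", "example.com", "pass", "example.com"),
        "spoof: SPF passes, but for the sender's own domain": ("example.com", "pass", "attacker.example", "none", ""),
        "subdomain From:, relaxed alignment": ("news.example.com", "pass", "example.com", "none", ""),
    }
    for name, args in cases.items():
        print(f"{name}: {dmarc_verdict(*args)}")
```

The third scenario is the one the article's opening sentence is about: a message whose SPF check passes for some unrelated MAIL FROM domain still fails DMARC, because the passing identifier does not align with the visible From: domain. Switch the subdomain case to `aspf="s"` and it fails too, which is why strict alignment is usually only worth enabling once you know every legitimate sender uses the exact From: domain.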
Deploy safely
- Publish SPF listing your real senders, ending in `~all`.
- Enable DKIM at your mail provider and publish the public key.
- Start DMARC at `p=none` with a `rua=` reporting address.
- Read the aggregate reports, fix any legitimate source that fails, then tighten to `p=quarantine` and finally `p=reject`.
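A small checker for the rollout steps above, as an added example that is not part of the original article. It parses the TXT values you would publish, flags the mistakes the checklist is designed to avoid (a missing or `+all` terminator on SPF, a DMARC record with no `rua=` address or an invalid `p=`), and reports the next policy stage. The SPF and DMARC strings, the `192.0.2.0/24` range and the `.example` domains are constructed samples; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional

# Added example, not code from the original article. The sample records use
# RFC 5737 documentation addresses and reserved .example names (constructed).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT value ('tag=value; tag=value') into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(txt: str) -> Optional[str]:
    """Return the qualifier on the 'all' mechanism: '+', '-', '~' or '?'.
    A bare 'all' means '+all'. Returns None when the record has no 'all' term."""
    for term in txt.split():
        match = re.fullmatch(r"([+\-~?])?all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"
    return None


def review_records(spf_txt: str, dmarc_txt: str) -> List[str]:
    """Check both records against the rollout checklist; an empty list means OK."""
    findings: List[str] = []
    if spf_txt.lower().split()[:1] != ["v=spf1"]:
        findings.append("SPF: value must start with 'v=spf1'")
    qualifier = spf_all_qualifier(spf_txt)
    if qualifier is None:
        findings.append("SPF: no 'all' term, so unlisted IPs get a Neutral result")
    elif qualifier == "+":
        findings.append("SPF: '+all' authorises every IP; end with ~all (or -all)")
    tags = parse_dmarc(dmarc_txt)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC: value must start with 'v=DMARC1'")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        findings.append("DMARC: p= must be none, quarantine or reject")
    if not tags.get("rua", "").startswith("mailto:"):
        findings.append("DMARC: no rua=mailto: address, so no aggregate reports will arrive")
    return findings


def next_policy(current: str) -> Optional[str]:
    """The next tightening step in the rollout, or None once at p=reject."""
    order = ["none", "quarantine", "reject"]
    if current not in order or current == "reject":
        return None
    return order[order.index(current) + 1]


if __name__ == "__main__":
    for line in review_records(SAMPLE_SPF, SAMPLE_DMARC) or ["no findings"]:
        print(line)
    print("next step:", next_policy(parse_dmarc(SAMPLE_DMARC)["p"]))
```

Run it against the record you intend to publish before changing DNS; the `rua=` check matters most, since without it the reporting period in the next step produces nothing to read.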
Note: Don't jump straight to `p=reject`. Without a reporting period you risk silently dropping your own newsletters, ticketing systems and third-party senders.