SPF, DKIM and DMARC explained for beginners, including how these DNS records help protect business email and improve deliverability.
SPF, DKIM and DMARC are three email authentication technologies that help protect your domain from spoofing, improve email deliverability and increase trust with receiving mail providers such as Gmail, Outlook and Yahoo.
If you run a business website, send invoices, receive enquiries through contact forms or use email marketing platforms, understanding these DNS records is essential. Modern email systems increasingly rely on authentication records to determine whether messages should be delivered, filtered into spam folders or rejected completely.
While the names sound technical, the underlying concepts are straightforward. SPF verifies which servers are allowed to send email for your domain, DKIM verifies that email content has not been modified during delivery and DMARC tells receiving mail servers how to handle messages that fail authentication checks.
SPF, DKIM and DMARC work together to verify email senders, protect against spoofing and improve deliverability.
SPF (Sender Policy Framework) is a DNS TXT record that specifies which mail servers are authorised to send email on behalf of your domain. When an email arrives claiming to come from your domain, the receiving mail server checks your SPF record to see whether that server is permitted to send mail.
For example, if your business uses Microsoft 365, Google Workspace or a marketing platform such as Mailchimp, those services should be included within your SPF record. If an attacker attempts to send email from an unauthorised server while pretending to be your domain, SPF can help identify the message as suspicious.
One of the most common mistakes is creating multiple SPF records. A domain should have only one SPF record, and that record should list all authorised email providers and services.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing email messages. Receiving mail servers use a public key stored in DNS to verify that the message has not been altered after leaving the sender.
Unlike SPF, which validates the sending server, DKIM validates the integrity of the email itself. If the message is modified during transit, the DKIM verification check will fail.
Most modern email providers support DKIM and provide the necessary DNS records automatically. Once configured correctly, DKIM works silently in the background with very little ongoing management required.
DMARC (Domain-based Message Authentication, Reporting and Conformance) builds upon SPF and DKIM by defining what should happen when authentication checks fail.
DMARC policies can be configured in three stages:
DMARC reporting also provides valuable insight into which systems are sending email using your domain, helping identify configuration problems and potential spoofing attempts.
| Technology | Primary Purpose | Benefit |
|---|---|---|
| SPF | Validates authorised sending servers. | Helps prevent unauthorised systems sending email from your domain. |
| DKIM | Validates message integrity. | Confirms email content has not been modified during delivery. |
| DMARC | Applies authentication policies and reporting. | Provides visibility and protection against domain spoofing. |
Together, SPF, DKIM and DMARC form the foundation of modern email authentication. Businesses that correctly implement all three technologies generally benefit from improved deliverability, reduced spoofing risks and greater trust from customers and email providers.
Before making changes, document your current DNS records and identify every service that sends email using your domain. Small configuration errors can have a significant impact on deliverability.
Most domain registrars and hosting providers allow you to view and edit DNS TXT records. DNS lookup tools can be used to verify that SPF, DKIM and DMARC records are published correctly and returning the expected results.
After making changes, allow time for DNS propagation and send test emails to multiple providers such as Gmail and Outlook. Reviewing the authentication results within email headers is one of the best ways to confirm that your configuration is working correctly.
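To make the header review above repeatable, the following added example (not part of the original page) reads the `Authentication-Results` header from a saved test message and lists any of the three checks that are missing or did not pass. The sample message, hostnames, domain and selector are constructed placeholders.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample: headers as a receiving provider might add them to a test
# message. Hostnames, domains and the selector are placeholders.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce@example.com;
 dkim=fail (body hash did not verify) header.d=example.com header.s=selector1;
 dmarc=pass header.from=example.com
From: Accounts <accounts@example.com>
To: test@receiver.example
Subject: Authentication test

Test body.
"""

METHODS = ("spf", "dkim", "dmarc")
RESULT_RE = re.compile(r"^\s*([a-z0-9-]+)\s*=\s*([a-z]+)", re.IGNORECASE)


def auth_results(raw_message):
    """Return {method: [results]} from every Authentication-Results header."""
    msg = message_from_string(raw_message, policy=default)
    found = {m: [] for m in METHODS}
    for header in msg.get_all("Authentication-Results", []):
        # Unfold the header, then drop parenthesised comments.
        text = re.sub(r"\([^)]*\)", "", " ".join(str(header).split()))
        # The first segment names the server that ran the checks; skip it.
        for segment in text.split(";")[1:]:
            match = RESULT_RE.match(segment)
            if match and match.group(1).lower() in found:
                found[match.group(1).lower()].append(match.group(2).lower())
    return found


def problems(raw_message):
    """List the methods that are missing or did not report 'pass'."""
    issues = []
    for method, results in auth_results(raw_message).items():
        if not results:
            issues.append(f"{method}: no result recorded")
        elif "pass" not in results:
            issues.append(f"{method}: {', '.join(results)}")
    return issues
```

Only rely on the `Authentication-Results` header added by your own receiving provider, which is named in the first segment of the header, because a sender can insert a forged copy further down the message.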
A quick recap of SPF, DKIM and DMARC for better email security and deliverability.
SPF ensures only authorised servers can send email on behalf of your domain, helping prevent spoofing.
DKIM adds a digital signature to emails to confirm that the message has not been altered in transit.
DMARC builds on SPF and DKIM by telling email providers how to handle failed authentication attempts.
Together, these three technologies form the foundation of modern email security, helping businesses protect their brand, improve deliverability and reduce the risk of email spoofing.