Email remains one of the most exploited attack vectors for businesses, with phishing and spoofing among the most common entry points for successful breaches. If your domain lacks email authentication, attackers can send mail that appears to come from your company and deceive employees, customers, and partners. SPF, DKIM, and DMARC are three protocols, each configured through DNS records, that together let receiving servers verify that a message was sent by a server you authorized, was not altered in transit, and carries a From address that is genuinely yours. Implementing all three is no longer optional for any business that depends on email communication.
What Is SPF and How Does It Work?
Sender Policy Framework (SPF) is a DNS record that lists the mail servers authorized to send email on behalf of your domain. When a receiving mail server gets a message, it looks up the SPF record for the domain in the SMTP envelope sender (the MAIL FROM or Return-Path address, or the HELO name when the sender is empty, as it is for bounces) and checks whether the connecting server's IP address is on the list. Note that SPF checks this envelope domain, not the visible From header the recipient sees; tying the two together is DMARC's job. If the IP is not listed, the message fails SPF and can be flagged, quarantined, or rejected according to the receiver's own rules.
How to Create an SPF Record
An SPF record is a TXT record published in your domain's DNS. A basic SPF record looks like this:
v=spf1 include:spf.protection.outlook.com include:_spf.google.com -all
The include: directives pull in the SPF records of third-party services that send mail for your domain, such as Microsoft 365 or Google Workspace, so any IP they authorize is authorized for you. The -all at the end tells receiving servers that any other source should fail SPF; what the receiver does with that failure is its own decision, which is why DMARC is needed for enforcement. Using ~all (soft fail) is less strict and is typically used while you are still building your sender inventory; -all (hard fail) is the usual recommendation for production. One caveat: some receivers reject on an SPF hard fail at SMTP time, before DMARC is evaluated, so forwarded mail that would have passed DMARC through its DKIM signature can be lost under -all. Once your DMARC policy is at p=reject, ~all gives the same protection for the visible From domain with less collateral damage, and several DMARC deployment guides recommend it for that reason.
Common SPF Mistakes
The most frequent SPF error is exceeding the limit of 10 DNS lookups per evaluation. Every include:, a, mx, ptr, exists and redirect= term counts as one lookup, and the terms inside each included record add to the total; ip4: and ip6: terms cost nothing. Exceeding the limit produces a permerror rather than a pass or fail, and DMARC treats a permerror as an SPF failure, so an over-limit record authorizes nothing. The usual fix is to replace include: terms for services with static address ranges by their ip4:/ip6: blocks (often called flattening) and to drop services you no longer use. Other common mistakes include forgetting to authorize third-party senders such as marketing platforms and help desk software, and publishing multiple v=spf1 records for the same domain, which is also a permerror; combine them into one record.
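The checks described above can be run against a record before it is published. The following is an added example (not code from the original article or from any vendor): it enforces the one-record rule, counts the DNS-lookup terms reachable through nested include: and redirect= entries, and evaluates a sending IP against the ip4:/ip6: terms. The DNS data is an in-memory stand-in constructed for the example, and the include: targets (_spf.mailvendor.example, crm.example and so on) are invented names, not any real provider's records.

```python
"""Lint an SPF record offline: enforce the one-record rule, count the
DNS-lookup terms it needs (following include: and redirect= recursively),
and evaluate a sending IP against ip4:/ip6: terms.

The DNS data is constructed for this example; the include: targets are
invented names, not the real records of any provider."""
import ipaddress

# Constructed stand-in for TXT lookups. Real code would query a resolver.
FAKE_DNS = {
    "example.com": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example include:crm.example -all",
    ],
    "_spf.mailvendor.example": [
        "v=spf1 include:_a.mailvendor.example include:_b.mailvendor.example ~all",
    ],
    "_a.mailvendor.example": ["v=spf1 ip4:198.51.100.0/24 -all"],
    "_b.mailvendor.example": ["v=spf1 a mx ip6:2001:db8::/32 -all"],
    "crm.example": ["v=spf1 include:_a.mailvendor.example -all"],
    # A domain that wrongly publishes two SPF records.
    "broken.example": ["v=spf1 ip4:192.0.2.1 -all", "v=spf1 mx -all"],
}

# Terms that cost a DNS query under RFC 7208 section 4.6.4 (ip4/ip6/all do not).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf(domain, dns=FAKE_DNS):
    """Return the domain's SPF record; zero or multiple records are a permerror."""
    records = [r for r in dns.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(records) != 1:
        raise ValueError(f"{domain}: expected exactly one SPF record, found {len(records)}")
    return records[0]


def split_term(term):
    """Split '-include:x', 'ip4:1.2.3.0/24', 'redirect=x' or 'mx' into (qualifier, name, value)."""
    qualifier = "+"
    if term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    sep = ":" if ":" in term else "="
    name, _, value = term.partition(sep)
    return qualifier, name.lower(), value


def count_lookups(domain, dns=FAKE_DNS, _path=()):
    """Count DNS-querying terms reachable from the record, as a receiver would."""
    if domain in _path:                       # include/redirect loop: stop counting
        return 0
    total = 0
    for term in get_spf(domain, dns).split()[1:]:
        _, name, value = split_term(term)
        if name in LOOKUP_TERMS:
            total += 1
        if name in ("include", "redirect") and value:
            total += count_lookups(value, dns, _path + (domain,))
    return total


def check_ip(domain, ip, dns=FAKE_DNS):
    """Evaluate ip against ip4:/ip6:/include:/all terms. a/mx/ptr/exists would
    need live DNS and are skipped here (treated as no match)."""
    addr = ipaddress.ip_address(ip)
    for term in get_spf(domain, dns).split()[1:]:
        qualifier, name, value = split_term(term)
        matched = False
        if name in ("ip4", "ip6"):
            matched = addr in ipaddress.ip_network(value, strict=False)
        elif name == "include":           # include: matches only if the target yields pass
            matched = check_ip(value, ip, dns) == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def lint(domain, dns=FAKE_DNS):
    """Summarize the record's health: permerror, or lookup count against the limit."""
    try:
        lookups = count_lookups(domain, dns)
    except ValueError as err:
        return {"permerror": str(err)}
    return {"lookups": lookups, "within_limit": lookups <= MAX_LOOKUPS}


if __name__ == "__main__":
    print(lint("example.com"))                          # 7 lookups, within limit
    print(lint("broken.example"))                       # permerror: two records
    print(check_ip("example.com", "198.51.100.7"))      # pass, via nested include
    print(check_ip("example.com", "192.0.2.5"))         # fail, from -all
```

The constructed example.com record costs 7 lookups even though it contains only two include: terms, because the vendor's record nests two more and one of those uses a and mx. Swapping a live resolver in for FAKE_DNS turns this into a pre-publication check for a real domain.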
What Is DKIM and Why Does It Matter?
DomainKeys Identified Mail (DKIM) adds a cryptographic signature to outgoing email. The sending server signs a set of selected headers (From, Subject, Date, and others listed in the signature's h= tag) together with a hash of the message body, using a private key, and places the result in a DKIM-Signature header. The matching public key is published in DNS at selector._domainkey.yourdomain.com, where the selector is named in the signature's s= tag and the domain in its d= tag. The receiving server fetches that key and verifies that the signed headers and the body have not changed since the message was signed.
How DKIM Protects Your Email
While SPF verifies the sending server, DKIM verifies the message itself, and the signature travels with the message. When mail is forwarded unchanged, SPF fails because the forwarder's IP is not in your record, but the DKIM signature still verifies, so the message can still pass DMARC. The caveat is that anything which modifies the signed content breaks the signature: mailing lists that add a subject tag or a footer are the classic case, which is why many lists now rewrite the From address of messages from DMARC-protected domains. DKIM is especially important for businesses that send transactional emails, marketing campaigns, and automated notifications, as it lets recipients confirm that those messages genuinely came from your organization.
Setting Up DKIM
Most email platforms, including Microsoft 365, Google Workspace, and the major email marketing services, provide DKIM signing. Setup typically involves generating a DKIM key pair through the provider and publishing the public key in your DNS, either as a TXT record or as a CNAME that points at a record the provider hosts. Use 2048-bit RSA keys where the provider supports them; 1024 bits is the minimum receivers still accept. Each sending service needs its own selector so that keys can be rotated independently, so a business using several platforms configures DKIM for each one and should confirm that each service signs with your domain in d= rather than with its own.
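To make the integrity check concrete, here is an added example (not code from the article or from any mail platform) that implements the body-hash half of DKIM verification: it canonicalizes a message body under the simple and relaxed rules from RFC 6376, recomputes the bh= value from a DKIM-Signature header, and shows which in-transit changes survive. The RSA signature over the headers (the b= tag) is not checked and is left empty in the sample header, since no private key is involved; the message body, selector mail2024 and domain example.com are constructed for the example.

```python
"""Verify the body hash (bh=) of a DKIM-Signature header against a message
body using the RFC 6376 body canonicalizations, then show which changes a
mailing list or forwarder can make without breaking it. Only the body-hash
half of verification is implemented; the RSA signature over the headers
(the b= tag) is not checked, and b= is left empty in the sample header.
The message, selector and domain are constructed for this example."""
import base64
import hashlib
import re


def canonicalize_body(body, mode="simple"):
    """RFC 6376 section 3.4: 'simple' drops trailing empty lines; 'relaxed'
    also strips trailing whitespace on each line and collapses runs of
    spaces/tabs to a single space. The result always ends with CRLF."""
    lines = body.split("\r\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode="simple", algo="sha256"):
    """Base64 digest of the canonicalized body, i.e. the bh= value."""
    digest = hashlib.new(algo, canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_signature(header_value):
    """Parse 'tag=value; tag=value' into a dict, discarding folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def dkim_dns_name(tags):
    """Where a verifier fetches the public key: <selector>._domainkey.<d=>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def verify_body_hash(header_value, body):
    """True if the body still matches bh= under the body canonicalization in c=."""
    tags = parse_dkim_signature(header_value)
    _, _, body_mode = tags.get("c", "simple/simple").partition("/")
    algo = "sha1" if tags.get("a", "rsa-sha256").endswith("sha1") else "sha256"
    return body_hash(body, body_mode or "simple", algo) == tags["bh"]


# Constructed message body as the signer saw it.
BODY = "Hello team,\r\n\r\nYour invoice is attached.   \r\n\r\n\r\n"

# Header a signer would emit for BODY (b= omitted: no private key in this example).
DKIM_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail2024;\r\n"
    " h=from:to:subject:date; bh=" + body_hash(BODY, "relaxed") + "; b="
)

# Changes in transit: whitespace only (survives relaxed) vs. an appended footer.
BODY_REWRAPPED = BODY.replace("Hello team,", "Hello   team,")
BODY_WITH_FOOTER = BODY.rstrip("\r\n") + "\r\n--\r\nSent via a mailing list\r\n"


if __name__ == "__main__":
    tags = parse_dkim_signature(DKIM_SIGNATURE)
    print("key record:", dkim_dns_name(tags))                              # mail2024._domainkey.example.com
    print("original:", verify_body_hash(DKIM_SIGNATURE, BODY))             # True
    print("rewrapped:", verify_body_hash(DKIM_SIGNATURE, BODY_REWRAPPED))  # True
    print("footer:", verify_body_hash(DKIM_SIGNATURE, BODY_WITH_FOOTER))   # False
```

Relaxed canonicalization is what lets a signature survive the whitespace rewrapping some gateways perform, while any real content change, such as the list footer, still fails. A complete verifier additionally canonicalizes the headers named in h=, fetches the key at the name dkim_dns_name() returns, and checks the b= signature with it.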
What Is DMARC and How Does It Tie Everything Together?
Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM by adding a policy layer and a reporting mechanism, published as a TXT record at _dmarc.yourdomain.com. It is the only one of the three that looks at the From header the recipient actually sees. A message passes DMARC if either SPF or DKIM passes and the domain that passed aligns with the From domain; DMARC tells receiving servers what to do when neither check produces an aligned pass, and it has them send reports back to you so you can monitor who is sending email using your domain.
DMARC Policies Explained
A DMARC record includes a policy directive that instructs receiving servers how to handle authentication failures:
- p=none - Monitor only. No action is taken on failing emails, but you receive reports. This is the starting point for most organizations.
- p=quarantine - Emails that fail authentication are sent to the spam or junk folder. This provides moderate protection while you refine your configuration.
- p=reject - Emails that fail authentication are blocked entirely. This is the strongest protection and the ultimate goal for every domain.
A basic DMARC record, published as a TXT record at _dmarc.yourdomain.com, looks like this:
v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; pct=100
pct=100 is the default and can be omitted; a lower value applies the policy to only that percentage of failing messages, with the rest receiving the next weaker treatment, which is useful when ramping up. The sp tag sets a separate policy for subdomains, which otherwise inherit p.
The Importance of DMARC Reports
DMARC aggregate reports (sent to the address in the rua tag, typically once a day per receiver, as XML attachments) list every source IP that sent mail with your domain in the From header, with message counts and the SPF, DKIM and alignment results for each. They reveal legitimate services you forgot to authorize, shadow IT email tools employees adopted without approval, and active spoofing attempts against your domain. Because raw reports are verbose and arrive from many receivers, most organizations feed them into a DMARC analysis tool. Reviewing them regularly is essential before moving to p=reject. The ruf tag requests per-message failure reports as well, but few large receivers send them.
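The triage the paragraph describes comes down to reading three fields per source. Below is an added example (not the article's own code or any vendor tool) that parses an aggregate report and labels each source as authenticated, passing but unaligned (the typical signature of a forgotten or shadow-IT service sending with its own envelope domain), or failing everything (possible spoofing). The XML follows the RFC 7489 Appendix C schema but is constructed for this example with invented IPs and domains; real reports arrive as gzip or zip attachments and are far longer.

```python
"""Parse a DMARC aggregate (rua) report and classify each sending source, so
the 'forgotten service', 'shadow IT' and 'spoofing' cases can be told apart.
The XML below is constructed in the RFC 7489 Appendix C schema with invented
IPs and domains. Added example, not a vendor tool."""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>20240101.example.com</report_id>
    <date_range><begin>1704067200</begin><end>1704153600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.23</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>bounce.crm-vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>"""


def classify(record):
    """One <record> of the report -> dict with a triage label."""
    row = record.find("row")
    evaluated = row.find("policy_evaluated")
    dkim_ok = evaluated.findtext("dkim") == "pass"     # aligned DKIM pass
    spf_ok = evaluated.findtext("spf") == "pass"       # aligned SPF pass
    # Raw passes that did not align: a real sender authenticating as its own domain.
    raw_passes = [
        f"{kind}:{r.findtext('domain')}"
        for kind in ("spf", "dkim")
        for r in record.findall(f"auth_results/{kind}")
        if r.findtext("result") == "pass"
    ]
    if dkim_ok or spf_ok:
        label = "authenticated"
    elif raw_passes:
        label = "unaligned: likely an unlisted or shadow-IT service"
    else:
        label = "unauthenticated: possible spoofing"
    return {
        "source_ip": row.findtext("source_ip"),
        "count": int(row.findtext("count")),
        "header_from": record.findtext("identifiers/header_from"),
        "disposition": evaluated.findtext("disposition"),
        "raw_passes": raw_passes,
        "label": label,
    }


def summarize(xml_text):
    """Return (metadata, rows) for one report; rows sorted by volume, largest first."""
    root = ET.fromstring(xml_text)
    meta = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
    }
    rows = sorted((classify(r) for r in root.findall("record")), key=lambda r: -r["count"])
    return meta, rows


def failing_volume(rows):
    """Messages that would be affected by moving to p=quarantine or p=reject."""
    return sum(r["count"] for r in rows if r["label"] != "authenticated")


if __name__ == "__main__":
    meta, rows = summarize(SAMPLE_REPORT)
    print(meta)
    for r in rows:
        print(f"{r['source_ip']:>15} {r['count']:>6}  {r['label']}  {r['raw_passes']}")
    print("would fail at enforcement:", failing_volume(rows))   # 75
```

The second record is the interesting one for a rollout: SPF passed for bounce.crm-vendor.example, so the vendor is sending real mail, but nothing aligned with example.com, so those 40 messages would be quarantined or rejected at enforcement. The fix is to enable DKIM signing with d=example.com at that vendor (or a custom return path on your domain), not to add the vendor to your SPF record blindly.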
How SPF, DKIM, and DMARC Work Together
Each protocol addresses a different part of the problem, and they are most effective when deployed together. SPF verifies the sending server, DKIM verifies message integrity and origin, and DMARC ties both to the visible From domain and enforces a policy you choose. Without DMARC, an SPF or DKIM failure is only one signal in a receiver's spam scoring, with no policy from you and no reports back. Without SPF and DKIM, DMARC has nothing to evaluate and every message fails. The three protocols form a complete email authentication framework that significantly reduces your exposure to phishing, spoofing, and business email compromise (BEC) attacks. Keep in mind that they protect only your exact domain; lookalike domains registered by attackers are not covered and need separate monitoring.
Alignment Requirements
DMARC requires alignment between the domain in the message's From header and the domain that SPF or DKIM validated: for SPF that is the envelope MAIL FROM domain, for DKIM the d= domain in the signature. There are two alignment modes, set per check with the aspf and adkim tags: strict (s), which requires an exact match, and relaxed (r, the default), which accepts any subdomain of the same organizational domain, so mail from news.yourdomain.com signed with d=yourdomain.com still aligns. For most businesses relaxed alignment is appropriate and avoids issues with the subdomains that marketing platforms and transactional email services use for bounce handling.
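The policy, alignment and pct rules from the last few sections combine into a single decision per message. The following is an added example (not the article's code or any mail server's implementation) that applies a DMARC record the way a receiver does: it parses the record with RFC 7489 defaults, tests the SPF and DKIM identifiers for alignment with the From domain, and picks the disposition from p=, sp= and pct=. The organizational-domain function is a deliberate simplification that takes the last two labels; real implementations consult the Public Suffix List so that domains such as example.co.uk are handled correctly. The records and identities at the bottom are constructed for the example.

```python
"""Apply a DMARC record to one message the way a receiving server does:
parse the record, test the SPF/DKIM identifiers for alignment with the
From: domain, and pick the disposition from p=, sp= and pct=. Added
example, not a mail server's code. org_domain() is simplified to the
last two labels; real implementations consult the Public Suffix List."""
import random

POLICY_STEP_DOWN = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def parse_dmarc(record):
    """Parse the TXT record found at _dmarc.<domain>, filling RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + record)
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless stated
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomains inherit p= unless sp= is set
    return tags


def org_domain(domain):
    """ASSUMPTION: organizational domain = last two labels (no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """'s' requires an exact match; 'r' accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain, record, spf=None, dkim=(), sample=None):
    """from_domain: RFC5322.From domain. spf: (result, MAIL FROM domain) or None.
    dkim: iterable of (result, d= domain), one per signature. sample: 1..100
    used for pct= (random if None). Returns (dmarc_result, disposition)."""
    policy = parse_dmarc(record)
    spf_pass = spf is not None and spf[0] == "pass" and aligned(from_domain, spf[1], policy["aspf"])
    dkim_pass = any(r == "pass" and aligned(from_domain, d, policy["adkim"]) for r, d in dkim)
    if spf_pass or dkim_pass:
        return "pass", "none"
    # p= governs the organizational domain itself, sp= its subdomains.
    action = policy["p"] if from_domain.lower() == org_domain(from_domain) else policy["sp"]
    roll = sample if sample is not None else random.randint(1, 100)
    if roll > int(policy["pct"]):     # outside the pct sample: apply the next weaker action
        action = POLICY_STEP_DOWN[action]
    return "fail", action


# Constructed records used below.
RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com"
RECORD_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s"
RECORD_RAMP = "v=DMARC1; p=reject; pct=25"

if __name__ == "__main__":
    # Forwarded mail: SPF fails on the forwarder's IP, the intact DKIM signature still aligns.
    print(evaluate("example.com", RECORD, spf=("fail", "example.com"), dkim=[("pass", "example.com")]))
    # Marketing platform signing as a subdomain: fine under relaxed, rejected under strict.
    print(evaluate("example.com", RECORD, dkim=[("pass", "news.example.com")]))
    print(evaluate("example.com", RECORD_STRICT, dkim=[("pass", "news.example.com")]))
    # Spoof of a subdomain with nothing passing: sp= applies.
    print(evaluate("hr.example.com", RECORD, spf=("fail", "attacker.example")))
    # pct=25: the same failing message is rejected or only quarantined depending on the sample.
    print(evaluate("example.com", RECORD_RAMP, sample=10), evaluate("example.com", RECORD_RAMP, sample=60))
```

The first case is why DKIM matters for forwarded mail, and the strict-versus-relaxed pair is the concrete version of the alignment advice above: a vendor that signs as news.example.com is fine under the default but breaks the moment adkim=s is published.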
Implementation Roadmap for Your Business
Rolling out email authentication should follow a phased approach to avoid accidentally blocking legitimate email.
Phase 1: Inventory and SPF
Start by identifying every service that sends email on behalf of your domain. This includes your primary email platform (Microsoft 365 or Google Workspace), marketing automation tools, CRM systems, help desk software, printers and scanners that send to email, and any custom applications. Publish an SPF record that includes all authorized senders, confirm it stays within the 10-lookup limit, and set it to soft fail (~all) during the inventory phase.
Phase 2: DKIM and DMARC Monitoring
Enable DKIM signing for every authorized email service, confirming that each one signs with your domain in d=. Publish a DMARC record with p=none and a rua address so that reporting starts. Monitor the reports for 4 to 8 weeks to catch legitimate senders you missed (including monthly or quarterly batch jobs) and any unauthorized sources attempting to use your domain.
Phase 3: Enforcement
Once your reports show aligned passes for all legitimate email, move your DMARC policy to p=quarantine, optionally with pct= below 100 to ramp up gradually, and then to p=reject. Update your SPF record to hard fail (-all) once you are confident the inventory is complete. Continue monitoring reports indefinitely, as new services or changes to your email infrastructure can introduce authentication gaps, and expired DKIM keys or removed DNS records will silently turn legitimate mail into failures.
How Unio Digital Can Help
Configuring email authentication correctly requires careful attention to DNS records, third-party service coordination, and ongoing monitoring. Unio Digital provides comprehensive email security services that include full SPF, DKIM, and DMARC implementation, ongoing report analysis, and policy enforcement. As part of our broader cybersecurity solutions, we ensure your email infrastructure is hardened against spoofing, phishing, and impersonation attacks.
If you are unsure whether your domain has proper email authentication in place, contact Unio Digital for a free assessment. We will review your current DNS records, identify gaps, and provide a clear plan to reach full DMARC enforcement.
Is Your Email Protected?
Take our free IT Security Assessment to evaluate your email authentication and overall cybersecurity posture across 51 critical technologies.