1 May 2026 · Email Security
Missing email authentication records let attackers impersonate your domain. Here is what each one does and why you need all three.
If your domain does not have SPF, DKIM, and DMARC records configured, anyone can send emails that look like they came from your business. That is not a theoretical risk. It is happening to UK companies every day, and the consequences range from damaged reputation to regulatory fines.
SPF (Sender Policy Framework) is a DNS record that tells the world which mail servers are allowed to send email on behalf of your domain. Think of it as a guest list for your email. If a server that is not on the list tries to send email from your domain, receiving servers can reject or flag it.
A basic SPF record looks like this:
yourdomain.co.uk. IN TXT "v=spf1 include:_spf.google.com ~all"
The include mechanism lists your authorised sending services. If you use Google Workspace, Microsoft 365, or a transactional email provider like SendGrid, each one needs to be included. The ~all at the end means "softfail" any server not on the list. A stricter -all (hard fail) is recommended once you have confirmed all your sending services are listed.
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every email you send. When your mail server sends a message, it signs it with a private key. The corresponding public key is published in your DNS records. Receiving servers use that public key to verify the email was genuinely sent by you and has not been tampered with in transit.
Without DKIM, an attacker could intercept an email from your domain, change the content (altering a bank account number in an invoice, for example), and forward it on. With DKIM, that change breaks the signature, alerting the receiving server that the message is not legitimate.
Your email provider usually handles DKIM setup. Google Workspace, Microsoft 365, and most transactional email services generate the keys and give you the DNS records to add. You just need to make sure it is actually enabled.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together. It is a DNS record that tells receiving servers what to do when an email fails SPF or DKIM checks. Without DMARC, receiving servers have no clear instruction and will often just deliver the email anyway.
DMARC has three policy levels:
The standard approach is to start with p=none, collect reports for a few weeks to verify your legitimate senders are all passing, then move to p=reject. DMARC also gives you aggregate reports showing who is sending email from your domain, which is invaluable for spotting unauthorised senders.
Email impersonation is one of the most common attack vectors in the UK. The National Cyber Security Centre (NCSC) reports that phishing accounts for the majority of cyber incidents reported by British businesses. In 2025, a series of attacks targeted UK law firms where attackers sent emails from lookalike domains during property transactions, redirecting house purchase funds to their own accounts. Victims lost hundreds of thousands of pounds.
Closer to everyday business: attackers regularly impersonate companies like Royal Mail, HMRC, and banks. These attacks work because many legitimate domains have weak or missing email authentication. If the real organisation had properly configured SPF, DKIM, and DMARC, receiving servers would have a much easier time distinguishing genuine messages from fakes.
Under the UK GDPR, organisations must implement "appropriate technical measures" to protect personal data. If an attacker impersonates your domain and tricks your customers or partners into handing over personal data, the ICO could consider your lack of email authentication as a failure to take reasonable precautions.
Email authentication is not optional. It is one of the most basic security measures the ICO and NCSC recommend, and it takes minutes to set up. A PulseShield security audit checks your SPF, DKIM, and DMARC configuration along with 20 other security areas.
You can check your current email authentication setup right now. Open a terminal and run:
nslookup -type=TXT yourdomain.co.uk
nslookup -type=TXT _dmarc.yourdomain.co.uk
Look for an SPF record starting with v=spf1 and a DMARC record starting with v=DMARC1. If either is missing, your domain is vulnerable to impersonation.
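Finding the records is only the first step; the values matter too. The following is an added example, not part of the original article or of any PulseShield tooling: it takes the TXT strings that the two lookups return and reports the weaknesses this page describes (no record, ~all instead of -all, p=none instead of p=reject). The function names and sample records are constructed for illustration.

```python
# Added example; all record values below are constructed samples, not live DNS data.
def audit_spf(txt_records):
    spf = [r for r in txt_records if r.strip().lower().split(" ")[0] == "v=spf1"]
    if not spf:
        return ("missing", "no v=spf1 record")
    if len(spf) > 1:
        return ("invalid", "more than one v=spf1 record")
    terms = spf[0].split()[1:]
    includes = [t.split(":", 1)[1] for t in terms if t.lower().startswith("include:")]
    for term in terms:
        t = term.lower()
        if t.lstrip("+-~?") == "all":
            qualifier = t[0] if t[0] in "+-~?" else "+"    # bare "all" means +all
            verdict = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "open"}
            return (verdict[qualifier], "includes: " + ", ".join(includes))
    return ("no-all", "record has no 'all' mechanism")

def audit_dmarc(txt_records):
    recs = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not recs:
        return ("missing", None)
    tags = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in recs[0].split(";"))}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        policy = "invalid"
    return (policy, tags.get("rua"))    # rua= is where aggregate reports are sent

def audit_domain(apex_txt, dmarc_txt):
    spf, detail = audit_spf(apex_txt)
    policy, rua = audit_dmarc(dmarc_txt)
    findings = []
    if spf == "softfail":
        findings.append("SPF ends in ~all; tighten to -all once every sender is listed")
    elif spf != "hardfail":
        findings.append(f"SPF {spf}: {detail}")
    if policy in ("missing", "invalid"):
        findings.append(f"DMARC record {policy}")
    else:
        if policy == "none":
            findings.append("DMARC p=none only monitors; move to p=reject after reviewing reports")
        if not rua:
            findings.append("DMARC has no rua= tag, so no aggregate reports arrive")
    return findings

SAMPLE_APEX = ["constructed-verification=abc123", "v=spf1 include:_spf.google.com ~all"]
SAMPLE_DMARC = ["v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.co.uk"]

if __name__ == "__main__":
    print("\n".join(audit_domain(SAMPLE_APEX, SAMPLE_DMARC)))
```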
Alternatively, run a PulseShield audit and we will check all three records, validate their configuration, and flag any issues in a professional report.
-all (hard fail) or ~all (soft fail)
_dmarc.yourdomain.co.uk
p=none (ideally p=reject)
Setting up SPF, DKIM, and DMARC is one of the highest-impact security improvements you can make. It protects your reputation, prevents phishing attacks that use your domain, and demonstrates to regulators that you take data protection seriously. Check our pricing page for a full security audit that covers email authentication and much more.