QUICK ANSWER
SPF, DKIM, and DMARC are three DNS records that work together to authenticate your emails and prevent spoofing. SPF specifies which servers can send email from your domain, DKIM adds a cryptographic signature to prove an email hasn't been tampered with, and DMARC tells receiving servers what to do if SPF or DKIM checks fail.
Email was never designed with authentication in mind. Anyone can put any address in the "From" field, which is why email spoofing and phishing are so common. SPF, DKIM, and DMARC are the three standards that fix this problem — and all three work together as layers of defence.
If your domain doesn't have all three configured correctly, your legitimate emails may land in spam and attackers can impersonate your domain.
SPF is a DNS record that lists which mail servers are authorised to send emails on behalf of your domain. When a receiving server gets an email claiming to be from your domain, it checks your SPF record to see if the sending server is on the approved list.
A basic SPF record looks like this:
yourdomain.co.uk. IN TXT "v=spf1 include:_spf.google.com ~all"
This tells receiving servers: "Only Google's mail servers are allowed to send emails from my domain. Treat anything else as suspicious."
The ~all at the end is the qualifier. There are four options:
+all — pass (allow all, essentially useless)
~all — softfail (mark as suspicious but still deliver)
-all — hardfail (reject unauthorised senders)
?all — neutral (no policy)
The most frequent problem is including too many third-party services. Each include statement triggers a DNS lookup, and SPF has a hard limit of 10 DNS lookups. If you exceed this limit, SPF fails and your emails may be rejected.
For example, if you use Google Workspace, Mailchimp, Salesforce, and HubSpot, you might hit the limit quickly. The fix is to consolidate: use a service that flattens SPF records, or remove includes for services you no longer use.
Another common mistake is having multiple SPF records. You can only have one SPF record per domain. If you need to authorise multiple services, put them all in a single record.
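As an added example (not the article's or PulseShield's own code), here is a small Python linter that checks a domain's TXT answers for the three SPF problems described above: a weak all qualifier, more than 10 lookup-triggering terms, and multiple SPF records. The TXT answers are constructed; the only real hostname is _spf.google.com, taken from the record above.

```python
import re

# Terms that each cost one DNS lookup under SPF's limit of 10. Only the
# top level is counted here; a full evaluator also follows nested includes.
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")
QUALIFIER_MEANING = {"+": "pass (allows every sender)", "~": "softfail",
                     "-": "hardfail", "?": "neutral (no policy)"}

def count_lookups(record):
    """Count the lookup-triggering terms in one SPF record."""
    n = 0
    for term in record.split()[1:]:            # skip the "v=spf1" version tag
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_TERMS:
            n += 1
    return n

def all_qualifier(record):
    """Return the qualifier on the 'all' term ('+' if bare), or None if absent."""
    m = re.search(r"(?:^|\s)([+~?-]?)all(?:\s|$)", record, re.IGNORECASE)
    return (m.group(1) or "+") if m else None

def lint_spf(txt_answers):
    """Return findings for a domain's TXT answers, as a list of strings."""
    spf = [r for r in txt_answers if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    findings = []
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published; receivers treat this as a permanent error")
    lookups = count_lookups(spf[0])
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    q = all_qualifier(spf[0])
    if q is None:
        findings.append("no 'all' term: unlisted senders get no verdict")
    elif q in ("+", "?"):
        findings.append(f"'{q}all' means {QUALIFIER_MEANING[q]}; use ~all or -all")
    return findings

# Constructed TXT answers for two hypothetical domains (not real DNS data);
# _spf.google.com is the only real hostname, taken from the article.
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.google.com -all", "site-verification=constructed"],
    "bad.example": ["v=spf1 a mx ptr exists:%{i}.chk.example include:_spf.google.com "
                    "include:crm.example include:news.example include:a.example "
                    "include:b.example include:c.example include:d.example +all",
                    "v=spf1 mx ~all"],
}
```

Running lint_spf over the answers from nslookup for a real domain gives the same findings; the bad.example record above trips all three checks at once.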
DKIM adds a cryptographic signature to every outgoing email. This signature proves the email genuinely came from your domain and hasn't been modified in transit.
Here's how it works:
A DKIM DNS record contains a selector (which identifies the key) and the public key itself. The selector allows you to have multiple keys — useful for key rotation.
Key rotation is a security best practice. Generate a new key pair, publish the new public key in DNS with a new selector, update your mail server to sign with the new private key, and remove the old record after a transition period.
Most email providers (Google Workspace, Microsoft 365, Mailchimp) handle DKIM signing automatically once you add the DNS record. You just need to publish the record they give you.
DMARC ties SPF and DKIM together. It tells receiving servers what to do when SPF or DKIM authentication fails, and it sends you reports about which emails are passing or failing authentication.
A DMARC record is published at _dmarc.yourdomain.co.uk and looks like this:
_dmarc.yourdomain.co.uk. IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]"
The p tag sets the policy. There are three options:
p=none — monitor only. Emails still deliver even if they fail authentication. Useful for the initial setup phase to see what's happening without affecting delivery.
p=quarantine — failed emails go to spam. A good intermediate step once you've verified that all legitimate senders are passing.
p=reject — failed emails are rejected outright. The strongest protection. Only use this once you're confident all legitimate email sources are properly authenticated.
The rua tag specifies where aggregate reports are sent. These reports show you every email that used your domain — which ones passed SPF and DKIM, which failed, and what IP addresses sent them. This is invaluable for spotting unauthorised senders.
The ruf tag specifies where forensic reports are sent (samples of individual failed emails). Not all providers support forensic reports, but they give you detailed evidence when something goes wrong.
DMARC checks "alignment" — whether the domain in the visible From address matches the domain that passed SPF or DKIM. This prevents a subtle attack where an attacker passes SPF for their own domain but uses your domain in the From header. With DMARC alignment enabled, the domains must match.
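An added example, not the article's own code, of how a receiver applies DMARC alignment: it evaluates a DMARC record against SPF and DKIM results for a constructed spoofed message and a constructed legitimate one. The adkim and aspf strict/relaxed modes are real DMARC tags; the domains and report address are constructed, and the organisational-domain lookup is a two-entry stand-in for the Public Suffix List.

```python
from dataclasses import dataclass

def parse_dmarc(txt):
    """Split 'v=DMARC1; p=quarantine; rua=...' into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

# Tiny stand-in for the Public Suffix List, enough for the .co.uk domains
# in the article; real receivers use the full list.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk"}

def org_domain(domain):
    """Organisational domain used by relaxed alignment."""
    labels = domain.lower().split(".")
    keep = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class AuthResult:
    from_domain: str       # domain in the visible From header
    spf_pass_domain: str   # envelope-from domain SPF passed for, "" if none
    dkim_pass_domain: str  # d= of a DKIM signature that verified, "" if none

def dmarc_disposition(record, result):
    """Return 'pass', or the p= action the domain owner asked receivers to apply."""
    tags = parse_dmarc(record)
    spf_ok = aligned(result.from_domain, result.spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(result.from_domain, result.dkim_pass_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")

# Constructed scenarios (not real traffic). The report address is a placeholder.
RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.co.uk"
# Attacker's server passes SPF for its own domain but spoofs ours in From.
SPOOFED = AuthResult("yourdomain.co.uk", "attacker.example", "")
# Legitimate mail via a provider: SPF passes only for the provider's bounce
# domain, but the DKIM d= is our subdomain, which relaxed alignment accepts.
LEGIT = AuthResult("yourdomain.co.uk", "bounces.provider.example", "mail.yourdomain.co.uk")
```

With adkim=s the legitimate message above would also fail, which is why strict alignment needs every sending service to sign with exactly the From domain.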
None of these records is sufficient on its own:
Together, they create a complete authentication chain: SPF verifies the sending server, DKIM verifies the message integrity, and DMARC enforces the policy and provides reporting.
If your domain has none of these records configured:
Major email providers increasingly require these records. Google and Yahoo both announced in 2024 that bulk senders must have DMARC configured. If you send any volume of email, these records are no longer optional.
You can check your current SPF, DKIM, and DMARC configuration using free tools. Open a terminal and run:
nslookup -type=TXT yourdomain.co.uk
nslookup -type=TXT _dmarc.yourdomain.co.uk
Or use an online checker like MXToolbox or DMARC Analyzer. PulseShield's free scan also checks whether your domain has SPF, DKIM, and DMARC configured and flags missing records as findings in your security report.