Email Security Explained: SPF, DKIM and DMARC
SPF, DKIM, and DMARC are three DNS records that, together, tell the world which servers are allowed to send email on behalf of your domain - and what should happen if a message fails that check. Most small businesses have never heard of them, and most small business domains do not have them configured correctly.
SPF: who is allowed to send
SPF (Sender Policy Framework) is a DNS record that lists the mail servers authorised to send email using your domain. When a receiving server gets a message claiming to be from your domain, it checks the SPF record to confirm the sending server is on the approved list. Without SPF, anyone can send email that claims to be from your domain, and there is no easy way for the recipient's server to tell the difference.
DKIM: proving the message was not altered
DKIM (DomainKeys Identified Mail) attaches a digital signature to outgoing messages, generated using a private key that only your mail server holds. The receiving server checks this signature against a public key published in your DNS. If the signature matches, the receiving server can be confident the message genuinely came from your domain and was not altered in transit.
DMARC: what to do when a check fails
DMARC (Domain-based Message Authentication, Reporting and Conformance) ties SPF and DKIM together and tells receiving servers what to do if a message fails either check - quarantine it, reject it outright, or simply monitor and report on it. DMARC also provides reporting, giving domain owners visibility into who is sending mail using their domain, which is often the first way a business discovers it is being impersonated.
Why this matters for a small business
Two practical consequences follow from missing or misconfigured records:
- Deliverability - mail from a domain without proper authentication is more likely to be filtered into recipients' spam folders, even when it is entirely legitimate.
- Impersonation risk - without DMARC enforcement, it is straightforward for an attacker to send phishing emails that appear to come from your domain, damaging trust with your customers and partners.
Configuring and maintaining all three records is included as standard across every platform we manage - Microsoft 365, Google Workspace, and cPanel/WHM. If you are not sure whether your domain has these records set up correctly, schedule a free 30-minute exploratory call and we will check for you.