Email Security · 11 March 2026 · 9 min read

SPF, DKIM, and DMARC: The Three Email Security Standards Explained

Email spoofing is trivially easy without proper DNS configuration. Learn how SPF, DKIM, and DMARC work together to protect your domain from being used in phishing attacks.


Emil Gheonea

Software engineer & founder of LinkThreatScan · 11 March 2026

Email was designed in an era when the internet was trusted and small. Authentication wasn't considered necessary. The result is that without additional configuration, anyone can send an email claiming to be from any address — including yours. Three DNS-based standards have been developed to address this: SPF, DKIM, and DMARC. Together they form the foundation of modern email authentication.

SPF (Sender Policy Framework)

An SPF record is a DNS TXT record that lists the IP addresses and mail servers authorised to send email on behalf of your domain. When a receiving mail server gets a message purportedly from your domain, it looks up your SPF record and checks whether the sending server's IP is listed. If it isn't, the message fails SPF. Example: v=spf1 include:_spf.google.com ~all — this authorises Google's mail servers to send for the domain. The '~all' means soft-fail (flag but deliver) while '-all' means hard-fail (reject).
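To make the lookup concrete, here is a small SPF evaluator written for this article (it is not code from the post or from LinkThreatScan). It follows the check_host() logic of RFC 7208 over a constructed in-memory DNS table instead of live DNS, and covers the mechanisms most published records use: ip4, ip6, a, mx, include and all, with the +, -, ~ and ? qualifiers and the 10-lookup limit. The exists and ptr mechanisms, redirect= and macro expansion are left out, and the domain names and addresses in the table are made up for the demo.

```python
"""Minimal SPF evaluator over a constructed DNS table.

Added example for this article; it is not code from the post or from
LinkThreatScan. It implements the mechanisms most published records use
(ip4, ip6, a, mx, include, all with the + - ~ ? qualifiers) following the
check_host() logic of RFC 7208, including the 10-lookup limit. The 'exists',
'ptr' and 'redirect=' terms and macro expansion are left out.
"""
import ipaddress

# Constructed DNS data for the demo (RFC 5737/3849 documentation addresses).
DNS = {
    ("example.com", "TXT"): ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example mx -all"],
    ("_spf.mailer.example", "TXT"): ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.0.2.25"],
}

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: at most 10 DNS-querying terms
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def _lookup(name, rrtype):
    return DNS.get((name.lower().rstrip("."), rrtype), [])


def _spf_record(domain):
    """Return the single SPF TXT record for domain, or None (no record, or several)."""
    recs = [r for r in _lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    return recs[0] if len(recs) == 1 else None


def _host_has_ip(addr, host):
    return any(addr == ipaddress.ip_address(a) for a in _lookup(host, "A"))


def check_host(ip, domain, _budget=None):
    """SPF result for a connection from `ip` using `domain` as the MAIL FROM domain."""
    budget = _budget if _budget is not None else [LOOKUP_LIMIT]
    record = _spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa.
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif mech in ("include", "a", "mx"):
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS lookups
            target = arg or domain
            if mech == "include":
                # include: only a 'pass' of the referenced record counts as a match
                matched = check_host(ip, target, budget) == "pass"
            elif mech == "a":
                matched = _host_has_ip(addr, target)
            else:
                matched = any(_host_has_ip(addr, mx) for mx in _lookup(target, "MX"))
        else:
            return "permerror"  # mechanism not supported by this toy evaluator
        if matched:
            return QUALIFIERS[qual]
    return "neutral"  # record ended without an 'all' term: RFC 7208 default


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.10", "2001:db8:1::1", "192.0.2.25", "192.0.2.99"):
        print(ip, "->", check_host(ip, "example.com"))
```

Running it shows the two outcomes the article contrasts: an address covered by an ip4, include or mx term gets pass, while anything else reaches the final -all and gets fail, or softfail when the record ends in ~all. The shared lookup budget is what turns a record with too many include chains into permerror, which is a common cause of "SPF broken" findings in real domains.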

How SPF can be bypassed

SPF checks only the envelope sender (the MAIL FROM address given in the SMTP transaction, which the receiving server records in the Return-Path header), not the visible From: header shown to users. Nothing in SPF requires the two domains to match, so an attacker can use a look-alike domain that passes SPF, while setting a spoofed display name. This is why SPF alone is insufficient — it needs DKIM and DMARC to provide meaningful protection.

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to outgoing emails. The signing mail server generates a signature from the message headers and body using a private key, and adds it as a DKIM-Signature header. The corresponding public key is published in a DNS TXT record. The receiving server looks up the public key and verifies the signature. This proves that the message was sent by a server holding the private key and that the signed headers and body haven't been altered in transit.
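The body part of that verification can be shown without any keys. The following is an added example (not code from the article or from LinkThreatScan) that implements the simple and relaxed body canonicalization of RFC 6376 section 3.4, computes the bh= tag from the canonicalized body, and performs the receiver's first check: does the bh= in the DKIM-Signature header match the body that actually arrived? The b= signature over the headers requires the signer's RSA or Ed25519 private key and the public key from DNS, so that step is not reproduced; the signature header built below carries a placeholder b= and a made-up domain and selector.

```python
"""DKIM body canonicalization and body hash (bh=) check.

Added example, not code from the article or from LinkThreatScan. It implements
the 'simple' and 'relaxed' body canonicalization of RFC 6376 section 3.4 and
the receiver-side check that the bh= tag in a DKIM-Signature header matches the
body actually received. The b= signature over the headers needs the signer's
RSA or Ed25519 key and the public key from DNS; that step is not reproduced.
"""
import base64
import hashlib
import re


def canon_body_simple(body: bytes) -> bytes:
    """'simple': drop empty lines at the end, ensure exactly one trailing CRLF."""
    while body.endswith(b"\r\n"):
        body = body[:-2]
    return body + b"\r\n"


def canon_body_relaxed(body: bytes) -> bytes:
    """'relaxed': strip trailing whitespace per line, collapse runs of WSP to one
    space, drop empty lines at the end; an empty body stays empty."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"".join(ln + b"\r\n" for ln in lines)


def body_hash(body: bytes, canon: str = "relaxed", algo: str = "sha256") -> str:
    """Base64 digest of the canonicalized body, i.e. the value of the bh= tag."""
    canon_fn = {"simple": canon_body_simple, "relaxed": canon_body_relaxed}[canon]
    return base64.b64encode(hashlib.new(algo, canon_fn(body)).digest()).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Parse the tag=value list of a DKIM-Signature header; folding whitespace is removed."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)  # base64 values contain '=' padding
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(dkim_signature: str, body: bytes) -> bool:
    """First step of DKIM verification: does bh= match the received body?"""
    tags = parse_dkim_tags(dkim_signature)
    c = tags.get("c", "simple/simple")
    body_canon = c.split("/")[1] if "/" in c else "simple"  # header/body; body defaults to simple
    algo = tags.get("a", "rsa-sha256").split("-", 1)[1]      # rsa-sha256 or ed25519-sha256
    if "l" in tags:
        return False  # body length limits (l=) are not supported here; treat as a failure
    return body_hash(body, body_canon, algo) == tags.get("bh")


def make_signature_header(body: bytes, domain: str, selector: str) -> str:
    """Constructed DKIM-Signature with a real bh= and a placeholder b= (no key involved)."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=%s; s=%s; "
            "h=from:to:subject:date; bh=%s; b=PLACEHOLDER" % (domain, selector, body_hash(body)))


if __name__ == "__main__":
    original = b"Hello  world \r\n\r\n\r\n"
    sig = make_signature_header(original, "example.com", "sel1")
    print(body_hash_matches(sig, original))                        # True
    print(body_hash_matches(sig, b"Hello world, send money\r\n"))  # False
```

Two details worth noticing: relaxed canonicalization means a forwarder that re-wraps whitespace or adds trailing blank lines does not break the hash, while any change to the words does; and because bh= is itself one of the signed fields, an attacker cannot simply recompute it after editing the body, which is why the header signature over h= and bh= is the part that needs the key.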

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC builds on SPF and DKIM by defining what should happen when a message fails authentication checks, and by requiring alignment between the domain in the From: header and the domains validated by SPF/DKIM. A DMARC record specifies a policy: none (monitoring only), quarantine (send to spam), or reject (discard the message). Example: v=DMARC1; p=reject; rua=mailto:[email protected] — a reject policy is the strongest protection, preventing spoofed emails from reaching recipients at all.
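The alignment rule is the piece that closes the SPF gap described earlier, and it is easiest to see in code. The example below is added for this article (not the post's or LinkThreatScan's code): it parses a DMARC record, applies strict or relaxed alignment between the From: domain and the domains that SPF and DKIM validated, and returns the disposition. The organizational domain is approximated by the last two labels, which is an assumption that breaks for suffixes such as co.uk; real implementations consult the Public Suffix List. The pct= and fo= tags are parsed but not acted on, and all domains in the usage are made up.

```python
"""DMARC record parsing, identifier alignment and disposition.

Added example, not the article's or LinkThreatScan's code. It takes the SPF
and DKIM results a receiver has already computed and applies the alignment
and policy rules of RFC 7489. The organizational domain is approximated by
the last two labels (an assumption); real implementations use the Public
Suffix List. pct= and fo= are parsed but not acted on.
"""


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=...; ...' into a dict; raises on a record that is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: %r" % record)
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): last two labels stand in for the PSL lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') only the same organizational domain."""
    if mode == "s":
        return auth_domain.lower().rstrip(".") == from_domain.lower().rstrip(".")
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(policy: dict, policy_domain: str, from_domain: str,
             spf_result: str, spf_domain: str, dkim_results: list) -> dict:
    """dkim_results: list of (result, d= domain) pairs, one per DKIM-Signature.
    Returns the aligned results, the DMARC outcome and the disposition to apply."""
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_aligned = any(res == "pass" and aligned(d, from_domain, policy.get("adkim", "r"))
                       for res, d in dkim_results)
    dmarc_pass = spf_aligned or dkim_aligned
    # sp= applies when the From: domain is a subdomain of the domain that published the policy.
    is_subdomain = from_domain.lower() != policy_domain.lower()
    action = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return {
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": dmarc_pass,
        "disposition": "none" if dmarc_pass else action,
    }


if __name__ == "__main__":
    policy = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@example.com")
    # Look-alike envelope sender that passes SPF for its own domain while From: claims example.com
    print(evaluate(policy, "example.com", "example.com", "pass", "examp1e-mail.com", []))
    # Forwarded but correctly signed message: SPF fails, aligned DKIM carries it
    print(evaluate(policy, "example.com", "example.com", "fail",
                   "forwarder.example", [("pass", "example.com")]))
```

The first call is the bypass from the SPF section: SPF passes for the look-alike envelope domain, but it does not align with example.com in the From: header, no DKIM signature is present, and under p=reject the message is rejected. The second call is the everyday forwarding case: SPF fails because the forwarder's IP is not in the record, yet the DKIM signature with d=example.com survives forwarding and aligns, so the message passes. That asymmetry is why DKIM signing matters before moving past p=none.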

DMARC reports

DMARC includes a powerful reporting mechanism. Receiving mail servers send aggregate and forensic reports back to the address specified in the rua/ruf tags of your DMARC record. These reports show you who is sending email claiming to be from your domain, which authentication mechanisms are passing and failing, and where suspicious sending is originating. This visibility is invaluable for detecting phishing campaigns targeting your brand.
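Aggregate reports arrive as XML attachments in the layout given in RFC 7489 Appendix C, and the useful signal is which sending IPs are failing and on whose behalf. The following added example (not code from the article or from LinkThreatScan) summarises a constructed report: the XML, the reporter name, the IPs and the counts are all made up for the demo. It groups message counts by source IP, treats a record as a DMARC pass when either aligned result in policy_evaluated is pass, and lists the failing sources together with the SPF domain they used.

```python
"""Summarising a DMARC aggregate (rua) report.

Added example, not code from the article or from LinkThreatScan. The XML below
is constructed in the layout defined by RFC 7489 Appendix C and stands in for
a report a receiving mail provider would email to the rua= address. The
summary groups messages by sending IP and flags sources whose messages failed
DMARC, which is how spoofing and forgotten legitimate senders show up.
"""
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <email>noreply-dmarc@receiver.example</email>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1704067200</begin><end>1704153599</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.5</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.77</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>bulk-sender.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.25</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> dict:
    """Group a rua report by source IP and list the sources whose mail failed DMARC."""
    root = ET.fromstring(xml_text)
    sources = {}
    for rec in root.findall("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        # policy_evaluated holds the *aligned* results; DMARC passes if either one is 'pass'
        dkim = rec.findtext("row/policy_evaluated/dkim")
        spf = rec.findtext("row/policy_evaluated/spf")
        passed = "pass" in (dkim, spf)
        spf_domain = rec.findtext("auth_results/spf/domain")
        entry = sources.setdefault(ip, {"passed": 0, "failed": 0, "spf_domains": set()})
        entry["passed" if passed else "failed"] += count
        if spf_domain:
            entry["spf_domains"].add(spf_domain)
    failing = sorted(
        [(ip, e["failed"], sorted(e["spf_domains"])) for ip, e in sources.items() if e["failed"]],
        key=lambda t: -t[1],
    )
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "reporter": root.findtext("report_metadata/org_name"),
        "total": sum(e["passed"] + e["failed"] for e in sources.values()),
        "failed": sum(e["failed"] for e in sources.values()),
        "failing_sources": failing,
    }


if __name__ == "__main__":
    s = summarize_report(SAMPLE_REPORT)
    print("%s (p=%s) reported by %s: %d messages, %d failed DMARC"
          % (s["domain"], s["policy"], s["reporter"], s["total"], s["failed"]))
    for ip, n, doms in s["failing_sources"]:
        print("  %-15s %5d failed  SPF domain(s): %s" % (ip, n, ", ".join(doms) or "-"))
```

In the constructed report the third source is the instructive one: its mail passes only on SPF, so it would start failing the moment a forwarder or a migration changed the sending IP. A source that fails both checks while passing SPF for some other domain, as the second record does, is either a spoofer or a third-party service that was never added to the SPF record and never given a DKIM key; the report alone cannot tell which, which is why the article recommends several weeks of p=none before tightening.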

Implementation priority

Start with SPF (add the TXT record for your domain). Then configure DKIM signing in your mail server or email platform. Finally, add a DMARC record starting with p=none to collect reports without affecting delivery. Analyse the reports for several weeks, fix legitimate senders that are failing, and then progressively tighten the policy to quarantine and eventually reject. Our scanner checks all three records and reports on their presence, syntax, and strength.

About the author

Emil Gheonea is a software engineer and the solo developer behind LinkThreatScan. He built this tool out of a genuine need for a fast, transparent, and free way to assess whether a link is safe before clicking it. He writes about web security topics to help everyday users and developers make better decisions online.
