
SPF, DKIM, and DMARC: The Three Email Security Standards Explained

Email spoofing is trivially easy without proper DNS configuration. Learn how SPF, DKIM, and DMARC work together to protect your domain from being used in phishing attacks.

Emil Gheonea, 11 March 2026, 9 min read

The Email Spoofing Problem

Email was designed in the 1970s with zero authentication. Anyone could claim to be anyone. Decades later, three DNS-based standards were created to fill this gap: SPF, DKIM, and DMARC. Together they form the backbone of modern email authentication.


SPF — Sender Policy Framework

SPF tells receiving mail servers which IP addresses are allowed to send email on behalf of your domain. It lives in a DNS TXT record.

v=spf1 include:_spf.google.com include:sendgrid.net ~all

How it works:

  1. An email arrives claiming to be from example.com.
  2. The receiving server looks up the SPF record for example.com.
  3. It checks whether the sending IP is in the authorised list.
  4. If not, the email fails the SPF check.

Limitations: SPF only checks the envelope sender (the Return-Path address), not the visible From header. This is why SPF alone is not enough.


DKIM — DomainKeys Identified Mail

DKIM adds a cryptographic signature to every outgoing email. The signature is verified using a public key stored in DNS.

selector._domainkey.example.com  IN TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCS..."

How it works:

  1. Your mail server signs the email headers and body with a private key.
  2. The signature is added to the message as a DKIM-Signature header.
  3. The receiving server fetches your public key from DNS.
  4. It verifies the signature — proving the email was not modified in transit.

Key benefit: DKIM survives email forwarding in ways SPF cannot, because it is tied to the message content, not the sending IP.


DMARC — Domain-based Message Authentication, Reporting & Conformance

DMARC builds on top of SPF and DKIM. It tells receiving servers what to do when an email fails authentication, and sends you reports about what is happening with your domain.

_dmarc.example.com  IN TXT  "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

Policies:

  • p=none — Monitor only, take no action.
  • p=quarantine — Move suspicious emails to spam.
  • p=reject — Block the email entirely.

DMARC requires alignment — the domain in the From header must match the domain that passed SPF or DKIM. This closes the spoofing gap that SPF alone leaves open.


Implementation Checklist

Step  Action
1     Publish an SPF record listing all legitimate sending sources
2     Enable DKIM signing on your mail server or provider
3     Start with p=none DMARC and collect reports for 2–4 weeks
4     Fix any legitimate sources that are failing
5     Move to p=quarantine, then p=reject

Why This Matters for Your Users

Domains without DMARC enforcement are easy to spoof. Attackers send phishing emails that appear to come from your brand. Your users — and your reputation — pay the price. A p=reject DMARC policy eliminates this attack vector entirely.


Summary

  • SPF controls which servers can send mail for your domain.
  • DKIM signs each email so tampering is detectable.
  • DMARC enforces the rules and gives you visibility via reports.

Implementing all three correctly is one of the highest-impact, lowest-effort security improvements you can make for your domain.

Emil Gheonea

Software Developer & Security Enthusiast

Full-stack developer with a focus on cybersecurity tooling and infrastructure. I built VirusPurge to make fast, private file scanning accessible to everyone — and I write about security topics to keep the knowledge sharp.