Cybersecurity
SPF, DKIM, and DMARC explained
SPF, DKIM, and DMARC are three email authentication records that prove your email is really from you and stop scammers spoofing your domain. Here is what each one does and how to set them up in the right order.
SPF, DKIM, and DMARC are three email authentication records that prove your email is really from you and block scammers from spoofing your domain. SPF lists who can send for your domain, DKIM signs your messages, and DMARC tells receiving servers what to do when a message fails. Together they stop most domain spoofing and improve your deliverability.
What is SPF (Sender Policy Framework)?
SPF is a DNS record that lists the mail servers allowed to send email for your domain. When a receiving server gets a message claiming to be from you, it checks whether the sending server is on your SPF list. If it is not, the message looks forged. SPF on its own is limited, because it breaks when mail is forwarded, which is why it works best alongside DKIM and DMARC.
What is DKIM (DomainKeys Identified Mail)?
DKIM adds a cryptographic signature to every message you send, using a private key only your mail system holds. The matching public key sits in your DNS, so a receiving server can verify the message genuinely came from your domain and was not altered in transit. Unlike SPF, DKIM survives most forwarding, which makes it the stronger of the two checks.
What is DMARC, and why it ties it all together
DMARC is the policy layer. It tells receiving servers what to do with a message that fails SPF and DKIM, do nothing, quarantine it to junk, or reject it outright, and it sends you reports on who is sending mail in your name. Without DMARC, a failed check is just information. With a DMARC policy set to quarantine or reject, you actively stop spoofed email from reaching your customers and staff.
Why SPF, DKIM, and DMARC matter for your business
Email is still the number one way attackers get in, and domain spoofing lets them impersonate your company to your own clients and employees. A phishing message that appears to come from your CEO or your billing address is far more convincing when your domain is unprotected. Setting all three records, and moving DMARC to an enforcing policy, closes that door and protects both your people and your sender reputation.
How to set up SPF, DKIM, and DMARC
The records live in your DNS and in your mail platform, usually Microsoft 365 or Google Workspace. The order that works is: publish SPF, enable DKIM signing, then start DMARC in monitoring mode to see who sends on your behalf before you switch it to quarantine or reject. Rushing straight to reject can block legitimate mail. bdManagedIT configures and monitors email security, including SPF, DKIM, and DMARC, as part of managed IT. If you are not sure where your domain stands, a quick security check will flag the missing records.
Frequently asked questions
- What is the difference between SPF, DKIM, and DMARC?
- SPF lists the servers allowed to send for your domain. DKIM cryptographically signs each message so it can be verified and proven unaltered. DMARC sets the policy for what happens when a message fails SPF and DKIM, and reports on who is sending as you.
- Do I need all three?
- Yes. They cover different gaps. SPF can break on forwarding, DKIM does not enforce anything on its own, and DMARC only works once SPF and DKIM are in place. Together they give you both verification and enforcement, which is what actually stops spoofing.
- What does a DMARC policy of quarantine or reject mean?
- Quarantine sends failing messages to the junk folder; reject blocks them outright. Both are enforcing policies. Many domains start at a monitor-only policy to gather data, then move to quarantine or reject once they confirm legitimate mail is passing.
- Will email authentication improve deliverability?
- Often, yes. Mailbox providers trust authenticated mail more, so a correctly configured domain is less likely to land in spam. Just as important, it protects your sender reputation by stopping attackers sending junk in your name.
- How does bdManagedIT help with SPF, DKIM, and DMARC?
- We audit your current records, publish and correct SPF and DKIM, then roll out DMARC in monitoring mode before moving it to an enforcing policy without blocking legitimate mail. We monitor the reports as part of managed email security.
Want a straight answer for your business?
Book a first appointment with a bdManagedIT strategist. No sales script, no obligation.
Book your first appointment