
Email Authentication Explained: SPF, DKIM, and DMARC

Understanding how the three pillars of email authentication work together to protect your domain.

Email authentication is a set of techniques used to verify that an email message actually comes from the domain it claims to be from. Without these protocols, anyone can send emails pretending to be your organization—a technique known as email spoofing.

The problem: SMTP has no built-in sender verification. Any connecting host can set whatever envelope sender (MAIL FROM) and visible From header it likes, which makes it trivially easy for attackers to impersonate your brand in phishing attacks.

SPF: Sender Policy Framework

What it does:

SPF specifies which IP addresses and mail servers are authorized to send email on behalf of your domain, where "your domain" means the domain in the SMTP envelope sender (MAIL FROM, shown to users as Return-Path), not the From header displayed in a mail client.

How SPF Works

  1. You publish a TXT record in DNS listing authorized senders
  2. When a server receives a message whose envelope sender (MAIL FROM / Return-Path) is your domain, it fetches your SPF record
  3. The receiving server compares the connecting IP against your authorized list
  4. If the IP isn't authorized, the email fails SPF: a hard fail with -all, a soft fail with ~all. Because SPF looks at the envelope sender rather than the visible From header, a passing SPF result on its own does not prove the From header is genuine

Example SPF Record

v=spf1 include:_spf.google.com include:sendgrid.net -all

This record authorizes Google Workspace and SendGrid to send email for the domain, and -all tells receivers to hard-fail everything else. Each include: (and each a, mx, ptr or exists mechanism) costs a DNS lookup, and SPF allows at most 10 lookups per evaluation; exceeding that turns the whole record into a permanent error (permerror), so audit what your includes pull in.
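The evaluation described in steps 1 to 4, as an added example that is not SpoofSentry's code: a minimal SPF checker in Python. It replaces DNS with an in-memory table of constructed records (the address ranges are RFC 5737/3849 documentation ranges, not Google's or SendGrid's real ones, and the include targets are stand-ins), only evaluates the ip4, ip6, include and all mechanisms, and enforces the 10-lookup limit so that an include loop produces permerror rather than hanging.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (a real check queries DNS). The ranges and
# the records for the include targets are illustrative, not the providers' real ones.
DNS_TXT = {
    "example.com": "v=spf1 include:_spf.google.com include:sendgrid.net -all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # misconfiguration: includes itself
}

MAX_DNS_LOOKUPS = 10  # RFC 7208 s4.6.4: more than 10 lookup-causing terms is a permerror
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, _lookups=None):
    """Evaluate SPF for a connection from `ip` whose MAIL FROM domain is `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    a/mx/exists/ptr are counted against the lookup limit but, being offline here,
    never match; redirect= and exp= modifiers are ignored.
    """
    lookups = _lookups if _lookups is not None else [0]
    record = DNS_TXT.get(domain.lower())
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)

    for term in record.split()[1:]:
        if "=" in term:  # modifier, not a mechanism
            continue
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        result = QUALIFIER_RESULT[qualifier]
        mech, _, arg = term.partition(":")

        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            # `in` is False when the IP versions differ, so ip4 terms never match an IPv6 client
            if addr in ipaddress.ip_network(arg, strict=False):
                return result
        elif mech in ("include", "a", "mx", "exists", "ptr"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            if mech == "include":
                sub = check_spf(ip, arg, lookups)
                if sub == "pass":
                    return result
                if sub in ("permerror", "none"):  # missing or broken included record
                    return "permerror"
                # fail/softfail/neutral from an include simply does not match; keep going
        else:
            return "permerror"  # unknown mechanism
    return "neutral"  # no 'all' term: default result


if __name__ == "__main__":
    for client in ("203.0.113.10", "2001:db8:1::5", "198.51.100.7", "192.0.2.1"):
        print(client, "->", check_spf(client, "example.com"))
    print("loop.example ->", check_spf("192.0.2.1", "loop.example"))
```

A production resolver must also resolve a/mx, follow redirect=, expand macros, and return temperror on DNS timeouts; the lookup counter is the part that bites in practice, because a vendor include can silently grow past the limit.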

DKIM: DomainKeys Identified Mail

What it does:

DKIM adds a cryptographic signature, carried in a DKIM-Signature header, over the message body and selected headers. It lets recipients verify that the signing domain (the signature's d= tag) took responsibility for the message and that the signed parts weren't altered in transit.

How DKIM Works

  1. Your mail server canonicalizes the body and the selected headers (From, Subject, ...) and signs them with a private key, adding a DKIM-Signature header that names the signing domain (d=) and selector (s=)
  2. You publish the corresponding public key in DNS at <selector>._domainkey.<domain>
  3. Receiving servers fetch that key, recompute the body hash (bh=) and verify the signature (b=)
  4. If both check out, the email passes DKIM for the d= domain; a footer or disclaimer added in transit changes the body hash and fails it

Example DKIM Record

google._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSq..."

The selector (google) identifies which key to use; the signature names it in its s= tag alongside d=example.com, so the verifier queries google._domainkey.example.com. Large organizations often have multiple DKIM keys, typically one selector per sending service, and rotating a key means publishing the new one under a fresh selector before retiring the old.
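The verification steps above, as an added example that is not SpoofSentry's code: a Python implementation of the body-hash (bh=) half of DKIM verification using only the standard library. It implements the simple and relaxed body canonicalizations from RFC 6376, parses the DKIM-Signature tags, derives the DNS name the public key lives at, and shows that a footer appended in transit breaks the check while a whitespace-only change survives relaxed canonicalization. The sample message, addresses and body are constructed; the RSA signature in b= is left empty because checking it requires the public key from DNS, which this offline example does not fetch.

```python
import base64
import hashlib
import re


def simple_body(body):
    """RFC 6376 s3.4.3 'simple' body canonicalization: drop trailing empty lines, end with CRLF."""
    while body.endswith("\r\n"):
        body = body[:-2]
    return body + "\r\n"


def relaxed_body(body):
    """RFC 6376 s3.4.4 'relaxed' body canonicalization: collapse runs of whitespace to one
    space, strip trailing whitespace per line, drop trailing empty lines; empty body -> ''."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in body.split("\r\n")]
    body = "\r\n".join(lines)
    while body.endswith("\r\n"):
        body = body[:-2]
    return body + "\r\n" if body else ""


def body_hash(body, canon="relaxed"):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    data = relaxed_body(body) if canon == "relaxed" else simple_body(body)
    return base64.b64encode(hashlib.sha256(data.encode("utf-8")).digest()).decode("ascii")


def parse_dkim_tags(value):
    """Parse a DKIM-Signature tag=value list; folding whitespace inside values is not significant."""
    tags = {}
    for part in value.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def dkim_dns_name(tags):
    """Where the verifier fetches the public key: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def get_header(head, name):
    """Return the first header named `name` after unfolding continuation lines (RFC 5322)."""
    for line in re.sub(r"\r\n[ \t]+", " ", head).split("\r\n"):
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return val.strip()
    return None


def verify_body_hash(raw_message):
    """First step of DKIM verification: recompute bh= over the received body and compare."""
    head, _, body = raw_message.partition("\r\n\r\n")
    sig = get_header(head, "DKIM-Signature")
    if sig is None:
        return False
    tags = parse_dkim_tags(sig)
    body_canon = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, body_canon) == tags.get("bh")


# Constructed sample body; the odd spacing is there to exercise relaxed canonicalization.
SAMPLE_BODY = "Hello,   world \r\nPlease  review the attached  invoice.\r\n\r\n"


def build_signed_message(body):
    """What a signer for example.com emits (b= left empty: the RSA step is not reproduced here)."""
    return (
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google;\r\n"
        " h=from:to:subject; bh=" + body_hash(body, "relaxed") + ";\r\n"
        " b=\r\n"
        "From: alice@example.com\r\n"
        "To: bob@example.net\r\n"
        "Subject: Invoice\r\n"
        "\r\n" + body
    )


if __name__ == "__main__":
    msg = build_signed_message(SAMPLE_BODY)
    print("as sent:        ", verify_body_hash(msg))
    print("footer appended:", verify_body_hash(msg + "-- \r\nScanned by mailing list\r\n"))
    print("key lookup name:", dkim_dns_name(parse_dkim_tags(get_header(msg, "DKIM-Signature"))))
```

The bh= mismatch is the most common DKIM failure seen in DMARC reports: mailing lists and security gateways that append text to the body produce exactly the second case above.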

DMARC: Domain-based Message Authentication, Reporting & Conformance

What it does:

DMARC builds on SPF and DKIM by adding alignment requirements and telling receivers what to do when authentication fails.

How DMARC Works

  1. DMARC requires either SPF or DKIM to pass AND align with the From header domain: SPF's authenticated identifier is the MAIL FROM domain, DKIM's is the signature's d= tag. Alignment is relaxed by default (same organizational domain, so mail.example.com aligns with example.com); aspf=s and adkim=s demand an exact match
  2. You specify a policy: none (monitor), quarantine (spam), or reject (block). sp= sets a separate policy for subdomains and pct= applies the policy to only a percentage of failing mail while you phase enforcement in
  3. Receivers send you reports: aggregate XML reports (rua=) summarizing results per sending IP, and optionally per-message failure reports (ruf=)
  4. You gain visibility into who's sending email as your domain, including legitimate services you forgot to authorize

Example DMARC Record

_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:[email protected]"

Start at p=none to collect reports, then move to quarantine and finally reject once every legitimate sender authenticates and aligns; jumping straight to reject blocks your own unauthenticated mail.

How They Work Together

  1. Email is sent: the sending server adds a DKIM-Signature header, and the domain's SPF record lists its authorized IPs
  2. Receiving server checks SPF: is the connecting IP authorized for the MAIL FROM (Return-Path) domain?
  3. Receiving server checks DKIM: does the signature verify against the public key published at <selector>._domainkey.<d= domain>?
  4. DMARC evaluates alignment: does at least one passing identifier (SPF's MAIL FROM domain or DKIM's d= domain) match the From header domain?
  5. Action taken based on DMARC policy: none, quarantine, or reject according to your p= (or sp= for subdomains), and the outcome is recorded in the aggregate report sent to your rua= address
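Steps 4 and 5 above, and the alignment and policy rules in "How DMARC Works", as one added example that is not SpoofSentry's code: a Python evaluator that takes the From header domain, the SPF result with its MAIL FROM domain, and the DKIM result with its d= domain, decides alignment (relaxed or strict) against a DMARC record, and returns the disposition. The public-suffix table is a constructed four-entry subset of the Public Suffix List, the sample record uses a constructed report mailbox, and pct= and report generation are out of scope.

```python
# Constructed subset of the Public Suffix List (assumption: a real verifier loads the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain):
    """Registrable ('organizational') domain: one label more than the longest public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])  # unknown suffix: fall back to the last two labels (assumption)


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: 's' = exact match, 'r' (relaxed) = same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else organizational_domain(a) == organizational_domain(f)


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Evaluate one message against a DMARC record.

    from_domain: domain of the RFC5322.From header (what the user sees)
    spf_domain:  the MAIL FROM / Return-Path domain that SPF was evaluated on
    dkim_domain: the d= tag of a DKIM signature that verified (None if none did)
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return {"result": "none", "disposition": "none", "reason": "no valid DMARC record"}

    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none",
                "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}

    # Failure: apply p=, or sp= when the From domain is a subdomain of the organizational domain.
    policy = tags["p"]
    if "sp" in tags and from_domain.lower() != organizational_domain(from_domain):
        policy = tags["sp"]
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"
    return {"result": "fail", "disposition": policy,
            "spf_aligned": spf_ok, "dkim_aligned": dkim_ok}


# Constructed record in the shape of the one above (report mailbox is made up).
EXAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:reports@example.com"

if __name__ == "__main__":
    cases = {
        "direct from Google Workspace": ("example.com", "pass", "example.com", "pass", "example.com"),
        "forwarded (SPF breaks, DKIM survives)": ("example.com", "fail", "example.com", "pass", "example.com"),
        "spoof with attacker's own SPF/DKIM": ("example.com", "pass", "attacker.example", "pass", "attacker.example"),
    }
    for name, args in cases.items():
        print(f"{name}: {evaluate_dmarc(EXAMPLE_RECORD, *args)}")
```

The third case is the one DMARC exists for: the attacker's SPF and DKIM both pass for attacker.example, but neither identifier aligns with the From header, so the message is rejected.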

Why You Need All Three

SPF Alone

❌ Checks the envelope sender (Return-Path), not the From header users see
❌ Doesn't verify message integrity
❌ No visibility into failures
❌ Breaks with forwarding (the forwarder's IP isn't in your record)

DKIM Alone

❌ The signing domain (d=) doesn't have to match the From header
❌ No policy for failures
❌ No reporting mechanism
❌ Complex key management

SPF + DKIM + DMARC

✅ Complete authentication
✅ Policy enforcement
✅ Visibility & reporting

Check Your Email Authentication

Use our free tools to verify your SPF, DKIM, and DMARC records are properly configured.
