EmailPosture

SPF, DKIM, and DMARC Explained

The complete plain-English guide.

Email was built without any way to prove who a message is from. By default, anyone can put your domain in the From address and most servers will deliver it. That is the mechanism behind phishing and invoice fraud that appears to come from real companies. Three DNS records close that gap, and they're free to set up. This guide explains what each one does, how they work together, and where to go next.

If you'd rather just see where your domain stands, run a free check first. It grades all of this and tells you what to fix.

The three records at a glance

SPF and DKIM are the evidence. DMARC is the policy that acts on it. You need all three.

SPF: who can send for you

SPF (Sender Policy Framework) is a single TXT record at your domain listing the servers and services authorized to send mail using it: your mailbox provider, your marketing platform, your help desk, and so on. When a server receives mail claiming to be from you, it checks whether the connecting server's IP address is on that list. SPF has real limits, though. It checks the technical envelope sender (the MAIL FROM, or Return-Path, address), not the From address a human sees, so a vendor can pass SPF for its own bounce domain while displaying yours. It breaks when mail is forwarded, because the forwarding server's address isn't on your list. And one record may trigger at most 10 DNS lookups (every include:, a:, mx:, ptr: and exists: term counts); go past that and receivers return a permanent error, which is also what happens if a domain publishes two SPF records instead of one. That's why it isn't enough on its own. See the common SPF mistakes and fixes.
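What a receiver actually does with that record is walk its mechanisms in order and stop at the first match, spending part of the 10-lookup budget on every include:. The evaluator below is an added example written for this guide, not EmailPosture's checker; it works against a constructed in-memory zone (FAKE_DNS and OVERLIMIT_DNS are assumptions standing in for live DNS) and implements only the ip4, ip6, include and all mechanisms, so the lookup-limit failure and the pass/fail/softfail qualifiers are visible end to end.

```python
import ipaddress

# Constructed zone data standing in for live DNS (an assumption for this
# example; a real evaluator would query TXT records).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example include:crm.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/25 include:_netblocks.mailhost.example ~all",
    "_netblocks.mailhost.example": "v=spf1 ip6:2001:db8::/32 -all",
    "crm.example": "v=spf1 ip4:192.0.2.10 -all",
}

# RFC 7208 section 4.6.4: at most 10 mechanisms that need a DNS lookup
# (include, a, mx, ptr, exists, plus the redirect modifier) per evaluation.
MAX_LOOKUPS = 10

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, dns=FAKE_DNS, lookups=None):
    """Evaluate a sender IP against a domain's SPF record.

    Returns (result, dns_lookups_used). Only ip4, ip6, include and all are
    implemented; any other mechanism yields permerror so the limitation is
    visible rather than silently ignored.
    """
    if lookups is None:
        lookups = [0]          # shared counter across include: recursion
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none", lookups[0]
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            # An address-family mismatch simply doesn't match (no lookup spent).
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier], lookups[0]
        elif name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror", lookups[0]
            inner, _ = check_spf(value, sender_ip, dns, lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier], lookups[0]
            if inner in ("none", "permerror", "temperror"):
                return "permerror", lookups[0]   # RFC 7208 section 5.2
            # fail/softfail/neutral inside an include just means "no match here"
        elif name == "all":
            return QUALIFIERS[qualifier], lookups[0]
        else:
            return "permerror", lookups[0]
    return "neutral", lookups[0]   # nothing matched and there was no "all" term


# Constructed record that blows the budget: eleven include: lookups.
OVERLIMIT_DNS = {
    "toomany.example": "v=spf1 " + " ".join(f"include:s{i}.example" for i in range(11)) + " -all",
}
OVERLIMIT_DNS.update({f"s{i}.example": "v=spf1 ip4:10.0.0.1 -all" for i in range(11)})


if __name__ == "__main__":
    for dom, ip, zone in [
        ("example.com", "203.0.113.7", FAKE_DNS),        # direct ip4 match, zero lookups
        ("example.com", "2001:db8:1::5", FAKE_DNS),      # matched two includes deep
        ("example.com", "192.0.2.10", FAKE_DNS),         # CRM vendor, third include
        ("example.com", "198.18.0.1", FAKE_DNS),         # nothing matches: -all -> fail
        ("toomany.example", "203.0.113.5", OVERLIMIT_DNS),  # permerror on the 11th lookup
    ]:
        print(dom, ip, check_spf(dom, ip, zone))
```

The lookup counter is shared down the whole include: chain on purpose: that is why a record that looks short can still exceed the limit once the vendors it includes pull in their own includes.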

DKIM: a signature that proves it's really you

DKIM (DomainKeys Identified Mail) signs each outgoing message with a private key held by the sending service. You publish the matching public key in DNS under a selector (selector._domainkey.yourdomain), and receivers fetch it to confirm the message was signed with a key for your domain and that the signed headers and body weren't altered in transit. Unlike SPF, DKIM survives ordinary forwarding, because the signature travels with the message; it fails only when something modifies the signed content, as mailing lists that append footers or rewrite subject lines do. That makes it the more reliable signal. It's enabled inside each sending service rather than in one place, because each service holds its own signing key. See how to set up DKIM.
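The forwarding behaviour comes down to what the signature covers and how the body is canonicalized before hashing. This added example (written for this guide, not taken from any DKIM library) implements the simple and relaxed body canonicalization from RFC 6376 and the bh= body hash, then checks a constructed DKIM-Signature value against three constructed bodies: the original, a forwarded copy where only whitespace and trailing blank lines changed, and a mailing-list copy with a footer appended. Only the body-hash half of verification is shown; the b= signature over the headers needs the private key and an RSA library, so it is left empty and labelled as such.

```python
import base64
import hashlib
import re


def canonicalize_body(body: bytes, algorithm: str = "relaxed") -> bytes:
    """Body canonicalization from RFC 6376 section 3.4.3 (simple) and 3.4.4 (relaxed).

    simple:  drop empty lines at the end, make sure the body ends in one CRLF.
    relaxed: additionally strip trailing whitespace on every line and collapse
             runs of spaces/tabs inside a line to a single space.
    """
    lines = body.split(b"\r\n")
    if algorithm == "relaxed":
        lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    if not lines:
        # An empty body hashes as zero bytes in relaxed mode and as one CRLF in simple mode.
        return b"" if algorithm == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, algorithm: str = "relaxed") -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, algorithm)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into tag=value pairs (folding whitespace removed)."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags


def body_hash_matches(header_value: str, body: bytes) -> bool:
    """Check the bh= tag against the body as received. A mismatch means the body
    was altered after signing; a real verifier stops here and never checks b=."""
    tags = parse_dkim_tags(header_value)
    canon = tags.get("c", "simple/simple")          # "header/body"; body defaults to simple
    body_alg = canon.split("/", 1)[1] if "/" in canon else "simple"
    return body_hash(body, body_alg) == tags.get("bh")


def example_signature_header(body: bytes) -> str:
    """Constructed DKIM-Signature value for the sample message. Only bh= is real;
    b= (the RSA signature over the selected headers and this tag set) is left
    empty because producing it needs the signer's private key."""
    return ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1; "
            "h=from:to:subject:date; bh=" + body_hash(body, "relaxed") + "; b=")


# Constructed sample bodies (CRLF line endings, as on the wire).
ORIGINAL = b"Hi,\r\n\r\nPlease find the invoice attached.\r\n\r\nThanks\r\n"
# A plain forwarder that only disturbed whitespace and trailing blank lines.
FORWARDED = b"Hi,   \r\n\r\nPlease find  the invoice attached.\r\n\r\nThanks\r\n\r\n\r\n"
# A mailing list that appended a footer: real content changed.
LIST_MODIFIED = ORIGINAL + b"-- \r\nYou received this via the announce list.\r\n"

if __name__ == "__main__":
    sig = example_signature_header(ORIGINAL)
    print(sig)
    print("forwarded, relaxed:", body_hash_matches(sig, FORWARDED))        # True
    print("list footer, relaxed:", body_hash_matches(sig, LIST_MODIFIED))  # False
    print("forwarded, simple:",
          body_hash(ORIGINAL, "simple") == body_hash(FORWARDED, "simple"))  # False
```

Relaxed canonicalization is what most signers choose precisely because it tolerates the whitespace damage that gateways and forwarders inflict; it still catches any change to the actual content, which is why mailing-list footers break DKIM and why those lists often re-sign with their own domain.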

DMARC: the policy that stops impersonation

DMARC (Domain-based Message Authentication, Reporting and Conformance) is where it all comes together. It does two things. First, it tells receivers what to do with mail that fails authentication: nothing, send to spam, or reject. Second, it asks receivers to send you reports (aggregate reports to the rua= address, and optionally per-message failure reports to ruf=) about who is sending mail as you, which is how you discover both your own forgotten senders and the people spoofing you.

The crucial concept is alignment. DMARC passes only if SPF or DKIM not only passes but is aligned, meaning the domain it authenticated (the envelope MAIL FROM domain for SPF, the d= domain in the signature for DKIM) matches the domain a human sees in the From field. By default alignment is relaxed, so a subdomain such as mail.example.com aligns with example.com; adkim=s or aspf=s tightens that to an exact match. A message can pass raw SPF for a vendor's domain yet fail DMARC for yours because the domains don't line up. DKIM alignment is the more dependable path, which is the practical reason to make sure every service that sends as you signs with your domain as d=. See how to set up DMARC safely.
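The alignment rule and the policy ladder below are easiest to see as a small evaluator. This added example (written for this guide, not EmailPosture's grader) parses a _dmarc TXT record, applies relaxed or strict alignment to the raw SPF and DKIM results, and returns the DMARC result together with the disposition a receiver would apply under p= (or sp= for subdomains). The organizational-domain lookup uses a tiny constructed stand-in for the Public Suffix List, which is an assumption; a real implementation needs the full list. The scenarios in the usage section are the vendor case from the paragraph above.

```python
# Constructed stand-in for the Public Suffix List (assumption: a real
# implementation would load the full list from publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def organizational_domain(domain: str) -> str:
    """Public suffix plus one label: mail.example.com -> example.com."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


def aligned(authenticated_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment (RFC 7489 section 3.1): 's' strict, 'r' relaxed."""
    a, f = authenticated_domain.lower(), from_domain.lower()
    if mode == "s":
        return a == f
    return organizational_domain(a) == organizational_domain(f)


def parse_dmarc(record: str) -> dict:
    """Tag=value parsing of a _dmarc TXT record with RFC 7489 defaults filled in."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + record)
    tags.setdefault("adkim", "r")   # relaxed alignment unless the record says otherwise
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def dmarc_evaluate(record, record_domain, from_domain, spf_result, spf_domain, dkim_results):
    """Decide the DMARC result and the disposition a receiver should apply.

    record_domain: where the _dmarc record was found (the From organizational domain).
    spf_result/spf_domain: raw SPF outcome and the MAIL FROM domain it authenticated.
    dkim_results: list of (d= domain, raw DKIM result), one per signature on the message.
    pct= is parsed but not applied; a receiver enforces on only that share of mail.
    Returns (dmarc_result, disposition).
    """
    policy = parse_dmarc(record)
    spf_aligned = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_aligned = any(res == "pass" and aligned(d, from_domain, policy["adkim"])
                       for d, res in dkim_results)
    if spf_aligned or dkim_aligned:
        return "pass", "none"
    # Mail whose From is a subdomain of the policy domain falls under sp= when set.
    use_sub = from_domain.lower() != record_domain.lower() and "sp" in policy
    return "fail", (policy["sp"] if use_sub else policy["p"])


if __name__ == "__main__":
    RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    # Vendor sends as example.com: raw SPF passes for the vendor's own bounce
    # domain, no DKIM signature for example.com -> nothing aligns, DMARC fails.
    print(dmarc_evaluate(RECORD, "example.com", "example.com",
                         "pass", "mailer.crm-vendor.com", []))
    # Same message once the vendor signs with d=example.com -> DKIM aligns, DMARC passes.
    print(dmarc_evaluate(RECORD, "example.com", "example.com",
                         "pass", "mailer.crm-vendor.com", [("example.com", "pass")]))
    # Strict DKIM alignment refuses a subdomain signer that relaxed mode accepts.
    print(dmarc_evaluate("v=DMARC1; p=quarantine; adkim=s", "example.com", "example.com",
                         "none", "", [("mail.example.com", "pass")]))
```

Note that the vendor's SPF pass counts for nothing here: a receiver publishes the raw result in its reports, but only an aligned pass changes the disposition, which is exactly the situation the reports surface for you in the next section.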

The DMARC policy ladder

DMARC has three policy levels, set by the p= tag, and the whole point is to climb from the first to the last without breaking your real mail:

  1. p=none: monitor only. Failing mail is delivered as usual; you just receive reports.
  2. p=quarantine: receivers send failing mail to spam (or their equivalent).
  3. p=reject: receivers refuse failing mail outright.

Many domains stall at p=none and mistakenly believe they're protected. They aren't: p=none changes nothing about delivery, it only reports. The DMARC guide walks the safe path all the way to enforcement.

Two more worth knowing: DNSSEC and MTA-STS

SPF, DKIM, and DMARC are the core, but two related protections round out a strong posture. DNSSEC signs your DNS zone so that resolvers can detect forged or altered answers; without it, the very SPF, DKIM and DMARC records receivers rely on can be spoofed on their way to a receiver's resolver. It remains widely undeployed, including at many large companies. MTA-STS tells sending servers that delivery to your mail servers must use TLS with a valid certificate, instead of silently falling back to plaintext when a downgrade or a misconfiguration makes encryption unavailable; the policy is fetched over HTTPS, which is what lets it hold up even without DNSSEC. Neither replaces the core three, but both raise the bar.

How to put it all together

  1. Get SPF correct: one record, every legitimate sender listed, under the 10 DNS lookup limit.
  2. Turn on DKIM for every service that sends as you, signing with your domain as d=.
  3. Publish DMARC at p=none with a rua= reporting address, read the reports, fix any legitimate senders that are failing.
  4. Move up to p=quarantine, then p=reject, once the reports show your legitimate mail aligning.
  5. Re-check after each change to confirm it took.
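Step 3 is where most of the work sits: the aggregate reports arrive as XML, one row per sending IP, and the job is to tell your own misconfigured senders apart from outright spoofing before you enforce. This added example (written for this guide, not EmailPosture's reporting) parses a constructed report in the RFC 7489 Appendix C format (the IPs, counts and domains in SAMPLE_REPORT are made up) and labels each source by whether it aligned, authenticated for some other domain (typically a vendor you need to get DKIM-signing as your domain), or authenticated for nothing at all.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate (rua) report in the RFC 7489 Appendix C schema; an
# assumption standing in for what a mailbox provider would actually send.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>report-0001</report_id>
    <date_range><begin>1768435200</begin><end>1768521600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.7</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>mailer.crm-vendor.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>5600</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def summarize_report(xml_text: str) -> list:
    """One summary dict per <record>: source IP, count, aligned DMARC outcome and
    a triage label derived from the raw (unaligned) authentication results."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        # policy_evaluated holds the *aligned* results the receiver acted on.
        dkim_aligned = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_aligned = rec.findtext("row/policy_evaluated/spf") == "pass"
        # auth_results holds raw passes, including ones for other people's domains.
        raw_passes = [
            (kind, node.findtext("domain"))
            for kind in ("dkim", "spf")
            for node in rec.findall(f"auth_results/{kind}")
            if node.findtext("result") == "pass"
        ]
        if dkim_aligned or spf_aligned:
            label = "aligned"                       # your mail, working
        elif raw_passes:
            label = "authenticated but unaligned"   # a vendor sending as you without your d=
        else:
            label = "unauthenticated"               # forgotten sender or spoofing
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "dmarc": "pass" if (dkim_aligned or spf_aligned) else "fail",
            "label": label,
            "raw_passes": raw_passes,
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
        })
    return rows


def failing_volume(rows: list) -> int:
    """Messages that would be quarantined or rejected the moment p= moves off none."""
    return sum(r["count"] for r in rows if r["dmarc"] == "fail")


if __name__ == "__main__":
    rows = summarize_report(SAMPLE_REPORT)
    for r in sorted(rows, key=lambda r: -r["count"]):
        print(f'{r["source_ip"]:>15} {r["count"]:>6} {r["dmarc"]:<5} {r["label"]} {r["raw_passes"]}')
    print("would be affected under enforcement:", failing_volume(rows))
```

Read the "authenticated but unaligned" rows first: each one is a real service that needs DKIM turned on with your domain (or its bounce domain moved under yours). The "unauthenticated" rows are either a sender you forgot or someone spoofing you; once the first group is empty and the second is only volume you don't recognise, the move to p=quarantine is safe.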

See your SPF, DKIM, DMARC, and DNSSEC grade in ten seconds, with the exact fixes.

Check your domain free
© 2026 Email Posture