SPF, DKIM & DMARC: Email Authentication Guide
SPF and DKIM: Essential Email Authentication
Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) are critical standards for email authentication. SPF lets you define which mail servers are permitted to send email on behalf of your domain, thereby preventing spoofing. DKIM adds a cryptographic digital signature to your emails, ensuring that messages are sent by an authorized source and that their content remains unchanged during transit.
These protocols are widely implemented by platforms such as Microsoft 365, Google Workspace, Salesforce, HubSpot, Mailchimp, and more. Proper configuration improves email deliverability and protects your brand reputation against phishing and spoofing.
Deep Dive into DKIM: How It Works and Why It Matters
DKIM (DomainKeys Identified Mail) provides a method to validate an email's authenticity by using cryptographic signatures. When an email is sent, the originating server creates a unique DKIM signature by encrypting selected header fields and the message body with a private key. This signature is then attached to the email in a header field named DKIM-Signature.
The public key corresponding to the private key is published in the DNS as a TXT record under a specific selector (e.g., selector._domainkey.example.com). When the recipient server receives the email, it retrieves the public key from DNS and uses it to verify the signature. A successful verification ensures that the email was sent by an authorized sender and has not been altered during transit.
Implementing DKIM correctly is crucial. It not only increases the trustworthiness of your emails but also plays a vital role when combined with SPF and DMARC, helping to further secure your email communications. Learn more about DKIM records
Understanding SPF Notation and Configurations
SPF records are published as TXT records in DNS and begin with v=spf1. They consist of mechanisms and qualifiers that specify which servers are authorized to send email on your behalf. For example, a typical SPF record might look like: v=spf1 ip4:192.168.0.1 include:example.com -all. Learn more about SPF records
| Qualifier | Meaning | Effect |
|---|---|---|
| + | Pass | The server is authorized to send mail on behalf of the domain. |
| - | Fail | The server is not authorized; the email should be rejected. |
| ~ | Soft Fail | The server is not authorized; the email is accepted but tagged as suspicious. |
| ? | Neutral | No definitive policy is applied. |
Understanding DMARC Policies and Configuration
DMARC (Domain-based Message Authentication, Reporting, and Conformance) builds on SPF and DKIM to instruct receiving mail servers on how to handle emails that fail authentication. A DMARC record is published as a TXT record in DNS (typically under _dmarc.example.com). For example: v=DMARC1; p=reject; rua=mailto:[email protected]. Learn more about DMARC records
DMARC not only defines the policy—whether to take no action (none), quarantine, or reject emails—but also specifies reporting options that allow you to monitor your email traffic and adjust your configuration over time.
| Policy | Description | Effect |
|---|---|---|
| p=none | No enforcement | Emails are delivered, but DMARC reports are generated. |
| p=quarantine | Mark as suspicious | Emails failing DMARC checks are typically sent to spam or junk folders. |
| p=reject | Strict enforcement | Emails failing DMARC checks are rejected outright. |
DMARC Notation Guide
| DMARC Tag | Notation | Description | Recommended Usage |
|---|---|---|---|
| aspf | r | Relaxed SPF alignment. | Typically used unless strict SPF alignment is needed. |
| aspf | s | Strict SPF alignment. | Use if SPF is correctly set up and you want tighter control. |
| adkim | r | Relaxed DKIM alignment. | Typically used as default. |
| adkim | s | Strict DKIM alignment. | Use when DKIM signing is reliable and you want stricter control. |
Verifying Your DNS Records with nslookup and dig
We of course want to encourage you to continue to use DNSai for nslookup, IP lookup and AI assisted DNS lookups. However, you can also use command-line tools like nslookup and dig to verify and troubleshoot your DNS records on your own workstation with no additional software. Native nslookup and dig lookup commands are fantastic knowledge points to ensure that your SPF, DKIM, DMARC, MX, and A records are correctly configured.
Using nslookup
nslookup -type=A example.com
Retrieves the A record (IPv4 address) for example.com.nslookup -type=MX example.com
Displays the MX (Mail Exchange) records for example.com.nslookup -type=TXT example.com
Returns the TXT records, which include SPF, DKIM, and DMARC information.nslookup -type=PTR 203.0.113.5
Performs a reverse DNS lookup on the IP address 203.0.113.5.nslookup example.com
Provides general DNS information about example.com.
Using dig
dig example.com A +short
Retrieves the A record for example.com in a concise format.dig example.com MX +short
Retrieves the MX records for example.com.dig example.com TXT +short
Displays the TXT records (including SPF, DKIM, and DMARC) for example.com.dig -x 203.0.113.5 +short
Performs a reverse DNS lookup on the IP address 203.0.113.5.dig example.com ANY +short
Shows all available DNS records for example.com.
SPF vs DKIM vs DMARC: Key Differences
The three protocols are often confused because they work together, but each answers a different question. SPF checks where a message came from, DKIM checks whether it was tampered with, and DMARC decides what happens when either check fails — and reports back to you.
| SPF | DKIM | DMARC | |
|---|---|---|---|
| What it verifies | Sending server's IP is authorized | Message content wasn't altered; signer controls the domain | SPF/DKIM results align with the visible From address |
| How it works | TXT record listing allowed senders | Cryptographic signature + public key in DNS | Policy record telling receivers what to do on failure |
| DNS location | example.com TXT "v=spf1 …" |
selector._domainkey.example.com |
_dmarc.example.com |
| On failure | Receiver may flag or reject (per qualifier) | Signature invalid — message suspect | Enforces none / quarantine / reject & sends reports |
| Check yours | SPF Analyzer | DKIM Lookup | DMARC Lookup |
SPF, DKIM & DMARC FAQ
What is SPF (Sender Policy Framework)?
SPF is a DNS TXT record that specifies which mail servers are authorized to send email on behalf of your domain. It helps prevent email spoofing by allowing receiving servers to verify the sender's IP address against the SPF record.
What is DKIM (DomainKeys Identified Mail)?
DKIM adds a cryptographic digital signature to emails using a private key. The public key is published in DNS as a TXT record. Receiving servers verify the signature to ensure the email hasn't been modified during transit.
What is DMARC and how does it work?
DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM to specify how receiving servers should handle emails that fail authentication. It uses policies like p=none (monitor), p=quarantine (spam folder), or p=reject (block).
What do SPF qualifiers +, -, ~, and ? mean?
SPF qualifiers define how to handle matching mechanisms: + (Pass - authorized), - (Fail - reject), ~ (SoftFail - accept but flag), ? (Neutral - no policy). The default -all qualifier rejects all unauthorized senders.
What is the difference between DKIM and DMARC?
DKIM is an authentication mechanism: it cryptographically signs each message so receivers can verify it wasn't altered and was authorized by the signing domain. DMARC is a policy layer on top: it checks that DKIM (or SPF) passed and aligned with the From domain, tells receivers what to do when both fail, and sends you aggregate reports. DKIM without DMARC provides a signature but no enforcement; DMARC without DKIM breaks on forwarded mail. You need both, plus SPF.
How do I check my DMARC record?
Run a free DMARC record lookup — it queries _dmarc.yourdomain.com and shows your policy, alignment, and reporting addresses. From the command line, use nslookup -type=TXT _dmarc.yourdomain.com or dig TXT _dmarc.yourdomain.com +short.
Explore All DNS Record Types
Browse our complete directory of 37+ DNS record types with detailed explanations.
View All Record Types →Related Resources
- Email Security — Overview of email threats and protection
- SPF Record — Sender Policy Framework details
- DKIM Record — DomainKeys Identified Mail details
- DMARC Record — Domain-based Message Authentication details
- BIMI Record — Brand Indicators for Message Identification
- DS Record — DNSSEC delegation signer explained
- CAA Record — Control which CAs can issue your TLS certificates
- DNSKEY Record — Public keys that anchor DNSSEC validation
- Domain Name System — DNS fundamentals
- SPF Analyzer — Analyze your SPF configuration