Stop Email Spoofing: A No-Fluff Guide to SPF, DKIM, and DMARC
Read Time 8 mins | Written by: Noman Azam

If you own a domain and send emails from it, you need to care about one thing: email authentication. Why? Because attackers love pretending to be you.
They'll spoof your domain, send phishing emails to your clients or employees, and ruin your reputation—all without actually touching your email servers.
The good news? You can stop most of that nonsense with three simple DNS records: SPF, DKIM, and DMARC.
Let’s break them down in plain English.
What Is SPF?
SPF (Sender Policy Framework) tells the world who’s allowed to send emails from your domain. If a server isn’t on the list, it’s not you—and smart mail systems will treat it with suspicion.
Think of SPF like a guest list. If someone shows up to your party who’s not on the list, the bouncer doesn’t let them in.
Example SPF record:
v=spf1 include:spf.protection.outlook.com include:sendgrid.net -all
That record says:
"Only Microsoft 365 and SendGrid can send emails on our behalf. Everyone else? Denied."
What Is DKIM?
DKIM (DomainKeys Identified Mail) is like sealing your emails with a wax stamp. It proves that the message really came from you—and that no one messed with it along the way.
Your email server signs the message with a private key. The receiving server checks your DNS for the public key. If it matches, you're golden.
What it looks like in DNS:
selector1._domainkey.yourdomain.com TXT "v=DKIM1; k=rsa; p=YourVeryLongPublicKeyHere"
You’ll usually set this up directly in your email platform (Microsoft, Google, etc.), and it’ll tell you exactly what to publish.
What Is DMARC?
DMARC (Domain-based Message Authentication, Reporting & Conformance) ties SPF and DKIM together and gives you control over what happens when things fail.
It tells inboxes what to do:
- Let it through (p=none)
- Send it to spam (p=quarantine)
- Block it completely (p=reject)
It also lets you receive reports, so you know who’s trying to impersonate your domain.
Example DMARC record:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
Translation?
“Quarantine any email that fails SPF and DKIM. And send us the details so we can keep an eye on things.”
How They Work Together
You need all three:
| Protocol | Purpose | Helps Prevent... |
|---|---|---|
| SPF | Validates sender IP | Spoofed sending servers |
| DKIM | Verifies message integrity | Tampered emails |
| DMARC | Enforces rules + reports | Domain abuse, phishing |
SPF and DKIM do the checking. DMARC enforces the consequences.
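As an added example (not code from the article), here is a small Python model of how a receiving server turns the SPF result, the DKIM result and the DMARC record shown above into a verdict. It assumes the From: domain is already the organizational domain, so relaxed alignment reduces to "same domain or a subdomain of it" (real receivers consult the Public Suffix List for that step), and it reuses the article's yourdomain.com placeholder.

```python
"""DMARC verdict for one message: SPF or DKIM must pass AND align with From:."""


def parse_dmarc(record: str) -> dict:
    """Parse 'v=DMARC1; p=quarantine; ...' into tags, filling RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') also accepts subdomains.
    Simplification: from_domain is treated as the organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f or (mode == "r" and a.endswith("." + f))


def dmarc_result(record: str, from_domain: str,
                 spf_pass: bool, spf_domain: str,
                 dkim_pass: bool, dkim_domain: str,
                 sample: int = 0) -> tuple:
    """Return (dmarc_pass, disposition).

    spf_domain is the envelope-from (bounce) domain SPF was checked against;
    dkim_domain is the d= tag of a signature that verified. 'sample' (0-99)
    stands in for the receiver's random draw used to honour pct.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"          # one aligned pass is enough
    policy = tags["p"]
    # Messages outside the pct sample get the next weaker policy.
    if sample >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return False, policy


if __name__ == "__main__":
    REC = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100"
    # Constructed scenario: mail relayed from a host not in SPF, no DKIM
    # signature from yourdomain.com -> fails DMARC, gets quarantined.
    print(dmarc_result(REC, "yourdomain.com", False, "attacker.example", False, ""))
```

Note the third case in the checks below: a third-party sender whose own bounce domain passes SPF still fails DMARC unless that domain, or the DKIM d= domain, aligns with yours, which is why the SPF include alone is not enough.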
Why Should You Bother?
If you don’t lock this down:
- Attackers can send phishing emails that look like they're from you.
- Your legit emails may get flagged as spam.
- You risk getting blacklisted.
That’s bad for your brand—and even worse for your customers.
Not Sure Where to Start?
- Check if you have SPF, DKIM, and DMARC set up → Use MXToolbox or DMARC Analyzer
- Work with your email provider (Microsoft 365, Google Workspace, etc.) to generate the correct records.
- Add them to your domain's DNS (Cloudflare, GoDaddy, etc.)
- Monitor your DMARC reports and adjust policy as needed.
Final Word
SPF, DKIM, and DMARC aren’t “nice to have.” They’re the foundation of email security. Set them up once, and you’ll save yourself a world of trouble later.
If you need help configuring them—or just want someone to double-check what you’ve got—reach out to us. We’re here to help.