ITD Web Security Platform

Glossary

Tags: email authentication, SPF, DMARC

What are SPF / DKIM / DMARC — the trio that protects your domain from spoofed email

SPF, DKIM, and DMARC are three mechanisms published through DNS that let receivers verify whether mail claiming your domain is genuine. Without them, you can't stop phishing emails sent in your name. The role of each, a diagram of how mail is verified, and how to set them up safely (start DMARC at p=none) — explained plainly.

Published 2026-06-08 Updated 2026-06-08

"Phishing emails go out in your domain's name without you knowing" — SPF / DKIM / DMARC stop that. Here's the role of each and how to set them up safely.

The role of each

Setting   Role (in one line)
SPF       Declares in DNS which servers may send mail for the domain used as the envelope sender (MAIL FROM)
DKIM      Adds a cryptographic signature, verified with a public key in DNS, proving the signed headers and body are unaltered since a legitimate server signed them
DMARC     Requires SPF or DKIM to pass for a domain aligned with the visible From: address, declares what to do otherwise, and receives reports (the keystone that binds the three)

How mail gets verified

Receivers (Gmail, etc.) check SPF and DKIM on an incoming message, then apply your DMARC policy: if neither check passes for a domain aligned with the From: address, the message is handled according to p=none / quarantine / reject.

Incoming mail (your domain in the From: header)
↓ receiver verifies
SPF: is the sending IP authorized for the envelope-sender domain?
DKIM: is the signature valid and the signed content untampered?
↓ match results against DMARC policy
DMARC: does an aligned SPF or DKIM pass? If not → apply p=none / quarantine / reject
The receiver checks SPF/DKIM, then the DMARC policy makes the call. All three must mesh to work.

So SPF and DKIM alone may "check but do nothing": neither looks at the visible From: header, and a receiver with no policy simply records the result. Only with a DMARC policy, which demands alignment with the From: domain and tells the receiver what to do on failure, do they actually "stop spoofing."

How to set them up safely

1. One correct SPF record

Authorize every legitimate sender (your own servers, marketing and ticketing services, etc.). Publish exactly one v=spf1 TXT record per domain; two or more records make receivers return permerror and treat SPF as failed. Stay under the limit of 10 DNS-lookup terms (include, a, mx, ptr, exists, redirect), and end with ~all or -all, never +all, which authorizes every host.

2. Enable DKIM signing

Turn on DKIM in your mail platform and publish the public key at <selector>._domainkey.<domain>, so legitimate mail carries a valid signature. Prefer 2048-bit RSA keys where the platform allows, and keep the signature's d= domain the same as (or a subdomain of) the domain in your From: header so it aligns for DMARC.

3. Start DMARC at p=none

Don't reject immediately. Publish v=DMARC1; p=none; rua=mailto:<your report mailbox> at _dmarc.<domain> (monitor only) and confirm from the aggregate reports that every legitimate sender passes aligned SPF or DKIM before tightening.

4. Tighten gradually

Once reports show no legitimate sender is missed, move p=quarantine → p=reject (optionally ramping with pct= and setting sp= for subdomains), finally reaching "spoofing is rejected."
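The four steps above, and the alignment rule DMARC adds on top of SPF/DKIM, as an added worked example (this is not ITD's code). It lints a domain's SPF record against the single-record, 10-lookup and +all pitfalls, then computes the DMARC verdict and disposition a receiver would reach for a message, honoring aspf/adkim alignment, sp= for subdomains and pct= sampling. All DNS answers are constructed sample strings so it runs offline; the organizational domain is approximated as the last two labels (a real verifier uses the Public Suffix List), and the SPF lint counts only lookup terms in the record itself, not those inside included records.

```python
# Added example (not ITD's code): SPF record lint plus DMARC alignment and
# disposition logic, evaluated against constructed DNS answers (offline).
# Assumptions: organizational domain = last two labels (simplification; real
# verifiers use the Public Suffix List); SPF lookup count covers only the
# top-level record, not the contents of included records.
import re

# Constructed sample DNS answers for a fictional domain.
SAMPLE_DMARC = "v=DMARC1; p=quarantine; sp=reject; pct=50; rua=mailto:dmarc-reports@example.com"
SAMPLE_SPF_GOOD = ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example ~all"]
SAMPLE_SPF_BAD = ["v=spf1 a mx include:one.example +all"]   # +all authorizes everyone

# Mechanisms/modifiers that cost a DNS lookup toward the limit of 10.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|ptr|exists:|redirect=)", re.I)


def parse_dmarc(txt):
    """Split a DMARC TXT record into a tag dict, e.g. {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: " + txt)
    return tags


def org_domain(name):
    """Organizational domain, simplified to the last two labels (example assumption)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' (relaxed) = same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, is_subdomain=False, roll=1):
    """Return (dmarc_result, action) the way a receiver would.

    spf_domain is the MAIL FROM (envelope) domain; dkim_domain is the d= tag of a
    verified signature; roll is the receiver's 1..100 sample number for pct=.
    """
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"          # one aligned pass is enough: DMARC passes
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    if roll > int(tags.get("pct", "100")):
        # Message falls outside the pct= sample: RFC 7489 steps the policy down one level.
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


def lint_spf(txt_records):
    """Static checks on a domain's TXT records: one SPF record, <=10 lookups, no +all."""
    problems = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return [f"expected exactly one v=spf1 record, found {len(spf)} (receivers return permerror)"]
    terms = spf[0].split()[1:]
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        problems.append(f"{lookups} DNS-lookup terms exceed the limit of 10")
    if terms and terms[-1].lower() in ("+all", "all"):
        problems.append("'+all' authorizes every host on the internet; use ~all or -all")
    return problems


if __name__ == "__main__":
    print(lint_spf(SAMPLE_SPF_GOOD))   # []
    print(lint_spf(SAMPLE_SPF_BAD))    # flags +all
    # Spoofed From: example.com; SPF passes only for the attacker's own envelope domain, no DKIM.
    print(dmarc_disposition(SAMPLE_DMARC, "example.com", "pass", "attacker.example", "none", ""))
```

Try the disposition function with a legitimate bounce domain (bounce.example.com) as the SPF domain to see relaxed alignment pass, then switch aspf=s in the record to see the same message fail: that is exactly the kind of legitimate traffic the p=none reports surface before you tighten.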

ITD's view: you're also protecting your users

SPF/DKIM/DMARC isn't only about your mail arriving — it protects your users from phishing that impersonates your domain. Phishing is ultimately an entry to stealing credentials and keys. Many domains stop at SPF/DKIM and never raise DMARC to enforcement (reject). Don't settle at p=none — read the reports and ramp all the way to reject for it to matter.

FAQ

Q: What are SPF / DKIM / DMARC for?
A: So receivers (Gmail, etc.) can verify whether mail from your domain is genuine. Without them, anyone can send spoofed phishing in your name unchecked, and your domain's reputation suffers.

Q: What's the difference between the three?
A: SPF declares "which servers may send for this domain", DKIM is a "cryptographic signature proving it wasn't tampered with", and DMARC is "what to do if SPF/DKIM fail, plus reporting". DMARC ties SPF/DKIM together and gives them teeth.

Q: What should I watch out for when configuring?
A: Authorize all legitimate senders (mail services, etc.) before tightening. Especially DMARC: jumping straight to reject can drop legitimate mail, so start at p=none (monitor only), read the reports, then move p=quarantine → p=reject.