SPF, DKIM and DMARC Explained: The Complete Email Authentication Guide
Email authentication rests on three DNS-based standards. SPF lists the servers allowed to send mail for your domain, DKIM cryptographically signs each message, and DMARC tells receivers what to do when those checks fail — and sends you reports about it.
SPF in one minute
SPF is a TXT record on your domain, for example: v=spf1 include:_spf.google.com ~all. When a server receives mail claiming to be from your domain, it checks whether the connecting IP is covered by this record. Validate yours with our SPF Validator — and keep the total DNS lookups under 10.
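The lookup budget mentioned above can be checked offline before a record is published. The following is an added example, not code from this page or its validator tool: it walks include and redirect chains over a constructed sample zone (every domain and record below is made up) and counts the terms that RFC 7208 charges against its limit of 10 DNS lookups. The count is a worst case, since real evaluation stops at the first matching mechanism.

```python
import re

LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 lookups yields permerror
QUERYING = {"a", "mx", "ptr", "exists"}  # mechanisms that cost one DNS query each

# Constructed sample zone: placeholder domains and documentation IP ranges.
ZONE = {
    "example.com": "v=spf1 mx include:_spf.mailhost.example include:mktg.example ~all",
    "_spf.mailhost.example": "v=spf1 include:_a.mailhost.example include:_b.mailhost.example ~all",
    "_a.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_b.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "mktg.example": "v=spf1 a exists:%{i}.bl.mktg.example redirect=_fallback.mktg.example",
    "_fallback.mktg.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

def count_lookups(domain, zone, path=()):
    """Worst-case number of DNS-querying SPF terms reachable from `domain`."""
    if domain in path:
        raise ValueError(f"include/redirect loop via {domain}")
    record = zone.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier, if any
        m = re.match(r"(?i)(?:include:|redirect=)(.+)", term)
        if m:
            # One query for the referenced record, plus whatever it references.
            target = m.group(1).lower().rstrip(".")
            total += 1 + count_lookups(target, zone, path + (domain,))
        else:
            name = re.split(r"[:/=]", term.lower(), maxsplit=1)[0]
            total += name in QUERYING  # ip4, ip6, all and exp cost nothing
    return total

def within_limit(domain, zone):
    """True when the record stays inside the RFC 7208 lookup limit."""
    return count_lookups(domain, zone) <= LOOKUP_LIMIT

if __name__ == "__main__":
    print("example.com:", count_lookups("example.com", ZONE), "lookups")
```

Nested includes are where the budget usually goes: the top-level record here has only three querying terms, but the providers' own records bring the total to 8.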
DKIM in one minute
Your mail server signs outgoing messages with a private key; the public key lives at selector._domainkey.yourdomain.com. Receivers verify the signature to confirm the message wasn't altered. Check any selector with the DKIM Validator.
DMARC ties it together
A DMARC record at _dmarc.yourdomain.com sets a policy (p=none, quarantine or reject) and a reporting address. Start at p=none, review reports for a few weeks, then enforce. Analyze your record with the DMARC Analyzer.
Rollout checklist
- Publish SPF covering every legitimate sender (your mail host, marketing platform, helpdesk, etc.).
- Enable DKIM signing at every sending service, each under its own selector.
- Publish DMARC with p=none and a rua address.
- After reports look clean, move to p=quarantine, then p=reject.