
SPF vs DKIM vs DMARC: The Ultimate Guide

Learn what these three core email verification records do, how they protect your brand, and how to write a secure policy.

1. Overview

If you've researched email deliverability, you've likely seen the acronyms SPF, DKIM, and DMARC. These three DNS records form the backbone of modern email security. They confirm to mailbox providers (like Gmail and Outlook) that you are the legitimate sender, preventing hackers from spoofing your domain name.

2. Signs & Symptoms

If you lack these records, you will experience:

  • Spoofing attacks, where spammers send phishing emails claiming to be you.
  • Failed DMARC audits in SEO or security scanners.
  • Emails flagged with 'via sendgrid.net' or 'via mailchimp.com' next to your name.

3. Technical Explanation

Let's break down the differences:

  • SPF (Sender Policy Framework): Think of SPF as a guest list. You write a TXT record listing the specific servers (IP addresses) allowed to send mail for your domain.
  • DKIM (DomainKeys Identified Mail): Think of DKIM as a wax seal. Your server signs each outgoing message and attaches the cryptographic signature as a DKIM-Signature header. The receiving server fetches your public key from DNS to verify the signature.
  • DMARC (Domain-based Message Authentication, Reporting and Conformance): Think of DMARC as instructions for the gatekeeper. It tells receiving servers what action to take (none, quarantine, reject) when a message fails authentication, meaning neither SPF nor DKIM passes for the domain shown in the From address.

4. Step-by-Step Fixes

How to write and align these records correctly:

  1. Draft your SPF record: Combine all authorized services. Example:
    v=spf1 include:_spf.google.com ip4:192.0.2.1 ~all
  2. Publish DKIM keys: Generate the TXT key inside Office 365, Google Workspace, or custom SMTP servers, then publish it under the selector name in DNS.
  3. Publish DMARC policies: Start with a monitor-only policy:
    v=DMARC1; p=none; rua=mailto:reports@yourdomain.com
    Verify that DMARC reports show all your legitimate emails passing verification before upgrading to p=quarantine or p=reject.

5. Summary Checklist

A solid setup contains:

  • An SPF record containing all your valid email servers (under 10 DNS lookups).
  • A 2048-bit DKIM key published on a TXT record.
  • DMARC enabled to report authentication passes and failures.