Email Security — SPF, DKIM & DMARC Explained

Complete guide to email authentication: SPF, DKIM, and DMARC setup to prevent email spoofing and improve deliverability.

Why Email Authentication Matters

Email spoofing is one of the most common attack vectors. Without proper authentication, anyone can send emails appearing to come from your domain. Since February 2024, Google and Yahoo require SPF and DKIM for all bulk email senders. Emails without authentication are increasingly rejected or sent to spam.

SPF — Sender Policy Framework

SPF is a DNS TXT record that lists the mail servers authorized to send email for your domain. Example: v=spf1 include:_spf.google.com include:sendgrid.net -all. The trailing -all (the all mechanism with the "-" fail qualifier) tells receivers to reject unauthorized senders.

DKIM — DomainKeys Identified Mail

DKIM adds a cryptographic signature to every outgoing email. The sending server signs with a private key; receivers verify the signature using the matching public key published in DNS. This proves the email was authorized and unmodified in transit.

DMARC — Domain-based Message Authentication, Reporting and Conformance

DMARC ties SPF and DKIM together with a policy that tells receivers what to do with mail that fails: p=none (monitor), p=quarantine (send to spam), p=reject (block). Start with p=none, use the reports to identify legitimate senders, then move to p=reject.
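The checks described in the SPF and DMARC sections can be run offline against the TXT values themselves. The linter below is an added example, not code from this page or from the DNS Visor tool; the function names are hypothetical, the DMARC sample values are constructed, and it goes beyond the page by also checking the SPF 10-lookup limit (RFC 7208) and the DMARC pct= and rua= tags (RFC 7489).

```python
# Added example: lints SPF and DMARC TXT values passed in as strings (no DNS queries).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # RFC 7208 4.6.4

def lint_spf(txt_records):
    """Findings for all TXT records published at the domain name itself."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        return ["no SPF record"] if not spf else ["multiple SPF records: permerror"]
    terms = spf[0].split()[1:]
    findings = []
    # Only terms visible in this record are counted; nested includes add more lookups.
    names = [t.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower() for t in terms]
    lookups = sum(n in SPF_LOOKUP_TERMS for n in names)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: over the limit of 10")
    all_terms = [t.lower() for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        if "redirect" not in names:
            findings.append("no all mechanism: unlisted senders get neutral, not fail")
    elif all_terms[0] in ("all", "+all"):
        findings.append("+all authorizes every sender")
    elif all_terms[0] != "-all":
        findings.append(f"{all_terms[0]} does not ask receivers to reject")
    return findings

def lint_dmarc(txt):
    """Findings for the TXT value published at _dmarc.<domain>."""
    pairs = (part.partition("=") for part in txt.split(";"))
    tags = {k.strip().lower(): v.strip() for k, _, v in pairs if k.strip()}
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag")
    elif policy == "none":
        findings.append("p=none only monitors: failing mail is still delivered")
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua= tag: no aggregate reports to identify legitimate senders")
    return findings

if __name__ == "__main__":
    # The SPF value is the page's example; the DMARC values are constructed samples.
    print(lint_spf(["v=spf1 include:_spf.google.com include:sendgrid.net -all"]))
    print(lint_dmarc("v=DMARC1; p=none"))
    print(lint_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```

An empty list means no finding for that record; feed it the TXT values returned by your resolver for the domain and for _dmarc.<domain>.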

Check Your Email Security

Use the DNS Visor MX & Email Check tool to verify your SPF, DKIM, and DMARC setup. It identifies missing or misconfigured records and provides recommendations.

Try it now

Use our free MX & Email Check to put this knowledge into practice.