Understanding the three pillars of email authentication and how they work together to protect your domain.
You need all three for full coverage: SPF and DKIM authenticate the message, and DMARC ties their results to the visible From domain, sets the policy on failure, and gives you reports.
| Feature | SPF | DKIM | DMARC |
|---|---|---|---|
| What it does | Lists the mail servers (IPs) allowed to send for your domain | Adds a cryptographic signature over selected headers and the body | Ties SPF/DKIM results to the visible From domain and tells receivers what to do on failure |
| How it works | Receiver checks the connecting IP against the SPF record of the MAIL FROM (Return-Path) domain | Receiver fetches the public key from DNS (selector + signing domain) and verifies the signature | Receiver checks that a passing SPF or DKIM identifier aligns with the From header domain, then applies the published policy |
| Protects against | Unauthorized servers sending with your domain in MAIL FROM | Tampering with the signed headers or body in transit | Spoofing of the visible From header, phishing with your domain |
| Setup difficulty | Easy | Medium (key generation, selector record, sender configuration) | Easy to publish, harder to move safely to enforcement |
| DNS record type | TXT at the domain | TXT at selector._domainkey.domain | TXT at _dmarc.domain |
| Provides reports | No | No | Yes (aggregate reports via rua, optional failure reports via ruf) |
| Can stand alone | Partial protection (does not check the From header, breaks on forwarding) | Partial protection (no policy on failure) | Needs SPF or DKIM: at least one must pass and align |
1. Someone sends an email claiming to be from your domain.
2. SPF: the receiver checks whether the connecting IP is authorized in the SPF record of the MAIL FROM (Return-Path) domain.
3. DKIM: the receiver reads the selector (s=) and signing domain (d=) from the DKIM-Signature header, fetches your public key from DNS, and verifies the signature.
4. DMARC alignment: the receiver checks whether the SPF-authenticated domain or the DKIM signing domain aligns with the domain in the visible From header. DMARC passes if at least one of SPF or DKIM passes and aligns; relaxed alignment accepts subdomains of the same organizational domain, strict alignment requires an exact match.
5. If DMARC fails, the receiver applies the policy you published (none, quarantine or reject).
6. The receiver sends aggregate reports on the authentication results to the address in your rua tag.
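The DMARC step of the flow above, as an added example that is not part of the original page: it takes the SPF and DKIM results a receiver has already computed, checks identifier alignment against the From header domain using the adkim/aspf tags, and returns the disposition. The domain names, the DNS answers and the organizational-domain heuristic (last two labels instead of the Public Suffix List) are assumptions made for the example.

```python
# Added example, not code from the original page. Evaluates DMARC from
# pre-computed SPF/DKIM results. DNS answers below are constructed.
from dataclasses import dataclass

# Constructed DNS answers standing in for real TXT lookups (assumed domain).
FAKE_DNS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "s1._domainkey.example.com": "v=DKIM1; k=rsa; p=BASE64_PUBLIC_KEY",  # placeholder key
    "_dmarc.example.com": "v=DMARC1; p=quarantine; adkim=r; aspf=s; rua=mailto:dmarc@example.com",
}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dict, applying the RFC defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment unless stated
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    # Simplification (assumption): real receivers use the Public Suffix List;
    # here the organizational domain is taken to be the last two labels.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict mode ('s') needs an exact match; relaxed ('r') needs the same org domain."""
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    from_domain: str   # domain of the visible From header (RFC5322.From)
    spf_result: str    # "pass", "fail", ... as computed by the receiver
    spf_domain: str    # MAIL FROM (Return-Path) domain SPF was evaluated on
    dkim_result: str   # "pass", "fail" or "none"
    dkim_domain: str   # d= tag of the verified signature ("" if none)


def dmarc_evaluate(res: AuthResults, dns: dict = FAKE_DNS) -> dict:
    """Return {'result': pass|fail|none, 'disposition': none|quarantine|reject, 'via': [...]}"""
    record = dns.get(f"_dmarc.{res.from_domain}")
    if record is None:
        # No policy published (the organizational-domain fallback is omitted here).
        return {"result": "none", "disposition": "none", "via": []}
    policy = parse_dmarc(record)
    via = []
    if res.spf_result == "pass" and aligned(res.spf_domain, res.from_domain, policy["aspf"]):
        via.append("spf")
    if res.dkim_result == "pass" and aligned(res.dkim_domain, res.from_domain, policy["adkim"]):
        via.append("dkim")
    if via:
        # At least one mechanism passed and aligned: DMARC passes, no action.
        return {"result": "pass", "disposition": "none", "via": via}
    return {"result": "fail", "disposition": policy["p"], "via": []}


if __name__ == "__main__":
    # A spoof: SPF passes for the attacker's own bounce domain, no DKIM signature.
    spoof = AuthResults("example.com", "pass", "attacker.example", "none", "")
    print(dmarc_evaluate(spoof))  # fails, disposition from the published p= tag
```

The forwarded-mail case is the one worth watching: SPF fails because the forwarder's IP is not in your record, but an intact DKIM signature still aligns, so DMARC passes. That is why the page recommends both mechanisms rather than SPF alone.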
Start with SPF and DMARC in monitoring mode (p=none) with a rua address. SPF alone gives some protection at receivers that act on it; p=none enforces nothing, but the aggregate reports show you every service sending as your domain before you block anything.
Implement all three: SPF, DKIM, and DMARC with p=quarantine or p=reject. This is the gold standard.
Don't move to p=reject without first running p=none and reviewing the reports. Legitimate senders you forgot about (marketing platforms, ticketing systems, forwarded mail) fail alignment and get blocked.
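The staged rollout described above as concrete DNS records, added here as an example rather than taken from the original page. The domain, selector, IP range, public key placeholder and report mailbox are assumptions; only one of the three `_dmarc` records is live at any time, and each stage replaces the previous one.

```dns
; Added example, not from the original page. Assumed domain example.com.

; Prerequisites: publish SPF and DKIM first so there is something to align.
example.com.                IN TXT "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"
s1._domainkey.example.com.  IN TXT "v=DKIM1; k=rsa; p=BASE64_PUBLIC_KEY"   ; placeholder key

; Stage 1: monitor only. Nothing is blocked; reports go to the rua address.
_dmarc.example.com.         IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

; Stage 2: quarantine a fraction of failing mail (pct), raise pct toward 100
; once the reports show only expected senders failing.
_dmarc.example.com.         IN TXT "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"

; Stage 3: reject. sp= applies the policy to subdomains; strict alignment
; (adkim=s, aspf=s) is optional and only safe once every sender is aligned.
_dmarc.example.com.         IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
```

Check each stage with a TXT lookup (for example `dig +short TXT _dmarc.example.com`) before relying on it; a typo in the tag list makes receivers ignore the record.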
See if your SPF, DKIM, and DMARC records are properly configured.
Check Your Domain Now