Am I Hackable?

SPF, DKIM, DMARC: Stop Attackers From Spoofing Your Emails

Benji · 3 min read

The short version

Email was invented in an era of trust. The protocol (SMTP) has no built-in way to verify who sent an email. Anyone can forge the "From" address and send emails that look like they come from your domain.

SPF, DKIM, and DMARC are three protocols that fix this. They work together to let receiving mail servers verify that an email actually came from an authorized sender.

SPF: who's allowed to send?

SPF (Sender Policy Framework) is a DNS record that lists which servers are allowed to send email on behalf of your domain. Defined in RFC 7208.

Example DNS record:

v=spf1 include:_spf.google.com include:sendgrid.net -all

This says: "Google and SendGrid can send emails for our domain. Reject everything else."

The receiving server checks the sending server's IP against your SPF record. If there's no match, the email fails SPF.

Limitation: SPF checks the envelope sender (MAIL FROM), not the From header that users see. An attacker can pass SPF while still showing a spoofed From address to the recipient.

DKIM: is the email authentic?

DKIM (DomainKeys Identified Mail) adds a digital signature to every email. The sending server signs the email with a private key; the receiving server verifies it using a public key published in DNS. Defined in RFC 6376.

This proves two things:

  1. The email was sent by someone with access to the private key.
  2. The email wasn't modified in transit.

Limitation: DKIM doesn't tell receiving servers what to do if the signature is missing or invalid. That's where DMARC comes in.

DMARC: the policy layer

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together. It does two things, as defined in RFC 7489:

  1. Alignment: Checks that the domain in the From header matches the domain verified by SPF or DKIM.
  2. Policy: Tells receiving servers what to do with emails that fail: do nothing (p=none), quarantine them (p=quarantine), or reject them (p=reject).

Example DNS record:

v=DMARC1; p=reject; rua=mailto:dmarc@example.com

This says: "Reject emails that fail authentication. Send me aggregate reports about what's happening."

How they work together

  1. Email arrives at Gmail (or any receiver)
  2. Gmail checks SPF: Was it sent from an authorized server?
  3. Gmail checks DKIM: Is the signature valid?
  4. Gmail checks DMARC: Does the From domain align with SPF/DKIM? What does the domain owner want us to do with failures?

All three need to be in place. SPF without DMARC can be bypassed. DKIM without DMARC is ignored when it fails. DMARC without SPF and DKIM has nothing to enforce.

How to set them up

All three are DNS records. You don't install anything on your server.

  1. SPF: Add a TXT record listing your email providers (Google Workspace, SendGrid, Resend, etc.)
  2. DKIM: Your email provider gives you a DNS record to add. It contains the public key.
  3. DMARC: Start with p=none to collect reports. Once you're confident, switch to p=quarantine, then p=reject.

Example DNS record (monitoring only):

v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com

Common mistakes

Jumping straight to p=reject. Start with p=none to see reports first. You might have legitimate email sources you forgot to add to SPF.

Forgetting a sending service. If you use Resend for transactional emails but forgot to add them to SPF, those emails will fail authentication.

Not monitoring DMARC reports. The rua tag sends you aggregate reports. Use a service like Google Postmaster Tools to read them.

Frequently Asked Questions

Do I need all three (SPF, DKIM, DMARC)?

Yes. SPF and DKIM each solve part of the problem. DMARC ties them together and tells receiving servers what to do when checks fail. Without all three, your domain is still vulnerable to spoofing.

Can attackers send emails from my domain?

Without SPF, DKIM, and DMARC, yes. Email was designed without authentication. Anyone can put your domain in the From field. These protocols let receiving servers verify if the email is legitimate.

Does setting up DMARC improve email deliverability?

Yes. Gmail, Microsoft, and Yahoo all use DMARC to determine trust. Properly authenticated emails are less likely to land in spam.
