So, you’ve set up your business email and everything is going smoothly.
You’re sending out newsletters, invoices, and client updates with no issues.
Then one day, your emails start landing in spam. Or worse, someone sends a phishing email pretending to be you. And your client clicks on it.
Sounds scary, right? It should, because email fraud is one of the most common cyber threats.
Billions of phishing emails get sent every single day. And most of them succeed because the sender’s domain has zero authentication in place.
This is why SPF, DKIM, and DMARC are essential.
These three protocols are the backbone of email security. And today we’ll go over each of them so you can understand how to protect yourself and your users.
What is SPF?
SPF stands for Sender Policy Framework.
It’s an email authentication method that lets you specify which mail servers are allowed to send emails on behalf of your domain.
SPF works through a DNS TXT record.
You publish this record in your domain’s DNS settings, and it contains a list of IP addresses and hostnames authorized to send mail for your domain.
When someone receives an email claiming to come from your domain, their mail server looks up your SPF record and checks whether the sending server’s IP address matches any of the approved entries.
Real-world example of SPF
Let’s say you run a small e-commerce business using the domain myshop.co.in.
You use Google Workspace for internal emails and Mailchimp for marketing campaigns.
Without SPF, any server on the internet could send an email pretending to come from myshop.co.in.
A scammer could send your customers a fake invoice, and their inbox would have no way to tell it apart from your real emails.
With SPF, you publish a DNS record that says: “Only Google’s servers and Mailchimp’s servers are allowed to send email for myshop.co.in.”
Now, when a scammer’s random server tries to send mail as you, the recipient’s mail server checks your SPF record, sees the server isn’t listed, and either rejects the email or sends it to spam.
SPF Pros
a) Easy to set up – SPF only requires adding a TXT record to your DNS. Most hosting providers and email platforms provide the exact record you need to copy and paste.
b) Blocks unauthorized servers – It prevents random, unapproved servers from sending mail using your domain, which is the most basic form of spoofing protection.
c) Widely supported – Almost every major email provider (Gmail, Outlook, Yahoo) checks SPF records when processing incoming mail.
d) Free to implement – There’s no cost involved. SPF is an open standard available to anyone with a domain.
SPF Cons
a) Breaks with forwarding – When an email is forwarded, the forwarding server’s IP isn’t in your SPF record. So the forwarded message can fail SPF checks even though it’s legitimate.
b) 10-lookup limit – SPF records have a maximum of 10 DNS lookups. If you use multiple third-party services (CRM, email marketing, helpdesk, etc.) you can hit this limit quickly.
c) Only checks the envelope sender – SPF validates the “Return-Path” address (the technical sender), not the “From” address that recipients actually see.
This means attackers can pass SPF by using a domain they own in the envelope sender while spoofing a trusted domain in the “From:” header.
d) Doesn’t verify message content – SPF confirms the sending server is authorized but says nothing about whether the email’s content has been tampered with in transit.
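The 10-lookup limit in point b) can be checked before a record is published. The sketch below is an added example, not part of the original article: it walks a record and its nested includes and counts every term that costs a DNS query. The ZONE table and all *.example hostnames are constructed stand-ins for live DNS.

```python
# Added example: count the DNS-querying terms in an SPF record (limit: 10).
# ZONE is constructed sample data standing in for live DNS TXT lookups;
# every *.example name in it is hypothetical.
ZONE = {
    "myshop.co.in": "v=spf1 include:_spf.workspace.example "
                    "include:mail.marketing.example include:crm.example "
                    "include:helpdesk.example mx ~all",
    "_spf.workspace.example": "v=spf1 include:_nb1.workspace.example "
                              "include:_nb2.workspace.example "
                              "include:_nb3.workspace.example ~all",
    "_nb1.workspace.example": "v=spf1 ip4:192.0.2.0/25 ~all",
    "_nb2.workspace.example": "v=spf1 ip4:192.0.2.128/25 ~all",
    "_nb3.workspace.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "mail.marketing.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "crm.example": "v=spf1 include:spf.relay.example a ~all",
    "helpdesk.example": "v=spf1 include:spf.relay.example "
                        "exists:%{i}.allow.helpdesk.example ~all",
    "spf.relay.example": "v=spf1 ip4:203.0.113.0/24 ~all",
}

# Terms that cost one DNS lookup each; ip4, ip6 and all cost none.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LIMIT = 10

def count_lookups(domain, zone=ZONE, path=()):
    """Return the total lookups needed to evaluate domain's SPF record."""
    if domain in path:
        raise ValueError("SPF include loop: " + " -> ".join(path + (domain,)))
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0
    total = 0
    for term in record.split()[1:]:
        # Split "include:host", "redirect=host", "a/24", "mx" into name + target.
        name, _, target = term.lstrip("+-~?").replace("=", ":", 1).partition(":")
        name = name.split("/")[0].lower()
        if name not in LOOKUP_TERMS:
            continue
        total += 1
        if name in ("include", "redirect"):  # nested records count too
            total += count_lookups(target, zone, path + (domain,))
    return total

def spf_status(domain, zone=ZONE):
    used = count_lookups(domain, zone)
    return used, ("permerror" if used > LIMIT else "ok")

print(spf_status("myshop.co.in"))
```

Four third-party services plus one mx term are enough to push this constructed record over the limit, at which point receivers treat the whole record as a permanent error.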
What is DKIM?
DKIM stands for DomainKeys Identified Mail. While SPF verifies the sending server, DKIM verifies the message itself.
How DKIM works
When you send an email, your mail server attaches a unique digital signature to the message header.
This signature is generated using a private cryptographic key that only your server holds. The corresponding public key is published in your domain’s DNS records.
When the recipient’s mail server receives your email, it retrieves your public key from DNS and uses it to verify the signature.
If the signature checks out, the server knows two things: the email genuinely came from your domain, and its content hasn’t been altered since it was sent.
DKIM Pros
a) Protects message integrity – DKIM ensures that the body and key headers of an email haven’t been modified between the sender and the recipient. Any tampering invalidates the signature.
b) Survives forwarding – Unlike SPF, DKIM signatures stay intact when emails are forwarded.
This is because the signature is attached to the message itself, not just the sending server’s IP address.
c) Builds domain reputation – Email providers use DKIM authentication as a positive signal when scoring your domain’s trustworthiness.
Consistently passing DKIM improves your long-term deliverability.
d) Works across third-party services – You can configure DKIM signing for services like Mailchimp, SendGrid, or HubSpot.
This ensures emails sent through those platforms still carry your domain’s verified signature.
DKIM Cons
a) More complex to configure – DKIM requires generating key pairs and publishing public keys in DNS. For non-technical users, the setup process can be intimidating compared to SPF.
b) Key management overhead – DKIM keys should be rotated periodically for security.
Managing and updating these keys, especially across multiple sending services, adds administrative work.
c) Doesn’t specify a policy – DKIM can tell a receiving server that a signature is valid or invalid, but it doesn’t instruct the server on what to do with unsigned or failed messages. There’s no built-in enforcement mechanism.
d) Partial signing is possible – DKIM doesn’t necessarily sign every part of an email.
Attackers can sometimes add content to unsigned portions of a message without breaking the signature.
What is DMARC?
DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.
It’s the protocol that ties SPF and DKIM together and adds two critical features they lack: reporting and policy enforcement.
How DMARC Works
DMARC works by checking alignment. When an email arrives, it verifies that the domain in the visible “From” address matches the domain validated by SPF or DKIM.
If there’s a mismatch, DMARC flags the message as unauthenticated.
DMARC also tells the receiving server what to do with messages that fail.
DMARC Reporting
One of DMARC’s most powerful features is its built-in feedback system.
When receiving mail servers process your emails, they send detailed reports back to you.
The reports give you visibility into every server attempting to send email on behalf of your domain. This includes both legitimate services you’ve authorized and unauthorized sources trying to impersonate you.
With this data, you can identify gaps in your authentication setup, spot abuse, and fine-tune your policies over time. This ensures only trusted senders can operate under your domain name.
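DMARC aggregate reports are XML documents, so the review described above is easy to script. The following is an added example, not part of the original article: it tallies pass and fail volume per sending IP and lists the sources that fail DMARC. The report is a constructed sample trimmed to the elements the code reads.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed aggregate report (trimmed to the elements used below); the IPs
# are documentation addresses and the counts are invented for illustration.
REPORT = """<feedback>
 <policy_published><domain>myshop.co.in</domain><p>none</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>myshop.co.in</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>45</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>myshop.co.in</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>310</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>myshop.co.in</header_from></identifiers></record>
</feedback>"""

def summarize(report_xml):
    """Return (published policy, {source_ip: Counter(pass=..., fail=...)})."""
    # Reports are third-party input: use a hardened parser (e.g. defusedxml)
    # when reading real ones.
    root = ET.fromstring(report_xml)
    policy = root.findtext("policy_published/p")
    sources = {}
    for row in root.iter("row"):
        verdict = row.find("policy_evaluated")
        # DMARC passes when either aligned check passed.
        ok = "pass" in (verdict.findtext("dkim"), verdict.findtext("spf"))
        tally = sources.setdefault(row.findtext("source_ip"), Counter())
        tally["pass" if ok else "fail"] += int(row.findtext("count"))
    return policy, sources

def failing_sources(report_xml):
    """Sources with DMARC failures, largest volume first."""
    _, sources = summarize(report_xml)
    bad = [(ip, t["fail"]) for ip, t in sources.items() if t["fail"]]
    return sorted(bad, key=lambda item: item[1], reverse=True)

print(failing_sources(REPORT))
```

Each failing source is either a legitimate service that still needs SPF or DKIM configured for your domain, or someone impersonating it; the list should contain only the latter before the policy is tightened.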
DMARC Enforcement
Once your DMARC record is published, you need to choose how strictly it should be enforced.
DMARC policies come in three levels:
- p=none – Monitor only. No action is taken.
- p=quarantine – Suspicious emails that fail DMARC checks are routed to the recipient’s spam or junk folder.
- p=reject – Emails that fail DMARC are blocked completely and never reach the inbox.
Starting with p=none is a sensible first move. It lets you collect reports, identify all your legitimate sending sources, and understand your email ecosystem without risking disruption.
Industry research suggests that 75-80% of domains with a published DMARC record never move past the p=none stage. The reasons vary from misconfigurations to fear of blocking legitimate mail or simply losing momentum after initial setup.
The goal, however, is to progress to p=quarantine or p=reject as you gain confidence in your configuration.
That’s when DMARC stops being an observation tool and starts being an actual shield.
Ready to put this into practice? Check out our step-by-step guide on How to Set Up SPF, DKIM, and DMARC for Your Domain With cPanel.
DMARC Pros
a) Comprehensive protection – DMARC addresses the gap that SPF and DKIM leave by requiring alignment between the authenticated domain and the displayed sender.
b) Actionable policies – Unlike SPF and DKIM, DMARC gives you direct control over what happens to unauthenticated emails: monitor, quarantine, or reject.
c) Visibility through reporting – Aggregate and forensic reports give you a clear picture of your email ecosystem, including unauthorized use of your domain.
d) Improves deliverability – Domains with enforced DMARC policies are trusted more by inbox providers, leading to better placement in recipients’ primary inboxes.
DMARC Cons
a) Requires SPF and DKIM first – DMARC doesn’t work in isolation. You need functioning SPF and DKIM records before DMARC can do its job.
b) Complex rollout – Moving from p=none to p=reject safely requires careful analysis of reports, identification of all legitimate sending sources, and gradual policy tightening. This process can take weeks or even months.
c) Report overload – High-volume senders can receive thousands of XML-based reports daily. Without a dedicated DMARC analytics tool, parsing these reports manually is impractical.
d) Third-party alignment challenges – Getting every third-party service you use (marketing platforms, CRMs, transactional email providers, etc.) to pass DMARC alignment can be a time-consuming configuration effort.
How SPF, DKIM, and DMARC Work Together
SPF and DKIM are powerful on their own, but they each only solve part of the problem. DMARC is the layer that brings them together, checks that everything aligns, and actually enforces what happens when something doesn’t.
Here’s how SPF, DKIM, and DMARC work together:
a) SPF check – When you send an email, the receiving server looks at the IP address it came from and checks it against your SPF record.
If the sending IP is on the list, the email passes. If not, the email fails the SPF check.
b) DKIM check – Next, the receiving server retrieves your public key from DNS and uses it to verify the DKIM signature on the message.
If the signature is valid, the server knows the email is authentic and untampered. If the signature is broken or missing, the DKIM check fails.
c) DMARC checks alignment – DMARC takes over. It doesn’t just look at whether SPF and DKIM passed; it also checks whether the domain that passed those checks actually matches the “From” address your recipient sees in their inbox.
This means an email could pass SPF or DKIM but still fail DMARC if the domains don’t align. This is the gap attackers try to exploit.
d) DMARC applies your policy – Based on the alignment result and your policy, DMARC instructs the receiving server on what to do.
It can instruct the server to send the email normally, route it to spam, or reject it entirely.
e) Reports are sent back to you – Finally, the recipient’s mail server generates feedback reports containing authentication results, failure details, and sending source information. This helps you monitor and improve the setup over time.
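Steps a) to d) can be expressed as a short decision function. This is an added example, not part of the original article: it takes SPF and DKIM verdicts as inputs, applies relaxed alignment against the visible From domain, and maps the result to the published policy. The public-suffix set, the *.example hostnames, and the sample messages are constructed.

```python
from dataclasses import dataclass

# Constructed, minimal public-suffix set; receivers use the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "in", "co.in", "example"}

def org_domain(domain):
    """Organizational domain: the longest public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain.lower()

def aligned(from_domain, auth_domain, strict=False):
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)  # relaxed (default)

@dataclass
class Message:
    header_from: str   # domain in the visible From: address
    spf_result: str    # SPF verdict for the Return-Path domain
    spf_domain: str
    dkim_result: str   # DKIM verdict for the signing (d=) domain
    dkim_domain: str

ACTIONS = {"none": "deliver", "quarantine": "spam folder", "reject": "reject"}

def parse_policy(record):
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags["p"]

def evaluate(msg, dmarc_record):
    spf_ok = msg.spf_result == "pass" and aligned(msg.header_from, msg.spf_domain)
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.header_from, msg.dkim_domain)
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    return "fail", ACTIONS[parse_policy(dmarc_record)]

RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@myshop.co.in"  # constructed
# Newsletter via a marketing platform: SPF passes for the platform's bounce domain only.
newsletter = Message("myshop.co.in", "pass", "bounce.mailer.example", "pass", "myshop.co.in")
# Forwarded invoice: SPF breaks at the forwarder, the DKIM signature survives.
forwarded = Message("myshop.co.in", "fail", "myshop.co.in", "pass", "mail.myshop.co.in")
# Spoof: SPF passes for the sender's own envelope domain, From: claims myshop.co.in.
spoof = Message("myshop.co.in", "pass", "bounce.lookalike.example", "none", "")
for m in (newsletter, forwarded, spoof):
    print(evaluate(m, RECORD))
```

The spoofed message has a genuine SPF pass, yet it fails DMARC because the domain that passed is not the one in the From address; under p=none the same message would still be delivered.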
How Can Truehost Help?
Setting up SPF, DKIM, and DMARC can feel technical, especially if you’re just starting out.
This is where the hosting provider you choose becomes critical.
At Truehost, we make email authentication straightforward, even if you’re just getting started.
Here’s how we help:
- Guided setup – We provide step-by-step guidance to configure SPF, DKIM, and DMARC correctly from the start.
- Pre-configured email environments – Our email hosting solutions are optimized to support secure email sending with minimal manual configuration.
- DNS management tools – You get easy access to DNS settings, allowing you to add and update authentication records without hassle.
- Ongoing support – If something breaks or if you’re unsure about your setup, our support team is ready to help you troubleshoot and optimize.
- Deliverability optimization – We help ensure your emails reach inboxes, not spam folders, by aligning your authentication setup with industry best practices.
If you’re serious about protecting your domain and improving email performance, working with a reliable hosting provider like us isn’t optional; it’s essential.
Explore our email hosting plans and get your domain’s email authentication set up the right way.
Frequently Asked Questions (FAQs)
Do I need SPF, DKIM, and DMARC or can I just use one?
You need all three. Each protocol solves a different piece of the email authentication puzzle.
DMARC validates the visible sender identity – confirming that the “From” address aligns with the domain verified by SPF or DKIM, and defining a policy for failures.
SPF validates the sending server – confirming that the mail came from an authorized IP address.
DKIM validates the message content – confirming that the email hasn’t been tampered with and was genuinely signed by the claimed domain.
Will setting up SPF, DKIM, and DMARC improve my email deliverability?
Yes, significantly. Inbox providers like Gmail and Outlook use authentication signals to decide whether to deliver your email to the primary inbox, send it to spam, or block it entirely. A domain with properly configured SPF, DKIM, and an enforced DMARC policy is seen as trustworthy, which translates directly into better inbox placement.
Do I actually need to implement SPF, DKIM, and DMARC to send email?
Technically, no. But if you’re a bulk sender, Microsoft, Google, Yahoo, and Apple require that SPF, DKIM, and DMARC be set up and enabled to send emails.
Where are SPF, DKIM, and DMARC records stored?
SPF, DKIM, and DMARC records are all stored in the Domain Name System (DNS).