
SPF, DKIM, and DMARC: Complete Email Security Guide for 2026

Learn how to implement SPF, DKIM, and DMARC to protect your domain from email spoofing and phishing attacks. Understand DKIM vs DMARC differences and when to use each.

January 5, 2026 (updated Mar 14, 2026)

What Are SPF, DKIM, and DMARC?

Email authentication protocols that verify the legitimacy of emails sent from your domain:

  • SPF (Sender Policy Framework): Specifies which mail servers can send email on behalf of your domain
  • DKIM (DomainKeys Identified Mail): Adds a digital signature to verify email hasn't been tampered with
  • DMARC (Domain-based Message Authentication, Reporting & Conformance): Tells receiving servers what to do with emails that fail SPF/DKIM checks

Implementing SPF Records

What is SPF?

SPF prevents spammers from sending emails with forged sender addresses from your domain. It's a DNS TXT record that lists authorized mail servers.

SPF Record Syntax

v=spf1 ip4:192.0.2.0 include:_spf.google.com ~all

Breaking it down:

  • v=spf1 - SPF version 1
  • ip4:192.0.2.0 - Authorize this IPv4 address
  • include:_spf.google.com - Include Google's SPF records
  • ~all - Soft fail for unauthorized servers

SPF Mechanisms

| Mechanism | Description | Example |
|-----------|-------------|---------|
| ip4 | IPv4 address or range | ip4:192.0.2.0/24 |
| ip6 | IPv6 address or range | ip6:2001:db8::/32 |
| a | Domain's A record | a:mail.example.com |
| mx | Domain's MX records | mx |
| include | Include another domain's SPF | include:_spf.google.com |
| all | Default result | -all (hard fail) |

Creating Your SPF Record

  1. List all servers that send email for your domain
  2. Build the SPF record:

     v=spf1 ip4:203.0.113.0 include:sendgrid.net include:_spf.google.com -all

  3. Add it as a TXT record in your DNS:

     example.com. IN TXT "v=spf1 ip4:203.0.113.0 include:sendgrid.net include:_spf.google.com -all"

SPF Best Practices

DO:

  • Use -all (hard fail) in production
  • Keep SPF record under 255 characters
  • Limit DNS lookups to 10 or fewer
  • Use ip4 and ip6 instead of include when possible

DON'T:

  • Use multiple SPF records (only one allowed)
  • Forget to include all email sending services
  • Use +all (allows anyone to send)
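As an added example (not part of the original guide), a small Python linter that checks the TXT strings published at a domain against the rules above: exactly one SPF record, no `+all` or `~all` in production, no terms after `all`, and at most 10 DNS-lookup terms. The input TXT strings are constructed for the example, and nested `include:` records are not resolved offline, so the lookup count covers the record itself only.

```python
import re

# Terms that each consume one of the 10 DNS lookups allowed by RFC 7208
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def lint_spf(txt_records):
    """Return a list of findings for the TXT strings found at a domain's apex.

    txt_records: every TXT string published at the name (as returned by
    `dig txt example.com`). Nested include: targets are not fetched.
    """
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        findings.append(f"{len(spf)} SPF records found; receivers treat this as a permanent error")
    record = spf[0]
    if len(record) > 255:
        findings.append(f"record is {len(record)} chars, over the 255-char TXT string limit")
    lookups = 0
    terms = record.split()[1:]  # skip the v=spf1 version tag
    for i, term in enumerate(terms):
        # qualifier (+ - ~ ?), mechanism/modifier name, optional argument after ':' or '='
        m = re.match(r"^([+\-~?]?)([a-z0-9]+)(?:[:=](.*))?$", term, re.I)
        if not m:
            findings.append(f"unparseable term {term!r}")
            continue
        qualifier, name, _ = m.groups()
        name = name.lower()
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            if qualifier in ("+", ""):  # the default qualifier is '+'
                findings.append("'+all' lets any host send as this domain")
            elif qualifier == "~":
                findings.append("'~all' soft-fails; use '-all' in production")
            if i != len(terms) - 1:
                findings.append("terms after 'all' are never evaluated")
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms, over the limit of 10 (permerror)")
    return findings
```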

Implementing DKIM

What is DKIM?

DKIM adds a digital signature to email headers. The receiving server verifies the signature using a public key published in your DNS.

Generating DKIM Keys

Most email providers generate keys for you, but here's how to create your own:

# Generate 2048-bit RSA key pair
openssl genrsa -out dkim_private.pem 2048
openssl rsa -in dkim_private.pem -pubout -out dkim_public.pem

DKIM DNS Record

Add a TXT record at selector._domainkey.yourdomain.com:

default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

Breaking it down:

  • v=DKIM1 - DKIM version
  • k=rsa - Key type (RSA)
  • p=... - Public key (base64 encoded)

Configuring DKIM Signing

For Postfix:

# /etc/opendkim.conf
Domain                  example.com
Selector                default
KeyFile                 /etc/opendkim/keys/default.private

Testing DKIM

Send a test email and check headers:

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=example.com; s=default;
        h=from:to:subject:date;
        bh=2jUSOH9NhtVGCQWNr9BrIAPreKQjO6Sn7XIkfJVOzv8=;
        b=YJsxevLfIvVW7X3cuP8vNAh3YZPmFu2EzZc...

Implementing DMARC

What is DMARC?

DMARC builds on SPF and DKIM, telling receiving servers how to handle authentication failures and where to send reports.

DMARC Record Syntax

_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100; adkim=s; aspf=s"

DMARC Tags Explained

| Tag | Description | Values |
|-----|-------------|--------|
| v | Protocol version | DMARC1 |
| p | Policy for domain | none, quarantine, reject |
| sp | Policy for subdomains | none, quarantine, reject |
| rua | Aggregate report email | mailto:[email protected] |
| ruf | Forensic report email | mailto:[email protected] |
| pct | Percentage of messages filtered | 0-100 |
| adkim | DKIM alignment mode | r (relaxed), s (strict) |
| aspf | SPF alignment mode | r (relaxed), s (strict) |
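To make the adkim and aspf tags concrete, here is an added Python example (not from the original guide) that evaluates DMARC for one message the way a receiver does: SPF or DKIM must pass, and the domain it authenticated must align with the From header domain under the record's alignment mode. The organizational-domain test is simplified to the last two labels (real receivers use the Public Suffix List), and `parse_dmarc`/`evaluate_dmarc` are names chosen for this example.

```python
def org_domain(domain):
    """Organizational domain, approximated as the last two labels.

    Assumption of this example: receivers consult the Public Suffix List instead.
    """
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """RFC 7489 alignment: 's' needs an exact match, 'r' the same organizational domain."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    if mode == "s":
        return a == f
    return org_domain(a) == org_domain(f)


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, filling in the RFC defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record, header_from, spf=None, dkim=None):
    """Decide DMARC pass/fail and the disposition for one message.

    spf:  (result, MAIL FROM domain) from the SPF check, or None if absent
    dkim: (result, d= domain) from the DKIM signature, or None if unsigned
    Returns (passed, disposition); disposition is the p= action when failing.
    """
    tags = parse_dmarc(record)
    spf_ok = (spf is not None and spf[0] == "pass"
              and aligned(spf[1], header_from, tags["aspf"]))
    dkim_ok = (dkim is not None and dkim[0] == "pass"
               and aligned(dkim[1], header_from, tags["adkim"]))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags.get("p", "none")
```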

DMARC Implementation Roadmap

3-Phase DMARC Rollout

Phase 1: Monitor (p=none)

Start collecting data without blocking emails.

v=DMARC1; p=none; rua=mailto:[email protected]; pct=100

Duration: 2-4 weeks

Phase 2: Quarantine (p=quarantine)

Mark suspicious emails as spam.

v=DMARC1; p=quarantine; rua=mailto:[email protected]; pct=100

Duration: 2-4 weeks

Phase 3: Reject (p=reject)

Block all failing emails.

v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100; adkim=s; aspf=s

Production policy

Reading DMARC Reports

Aggregate reports arrive as XML attachments. Key metrics:

  • Pass rate: Percentage of emails passing authentication
  • Source IPs: Where your email is being sent from
  • Failures: Emails failing SPF/DKIM checks

Use tools like:

Complete Example

Here's a full setup for example.com:

SPF Record

example.com. IN TXT "v=spf1 ip4:203.0.113.0 include:_spf.google.com include:sendgrid.net -all"

DKIM Record

default._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC..."

DMARC Record

_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100; adkim=s; aspf=s"

Testing Your Setup

Tools for Validation

  1. MXToolbox: mxtoolbox.com/SuperTool.aspx
  2. DMARC Analyzer: dmarcian.com/dmarc-inspector
  3. Mail-tester: mail-tester.com
  4. WebScore: Comprehensive email security scanning

Send a Test Email

Use mail-tester.com:

  1. Send email to the provided address
  2. Check your score (aim for 10/10)
  3. Review SPF, DKIM, DMARC results

Command Line Testing

# Check SPF record
dig txt example.com
 
# Check DKIM record
dig txt default._domainkey.example.com
 
# Check DMARC record
dig txt _dmarc.example.com

Common Mistakes to Avoid

Critical Errors

  • ❌ Multiple SPF records (only one allowed)
  • ❌ SPF record exceeding 10 DNS lookups
  • ❌ Starting with p=reject without monitoring first
  • ❌ Forgetting to include all email sending services
  • ❌ Not setting up DMARC reporting email
  • ❌ Using weak DKIM keys (less than 2048 bits)
  • ❌ Incorrect DKIM selector in DNS

DKIM vs DMARC: What's the Difference?

This is one of the most common questions in email security, and the answer is straightforward: DKIM and DMARC serve different but complementary roles.

DKIM (DomainKeys Identified Mail) is an authentication mechanism. It proves that an email actually came from your domain and wasn't tampered with in transit. It does this by attaching a cryptographic signature to every email you send. The receiving server verifies this signature using a public key published in your DNS.

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a policy layer that sits on top of DKIM and SPF. It tells receiving servers what to do when an email fails authentication — accept it, quarantine it, or reject it entirely. DMARC also provides reporting so you can see who's sending email using your domain.

DKIM vs DMARC Comparison

| Aspect | DKIM | DMARC |
|--------|------|-------|
| Purpose | Verify email authenticity | Define policy for failed auth |
| How it works | Cryptographic signature on emails | DNS policy record |
| Prevents | Email tampering | Email spoofing (with SPF) |
| Works alone? | Yes, but limited protection | No — requires SPF and/or DKIM |
| Reporting | No | Yes (aggregate + forensic) |
| DNS record type | TXT at selector._domainkey.domain | TXT at _dmarc.domain |

Do You Need Both?

Yes. DKIM without DMARC means failed authentication goes unnoticed — receiving servers can still accept spoofed emails. DMARC without DKIM means you lose the tamper-proof verification that DKIM provides. The strongest email security requires all three: SPF + DKIM + DMARC working together.

Use WebScore's Email Security Scanner to check if your domain has all three properly configured.

Monitoring with WebScore

WebScore automatically checks your email authentication setup:

  • ✅ SPF validation - Verifies syntax and DNS lookups
  • ✅ DKIM detection - Checks for properly configured keys
  • ✅ DMARC policy review - Ensures optimal settings
  • ✅ Continuous monitoring - Alerts on configuration changes
  • ✅ Deliverability scoring - Track email reputation

Start your free scan today to verify your email security configuration.

Conclusion

Implementing SPF, DKIM, and DMARC is essential for:

  • Preventing email spoofing
  • Protecting brand reputation
  • Improving email deliverability
  • Meeting compliance requirements (GDPR, HIPAA)

Start with monitoring (p=none), analyze reports, fix issues, then gradually move to quarantine and reject policies. Your email security is worth the investment.
