Email Authentication Guide: SPF, DKIM, and DMARC Explained

Email remains the primary attack vector for cybercrime. The FBI's Internet Crime Complaint Center consistently reports that Business Email Compromise (BEC) costs organizations billions of dollars every year — more than any other type of cybercrime. In 2023 alone, BEC losses exceeded $2.9 billion in the United States.

The fundamental problem is that the original Simple Mail Transfer Protocol (SMTP), designed in the early 1980s, has no built-in mechanism to verify that a sender is who they claim to be. Anyone can configure a mail server to send messages claiming to originate from @yourcompany.com, and traditional SMTP will accept and deliver it. This is called email spoofing, and it is the foundation of phishing, CEO fraud, and countless other attacks.

Three DNS-based protocols — SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) — were developed to close this gap. Together, they form a chain of proof: SPF verifies the sending server's identity, DKIM proves the message content wasn't tampered with, and DMARC tells receivers what to do when checks fail and provides you with visibility via reports.

Beyond security, Google and Yahoo's 2024 bulk sender requirements made SPF, DKIM, and DMARC mandatory for anyone sending more than 5,000 messages per day to Gmail or Yahoo addresses. Without them, your email gets deferred or rejected outright.

SPF is a DNS TXT record published on your domain that lists every IP address and hostname authorized to send email on your behalf. When a receiving mail server gets a message claiming to be from [email protected], it looks up the SPF record for yourdomain.com in DNS and checks whether the sending server's IP is on the authorized list. If it isn't, the receiving server can treat the message as suspicious.

SPF Record Syntax Breakdown

Every SPF record starts with the version tag and ends with a qualifier that defines what to do with unauthorized senders:

• v=spf1Required version tag — always the first element.
• ip4:Authorizes a specific IPv4 address or CIDR range. Use ip6: for IPv6.
• include:Delegates to another domain's SPF record. Commonly used for third-party senders like Google Workspace, Mailchimp, Zendesk, or Salesforce.
• aAuthorizes the IP address(es) in your domain's A record.
• mxAuthorizes your domain's MX servers to send email.
• ~allSoftFail — messages from unlisted IPs should be accepted but marked as suspicious. Recommended while testing.
• -allHardFail — reject messages from unlisted IPs. Use only after thorough testing.
• ?allNeutral — no assertion about unauthorized senders. Rarely recommended for production.

Common SPF Mistakes

• ⚠️ Multiple SPF records: You must have exactly one SPF TXT record per domain. Publishing two records causes an immediate SPF PermError and both records are ignored.
• ⚠️ Exceeding 10 DNS lookups: Each include:, a, and mx mechanism causes a DNS lookup. SPF limits you to 10 total. Exceeding this results in a PermError. Use "SPF flattening" to convert lookups to raw IP ranges if needed.
• ⚠️ Forgetting third-party senders: Any service that sends mail as your domain — marketing platforms, ticketing systems, ERP software — must be included in your SPF record.
• ⚠️ SPF only covers the envelope sender: SPF checks the MAIL FROM address (the Return-Path), not the visible From: header. DMARC bridges this gap.

Use the EP Cybertools SPF Checker to instantly query and validate your SPF record, check lookup counts, and identify configuration issues.

DKIM uses public-key cryptography to attach a verifiable signature to every outgoing message. Your mail server signs the email headers and body with a private key, and publishes the corresponding public key in DNS. Receiving servers look up the public key and verify the signature — if it matches, they know the message genuinely came from your domain and that it hasn't been altered in transit.

How the Signing Process Works

1. Your mail server generates a cryptographic hash of specified headers (From, Subject, Date, To) and the message body.
2. That hash is encrypted with your private key and attached to the message as a DKIM-Signature header.
3. The receiving server extracts the signature, looks up your public key in DNS at selector._domainkey.yourdomain.com.
4. It decrypts the signature with your public key, rehashes the headers/body, and compares. If they match: DKIM pass.

Selector Records and Key Sizes

The selector is a label you choose (e.g., google, mail1, s1) that appears in the DNS lookup path and in the DKIM-Signature header. Using distinct selectors allows you to use multiple DKIM keys simultaneously — critical for rotating keys without downtime.

Always use 2048-bit RSA keys minimum (4096-bit for critical domains). 1024-bit keys are no longer considered secure and are rejected by many receivers. Some providers now support Ed25519 keys (k=ed25519), which are smaller and computationally faster, though not yet universally supported.

Configuring DKIM for Popular Platforms

• 🔵 Google Workspace: Go to Admin Console → Apps → Google Workspace → Gmail → Authenticate email. Generate a key, copy the DNS record, publish it, then click Start Authentication.
• 🟦 Microsoft 365: In the Microsoft 365 Defender portal, navigate to Email & Collaboration → Policies → DKIM. Enable signing for your domain and publish the two CNAME records it provides.
• 📮 Postfix/self-hosted: Use OpenDKIM. Install the package, generate keys with opendkim-genkey, configure /etc/opendkim.conf and the milter socket, then publish the public key in DNS.

Key Rotation Best Practice

Rotate DKIM keys at least annually, or immediately after any security incident. The process: publish a new key under a new selector, update your mail server config to sign with the new key, wait 48–72 hours for the old key's signatures to expire from delivery queues, then remove the old DNS record. Never delete the old key before rotation is complete.

Use the EP Cybertools DKIM Checker to verify that your DKIM DNS record is correctly published and that the key size meets current recommendations.

DMARC is the policy layer that ties SPF and DKIM together. It answers the question: "If SPF or DKIM fail for a message claiming to be from my domain, what should the receiving server do?" It also adds a critical feature neither SPF nor DKIM provides alone: alignment checking.

Alignment means the domain in the visible From: header must match the domain that passed SPF or DKIM. This closes a major loophole: an attacker could craft an email that passes SPF for their own domain but displays your domain in the From header. DMARC prevents this.

DMARC Record Structure

• v=DMARC1 — Required version tag.
• p= — The policy: none (monitor only), quarantine (send to spam), or reject (discard). Start with none.
• pct= — Percentage of non-authenticated messages to apply the policy to. Use to gradually increase enforcement.
• rua= — Email address(es) to receive aggregate XML reports (daily summaries of all mail claiming your domain). Required for monitoring.
• ruf= — Email address for forensic (per-message failure) reports. Contains redacted message data.
• aspf= — SPF alignment mode: relaxed (subdomains match) or strict (exact match). Relaxed is recommended.
• adkim= — DKIM alignment mode: relaxed or strict.
• sp= — Policy for subdomains. Set to reject to protect subdomains even if they have no explicit DMARC record.

Gradual DMARC Rollout Strategy

Rushing to p=reject too quickly is a common cause of broken email flows. Follow this sequence:

1. Week 1–4: Publish p=none with rua= pointing to your reporting inbox. Collect aggregate reports.
2. Week 5–8: Analyze reports (or use a DMARC reporting tool). Identify and fix all legitimate sources that are failing SPF/DKIM alignment.
3. Week 9–12: Move to p=quarantine; pct=10. Monitor for complaints. Increase pct by 10–25% each week.
4. Week 13+: Once pct=100 quarantine is stable for 2+ weeks with no legitimate mail issues, move to p=reject.

Verify your DMARC record and policy strength instantly with the EP Cybertools DMARC Checker.

The order matters. SPF and DKIM must be working correctly before DMARC can enforce anything. A message needs to pass at least one of SPF or DKIM with proper alignment to satisfy DMARC. Here is a practical implementation checklist:

Important: Don't forget your parked domains and subdomains. Attackers frequently target domains you own but don't actively use for email. Publish a null SPF record (v=spf1 -all) and a DMARC reject policy on those domains too.