How SPF, DKIM, and DMARC Work Together to Protect Your Domain

Learn how SPF, DKIM, and DMARC protect your domain from spoofing and phishing, improve trust, and boost email deliverability.

Akash Bhadange • 29 Oct 2025 • how to guide

If your legitimate emails are landing in spam or being spoofed by attackers, your authentication setup might be the problem. To make sure your emails are trusted, you need three essential protocols: SPF, DKIM, and DMARC.

These technologies form the foundation of secure email delivery. Together, they prevent phishing, domain impersonation, and spam, ensuring that your messages reach the inbox safely.

This guide explains what each protocol does, how they work together, and how to set them up correctly.

Why Email Authentication Matters

Every day, millions of phishing emails are sent pretending to be from legitimate companies. Without proper authentication, spammers can forge your domain name and send fake messages that look real.

Strong email authentication:

  • Protects your brand reputation

  • Improves deliverability

  • Increases user trust

  • Prevents unauthorized senders from using your domain

What Is SPF?

SPF (Sender Policy Framework) is a DNS record that specifies which mail servers are allowed to send emails on behalf of your domain.

When an email is received, the receiving mail server checks the sender’s domain and verifies if the sending IP address is listed in the SPF record.

If it matches, the SPF check passes. If not, the check fails and the message may be marked as spam or rejected.

Example SPF Record

v=spf1 include:autosend.com -all

How it works:

  1. The receiving mail server extracts the domain from the envelope sender address, which is recorded in the “Return-Path” header.

  2. It looks up the SPF record for that domain.

  3. If the IP address sending the message matches one listed, the email is authenticated.

Best Practices for SPF

  • Use -all instead of ~all to enforce strict validation.

  • Keep the record within the limit of 10 DNS lookups to avoid breaking SPF.

  • Update it whenever you add or remove an email service.
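
The evaluation steps and the lookup limit above, as an added example (not AutoSend's code or any receiver's implementation). It handles only the ip4, ip6, include and all mechanisms; the ZONE dictionary stands in for DNS, and its IP ranges and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed TXT records standing in for DNS; the IP ranges are assumptions.
ZONE = {
    "yourdomain.com": "v=spf1 include:autosend.com -all",
    "autosend.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.17 -all",
}
MAX_LOOKUPS = 10  # RFC 7208 cap on mechanisms that trigger DNS queries
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


class PermError(Exception):
    """Record cannot be evaluated; receivers report 'permerror'."""


def _evaluate(ip, domain, zone, budget):
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    for term in record.split()[1:]:
        result = QUALIFIERS.get(term[0], "pass")  # no qualifier means "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return result
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(arg, strict=False):
                return result
        elif name == "include":
            budget[0] -= 1  # each include costs one DNS lookup
            if budget[0] < 0:
                raise PermError("more than 10 DNS lookups")
            inner = _evaluate(ip, arg, zone, budget)
            if inner == "none":
                raise PermError("include target has no SPF record")
            if inner == "pass":
                return result
        else:
            raise PermError(f"mechanism not covered here: {name}")
    return "neutral"


def check_spf(client_ip, mail_from, zone=ZONE):
    """Return the SPF result for client_ip sending as envelope sender mail_from."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    try:
        return _evaluate(ipaddress.ip_address(client_ip), domain, zone, [MAX_LOOKUPS])
    except PermError:
        return "permerror"
```

A record that ends in ~all returns "softfail" for an unlisted IP where -all returns "fail", and a chain of more than 10 includes returns "permerror" even for an IP that would otherwise match.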

What Is DKIM?

DKIM (DomainKeys Identified Mail) adds a digital signature to your emails to prove that the content has not been modified.

Each outgoing email is signed with a private key that only your mail server knows.
The recipient can then verify this signature using a public key stored in your domain’s DNS.

Example DKIM Record

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0B...

How it works:

  1. Your mail server generates a DKIM signature and attaches it to each email header.

  2. The receiving server fetches the public key from your DNS.

  3. It verifies the signature to ensure that the email body and headers were not altered.
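
How a receiver detects a changed body, as an added example (not code from the original article). It covers only the body-hash step, comparing the received body against the bh= tag of the DKIM-Signature header; the RSA check of the b= signature over the headers is not shown, and the message, selector and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re


def parse_tags(value):
    """Parse a 'tag=value; tag=value' list, dropping folding whitespace."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip(): re.sub(r"\s+", "", v) for k, v in pairs}


def canonicalize_body(body, mode):
    """Body canonicalization from RFC 6376 section 3.4 ('simple' or 'relaxed')."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty lines are not part of the hash
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body, c_tag="simple/simple"):
    mode = c_tag.split("/")[1] if "/" in c_tag else "simple"
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def body_matches(signature_value, received_body):
    """True if the received body still hashes to the signed bh= value."""
    tags = parse_tags(signature_value)
    if tags.get("a") != "rsa-sha256":
        raise ValueError("only rsa-sha256 is handled in this example")
    expected = body_hash(received_body, tags.get("c", "simple/simple"))
    return hmac.compare_digest(tags.get("bh", ""), expected)


# Constructed message: the signer hashes the body and places it in bh=.
SENT_BODY = b"Your sign-in code is 424242.\r\n\r\n"
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=default; "
    "h=from:to:subject; bh=" + body_hash(SENT_BODY, "relaxed/relaxed") + "; b=OMITTED"
)
```

With relaxed canonicalization, whitespace changes made in transit still verify, while any change to the text itself does not.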

Best Practices for DKIM

  • Use at least a 2048-bit key for stronger security.

  • Rotate DKIM keys periodically (every 6–12 months).

  • Ensure your “From” domain matches the signing domain for alignment with DMARC.

What Is DMARC?

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and defines what to do when an email fails authentication.

DMARC allows you to tell receiving servers how to handle unauthenticated messages (none, quarantine, or reject) and provides detailed reports on who is sending emails using your domain.

Example DMARC Record

v=DMARC1; p=quarantine; rua=mailto:[email protected]; adkim=s; aspf=s

How it works:

  1. The receiving server checks if the email passes SPF or DKIM.

  2. It verifies if the domain in those checks aligns with the “From” domain.

  3. Based on your DMARC policy (p=), it either delivers, quarantines, or rejects the message.

Policy Options

  • p=none: Monitor only (no enforcement)

  • p=quarantine: Mark suspicious emails as spam

  • p=reject: Block unauthorized emails entirely

Best Practices for DMARC

  • Start with p=none to collect reports.

  • Review your DMARC reports for legitimate senders.

  • Move to quarantine and finally reject once everything is aligned.

How SPF, DKIM, and DMARC Work Together

Think of SPF, DKIM, and DMARC as three layers of email defense.

Layer | Purpose | Protects Against
SPF | Authorizes sending IP addresses | Spoofing and unauthorized senders
DKIM | Signs messages to verify integrity | Message tampering
DMARC | Enforces policy and alignment | Phishing and domain abuse

Here’s how the process works when you send an email:

  1. The recipient’s server checks if the sending IP is authorized by SPF.

  2. It verifies the DKIM signature to ensure the message is intact.

  3. It applies your DMARC policy to decide what to do with emails that fail authentication, meaning neither SPF nor DKIM passes with a domain aligned to the “From” domain.

If both SPF and DKIM align with your domain and pass validation, your message is considered legitimate.

How to Set Them Up for Your Domain

Setting up these records takes just a few minutes but has long-term benefits.

Step 1: Add SPF Record

In your DNS settings, add a TXT record:

v=spf1 include:autosend.com -all

Step 2: Add DKIM Record

Your email service provider (like AutoSend) gives you a DKIM key.
Add it as:

default._domainkey.yourdomain.com IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkq..."

Step 3: Add DMARC Record

Finally, publish your DMARC policy:

_dmarc.yourdomain.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]; aspf=s; adkim=s"

Once added, use a record-checking tool to confirm that everything is working.

Why This Matters for Deliverability

Mailbox providers like Gmail and Yahoo use these checks to decide whether to trust your domain.
Without them, even legitimate emails can end up in spam.
Strong authentication helps build domain reputation, leading to better inbox placement and fewer delivery issues.

Once SPF, DKIM, and DMARC are properly configured, you can take authentication a step further with BIMI (Brand Indicators for Message Identification).
BIMI allows you to display your verified logo and checkmark next to your emails in supported inboxes, signaling authenticity and boosting brand trust.


TL;DR

To protect your domain and ensure your emails reach the inbox:

  1. Set up SPF to authorize your sending IPs.

  2. Enable DKIM to sign and verify message integrity.

  3. Enforce DMARC to align and control authentication results.

Together, these three protocols secure your brand, prevent abuse, and improve deliverability.
