SPF, DKIM, and DMARC work together to authenticate email and prevent spoofing. Essential for preventing phishing attacks using your domain.
SPF (Sender Policy Framework)
Lists which mail servers are authorized to send email for your domain; receivers check the connecting server's IP against it.
# DNS TXT record for example.com
v=spf1 include:_spf.google.com include:sendgrid.net -all
# Components:
# v=spf1 - SPF version
# include: - Authorize third-party senders
# -all - Hard fail for all other senders (strictest)
DKIM (DomainKeys Identified Mail)
Signs emails cryptographically so recipients can verify authenticity.
# DNS TXT record: selector._domainkey.example.com
v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQ...
# Look up the published DKIM public key (selector "google" in this example)
dig google._domainkey.example.com TXT
DMARC
Tells receivers what to do with emails that fail SPF or DKIM (with the authenticated domain aligned to the From: header domain) and where to send reports.
# DNS TXT record: _dmarc.example.com
# Start with monitoring (none)
v=DMARC1; p=none; rua=mailto:[email protected]
# Quarantine after testing
v=DMARC1; p=quarantine; pct=25; rua=mailto:[email protected]  # pct=25 applies the policy to 25% of failing mail
# Reject (strictest - recommended after testing)
v=DMARC1; p=reject; rua=mailto:[email protected]
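The following is an added example (not code from the original page) showing how a receiving server turns the SPF and DKIM results plus the `_dmarc` record into a DMARC verdict and a disposition. The scenarios are constructed authentication results, not real messages, and `org_domain()` approximates the organizational domain as the last two DNS labels (real receivers use the Public Suffix List, so this is a simplification).

```python
"""How a receiving server evaluates DMARC for one message.

Added example, not code from the original page. The scenarios at the
bottom are constructed authentication results, not real messages.
org_domain() approximates the organizational domain as the last two
labels; real receivers use the Public Suffix List, so treat it as a
simplification (it is wrong for e.g. example.co.uk).
"""


def org_domain(domain):
    """Approximate organizational domain: last two DNS labels (simplified)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' (strict) needs an exact match,
    'r' (relaxed, the default) needs the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, policy, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    from_domain: domain in the RFC 5322 From: header (what the user sees).
    policy:      tags from the _dmarc TXT record (p, sp, adkim, aspf).
    spf_domain:  envelope MAIL FROM domain that SPF evaluated.
    dkim_domain: d= of a DKIM signature that verified (None if none did).
    DMARC passes if SPF passes and aligns, or DKIM passes and aligns.
    pct= sampling is deliberately left out: it is random per message.
    """
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Subdomain policy (sp=) applies when the From: domain is a subdomain.
    disposition = policy.get("p", "none")
    if from_domain.lower() != org_domain(from_domain) and "sp" in policy:
        disposition = policy["sp"]
    return "fail", disposition


if __name__ == "__main__":
    reject = {"p": "reject", "adkim": "r", "aspf": "r"}
    scenarios = [
        ("own server, bounce subdomain", "example.com", reject, "pass", "bounce.example.com", "pass", "example.com"),
        ("forwarded: SPF breaks, DKIM survives", "example.com", reject, "fail", "example.com", "pass", "example.com"),
        ("unaligned SPF pass (spoofed From:)", "example.com", reject, "pass", "other.example", "none", None),
        ("ESP signing with its own d=", "example.com", reject, "pass", "esp.example", "pass", "esp.example"),
    ]
    for label, *args in scenarios:
        print("%-40s -> %s" % (label, dmarc_evaluate(*args)))
```

The second and fourth scenarios are the ones that matter in practice: forwarding breaks SPF but a DKIM signature from your own domain still carries the message to a DMARC pass, whereas a third-party sender that passes SPF and DKIM only under its own domain still fails DMARC because neither identifier aligns with your From: domain. That is why the provider must be both in your `include:` and signing with a selector under your domain.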
Implementation Order
- Configure SPF record
- Set up DKIM signing
- Deploy DMARC with p=none (monitoring)
- Analyze DMARC reports for 2-4 weeks
- Move to p=quarantine then p=reject
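As an added example that is not part of the original page, the script below parses the three record types from the sections above and reports the weaknesses a defender would want to catch before and during the rollout steps: a missing or permissive `all` term or too many DNS-lookup terms in SPF, a revoked (empty `p=`) DKIM key, and a DMARC record that is still monitoring-only, only partially enforced via `pct`, or has no `rua=` address. The `SAMPLE_*` records are constructed; in practice paste in the TXT strings returned by `dig`.

```python
"""Offline sanity checks for SPF, DKIM and DMARC TXT records.

Added example, not code from the original page. The SAMPLE_* records
are constructed, not live DNS answers; fetch real ones with
`dig +short TXT <name>` and pass the strings to check_records().
"""
import re

# Constructed sample records (the DKIM key is a truncated placeholder).
SAMPLE_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net -all"
SAMPLE_DKIM = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"
SAMPLE_DMARC = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@example.com"

SPF_QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# Terms that cost a DNS lookup; RFC 7208 caps these at 10 per evaluation.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record):
    """Return the include: targets, the result for 'all', and the lookup count."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    includes, all_result, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in SPF_QUALIFIERS else "+"
        body = term.lstrip("+-~?")
        name = re.split(r"[:=/]", body, maxsplit=1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "include":
            includes.append(body.split(":", 1)[1])
        elif name == "all":
            all_result = SPF_QUALIFIERS[qualifier]
    return {"includes": includes, "all": all_result, "lookups": lookups}


def parse_tags(record):
    """Parse a DKIM/DMARC 'tag=value; tag=value' list (values may contain '=')."""
    tags = {}
    for field in record.split(";"):
        if "=" in field:
            key, value = field.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_records(spf, dkim, dmarc):
    """Return a list of findings worth acting on before tightening policy."""
    findings = []

    s = parse_spf(spf)
    if s["all"] is None:
        findings.append("SPF: no 'all' term, unlisted senders get a neutral result")
    elif s["all"] == "pass":
        findings.append("SPF: '+all' authorizes every sender; spoofing is trivial")
    elif s["all"] == "softfail":
        findings.append("SPF: '~all' soft-fails unlisted senders; move to '-all' once includes are complete")
    if s["lookups"] > 10:
        findings.append("SPF: %d DNS-lookup terms exceeds the limit of 10 (permerror)" % s["lookups"])

    d = parse_tags(dkim)
    if d.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("DKIM: unexpected version tag %r" % d["v"])
    if not d.get("p"):
        findings.append("DKIM: empty or missing 'p=' means the key is revoked; signatures will fail")

    m = parse_tags(dmarc)
    if m.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: record must start with v=DMARC1")
    policy = m.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: invalid or missing policy %r" % policy)
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; failing mail is still delivered")
    pct = int(m.get("pct", "100"))
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append("DMARC: policy applies to only %d%% of failing mail (pct=%d)" % (pct, pct))
    if "rua" not in m:
        findings.append("DMARC: no 'rua=' address, so you will receive no aggregate reports")
    return findings


if __name__ == "__main__":
    for line in check_records(SAMPLE_SPF, SAMPLE_DKIM, SAMPLE_DMARC):
        print(line)
```

Run against the sample records it reports only the partial `pct=25` enforcement, which is the expected state mid-rollout; re-run it after each step in the implementation order until the list is empty.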
Testing Tools
- mail-tester.com
- mxtoolbox.com
- dmarcanalyzer.com
December 2024