Understanding Email Authentication: SPF, DKIM & DMARC
Email authentication uses three protocols—SPF, DKIM, and DMARC—to verify emails are legitimate. Learn how they work together to stop spoofing and improve deliverability.
The Three Authentication Protocols
SPF (Sender Policy Framework)
What: Lists which mail servers can send email for your domain
How: DNS TXT record with approved IP addresses
Checks: "Is this email from an authorized server?"
v=spf1 ip4:192.0.2.0 include:_spf.google.com ~all
DKIM (DomainKeys Identified Mail)
What: Cryptographic signature proving email authenticity
How: Mail server signs emails with private key, receivers verify with public key in DNS
Checks: "Has this email been tampered with?"
DKIM-Signature: v=1; a=rsa-sha256; d=yourdomain.com...
DMARC (Domain-based Message Authentication)
What: Policy telling receivers what to do when SPF/DKIM fail
How: DNS TXT record with enforcement policy (none/quarantine/reject) + reporting
Checks: "What should I do with failed emails?"
v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com
How They Work Together
SPF Check
Receiving server checks if sender IP is in your SPF record. Pass = authorized server. Fail = unauthorized.
DKIM Check
Server verifies DKIM signature using your public key. Pass = authentic email. Fail = tampered or forged.
DMARC Policy
If both SPF and DKIM fail, DMARC policy determines action: deliver (p=none), spam (p=quarantine), or block (p=reject).
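The three checks above, as an added Python example (not code from the original page), run against the page's sample SPF and DMARC records. It also applies the domain alignment that DMARC requires: a passing SPF or DKIM result only counts if its domain matches the From domain. The function names, sender IPs and the simplified relaxed-alignment test are assumptions, and `include:` lookups are skipped because they need DNS.

```python
import ipaddress

SPF_RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, sender_ip):
    """Evaluate ip4/ip6 and 'all' terms only; include:, a, mx need DNS and are skipped."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = term[0] if term[0] in SPF_RESULTS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(mech[4:], strict=False)
            if ip.version == net.version and ip in net:
                return SPF_RESULTS[qualifier]
        elif mech == "all":
            return SPF_RESULTS[qualifier]
    return "neutral"

def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def aligned(auth_domain, from_domain, mode):
    """Strict: exact match. Relaxed: approximated by the last two labels
    (an assumption; real receivers use the Public Suffix List)."""
    a, f = auth_domain.lower().split("."), from_domain.lower().split(".")
    return a == f if mode == "s" else a[-2:] == f[-2:]

def dmarc_disposition(dmarc_record, from_domain, spf, dkim):
    """spf/dkim are (result, domain) pairs; returns 'pass' or the p= policy to apply."""
    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "DMARC1":
        return "none"  # no valid DMARC record, so no policy to enforce
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")

# Records from the page; the sender IPs below are constructed sample values.
SPF = "v=spf1 ip4:192.0.2.0 include:_spf.google.com ~all"
DMARC = "v=DMARC1; p=reject; rua=mailto:reports@yourdomain.com"

if __name__ == "__main__":
    for ip in ("192.0.2.0", "198.51.100.7"):
        spf = (spf_check(SPF, ip), "yourdomain.com")
        print(ip, spf[0], dmarc_disposition(DMARC, "yourdomain.com", spf, ("fail", "yourdomain.com")))
```

A message that passes SPF for an unrelated envelope domain still ends up with the `p=reject` disposition here, which is the case the plain pass/fail description does not show.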
Quick Comparison
| Feature | SPF | DKIM | DMARC |
|---|---|---|---|
| Verifies | Sender IP | Email signature | Domain alignment |
| Setup | DNS TXT record | DNS + mail config | DNS TXT record |
| Enforcement | None | None | Yes (p=reject) |
| Reports | No | No | Yes (daily) |
Implementation Order
2. DKIM second: Enable email signing
3. DMARC last: Set policy and collect reports
DMARC requires SPF and DKIM to function properly.