🎉 FREE 1 Month on All Shared Hosting Plans — No Money Due Today! No Promo Code Required

What Are SPF, DKIM, And DMARC?

Understand the three main email authentication technologies and how they help protect domain reputation.

Email Authentication Helps Receiving Servers Make Decisions

SPF, DKIM, and DMARC are DNS-based technologies that help receiving mail systems evaluate whether a message is authorized and whether the visible sender matches the authenticated domain.

SPF

SPF lists servers allowed to send mail for a domain. The receiving server compares the sending IP address with the SPF policy.

A domain should normally publish one SPF record. Multiple separate SPF records can create a permanent error.

DKIM

DKIM adds a digital signature to outgoing messages. The receiving system uses a public key stored in DNS to verify that the signed parts of the message were not changed after signing.

DMARC

DMARC tells receiving servers what to do when SPF or DKIM checks fail and alignment requirements are not met. Policies can monitor, quarantine, or reject messages.

Start With Monitoring

Organizations often begin with a DMARC policy of none while collecting reports. This helps identify legitimate services before moving to stricter enforcement.

Common Problems

  • Old services are missing from SPF.
  • SPF exceeds lookup limits.
  • DKIM signing is not enabled.
  • The visible From domain does not align.
  • DMARC is set to reject before legitimate senders are identified.

Authentication Does Not Guarantee Delivery

These records improve trust, but reputation, message content, sending patterns, complaints, and list quality still affect delivery.