Email is the backbone of business communication, but without proper security controls your domain can be spoofed, your messages can land in spam, and your reputation can suffer. This guide explains how to secure your domain with SPF, DKIM, and DMARC, and how to roll out these protections safely.
Why basic authentication isn’t enough
Attackers can spoof your visible From: address even if they are not sending from your servers. SPF alone checks only the envelope sender (Return-Path), which end users never see, so a passing SPF result does nothing to stop a forged visible From:. To properly protect your brand, you need both DKIM and DMARC with strict alignment.
Step 1: Publish a strict SPF record
SPF defines which mail servers are allowed to send for your domain. It must be limited to your actual outbound IPs or mail providers, and end with -all to reject everything else.
example.com. 300 IN TXT "v=spf1 ip4:203.0.113.25 include:mailprovider.com -all"
Verification: Use dig +short TXT example.com to confirm only one SPF record exists. Send test mail and check headers for spf=pass.
Step 2: Enable DKIM signing
DKIM signs outgoing mail with a private key and publishes the matching public key in DNS. Receivers verify the signature to confirm that the message was signed by your domain and that the signed headers and body were not altered in transit.
default._domainkey.example.com. 300 IN TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."
Verification: Query DNS for your selector (dig TXT default._domainkey.example.com) and send a test email. The header should show dkim=pass header.d=example.com.
Step 3: Enforce alignment with DMARC
DMARC requires that either SPF or DKIM passes, and that the domain which passed (the Return-Path domain for SPF, the d= domain for DKIM) aligns with the visible From: domain. Roll it out in stages to avoid accidental rejections.
Monitoring mode
_dmarc.example.com. 300 IN TXT "v=DMARC1; p=none; adkim=s; aspf=s; fo=1; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-reports@example.com"
Generates reports without affecting delivery.
Quarantine mode
_dmarc.example.com. 300 IN TXT "v=DMARC1; p=quarantine; sp=quarantine; adkim=s; aspf=s; fo=1; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-reports@example.com"
Messages failing alignment are typically delivered to spam/junk.
Reject mode
_dmarc.example.com. 300 IN TXT "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; fo=1; rua=mailto:dmarc-reports@example.com; ruf=mailto:dmarc-reports@example.com"
Messages failing alignment are rejected outright. This offers the strongest protection against spoofing.
Subdomain considerations
If you send mail from subdomains (e.g., mail.example.com or alerts.example.com), publish DMARC for each subdomain or use the sp= tag in the parent record to control them. If you do not send from subdomains, set sp=reject to stop attackers abusing them.
Operational best practices
- Reverse DNS (PTR): The IP of your mail server should resolve to a hostname you control, and that hostname should resolve back to the same IP.
- HELO/EHLO identity: Your mail server should present its hostname consistently in the SMTP banner.
- Consistent From addresses: Use clear role addresses (e.g., noreply@, support@) instead of system accounts like root@.
- One SPF record: Multiple SPF records cause validation failure. Merge all rules into one.
- Third-party senders: Authorize any SaaS platforms (marketing, CRM, billing) with proper SPF includes and/or DKIM signing.
Testing and monitoring
- Send test emails to Gmail, Outlook, and other major providers.
- Check Authentication-Results headers for spf=pass, dkim=pass, and dmarc=pass.
- Review DMARC aggregate reports (rua) to see which servers are sending on your behalf and whether they pass authentication.
- Review forensic reports (ruf) to investigate failed messages in detail.
Common pitfalls
- Malformed DNS records: Watch for stray quotes, semicolons, or line breaks in TXT records.
- Overly permissive SPF: Avoid +all or ~all; use -all to enforce.
- Unaligned third-party mail: Newsletters or services not DKIM-signed with your domain will fail DMARC unless configured properly.
- Multiple SPF TXT records: Only one is valid — consolidate all sources.
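An added offline checker for the verification steps and pitfalls above (example code, not part of the original guide): it parses the SPF, DKIM selector and DMARC TXT records and flags the misconfigurations this guide lists (multiple SPF records, a permissive terminator, a non-enforcing or relaxed DMARC policy, a missing rua address, a missing or revoked DKIM key). The SAMPLE_TXT dictionary and the domain weak.example are constructed sample data standing in for resolver output.

```python
# Constructed sample TXT answers (example data, not real DNS); in practice they come from `dig TXT <name>`.
SAMPLE_TXT = {
    "example.com": ["v=spf1 ip4:203.0.113.25 include:mailprovider.com -all"],
    "_dmarc.example.com": ["v=DMARC1; p=none; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.com"],
    "default._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqh"],
    "weak.example": ["v=spf1 ip4:198.51.100.7 ~all", "v=spf1 include:other.example -all"],  # two SPF records
}

def parse_tags(record):
    """Parse a 'k=v; k=v' DMARC/DKIM tag list into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_spf(records):
    """Exactly one SPF record, and it must end with -all (not +all, ~all or ?all)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    findings = ["multiple SPF records (validation fails)"] if len(spf) > 1 else []
    findings += [f"SPF ends with {r.split()[-1]} instead of -all" for r in spf if r.split()[-1].lower() != "-all"]
    return findings

def check_dkim(records):
    """Selector record present and carrying a non-empty public key (empty p= means revoked)."""
    dkim = [r for r in records if "v=dkim1" in r.lower()]
    return [] if dkim and parse_tags(dkim[0]).get("p") else ["no DKIM record or empty p= for this selector"]

def check_dmarc(records):
    """One DMARC record with an enforcing policy, strict alignment and an aggregate-report address."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return ["expected exactly one DMARC record"]
    tags, findings = parse_tags(dmarc[0]), []
    if tags.get("p") not in ("quarantine", "reject"):
        findings.append(f"p={tags.get('p')}: not enforcing (monitoring only or missing)")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":  # DMARC defaults both to relaxed ('r')
            findings.append(f"{tag} is relaxed; set {tag}=s for strict alignment")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports will not arrive")
    return findings

def audit(domain, selector="default", txt=SAMPLE_TXT):
    # Run all three checks for a domain; an empty list means that check is clean.
    return {"spf": check_spf(txt.get(domain, [])),
            "dkim": check_dkim(txt.get(f"{selector}._domainkey.{domain}", [])),
            "dmarc": check_dmarc(txt.get(f"_dmarc.{domain}", []))}
```

Feed it the real TXT answers for your own domain and selector, and re-run it after each DMARC stage (none, quarantine, reject) to confirm the record actually says what you intended.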