ReferenceEmail Security·10 min read

What Are SPF, DKIM and DMARC? How Email Authentication Works

SPF, DKIM and DMARC are three DNS-based email authentication standards that together form the primary defence against email spoofing and domain impersonation. All three need to be in place — and continuously monitored — for email to be reliably authenticated.

Key takeaways

  • SPF tells receiving servers which IP addresses are authorised to send email from your domain.
  • DKIM adds a cryptographic signature to email that can be verified using a public key in DNS.
  • DMARC ties SPF and DKIM together and sets a policy for what to do when authentication fails.
  • All three can break silently — SPF when senders are added or changed, DKIM when keys rotate, DMARC when policy or alignment changes.

In this article

The email spoofing problem

Email was designed in 1971. The original protocol (SMTP) has no authentication built in — anyone can send an email claiming to be from ceo@yourcompany.com. This is email spoofing, and it's trivially easy without authentication controls in place.

Spoofed emails are the mechanism behind business email compromise (BEC), phishing, and invoice fraud — attacks that collectively cause billions in losses annually. SPF, DKIM and DMARC were developed specifically to address this gap, and major email providers (Google, Microsoft, Yahoo) now require DMARC for bulk senders and reject or quarantine unauthenticated email.

All three standards work entirely via DNS records. Configuring them correctly is not enough — because the records need to stay correct as your email infrastructure evolves.

SPF — Sender Policy Framework

SPF (RFC 7208) allows a domain owner to publish a list of IP addresses and mail servers authorised to send email from that domain. The receiving mail server checks this list during delivery and can reject or penalise email that comes from an unauthorised source.

SPF is published as a TXT record on the domain:

TXT record for example.com

v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.0/24 ~all

Reading this record from left to right:

  • v=spf1 — declares this as an SPF record
  • include:_spf.google.com — authorises all IPs listed in Google Workspace's SPF record (for @gmail.com or Google-hosted mail)
  • include:sendgrid.net — authorises SendGrid's sending infrastructure (for transactional email)
  • ip4:192.0.2.0/24 — explicitly authorises the /24 subnet of a custom mail server
  • ~all — softfail: email from any other IP is suspicious but not rejected. -all is a hard fail (reject); ?all is neutral.

⚠️ The 10 DNS lookup limit

SPF evaluates a maximum of 10 DNS lookups per check. Each include: mechanism that itself contains further include: directives counts against this limit. Exceeding 10 lookups causes a permanent error (permerror) — which some mail servers treat as a hard fail. Large organisations with many sending providers regularly hit this limit without realising it.

DKIM — DomainKeys Identified Mail

DKIM (RFC 6376) works differently to SPF. Instead of checking IP addresses, it adds a cryptographic signature to email messages. The receiving server verifies the signature using a public key published in DNS — if the signature is valid, the email was sent by someone in control of the domain.

How it works:

  1. The sending mail server signs specific email headers and the body with a private key.
  2. The signature is added to the email as a DKIM-Signature header.
  3. The receiving server looks up the corresponding public key in DNS at: selector._domainkey.example.com
  4. It verifies the signature. If it matches, the email was genuinely sent by the domain — and the signed content hasn't been tampered with in transit.

TXT record for google._domainkey.example.com

v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOC...

The selector prefix (e.g. google, selector1,mail) allows multiple DKIM keys for the same domain — useful when using different email providers simultaneously, or during key rotation.

A critical DKIM advantage over SPF: DKIM survives email forwarding. Because DKIM validates the signed content rather than the sending IP, a forwarded email retains a valid DKIM signature even after being relayed through a different mail server.

DMARC — policy and reporting

DMARC (RFC 7489) sits on top of SPF and DKIM. It does two things:

  1. It specifies a policy — what the receiving server should do when an email fails both SPF and DKIM authentication.
  2. It requests reports — aggregate and forensic data about emails claiming to be from your domain, sent back to an address you specify.

DMARC is also published as a TXT record:

TXT record for _dmarc.example.com

v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100

The p= policy has three values:

p=noneMonitor only

No action is taken on failing mail. DMARC reports are collected. Use this to assess your email sending landscape before enforcing policy.

p=quarantineMove to spam

Email failing DMARC authentication is moved to the recipient's spam/junk folder. A meaningful step up that impacts deliverability for spoofed mail.

p=rejectReject delivery

Email failing DMARC is rejected outright at the SMTP level — it never reaches the inbox. The strongest protection against domain impersonation.

DMARC alignment is the requirement that either SPF or DKIM must pass AND the domain used in the authentication must match the From: header domain. This prevents attackers from passing SPF check on a different domain and using that to evade DMARC.

MTA-STS and BIMI

Two further email security standards build on top of SPF/DKIM/DMARC:

  • MTA-STS (Mail Transfer Agent Strict Transport Security) — publishes a policy that tells other mail servers your domain requires TLS for email delivery and the certificate must be valid. Prevents downgrade attacks where a connection starts TLS-encrypted but is stripped to plaintext.
  • BIMI (Brand Indicators for Message Identification) — once DMARC is at p=quarantine or p=reject and SPF/DKIM are passing consistently, BIMI allows you to publish an SVG logo in DNS that major email clients (Gmail, Apple Mail, Yahoo) will display next to authenticated emails from your domain.

How they fail silently

Common failure patterns

  • New sender added without SPF update: Onboarding a new marketing platform or CRM without updating the SPF record. Email from that platform fails SPF — bounces or lands in spam silently.
  • DKIM key rotation without DNS update: The mail server rotates its private key but the public key in DNS isn't updated. All outgoing signatures immediately fail to verify — globally, within seconds.
  • DMARC policy tightened without verification: Moving from p=none to p=reject without confirming all legitimate senders pass SPF or DKIM. Valid transactional email starts being rejected.
  • SPF lookup limit exceeded: Adding one more include: mechanism pushes the record over the 10 DNS lookup limit — causing a permerror that some servers treat as an SPF fail.

What Aideworks monitors

Aideworks continuously monitors all email security records for every domain in your account:

  • SPF presence and syntax — validates the record exists, parses correctly, and doesn't exceed the 10-lookup limit.
  • DKIM key presence — checks configurable selectors to verify the public key record is present and correctly formatted.
  • DMARC policy — verifies the record exists, the policy is configured, and the reporting address is present.
  • MTA-STS policy — checks that the MTA-STS policy record and policy file are present and correctly formed.
  • Change alerts for all records — any modification to SPF, DKIM, or DMARC records triggers an immediate alert.

For agencies and MSPs: read the full article on why email security monitoring matters for client domains.

Monitor email security records with Aideworks

Aideworks watches SPF, DKIM and DMARC across every domain you manage — alerting you the moment a record changes or a misconfiguration is detected.

Start monitoring free →