SPF, DKIM and DMARC Explained
Business email has to do more than send and receive messages. Mail servers now check whether a message really comes from the domain it claims to use. SPF, DKIM and DMARC are three DNS-based mechanisms that help answer that question. They sound technical, but the business purpose is simple: reduce spoofing, protect your domain reputation and help legitimate email reach inboxes.
Why email authentication matters
If your business sends quotes, invoices, booking confirmations or support messages, customers need to trust that those emails are genuine. Without proper authentication, scammers may try to send messages that look like they came from your domain. Even if that does not happen, poorly configured email records can make your own emails more likely to land in junk folders.
Email providers such as Microsoft, Google and many security gateways use authentication signals when deciding whether to accept, reject or filter messages. Good records do not guarantee perfect deliverability, but they are now a basic part of professional email setup.
SPF in plain English
SPF stands for Sender Policy Framework. It is a DNS record that lists which services are allowed to send email for your domain. For example, your domain may allow Microsoft 365, Google Workspace, a website form service or an email marketing platform to send messages.
Problems happen when the SPF record is missing, duplicated or does not include all legitimate senders. A business might move to Microsoft 365 but forget that the website contact form still sends through another service. The result can be inconsistent email delivery or messages that fail checks.
DKIM in plain English
DKIM stands for DomainKeys Identified Mail. It adds a digital signature to outgoing messages. Receiving mail servers can check that signature against a public DNS record to confirm that the email was not changed in transit and that it was sent through an authorised system.
Most business owners do not need to read the DKIM code itself. What matters is making sure the correct DKIM records are added for the email provider and that signing is enabled in the provider account. Microsoft 365, Google Workspace and email marketing platforms each have their own setup steps.
DMARC in plain English
DMARC builds on SPF and DKIM. It tells receiving mail servers what to do when a message fails authentication and where to send reports. A basic DMARC policy can start by monitoring. Stronger policies can ask receivers to quarantine or reject suspicious messages.
DMARC should be introduced carefully. If SPF or DKIM is incomplete, a strict DMARC policy can block legitimate messages. That is why it is worth reviewing every system that sends mail for your domain before tightening the policy.
- SPF lists approved senders.
- DKIM signs outgoing messages.
- DMARC tells receivers how to handle failures.
- All three should be reviewed together, not in isolation.
Where businesses often get caught
The most common issue is that email records are set up once and then forgotten. Over time, businesses add a website form, CRM, booking system, newsletter platform or advertising lead tool. Each service may need permission to send on behalf of the domain. If the DNS records are not updated, delivery can become unreliable.
Another common problem is having multiple SPF records. A domain should normally have one SPF record that includes the required services. Adding several separate records can cause SPF checks to fail. This is a good example of why DNS changes should be handled carefully.
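The two problems above (more than one SPF record, and a sending service missing from SPF) can be checked before a DMARC policy is tightened. This Python check is an added example, not part of the original article; it works on TXT strings you have already looked up, and every hostname and record value in it is a constructed sample. It does not check DKIM.

```python
# Added example. Every record value and hostname here is a constructed sample.

def spf_records(txt_records):
    """Return the TXT strings that are SPF records (begin with 'v=spf1')."""
    return [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]

def parse_dmarc(record):
    """Split a DMARC record into tags, e.g. {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(apex_txt, dmarc_txt, expected_senders):
    """List findings for one domain.

    apex_txt: TXT strings published at the domain itself.
    dmarc_txt: TXT strings published at _dmarc.<domain>.
    expected_senders: SPF include hosts for every service that sends your mail.
    """
    findings = []
    spf = spf_records(apex_txt)
    if not spf:
        findings.append("SPF missing")
    elif len(spf) > 1:
        findings.append(f"{len(spf)} SPF records published; only one is allowed")
    else:
        # Drop an optional qualifier (+, -, ~, ?) before reading each term.
        terms = [t.lstrip("+-~?") for t in spf[0].lower().split()]
        includes = {t.split(":", 1)[1] for t in terms if t.startswith("include:")}
        for sender in expected_senders:
            if sender.lower() not in includes:
                findings.append(f"sender not in SPF: {sender}")
    dmarc = [r for r in dmarc_txt if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("DMARC missing")
    elif findings and parse_dmarc(dmarc[0]).get("p", "").lower() in ("quarantine", "reject"):
        findings.append("DMARC policy is strict while SPF problems remain")
    return findings

SENDERS = ["spf.mailhost.example", "forms.webhost.example"]  # hypothetical hosts
SPLIT = ["v=spf1 include:spf.mailhost.example ~all",
         "v=spf1 include:forms.webhost.example ~all"]  # two records: broken
MERGED = ["v=spf1 include:spf.mailhost.example include:forms.webhost.example ~all"]
STRICT = ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"]
MONITOR = ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"]
```

Calling `audit(SPLIT, STRICT, SENDERS)` reports both the duplicate SPF records and the strict policy, while `audit(MERGED, STRICT, SENDERS)` returns an empty list.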
Common questions
Do SPF, DKIM and DMARC stop all spam?
No. They do not remove all spam, but they help protect your domain from spoofing and support better email trust.
Can these records break email?
Incorrect records can cause delivery problems. They should be checked before strict DMARC policies are applied.
Do website contact forms need email authentication?
Often yes. If a form sends messages using your domain, the sending service may need to be included in your email authentication setup.
Want your email records checked?
We can review SPF, DKIM, DMARC and related DNS records so your business email setup is easier to trust and support.
