Email Authentication with DMARC, SPF, and DKIM: A Complete Setup Guide
Priya S.
Why Email Authentication Matters
Email spoofing - sending emails that appear to come from your domain - is a primary tool for phishing attacks and business email compromise. Without proper authentication, anyone can send an email that looks like it came from your CEO, your HR department, or your billing system. SPF, DKIM, and DMARC work together to verify that emails truly originate from authorized senders.
SPF: Sender Policy Framework
SPF publishes a DNS TXT record that lists the IP addresses authorized to send email for your domain. When a receiving server gets an email from your domain, it checks the SPF record to verify that the connecting IP is authorized. Start by auditing every service that sends email on your behalf: your mail server, marketing platforms, CRM systems, and transactional email services. Include all their IP ranges (or the include: records they publish) in your SPF record, and keep the record within the limit of 10 DNS-querying mechanisms set by RFC 7208; a record that exceeds it evaluates to a permanent error rather than a pass.
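As an added example (not part of the original guide), the Python below evaluates a constructed SPF record the way a receiving server does: it walks the mechanisms in order, matches the sending IP against ip4/ip6 ranges, resolves a: and include: through hypothetical in-memory tables that stand in for DNS so it runs offline, and enforces the 10-lookup limit. The domain names, addresses and records are all constructed for illustration.

```python
import ipaddress

# Constructed SPF record for a fictional example.com deployment.
EXAMPLE_SPF = ("v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 "
               "a:mail.example.com include:_spf.mailer.example -all")

# Hypothetical stand-ins for DNS so the example runs offline:
# A/AAAA answers for 'a' mechanisms and TXT answers for 'include'.
HOST_ADDRESSES = {"mail.example.com": ["192.0.2.10", "198.51.100.25"]}
SPF_RECORDS = {
    "example.com": EXAMPLE_SPF,
    "_spf.mailer.example": "v=spf1 ip4:203.0.113.0/24 -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DNS_LOOKUPS = 10  # RFC 7208 section 4.6.4 limit on lookup-causing mechanisms


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass)
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mechanism, _, value = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), value))
    return parsed


def check_spf(sender_ip, domain, records=SPF_RECORDS, hosts=HOST_ADDRESSES,
              _lookups=None):
    """Evaluate the SPF record of `domain` for `sender_ip`.

    Supports ip4, ip6, a, include and all; mx, ptr, exists and redirect are
    out of scope for this example and yield 'permerror'. The lookup counter
    is shared across includes so the 10-lookup limit covers the whole
    evaluation, as the RFC requires."""
    ip = ipaddress.ip_address(sender_ip)
    lookups = _lookups if _lookups is not None else [0]
    record = records.get(domain)
    if record is None:
        return "none"
    for qualifier, mechanism, value in parse_spf(record):
        matched = False
        if mechanism in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"
            matched = net.version == ip.version and ip in net
        elif mechanism in ("a", "include"):
            lookups[0] += 1
            if lookups[0] > MAX_DNS_LOOKUPS:
                return "permerror"
            target = value or domain  # bare "a" means the domain itself
            if mechanism == "a":
                matched = any(ipaddress.ip_address(h) == ip
                              for h in hosts.get(target, []))
            else:
                inner = check_spf(sender_ip, target, records, hosts, lookups)
                # An include that yields no usable record is an error, not a miss.
                if inner in ("none", "permerror", "temperror"):
                    return "permerror"
                matched = inner == "pass"
        elif mechanism == "all":
            matched = True
        else:
            return "permerror"
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" was present
```

Two details matter for the audit the guide describes: a sender reached only through an include still counts against the shared lookup budget, and an address that matches nothing falls through to the final all mechanism, so the qualifier on that term (-all versus ~all) decides whether unauthorized mail fails or merely soft-fails.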
DKIM: DomainKeys Identified Mail
DKIM adds a cryptographic signature to every outgoing email using a private key. The corresponding public key is published in your DNS records. Receiving servers verify the signature to confirm the email was not modified in transit and truly originated from your domain. Configure DKIM on every system that sends email for you - most email service providers have simple setup instructions.
DMARC: Tying It All Together
DMARC builds on SPF and DKIM by defining a policy for what should happen when authentication fails, and by requiring that the domain that passed SPF or DKIM align with the domain in the visible From: header. Start with a "none" policy that only monitors without blocking. Review the DMARC aggregate reports to identify legitimate email sources that are not properly authenticated. Once all legitimate sources pass SPF or DKIM with an aligned domain, change to a "quarantine" policy and eventually "reject" to block unauthorized emails. True Protection monitors your DMARC reports and alerts you when unauthorized senders attempt to spoof your domain.
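The rollout above depends on two things a practitioner has to get right: how a receiver decides that a message passes DMARC (SPF or DKIM must pass with a domain aligned to the From: header, under the relaxed or strict mode set by aspf/adkim), and how to read the aggregate reports to find senders that fail. The Python below, an added example rather than code from the guide or from True Protection, implements both: a policy evaluator that applies p, sp and pct, and a summarizer for a constructed aggregate (RUA) report. The organizational-domain logic is simplified to the last two labels; real implementations use the Public Suffix List. All domains, addresses and report values are constructed.

```python
import xml.etree.ElementTree as ET


def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.strip().partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    for key, default in (("adkim", "r"), ("aspf", "r"), ("pct", "100")):
        tags.setdefault(key, default)
    return tags


def org_domain(domain):
    # Simplification: organizational domain = last two labels. Production code
    # uses the Public Suffix List so that e.g. co.uk is handled correctly.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(from_domain, record, spf_result, spf_domain, dkim_results,
                   sample=0):
    """Return (dmarc_result, disposition) for one message.

    dkim_results is a list of (result, d= domain) pairs, one per signature.
    `sample` is a number in [0, 100) standing in for the random draw used to
    apply 'pct'; messages with sample >= pct get the next-weaker disposition.
    The record passed in is assumed to be the organizational domain's."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = any(result == "pass" and aligned(from_domain, d, tags["adkim"])
                  for result, d in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    policy = tags["p"]
    # 'sp' overrides 'p' when the From: domain is a subdomain of the org domain.
    if from_domain.lower() != org_domain(from_domain):
        policy = tags.get("sp", policy)
    if sample >= int(tags["pct"]):
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return "fail", policy


# Constructed aggregate report, trimmed to the elements used below. The second
# row models a third-party mailer that passes raw SPF for its own domain but
# fails DMARC because that domain is not aligned with example.com.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>constructed-001</report_id></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>mailer.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""


def failing_sources(report_xml):
    """Return [(source_ip, count, raw_spf_domain)] for rows where neither
    aligned DKIM nor aligned SPF passed: the senders to fix or to treat as
    spoofing before moving from p=none to quarantine/reject."""
    root = ET.fromstring(report_xml)
    failures = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            continue
        failures.append((row.findtext("source_ip"), int(row.findtext("count")),
                         rec.findtext("auth_results/spf/domain")))
    return failures
```

Reading the report output, a failing source that shows a raw SPF or DKIM pass for a different domain is usually a legitimate provider that still needs a DKIM key signing with your domain (or an aligned return-path); a failing source with no passing result at all is the kind of sender the guide's reject policy is meant to stop.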