If you send email from a custom domain, SPF, DKIM and DMARC are essential. Together, they form a three-layer email authentication system that prevents your domain from being used for spam and phishing, and helps your emails reach the inbox instead of the spam folder.
SPF (Sender Policy Framework)
SPF is a DNS TXT record that lists the mail servers authorised to send email on behalf of your domain. When an email arrives claiming to be from example.com, the receiving server checks the domain's SPF record to verify the sending server is listed.
v=spf1 include:_spf.google.com include:sendgrid.net ~all
The ~all at the end means "fail softly" (mark as suspicious) for any server not listed. Using -all instead means "fail hard" (reject).
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic digital signature to every outgoing email. The signature is verified using a public key stored in a DNS TXT record. This proves two things:
- The email was sent by an authorised sender
- The email content was not modified in transit
The DKIM DNS record looks like:
selector._domainkey.example.com IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCS..."
DMARC (Domain-based Message Authentication, Reporting and Conformance)
DMARC builds on SPF and DKIM. It tells receiving servers what to do when an email fails authentication checks:
_dmarc.example.com IN TXT "v=DMARC1; p=quarantine; rua=mailto:[email protected]"
Policies (p=) can be:
- none: Monitor only, take no action
- quarantine: Send failing emails to spam
- reject: Reject failing emails outright
Do You Need All Three?
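Yes. SPF alone can be bypassed, because it checks the envelope sender (Return-Path) domain rather than the From header the recipient sees. DKIM alone doesn't prevent spoofing in the From header, because the signing domain does not have to match the From domain. DMARC without SPF or DKIM has nothing to enforce. Together, they provide comprehensive protection.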
How to Check Your Records
Use our DNS Lookup tool — select "TXT" to see your SPF and DMARC records. For DKIM, search for selector._domainkey.yourdomain.com.
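Once you have the TXT values, you can check them offline. The following is an added example, not part of the original article or of any tool it mentions, that lints one SPF and one DMARC record for the settings described above. The function names and the DMARC report address are assumptions made for the illustration.

```python
PAGE_SPF = "v=spf1 include:_spf.google.com include:sendgrid.net ~all"  # from the article
# Constructed sample: the report address is a placeholder, not the article's.
SAMPLE_DMARC = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"

def parse_spf(txt):
    """Return the qualifier on 'all' ('+', '-', '~', '?'), '' if absent, None if not SPF."""
    terms = txt.strip().lower().split()
    if not terms or terms[0] != "v=spf1":
        return None
    qual = ""
    for t in terms[1:]:
        if t.lstrip("+-~?") == "all":
            qual = t[0] if t[0] in "+-~?" else "+"  # bare "all" defaults to "+"
    return qual

def parse_dmarc(txt):
    """Return the DMARC tags as a dict, or None if the record is not v=DMARC1."""
    parts = (p.split("=", 1) for p in txt.split(";") if "=" in p)
    tags = {k.strip().lower(): v.strip() for k, v in parts}
    return tags if tags.get("v") == "DMARC1" else None

def lint(spf_txt, dmarc_txt):
    """Return a list of findings for one domain's SPF and DMARC records."""
    findings = []
    qual = parse_spf(spf_txt)
    if qual is None:
        findings.append("spf: record missing or not v=spf1")
    elif qual == "" and "redirect=" not in spf_txt.lower():
        findings.append("spf: no 'all' mechanism")
    elif qual in ("+", "?"):
        findings.append(f"spf: '{qual}all' does not restrict unlisted servers")
    elif qual == "~":
        findings.append("spf: '~all' is a soft fail; '-all' is the hard fail")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("dmarc: record missing or not v=DMARC1")
        return findings
    policy = dmarc.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("dmarc: p= is missing or invalid")
    elif policy == "none":
        findings.append("dmarc: p=none is monitor only, no action is taken")
    if "rua" not in dmarc:
        findings.append("dmarc: no rua= address for aggregate reports")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(PAGE_SPF, SAMPLE_DMARC)))
```

An empty list from `lint` means neither record tripped any of these checks; it does not verify DKIM or that the listed servers are correct.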