Secure Email Setup: SPF, DKIM and DMARC
Protect your domain from phishing and spoofing with proper email authentication.
Why Email Security Matters
Email remains the most widely used communication channel for businesses. At the same time, phishing and email fraud are among the biggest threats. Attackers can easily forge sender addresses and send emails that appear to come from your organization — with serious consequences for trust and security.
With SPF, DKIM and DMARC, receiving servers can verify that a message claiming to come from your domain was really sent by systems you authorize, and your DMARC policy tells them what to do with messages that fail. For organizations handling personal data, this is especially important in light of GDPR and data protection regulations.
What Is Email Authentication?
Email authentication is a set of technical standards that let recipients verify that an email message actually comes from the stated sender. Without these mechanisms, anyone can send email that "looks" like it comes from @yourcompany.com.
The three main pillars are SPF (which servers may send mail for the domain), DKIM (was the message signed by the domain, and has it been altered since?) and DMARC (do the SPF and DKIM results line up with the visible From address, and what should the recipient do when they fail?). All three are published as DNS TXT records; you can check status with our email security tool.
SPF in Detail
SPF (Sender Policy Framework) is a TXT record that lists which IP addresses and servers are authorized to send email for your domain. When a receiving server gets mail from @example.com, it looks up the SPF record and checks whether the connecting IP is on the list. Note that SPF is evaluated against the envelope sender (the SMTP MAIL FROM address, shown to users as Return-Path, or the HELO name when MAIL FROM is empty), not against the From header the user actually sees. That is why SPF on its own does not stop spoofing of the visible sender; DMARC's alignment check closes that gap.
Example: v=spf1 include:_spf.google.com ~all
This includes Google's SPF record (for Gmail/Google Workspace), and ~all means "soft fail": mail from servers not on the list should be treated with suspicion, though most receivers still accept it. -all means "hard fail", and many receivers reject such mail at the SPF stage, which also hits legitimate mail that was forwarded. Once DMARC is in place the DMARC policy decides the outcome, so ~all is a common long-term choice; switch to -all only when you are certain the list of senders is complete.
Common mistakes: forgetting to include third-party services (e.g. Mailchimp, SendGrid); exceeding the limit of 10 DNS lookups (include, a, mx, ptr, exists and redirect all count, and lookups inside included records count toward the same total, so the receiver returns permerror and ignores the record); publishing two separate SPF TXT records for the same name, which is also an error (merge them into one); and using +all, which authorizes every sender and makes SPF worthless.
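The following is an added example, not code from the original page: a small offline SPF evaluator that shows how a receiver walks the record (including nested include: records), how the ~all / -all / +all qualifier decides the result for an unlisted IP, and how the 10-lookup limit is counted across includes. The domain names and records in SPF_RECORDS are constructed stand-ins for DNS answers; a, mx, ptr and exists are not evaluated because they need live DNS.

```python
import ipaddress

# Constructed sample zone standing in for DNS: name -> SPF TXT record.
# example.com uses a vendor's include, which itself includes another record,
# so lookups inside included records count toward the same limit of 10.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailvendor.example -all",
    "_spf.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 include:_netblocks.mailvendor.example ~all",
    "_netblocks.mailvendor.example": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all",
    "weak.example": "v=spf1 ip4:203.0.113.0/24 +all",
    "bloated.example": "v=spf1 " + " ".join("include:svc%d.example" % i for i in range(11)) + " -all",
}

# Mechanisms and modifiers that cost a DNS query (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: %r" % record)
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                     # implicit qualifier is '+'
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if "=" in term:                     # modifier, e.g. redirect=_spf.example
            name, value = term.split("=", 1)
        elif ":" in term:                   # mechanism with argument, e.g. ip4:...
            name, value = term.split(":", 1)
        else:                               # bare mechanism, e.g. all, a, mx
            name, value = term, None
        parsed.append((qualifier, name.lower(), value))
    return parsed


def count_lookups(domain, records=SPF_RECORDS, path=()):
    """Count query-causing terms, descending into include/redirect targets."""
    if domain in path:
        raise ValueError("include loop via %s" % domain)
    total = 0
    for _, name, value in parse_spf(records[domain]):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and value in records:
                total += count_lookups(value, records, path + (domain,))
    return total


def check_spf(client_ip, domain, records=SPF_RECORDS, depth=0):
    """Simplified SPF check supporting ip4, ip6, include and all.

    a, mx, ptr and exists need live DNS and are not evaluated here; a real
    resolver also stops with permerror once the lookup limit is exceeded.
    """
    if depth > MAX_LOOKUPS:
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, value in parse_spf(records[domain]):
        if name in ("ip4", "ip6"):
            # 'in' is False for an IPv4 address against an IPv6 network and vice versa
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIER_RESULT[qualifier]
        elif name == "include":
            if value not in records:
                return "permerror"          # included name has no SPF record
            # include matches only when the included record itself returns 'pass'
            if check_spf(client_ip, value, records, depth + 1) == "pass":
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                        # nothing matched and no 'all' present


def audit_spf(domain, records=SPF_RECORDS):
    """Return the findings a practitioner would flag for a record."""
    findings = []
    terms = parse_spf(records[domain])
    lookups = count_lookups(domain, records)
    if lookups > MAX_LOOKUPS:
        findings.append("too many DNS lookups: %d > %d" % (lookups, MAX_LOOKUPS))
    last = terms[-1] if terms else None
    if last is None or last[1] != "all":
        findings.append("no 'all' mechanism: unlisted senders get 'neutral'")
    elif last[0] == "+":
        findings.append("'+all' authorizes every sender, SPF provides no protection")
    elif last[0] == "?":
        findings.append("'?all' yields neutral for unlisted senders")
    return findings


if __name__ == "__main__":
    for ip in ("203.0.113.5", "192.0.2.7", "2001:db8::1", "10.0.0.1"):
        print(ip, check_spf(ip, "example.com"))
    for name in SPF_RECORDS:
        print(name, count_lookups(name), audit_spf(name))
```

Against these records, 10.0.0.1 ends at -all for example.com (fail) but is accepted by weak.example because of +all, and bloated.example is flagged for 11 lookups even though every individual term is syntactically valid.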
DKIM in Detail
DKIM (DomainKeys Identified Mail) cryptographically signs email messages. The sending server adds a DKIM-Signature header that carries a signature over selected headers and a hash of the body, together with the signing domain (d=) and a selector (s=). The receiving server fetches the public key from DNS and verifies the signature; if it passes, the signed parts of the message were not altered in transit and the d= domain vouches for the message. That d= domain is what DMARC later compares with the From address.
You create a key pair: a private key (secret, on the mail server) and a public key, published as a TXT record at selector._domainkey.example.com in the form v=DKIM1; k=rsa; p=<base64 public key>. Your email platform (Google Workspace, Microsoft 365, or your own server) signs outgoing messages with the private key. Use RSA keys of at least 2048 bits; 1024-bit keys are considered weak.
Important: rotate DKIM keys regularly (e.g. annually). Because each selector is its own DNS name, a new and an old key can coexist: publish the new selector's public key before you start signing with it, and keep the old selector's record in DNS until mail signed with the old key is no longer in transit, only then remove it.
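As an added example (not code from the original page), the following shows the body-hash half of DKIM verification: the receiver canonicalizes the body, hashes it, and compares the result with the bh= tag of the DKIM-Signature header. The message body and the DKIM-Signature value are constructed for this example; b= (the RSA signature over the headers) is left empty, because checking it needs the public key from DNS and is not shown here. The comparison demonstrates why "relaxed" canonicalization survives whitespace re-wrapping by a forwarder while any change to the content breaks the hash.

```python
import base64
import hashlib
import re

# Hash function selected by the a= tag; rsa-sha1 is deprecated but still seen.
HASHES = {"rsa-sha256": hashlib.sha256, "ed25519-sha256": hashlib.sha256, "rsa-sha1": hashlib.sha1}


def canonicalize_body(body, method="simple"):
    """Body canonicalization per RFC 6376 section 3.4.

    simple:  only remove empty lines at the end of the body.
    relaxed: additionally strip trailing whitespace on every line and collapse
             runs of spaces/tabs within a line to a single space.
    Both end every line with CRLF.
    """
    lines = body.replace("\r\n", "\n").split("\n")
    if method == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    elif method != "simple":
        raise ValueError("unknown canonicalization: %s" % method)
    while lines and lines[-1] == "":
        lines.pop()
    canon = "".join(line + "\r\n" for line in lines)
    # simple canonicalization of an empty body is a single CRLF; relaxed is empty
    return canon if canon or method == "relaxed" else "\r\n"


def body_hash(body, method="simple", algorithm="rsa-sha256"):
    """Compute the bh= value: base64 of the hash of the canonicalized body."""
    digest = HASHES[algorithm](canonicalize_body(body, method).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_dkim_tags(header_value):
    """Parse a DKIM-Signature tag list; folding whitespace is dropped in b= and bh=."""
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)          # split once: base64 may contain '='
        name = name.strip()
        tags[name] = re.sub(r"\s+", "", value) if name in ("b", "bh") else value.strip()
    return tags


def body_hash_matches(header_value, body):
    """Check only the bh= part of verification; the b= signature over the
    headers is a separate step that needs the public key from DNS."""
    tags = parse_dkim_tags(header_value)
    canon = tags.get("c", "simple/simple").split("/")
    # c=relaxed alone means relaxed headers and simple body (RFC 6376 section 3.5)
    body_method = canon[1] if len(canon) == 2 else "simple"
    return body_hash(body, body_method, tags.get("a", "rsa-sha256")) == tags["bh"]


# Constructed sample body as the signer saw it, and a constructed DKIM-Signature
# value for it; bh= is computed here so the sample is self-consistent.
SAMPLE_BODY = "Hello,\r\n\r\nPlease review the attached invoice. \r\nThanks\r\n\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel2024; "
    "h=from:to:subject:date; bh=%s; b=" % body_hash(SAMPLE_BODY, "relaxed")
)

# A forwarder re-wrapping whitespace does not break relaxed canonicalization...
REWRAPPED_BODY = "Hello,\n\nPlease review the attached   invoice.\nThanks\n"
# ...but changing the content does.
TAMPERED_BODY = "Hello,\n\nPlease review the attached invoice and pay today.\nThanks\n"

if __name__ == "__main__":
    print("original :", body_hash_matches(SAMPLE_SIGNATURE, SAMPLE_BODY))
    print("rewrapped:", body_hash_matches(SAMPLE_SIGNATURE, REWRAPPED_BODY))
    print("tampered :", body_hash_matches(SAMPLE_SIGNATURE, TAMPERED_BODY))
```

The same re-wrapped body fails under simple canonicalization, which is one reason most signers use c=relaxed/relaxed. The optional l= tag, which limits how many body bytes are hashed, is deliberately not supported here: it lets anyone append content after the signed part without invalidating the signature, and verifiers are increasingly ignoring or rejecting it.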
DMARC in Detail
DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM. It tells recipients what to do with email that fails, and adds the "alignment" requirement: a message passes DMARC only if SPF passes and the envelope-sender domain matches the domain in the From header, or DKIM passes and the signing domain (d=) matches the From header domain. Alignment is relaxed by default, meaning the same organizational domain is enough (bounce.example.com aligns with example.com); adkim=s and aspf=s require an exact match.
Policy (p=):
- p=none: monitor only (recommended first, to review reports)
- p=quarantine: put failing email in spam
- p=reject: reject email that fails (strictest)
Reporting: rua=mailto:dmarc@example.com for aggregate reports (XML, usually daily, one per reporting provider) and ruf=mailto:dmarc@example.com for forensic reports on individual failures. In practice most large providers do not send ruf reports, for privacy reasons, so plan around rua. Reports show which sources are sending email on behalf of your domain and whether they pass. If the report address is on a different domain than the one publishing the policy, that domain must publish an authorization record at example.com._report._dmarc.<report domain> or reporters will not send to it.
Step-by-Step: Set Up Email Security
- Identify all services that send email for your domain (email provider, newsletter, CRM, etc.)
- Create the SPF record with all necessary include: entries. Start with ~all.
- Enable DKIM at your email provider and add the public key to DNS.
- Create DMARC with p=none and rua for reports. Wait 1–2 weeks.
- Analyze reports: do you see legitimate traffic failing? Fix issues before tightening.
- Increase to p=quarantine, monitor again, then p=reject when confident.
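The "analyze reports" step above is where most rollouts stall, so here is an added example (not from the original page) of reading a DMARC aggregate report: it parses the RFC 7489 XML, separates the aligned verdict in policy_evaluated from the raw SPF/DKIM results in auth_results, and lists the failing sources with the question each one raises. The report below is constructed; real reports arrive as gzip or zip attachments and need to be unpacked first.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report shaped like the RFC 7489 appendix C schema:
# the domain's own server, a newsletter vendor sending unaligned mail, and an
# unknown source that authenticates as nothing at all.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>mailbox-provider.example</org_name>
    <report_id>2024-01-15-example.com</report_id>
    <date_range><begin>1705276800</begin><end>1705363199</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf><p>none</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip><count>1200</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>sel2024</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.25</source_ip><count>300</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>newsletter-vendor.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounce.newsletter-vendor.example</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>192.0.2.99</source_ip><count>45</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>example.com</domain><result>fail</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text):
    """Return (metadata, rows); each row is one source IP as the reporter saw it."""
    root = ET.fromstring(xml_text)
    meta = {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
    }
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            "header_from": rec.findtext("identifiers/header_from"),
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            # policy_evaluated holds the *aligned* verdicts DMARC is based on...
            "dkim_aligned": rec.findtext("row/policy_evaluated/dkim") == "pass",
            "spf_aligned": rec.findtext("row/policy_evaluated/spf") == "pass",
            # ...while auth_results holds the raw results for whatever domain authenticated
            "dkim_auth": [(d.findtext("domain"), d.findtext("result")) for d in rec.findall("auth_results/dkim")],
            "spf_auth": [(s.findtext("domain"), s.findtext("result")) for s in rec.findall("auth_results/spf")],
        })
    return meta, rows


def diagnose(row):
    """Turn a failing row into the question a practitioner has to answer."""
    raw_pass = [d for d, res in row["spf_auth"] + row["dkim_auth"] if res == "pass"]
    if raw_pass:
        return "authenticates as %s but not aligned with %s: third-party sender to fix" % (
            ", ".join(raw_pass), row["header_from"])
    return "no SPF or DKIM pass: unknown source, likely spoofing or an unlisted server"


def summarize(rows):
    """Totals plus the failing sources, largest first, each with a diagnosis."""
    total = sum(r["count"] for r in rows)
    passed = sum(r["count"] for r in rows if r["dkim_aligned"] or r["spf_aligned"])
    failing = sorted((r for r in rows if not (r["dkim_aligned"] or r["spf_aligned"])),
                     key=lambda r: r["count"], reverse=True)
    return {"total": total, "pass": passed, "fail": total - passed,
            "failing_sources": [(r["source_ip"], r["count"], diagnose(r)) for r in failing]}


if __name__ == "__main__":
    meta, rows = parse_aggregate_report(SAMPLE_REPORT)
    summary = summarize(rows)
    print("%s reports on %s (p=%s): %d pass, %d fail" % (
        meta["reporter"], meta["domain"], meta["policy"], summary["pass"], summary["fail"]))
    for ip, count, why in summary["failing_sources"]:
        print("  %-15s %5d  %s" % (ip, count, why))
```

Both failing sources have disposition none because the published policy is still p=none; the point of the monitoring phase is that 300 messages a day from the vendor would have been quarantined or rejected under a stricter policy, which is what must be fixed before moving on.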
Email Security and Compliance
In many jurisdictions, GDPR and data protection laws apply. Regulators recommend that organizations implement technical measures to protect personal data. Email authentication reduces the risk of sensitive data reaching the wrong recipients via phishing.
ISO 27001 and similar information security standards require measures for communication security. SPF, DKIM and DMARC are recognized and recommended controls that demonstrate you take email security seriously.
Common Mistakes and How to Avoid Them
- Overly strict SPF: forgetting a service causes legitimate email to fail. Test thoroughly before switching to -all.
- Missing DKIM rotation overlap: removing the old selector before mail signed with the old key has been delivered makes those messages fail verification.
- DMARC p=none forever: monitoring mode is good initially, but you should eventually tighten for real protection.
- Subdomains: SPF and DKIM do not inherit, so a subdomain that sends mail (e.g. newsletter.example.com) needs its own SPF record and DKIM keys, and a subdomain that never sends mail should publish v=spf1 -all. DMARC does inherit: a subdomain without its own record falls under the organizational domain's record, with sp= controlling the subdomain policy (it defaults to p=), so do not leave sp=none on a domain whose p= is reject.