
SPF, DKIM & DMARC for email senders

A plain-English explanation of the three DNS records that prove your emails are legitimate and protect your domain from being spoofed.

email, dns, deliverability, security, intermediate

SPF, DKIM, and DMARC are three security records that live in your domain's DNS settings. Together, they prove to receiving mail servers that emails from your domain are genuine — and instruct them on what to do if they're not.

You don't need to fully understand how they work, but you should know what they are, why they matter, and whether yours are set up correctly.

Quick summary

SPF, DKIM, and DMARC are DNS records that authenticate your email. They prevent others from sending fake emails pretending to be from your domain (spoofing), and they improve your deliverability. If Chykalophia set up your email, these should already be configured. Ask us to verify if you're unsure.

Why these records exist

Without authentication records, anyone in the world could send an email that appears to come from yourbusiness.com. They could impersonate you to defraud your clients, spread phishing attacks, or damage your reputation.

Authentication records let receiving servers verify: "Did this email actually come from someone authorized to send on behalf of yourbusiness.com?"

They also tell spam filters your email is trustworthy, which improves deliverability.

SPF — who is allowed to send?

SPF (Sender Policy Framework) is a DNS TXT record that lists all the mail servers that are authorized to send email from your domain.

What it does: When someone receives an email claiming to be from yourbusiness.com, their mail server checks your domain's SPF record to see if the sending server is on the approved list.

What it looks like in DNS:

v=spf1 include:_spf.google.com ~all

This example says: "Emails from this domain may be sent by Google's mail servers. Treat anything else with suspicion."

What you need to do: Your SPF record should list every service that sends email on your behalf — your email platform (Google Workspace or Microsoft 365), your website's form notifications, any marketing email service you use (Mailchimp, Klaviyo, etc.).

If you have multiple sending services, they all need to be included in one SPF record. (You cannot have more than one SPF record on a domain.)

DKIM — is this email genuine?

DKIM (DomainKeys Identified Mail) adds a digital signature to every email you send. It works like a tamper-evident seal: if the email is modified in transit, the signature breaks.

What it does: When your mail server sends an email, it adds a hidden DKIM signature. The receiving server looks up your domain's DKIM public key (stored as a DNS TXT record) to verify the signature. If it matches, the email is genuine.

What you need to do: Your email platform (Google Workspace, Microsoft 365) handles DKIM signing automatically once you add the right DNS record. Chykalophia sets this up when we configure your email.

DMARC — what should happen if authentication fails?

DMARC (Domain-based Message Authentication, Reporting & Conformance) is a policy that tells receiving mail servers what to do with emails that fail SPF or DKIM checks.

The three DMARC policies:

| Policy | What happens to failing emails |
|---|---|
| none | Deliver them but send reports to the domain owner |
| quarantine | Put them in the spam/junk folder |
| reject | Block them entirely — they never reach the recipient |

What it looks like in DNS:

v=DMARC1; p=quarantine; rua=mailto:reports@yourbusiness.com

This says: "Quarantine emails that fail authentication, and send reports to reports@yourbusiness.com."

Start with 'none' before tightening

If you set DMARC to reject before your SPF and DKIM are correctly configured, you risk blocking your own legitimate emails. A good setup starts with none (monitoring mode) for a few weeks, then moves to quarantine, then reject once everything is confirmed working.
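The one-SPF-record rule and the DMARC policy stages described above can be checked mechanically. This Python lint is an added example, not Chykalophia's tooling: it inspects TXT strings you have already retrieved, the sample records and the `spf.mailer.example` include are constructed, and the 10-lookup check (RFC 7208) goes beyond what this page covers.

```python
# Added example: offline lint of SPF and DMARC TXT strings. All sample records are constructed.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS lookup

def lint_spf(apex_txt):
    """Findings for the TXT records published at the domain itself."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        # Zero means no SPF at all; more than one makes receivers return a permanent error.
        return [f"expected exactly one SPF record, found {len(spf)}"]
    terms = [t.lower() for t in spf[0].split()[1:]]
    names = [t.lstrip("+-~?").replace("=", ":").split(":")[0].split("/")[0] for t in terms]
    findings = []
    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:  # nested includes also count, but resolving them needs live DNS
        findings.append(f"{lookups} lookup terms exceeds the limit of 10")
    if "all" not in names and "redirect" not in names:
        findings.append("no 'all' mechanism: unlisted servers get a neutral result")
    if "all" in terms or "+all" in terms:
        findings.append("'+all' authorizes every server on the internet")
    return findings

def lint_dmarc(dmarc_txt):
    """Findings for the TXT records published at _dmarc.<domain>."""
    dmarc = [r for r in dmarc_txt if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        return [f"expected exactly one DMARC record, found {len(dmarc)}"]
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append(f"missing or invalid p= policy: {policy!r}")
    elif policy == "none":
        findings.append("p=none is monitoring only; failing mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address, so no reports will arrive")
    return findings

# Constructed samples: two separate SPF records (broken) and the merged form (correct).
SPLIT_SPF = ["v=spf1 include:_spf.google.com ~all", "v=spf1 include:spf.mailer.example ~all"]
MERGED_SPF = ["v=spf1 include:_spf.google.com include:spf.mailer.example ~all"]
PAGE_DMARC = ["v=DMARC1; p=quarantine; rua=mailto:reports@yourbusiness.com"]

if __name__ == "__main__":
    for label, result in (("split", lint_spf(SPLIT_SPF)), ("merged", lint_spf(MERGED_SPF)),
                          ("dmarc", lint_dmarc(PAGE_DMARC))):
        print(label, result or "ok")
```
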

How they work together

Think of it this way:

  • SPF checks the envelope: "Is this mail server on the approved list?"
  • DKIM checks the letter: "Was this email signed by the claimed domain?"
  • DMARC is the policy: "What do we do if either check fails?"

All three working together gives receiving servers maximum confidence that your emails are real.

Do I need to set these up myself?

No. Chykalophia handles this as part of setting up your email platform. If you're migrating email or adding a new sending service, we'll update your records.

What you should do: ask Chykalophia to confirm all three records are in place. We can also check using tools like MXToolbox.

What about sending email from my website?

Your website also sends email — form notifications, order confirmations, etc. Those emails need to be covered by your SPF record too. See "Email sent from your website explained" and "What is SMTP?".

Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.
