SPF, DKIM and DMARC explained: email authentication
Last updated: 31 December 2025
Why email authentication?
Email authentication prevents spammers from abusing your domain for phishing. Without SPF, DKIM and DMARC, criminals can send emails that appear to come from your company. Additionally, these records improve your deliverability.
SPF: Sender Policy Framework
SPF specifies which mail servers may send on behalf of your domain.
How it works
- You publish an SPF record in DNS
- Receiving mail server checks if sending server is in SPF record
- If server is not authorized, mail can be rejected
SPF record example
v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all
Explanation:
- v=spf1 - SPF version 1
- include: - trust SPF of these domains
- ~all - soft fail for unauthorized servers
Setting up SPF
- Identify all servers that send mail (hosting, newsletter, CRM)
- Create SPF record with all sources
- Add as TXT record in DNS
- Test with SPF checker tools
DKIM: DomainKeys Identified Mail
DKIM adds a digital signature to outgoing email.
How it works
- Your mail server signs each mail with a private key
- The public key is in your DNS
- Recipients verify signature with public key
- If signature matches, mail wasn't modified in transit
DKIM record example
selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIGf..."
Setting up DKIM
- Generate a DKIM keypair (usually via your mail provider)
- Publish public key as TXT record
- Configure mail server to sign
- Test with DKIM validators
DMARC: Domain-based Message Authentication
DMARC combines SPF and DKIM and determines what happens on failure.
How it works
- DMARC policy specifies action on SPF/DKIM failure
- You receive reports about failed authentication
- You can gradually become stricter
DMARC record example
_dmarc.example.com TXT "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"
Policies:
- p=none - report only, no action
- p=quarantine - move to spam
- p=reject - refuse
Setting up DMARC
- Start with p=none to monitor
- Analyze reports
- Fix authentication issues
- Increase to p=quarantine
- Eventually to p=reject
Implementation order
- SPF - first, simplest
- DKIM - next, requires mail server configuration
- DMARC - last, builds on SPF and DKIM
Common mistakes
- Multiple SPF records (only one allowed)
- Starting too strict with DMARC
- Forgetting to publish DKIM selector
- Too many SPF includes (max 10 DNS lookups)
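The mistakes listed above can be checked mechanically. The following is an added example, not part of the original article or any provider's tooling: it counts the SPF terms that trigger DNS lookups (include, a, mx, ptr, exists, redirect, per RFC 7208), flags duplicate SPF records, and checks that the DKIM selector and DMARC record exist. ZONE is constructed sample data standing in for live DNS, and all function names and .example domains are assumptions.

```python
import re
# Constructed TXT data standing in for live DNS; every name here is an example.
ZONE = {
    "example.com": ["v=spf1 include:_spf.mail.example include:_spf.crm.example ~all"],
    "_spf.mail.example": ["v=spf1 include:_a.mail.example mx ~all"],
    "_a.mail.example": ["v=spf1 ip4:192.0.2.0/24 a ~all"],
    "_spf.crm.example": ["v=spf1 exists:%{i}.crm.example -all"],
    "_dmarc.example.com": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"],
    "selector._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIGf..."],
    "dup.example": ["v=spf1 mx ~all", "v=spf1 a ~all"],  # mistake: two SPF records
}
QUERYING = {"include", "a", "mx", "ptr", "exists", "redirect"}  # terms costing a lookup

def spf_records(domain, zone=ZONE):
    return [t for t in zone.get(domain, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(domain, zone=ZONE, path=()):
    """Count DNS-querying SPF terms, following include: and redirect= targets."""
    records = spf_records(domain, zone)
    if domain in path or len(records) != 1:  # include loop, or nothing to evaluate
        return 0
    total = 0
    for term in records[0].split()[1:]:
        # Strip the qualifier (+ - ~ ?), then take the name before ':', '=' or '/'.
        name = re.split(r"[:=/]", term.lstrip("+-~?"))[0].lower()
        total += name in QUERYING
        if name in ("include", "redirect"):
            target = re.split(r"[:=]", term, maxsplit=1)[-1]
            total += count_lookups(target, zone, path + (domain,))
    return total

def dmarc_policy(domain, zone=ZONE):  # returns the p= value, or None if no record
    for txt in zone.get("_dmarc." + domain, []):
        tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
        if tags.get("v") == "DMARC1":
            return tags.get("p")
    return None

def lint(domain, selector, zone=ZONE):
    """Return findings for the mistakes listed above; an empty list means none."""
    findings = []
    if len(spf_records(domain, zone)) != 1:
        findings.append("SPF: need exactly one v=spf1 record")
    elif count_lookups(domain, zone) > 10:
        findings.append("SPF exceeds 10 DNS lookups")
    if not zone.get(f"{selector}._domainkey.{domain}"):
        findings.append(f"DKIM selector '{selector}' not published")
    if dmarc_policy(domain, zone) is None:
        findings.append("no DMARC record")
    return findings
```

Nested includes count toward the limit too: the sample example.com record lists only two includes but costs six lookups once the included records are followed.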
Frequently Asked Questions
How long does it take to implement this?
Implementation time varies per situation. Simple configurations can be done within an hour, more complex setups may take several hours to a day.
What are the costs?
Costs depend on your hosting provider and package. Many basic features are included for free, advanced features may incur additional costs.
Do I need technical knowledge?
You need little technical knowledge for the basics. Most hosting providers offer extensive documentation and support to help you.