
What Are SPF, DKIM, and DMARC? A Simple Guide to Email Security

Email is still one of the most important tools businesses use every day. It is how invoices are sent, passwords are reset, quotes are approved, vendors communicate, and customers reach out.


Unfortunately, that also makes email one of the easiest ways for attackers to target a business.

One of the biggest problems with email is that it was not originally built with strong identity verification. In simple terms, someone can try to make an email look like it came from your domain, even if it did not. That is where SPF, DKIM, and DMARC come in.


These three email security records help protect your domain from spoofing, phishing, and impersonation. They also help improve email deliverability, which means your legitimate emails are more likely to reach inboxes instead of landing in spam.


Google, Yahoo, and Microsoft now expect businesses to have proper email authentication in place, especially for organizations that send bulk or marketing emails. Google and Yahoo both require sender authentication and DMARC alignment for many senders, and Microsoft describes SPF, DKIM, and DMARC as core protections against spoofed senders used in business email compromise, ransomware, and phishing attacks.


What Is SPF?



SPF stands for Sender Policy Framework.


Think of SPF like a guest list for your domain. It tells receiving email servers which mail systems are allowed to send email on behalf of your domain.


For example, if your business uses Microsoft 365, Google Workspace, Mailchimp, Constant Contact, Freshdesk, QuickBooks, or another platform to send email, your SPF record tells the internet, “These services are approved to send email for us.”


Without SPF, a receiving mail server has less confidence that the email actually came from an approved source. Microsoft explains that SPF uses a DNS TXT record to identify valid mail sources for the sending domain.


Simple example

Someone receives an email from:

billing@yourcompany.com


The receiving mail server checks your SPF record and asks:

“Was this email sent from a server approved by yourcompany.com?”


If yes, that is a good sign.


If no, the email may be treated as suspicious.


Important note about SPF

SPF alone is not enough. SPF checks the technical sending source, but it does not fully prove that the visible “From” address is trustworthy. That is why DKIM and DMARC are also needed.


What Is DKIM?

DKIM stands for DomainKeys Identified Mail.


If SPF is the guest list, DKIM is the digital signature.


DKIM adds a cryptographic signature to outgoing email. This signature helps prove that the message was authorized by your domain and that the email was not changed in transit.


For example, when your company sends an email through Microsoft 365 or Google Workspace, DKIM can sign that message. The receiving mail server can then check the public DKIM record in DNS to confirm that the signature is valid.


Microsoft notes that DKIM signing for Microsoft 365 custom domains requires DNS CNAME records and that outbound mail can be signed after the custom domain is properly added and detected.


Simple example

Your business sends an invoice to a client.


DKIM helps the receiving server verify:

“This message really came from an authorized system for this domain, and the message was not altered after it was sent.”


That is important because attackers often try to modify emails, impersonate executives, or send fake payment instructions.


What Is DMARC?

DMARC stands for Domain-based Message Authentication, Reporting, and Conformance.


DMARC is the policy layer that brings SPF and DKIM together.


It tells receiving mail servers what to do when an email fails authentication checks. It can also send reports back to the domain owner so the business can see who is sending email on behalf of their domain.


DMARC can be set to three common policy levels:


1. None

This is a monitoring mode.


The receiving server does not block failed emails based on DMARC alone, but reports can be collected. This is usually the safest starting point because it lets you see what is happening before enforcing stricter rules.


2. Quarantine

Failed messages are usually sent to spam or junk.


This is stronger than monitoring but less aggressive than blocking.


3. Reject

Failed messages are rejected.


This is the strongest protection because it tells receiving servers not to accept email that does not properly authenticate.


Google recommends setting up SPF and DKIM before enabling DMARC and rolling DMARC out gradually, often starting with a policy of none before moving toward stronger enforcement.


How SPF, DKIM, and DMARC Work Together

Here is the easiest way to understand the relationship:

SPF checks whether the sending server is approved.

DKIM checks whether the message has a valid digital signature.

DMARC checks whether SPF or DKIM aligns with the domain shown in the From address and tells the receiving server what to do if the message fails.


Google and Yahoo both state that the domain in the visible From header should align with either the SPF domain or the DKIM domain for DMARC alignment.


Real world example

Let’s say your company domain is:


An attacker tries to send a fake email that looks like it came from:

accounting@examplecompany.com


If your domain does not have SPF, DKIM, and DMARC configured correctly, that fake message has a better chance of reaching someone’s inbox.


If your domain does have proper email authentication, the receiving server has a much better chance of identifying that the message is not legitimate.


That can help stop fake invoices, wire fraud attempts, payroll scams, vendor impersonation, and phishing emails.


Why This Matters for Small Businesses

A lot of small businesses assume this only matters to large companies, but attackers often prefer smaller organizations because they may not have strong security controls in place.

SPF, DKIM, and DMARC matter because they help with:


Reducing domain spoofing

Attackers are less likely to successfully impersonate your domain.


Improving email deliverability

Properly authenticated emails are more likely to be trusted by receiving mail systems.


Protecting your brand

Customers, vendors, and partners are less likely to receive fake emails pretending to be from your company.


Supporting compliance and security best practices

Email authentication is now a basic expectation for modern business email.


Reducing business email compromise risk

Spoofed emails are commonly used in phishing, ransomware delivery, fake payment requests, and credential theft.


Microsoft specifically describes DMARC as helping prevent spoofed senders used in business email compromise, ransomware, and phishing attacks.


Common Mistakes Businesses Make

One of the most common mistakes is assuming that email security is automatically finished because a business uses Microsoft 365 or Google Workspace.


Those platforms provide the tools, but DNS records still need to be configured correctly.

Other common mistakes include:


Using more than one SPF record.


Forgetting to include third-party email platforms.


Setting DMARC to reject too early without reviewing reports.


Not enabling DKIM for the company’s custom domain.


Using old vendors in DNS records after switching platforms.


Assuming marketing platforms are covered by the main email provider.


Not checking whether emails are actually passing alignment.


These mistakes can cause email delivery problems or leave the domain exposed to impersonation.
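Several of the SPF mistakes above can be caught by reviewing the domain's TXT records against the list of platforms that actually send for you. The following is an added example (not the post's or any vendor's code) that does that review offline; the TXT records and include domains in it are constructed placeholders.

```python
# Added example (not from the post): review a domain's TXT records for the
# SPF mistakes listed above. Domains in the sample below are constructed.
import re

def spf_records(txt_records: list[str]) -> list[str]:
    """Keep only the TXT records that carry the SPF version tag."""
    return [r for r in txt_records if r.strip().lower().startswith("v=spf1")]

def review_spf(txt_records: list[str], approved: set[str], retired: set[str]) -> list[str]:
    """approved: include: domains of platforms still sending for you.
    retired: include: domains of platforms you have switched away from."""
    records = spf_records(txt_records)
    if not records:
        return ["no SPF record published"]
    findings = []
    if len(records) > 1:
        findings.append(f"{len(records)} SPF records published; receivers treat this as a permanent error")
    terms = records[0].split()
    includes = {t.split(":", 1)[1].lower() for t in terms if t.lower().startswith("include:")}
    for sender in sorted(approved - includes):
        findings.append(f"approved sender not included: {sender}")
    for sender in sorted(includes & retired):
        findings.append(f"retired vendor still included: {sender}")
    if not re.fullmatch(r"[-~+?]?all", terms[-1].lower()):
        findings.append("record does not end with an 'all' mechanism")
    return findings

if __name__ == "__main__":
    sample_txt = [  # constructed DNS answer for the domain
        "v=spf1 include:_spf.mail-provider.example include:spf.old-helpdesk.example -all",
        "site-verification=abc123",
    ]
    for line in review_spf(sample_txt,
                           approved={"_spf.mail-provider.example", "servers.newsletter.example"},
                           retired={"spf.old-helpdesk.example"}):
        print(line)
```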


A Simple Business Analogy

Imagine your company email domain is your business address.


SPF is the front desk list that says who is allowed to send packages on your behalf.


DKIM is the tamper-proof seal that proves the package was not modified.


DMARC is the security policy that tells the mailroom what to do if something looks fake.


Without these controls, someone could walk in wearing a fake badge and pretend to represent your company.


With them, there is a process to verify identity before the message is trusted.


Should Every Business Have SPF, DKIM, and DMARC?

Yes.


At a minimum, every business using a custom domain for email should have SPF, DKIM, and DMARC configured.


Even if your company does not send marketing emails, these records still help protect your domain from spoofing and impersonation.


For many businesses, the best approach is:

Start by reviewing all services that send email for your domain.


Confirm SPF includes only approved senders.


Enable DKIM for your primary email platform.


Add DKIM records for third-party senders when needed.


Publish a DMARC record in monitoring mode.


Review DMARC reports.


Gradually move toward quarantine or reject once everything legitimate is passing.


This should be done carefully because an incorrect configuration can cause legitimate emails to fail.


Final Thoughts

SPF, DKIM, and DMARC may sound technical, but the purpose is simple. They help prove that your business emails are actually coming from your business.


In a world where phishing, fake invoices, spoofed executives, and vendor impersonation are common, email authentication is no longer optional. It is a basic layer of protection every business should take seriously.


Your email domain is part of your company’s identity. Protecting it helps protect your customers, your vendors, your employees, and your reputation.


At Innosoft Engineering, we help businesses review, configure, and secure their email environments so they can communicate with confidence. If your business is not sure whether SPF, DKIM, and DMARC are set up correctly, now is a good time to check.


