June 8, 2026 · 4 min read · Deepbluework Team
What Is DMARC, SPF, and DKIM? Email Authentication Explained Simply
If you run business email on your own domain, you will encounter three acronyms: SPF, DKIM, and DMARC. Together they form the foundation of email authentication — proving to receiving servers that your messages are legitimate and not spoofed by attackers.
This guide explains each record in plain language and why they matter for deliverability.
Why email authentication exists
Email was designed in the 1970s without strong sender verification. Anyone can forge a "From" address. Spammers and phishers exploit this daily — sending fake invoices from billing@yourbank.com or impersonating CEOs to trick employees.
Authentication records let domain owners declare which servers may send on their behalf and what receivers should do with messages that fail checks.
SPF (Sender Policy Framework)
What it does: SPF is a DNS TXT record listing the IP addresses and servers authorised to send email for your domain.
Example record:
v=spf1 include:_spf.yourprovider.com mx ~all
How it works: When a receiving server gets a message claiming to be from @yourcompany.com, it checks whether the sending server's IP is listed in your SPF record.
Common mistakes:
- Too many include: mechanisms (DNS lookup limit of 10)
- Using +all (allows anyone to send — never do this)
- Forgetting to update SPF when changing email providers
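The first two mistakes can be checked mechanically. The following is an added example, not code from the original article or from any provider: it counts lookup-costing terms across nested include: records and flags +all. The ZONE dictionary is constructed sample data standing in for live DNS, and all function names are hypothetical.

```python
import re

# Constructed sample zone: domain -> SPF TXT record (stands in for live DNS).
ZONE = {
    "yourcompany.com": "v=spf1 include:_spf.yourprovider.com mx ~all",
    "_spf.yourprovider.com": "v=spf1 ip4:192.0.2.0/24 include:_spf2.yourprovider.com -all",
    "_spf2.yourprovider.com": "v=spf1 ip4:198.51.100.0/24 -all",
    "open.example": "v=spf1 +all",
}

# Terms that each cost one DNS lookup (RFC 7208, section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
LOOKUP_LIMIT = 10
TERM = re.compile(r"([+\-~?]?)([a-z0-9]+)(?:[:=]([^/\s]+))?", re.I)


def parse_terms(record):
    """Yield (qualifier, name, argument) for each term after v=spf1."""
    for raw in record.split()[1:]:
        m = TERM.match(raw)
        if m:
            yield m.group(1) or "+", m.group(2).lower(), m.group(3)


def count_lookups(domain, zone, seen=None):
    """Count DNS-querying terms, following include: and redirect= targets."""
    seen = set() if seen is None else seen
    if domain in seen or domain not in zone:
        return 0  # already visited (loop guard) or no record to follow
    seen.add(domain)
    total = 0
    for _, name, arg in parse_terms(zone[domain]):
        if name in LOOKUP_TERMS:
            total += 1
            if name in ("include", "redirect") and arg:
                total += count_lookups(arg.lower(), zone, seen)
    return total


def lint_spf(domain, zone):
    """Return findings for the mistakes listed above; empty list means clean."""
    findings = []
    for qualifier, name, _ in parse_terms(zone[domain]):
        if name == "all" and qualifier == "+":
            findings.append("+all authorises every host to send")
    lookups = count_lookups(domain, zone)
    if lookups > LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS lookups exceed the limit of {LOOKUP_LIMIT}")
    return findings
```

Nested includes count toward the limit too, which is why a record with only a few include: terms can still exceed it.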
DKIM (DomainKeys Identified Mail)
What it does: DKIM adds a cryptographic signature to each outgoing message. The receiving server verifies the signature using a public key published in your DNS.
How it works:
- Your mail server signs the message with a private key
- The signature travels with the message header
- The receiving server looks up your public DKIM key in DNS
- If the signature is valid, the message has not been altered in transit
Why it matters: DKIM proves message integrity — the content was not modified between sender and recipient.
DMARC (Domain-based Message Authentication, Reporting and Conformance)
What it does: DMARC tells receiving servers what to do when SPF or DKIM checks fail, and where to send aggregate reports about authentication results.
Example record:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourcompany.com
Policy levels (p=):
- none — monitor only, no action on failures (good for initial setup)
- quarantine — send failing messages to spam/junk
- reject — reject failing messages entirely (strongest protection)
Why it matters: DMARC is the policy layer. Without it, SPF and DKIM results are informational but receivers may not act on failures consistently.
How the three work together
Sender sends email
↓
Receiving server checks SPF → Is the sending IP authorised?
↓
Receiving server checks DKIM → Is the signature valid?
↓
Receiving server checks DMARC → What policy applies if checks fail?
↓
Inbox, quarantine, or reject
For DMARC to pass, a message typically needs to pass either SPF or DKIM with alignment (the authenticated domain must match the "From" domain).
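The alignment rule is what ties the three checks together. The following is an added example, not code from the original article: it evaluates DMARC for a message given its SPF and DKIM results, using the example record from this page. The sample messages are constructed, the function names are hypothetical, and the organizational-domain logic is a simplification (last two labels) where real receivers use the Public Suffix List.

```python
# The DMARC record is the example from this page; the messages are constructed.
RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc@yourcompany.com"


def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Simplification (assumption): the last two labels. Real receivers derive
    # the organizational domain from the Public Suffix List.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match); 'r' = relaxed (same organizational domain)."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(from_domain, spf, dkim, record=RECORD):
    """spf = (result, MAIL FROM domain); dkim = (result, d= domain).
    Returns (dmarc_result, action taken under the published policy)."""
    tags = parse_dmarc(record)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    policy = tags.get("p", "none")
    return "fail", "deliver" if policy == "none" else policy


# Provider-sent mail: SPF passes for the provider's bounce domain (unaligned),
# but the DKIM signature uses d=yourcompany.com, so DMARC passes.
legit = evaluate("yourcompany.com", ("pass", "bounce.yourprovider.com"),
                 ("pass", "yourcompany.com"))
# Forged From: SPF passes for an unrelated envelope domain, which does not align.
forged = evaluate("yourcompany.com", ("pass", "mailer.example"), ("none", ""))
```

The second case shows why a bare spf=pass is not enough: SPF passed, but for a domain other than the one in the "From" header, so DMARC fails and the quarantine policy applies.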
What happens without authentication?
Without SPF, DKIM, and DMARC:
- Your legitimate messages are more likely to land in spam
- Attackers can spoof your domain to phish your customers
- Enterprise recipients may block unauthenticated mail entirely
- Google and Microsoft increasingly require authentication for bulk senders
How to set up authentication
Most business email providers generate the correct records for you:
- Manual setup: Copy MX, SPF, DKIM, and DMARC records from your provider into your domain registrar's DNS panel.
- Automatic setup: Platforms supporting DomainConnect configure all records in one click.
Deepbluework configures SPF, DKIM, and DMARC automatically when your registrar supports DomainConnect. For manual setup, the admin dashboard shows the exact records to add.
Monitoring with DMARC reports
When you add a rua= address to your DMARC record, you receive aggregate XML reports showing:
- Which servers send email claiming to be from your domain
- How many messages pass or fail SPF/DKIM
- Potential spoofing attempts
Review these reports monthly, especially after changing email providers.
Quick checklist
- [ ] SPF TXT record published at your domain root
- [ ] DKIM TXT record published (selector provided by your email host)
- [ ] DMARC TXT record published at _dmarc.yourdomain.com
- [ ] Start with p=none, move to quarantine after monitoring
- [ ] Send test emails and verify headers show spf=pass, dkim=pass
Deepbluework and email authentication
Deepbluework is a business email platform that handles SPF, DKIM, and DMARC setup as part of domain provisioning. Every mailbox includes IMAP/SMTP, 10 GB storage, calendar, and meetings — with authentication configured so your messages reach inboxes, not spam folders.