β Blog Β· May 18, 2026 Β· email, security
SPF, DKIM, and DMARC: The Email Auth Stack in 10 Minutes
SMTP was designed in 1982 with the trust model of "everyone who has a mail server is a reasonable person." Forty-plus years later, the spam war has been fought through three TXT records bolted on top: SPF, DKIM, and DMARC. Here's what each one actually does and how they fit together.
SPF β "who is allowed to send from this domain"
SPF (Sender Policy Framework, RFC 7208) is a TXT record on your domain that lists the IP addresses and other domains permitted to send mail with your domain in the envelope-from. A receiving mail server looks up the SPF record, checks whether the connecting IP is in it, and pass/fail/softfails accordingly.
example.com. IN TXT "v=spf1 ip4:203.0.113.5 include:_spf.google.com ~all"The big gotcha: SPF only checks the envelope-from (the MAIL FROM), not the visible From: header. A phisher can writeFrom: ceo@yourcompany.com in the header while using their own envelope domain. SPF won't catch it. That's a job for DMARC.
SPF also caps at 10 DNS lookups. Stacking too manyinclude: mechanisms (Google + Mailchimp + SendGrid + β¦) will blow that limit and SPF will silently fail. The SPF builder warns you when you cross 10.
DKIM β "this message is cryptographically signed"
DKIM (DomainKeys Identified Mail, RFC 6376) signs each message with a private key held by the sending server. The signature lives in a DKIM-Signature:header and includes a hash of the body and selected headers. The corresponding public key sits in a TXT record at <selector>._domainkey.example.com.
selector1._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB..."The receiver fetches the public key, verifies the signature, and now has cryptographic proof that (1) the body wasn't tampered with in transit and (2) it was signed by a key that the claimed domain controls. Where SPF is "is this IP allowed," DKIM is "is this signature valid."
DMARC β "what should the receiver do when SPF or DKIM fail"
DMARC (RFC 7489) sits on top of SPF and DKIM. It does two things:
- Tells the receiver what to do with mail that fails alignment (none / quarantine / reject).Alignment means the domain shown in the visible
From:header matches the domain SPF or DKIM authenticated. This is the gap SPF alone leaves open. - Asks the receiver to send aggregate reports back to you β daily XML files at
rua=showing pass/fail counts per source IP. This is invaluable.
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; aspf=r; adkim=r"The first time you turn DMARC on with p=reject, expect to break something β usually a forgotten SaaS that sends invoices on your behalf. Always start at p=none and watch reports.
The rollout order that actually works
- Week 0: publish SPF with all your senders, ending in
~all(softfail). - Week 0: enable DKIM on every legitimate sending source. Most providers (Google, Microsoft 365, Mailchimp, SendGrid) give you DKIM keys to add.
- Week 1: publish DMARC with
p=none; rua=mailto:dmarc@example.com. Just monitor. - Week 2-4: review aggregate reports daily. Fix any legitimate sources that aren't aligned.
- Week 4-8: move to
p=quarantine; pct=10, then ramp topct=100. - Week 8+: move to
p=reject. You're done.
Skip the monitoring phase and you'll cut off your own marketing emails the day you turn on p=reject. The aggregate reports are not optional.
What about BIMI, ARC, MTA-STS?
Three newer add-ons round out the picture:
- MTA-STS (RFC 8461) β forces TLS for incoming mail. Prevents downgrade attacks.
- ARC (RFC 8617) β preserves DKIM/SPF signatures across forwarders (mailing lists used to break DMARC for this reason).
- BIMI β your logo next to authenticated mail in supported clients. Requires a VMC (verified mark certificate) for most providers. Mostly marketing theater right now.