SPF, DKIM, and DMARC Explained with Real-World Configurations
Authentication protocols demystified. Learn how to properly configure SPF, DKIM, and DMARC records with practical DNS examples and troubleshooting tips.
Email spoofing costs businesses billions every year. SPF, DKIM, and DMARC are the three protocols that let receiving servers verify that mail claiming to come from your domain actually did, and tell them what to do with mail that did not. Here is how to configure them correctly.
SPF: The IP Whitelist
SPF lives in a TXT record on the domain itself (`yourdomain.com`), not on a subdomain. Receivers look it up for the domain in the envelope MAIL FROM (the Return-Path), which is not necessarily the domain shown in the visible `From:` header. The record lists the IP addresses and domains authorized to send email for your domain.
A typical record looks like this: `v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.1 ~all`. Each `include:` pulls in another domain's SPF record (`_spf.google.com` is simply the name Google chose for its includable record), and every `include`, `a`, `mx`, `ptr`, `exists`, and `redirect` term counts toward a hard limit of 10 DNS lookups, nested includes included. Exceed it and receivers return `permerror`, which DMARC counts as an SPF failure for every message you send.
The `~all` qualifier means "soft fail": messages from unauthorized IPs should be treated with suspicion but not outright rejected, while `-all` is a hard fail. Only a `pass` counts toward DMARC, so the choice between `~all` and `-all` matters mainly to receivers evaluating SPF on its own. Start with `~all`, monitor your reports, then switch to `-all` once you are confident every legitimate sender is listed.
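To make the qualifier semantics and the 10-lookup budget concrete, here is a small SPF evaluator added for this article (it is not code from the original post or from Netcode). It walks the `include:` chain of the record above over a constructed in-memory zone instead of real DNS, counts lookup-consuming terms against the limit, and returns the qualifier result for a given sender IP. The `_netblocks.google.com` and `loopy.example` records and all IP ranges are made up for the demonstration, and `a`, `mx`, `ptr`, and `exists` terms, which need live DNS, are treated as non-matching.

```python
"""Added example, not code from the article: a minimal SPF evaluator in the
style of RFC 7208 that walks include:/redirect= chains, enforces the limit of
10 DNS-querying terms, and returns the qualifier result for a sender IP.
ZONE is constructed sample data standing in for DNS; no network is used."""
import ipaddress

# Constructed TXT records (hypothetical domains, documentation IP ranges).
ZONE = {
    "yourdomain.com": "v=spf1 include:_spf.google.com include:sendgrid.net ip4:192.0.2.1 ~all",
    "_spf.google.com": "v=spf1 include:_netblocks.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
    "sendgrid.net": "v=spf1 ip4:198.51.100.0/24 -all",
    # Self-referencing include: a (constructed) record that blows the lookup budget.
    "loopy.example": "v=spf1 include:loopy.example -all",
}

LOOKUP_LIMIT = 10                      # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
DNS_TERMS = {"include", "a", "mx", "ptr", "exists"}


def check_spf(domain, ip, zone=ZONE, counter=None):
    """Evaluate SPF for `ip` sending with MAIL FROM domain `domain`.

    Returns (result, lookups_used); result is one of pass, fail, softfail,
    neutral, none or permerror.
    """
    counter = counter if counter is not None else [0]
    terms = (zone.get(domain.lower()) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none", counter[0]
    addr = ipaddress.ip_address(ip)
    redirect = None

    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            redirect = term.split("=", 1)[1]   # evaluated only if nothing else matches
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()

        if name in DNS_TERMS:
            counter[0] += 1
            if counter[0] > LOOKUP_LIMIT:
                return "permerror", counter[0]

        if name == "all":
            return QUALIFIERS[qualifier], counter[0]
        if name in ("ip4", "ip6"):
            # An IPv4 address is never inside an IPv6 network and vice versa.
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier], counter[0]
        elif name == "include":
            sub, _ = check_spf(arg, ip, zone, counter)
            if sub == "permerror":
                return sub, counter[0]
            if sub == "pass":                    # an include matches only on pass
                return QUALIFIERS[qualifier], counter[0]
        # a/mx/ptr/exists need live DNS; treated as non-matching here (assumption).

    if redirect:
        counter[0] += 1
        if counter[0] > LOOKUP_LIMIT:
            return "permerror", counter[0]
        return check_spf(redirect, ip, zone, counter)
    return "neutral", counter[0]             # no 'all' term and nothing matched


if __name__ == "__main__":
    for sender in ("192.0.2.1", "203.0.113.7", "198.51.100.5", "2001:db8::1", "10.0.0.1"):
        print(sender, check_spf("yourdomain.com", sender))
    print("loopy.example", check_spf("loopy.example", "10.0.0.1"))
```

The second element of the result is the lookup count, which is the number to watch: the sample apex record already spends three of its ten lookups on two includes, and a record that includes itself fails closed with `permerror` rather than looping.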
DKIM: Cryptographic Signatures
DKIM adds a digital signature to every outgoing message in a `DKIM-Signature` header. The header names the signing domain (`d=`), the selector (`s=`), the headers that were signed (`h=`), and a hash of the body (`bh=`). The receiving server looks up your public key in DNS at `<selector>._domainkey.<d= domain>` and verifies the signature. If a signed header or the body was altered in transit, the signature breaks and the message fails DKIM.
Generate a 2048-bit RSA key pair. Publish the public key as a TXT record at `selector1._domainkey.yourdomain.com` with the value `v=DKIM1; k=rsa; p=<base64 public key>`. A 2048-bit key is longer than the 255-character limit of a single TXT string, so the value must be split into several quoted strings; most DNS providers do this for you, but confirm with `dig` that the whole key comes back. The private key stays on the signing host only. Rotate selectors every 6 months: publish the new key under a new selector, switch signing to it, and keep the old one live for 30 days so mail already signed with it still verifies, then remove it.
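The following is an added example, not code from the article or from Netcode. It shows the part of DKIM that can be demonstrated with the standard library alone: relaxed body canonicalization and the `bh=` body hash from RFC 6376, a check of a `DKIM-Signature` header's `bh=` against a message body (which is what breaks when a body is altered in transit), and how the public-key TXT record is laid out in 255-character chunks. The RSA signature over the headers (`b=`) is not verified here, the sample message and signature header are constructed, and the public key is a zero-filled placeholder of the right length rather than a real key.

```python
"""Added example, not code from the article: DKIM relaxed body canonicalization
and body-hash (bh=) computation as specified in RFC 6376, a check of a
DKIM-Signature header's bh= tag against a message body, and the layout of the
public-key TXT record. Only hashlib/base64 are used, so the RSA signature over
the headers (the b= tag) is not verified; the public key is a zero-filled
placeholder, not a real key, and the sample message is constructed."""
import base64
import hashlib
import re


def canonicalize_body_relaxed(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4: trim trailing WSP on each line, collapse WSP runs
    to one SP, drop empty lines at the end, terminate a non-empty body with CRLF."""
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    lines = [re.sub(rb"[ \t]+", b" ", line.rstrip(b" \t")) for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()
    return (b"\r\n".join(lines) + b"\r\n") if lines else b""


def body_hash(body: bytes) -> str:
    """Base64 SHA-256 of the canonicalized body: the value that goes in bh=."""
    digest = hashlib.sha256(canonicalize_body_relaxed(body)).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_tags(tag_list: str) -> dict:
    """Parse a tag=value list (DKIM-Signature value or DKIM TXT record),
    discarding folding whitespace inside values."""
    tags = {}
    for item in tag_list.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip()] = "".join(value.split())
    return tags


def body_hash_matches(dkim_signature_value: str, body: bytes) -> bool:
    """True if the body still hashes to the bh= the signer committed to. Any
    change beyond relaxed-canonical whitespace makes this False."""
    return parse_tags(dkim_signature_value).get("bh") == body_hash(body)


def dkim_txt_record(selector: str, domain: str, public_key_der: bytes):
    """Return (record name, TXT value). A 2048-bit RSA key's base64 exceeds the
    255-byte limit of one TXT string, so the value is split into quoted chunks
    that resolvers concatenate back together."""
    value = "v=DKIM1; k=rsa; p=" + base64.b64encode(public_key_der).decode("ascii")
    chunks = [value[i:i + 255] for i in range(0, len(value), 255)]
    return f"{selector}._domainkey.{domain}", " ".join(f'"{chunk}"' for chunk in chunks)


# Constructed sample: the body a signer hashed and the DKIM-Signature value it emitted.
ORIGINAL_BODY = b"Your invoice is attached.\r\n\r\nThanks,\r\nAccounts\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=yourdomain.com; s=selector1; "
    "h=from:to:subject:date; bh=" + body_hash(ORIGINAL_BODY) + "; b=PLACEHOLDER"
)
TAMPERED_BODY = ORIGINAL_BODY.replace(b"Accounts", b"Accounts\r\nPay to: attacker")
# 294 bytes is the DER length of a real 2048-bit RSA SubjectPublicKeyInfo; content is not a key.
PLACEHOLDER_2048_BIT_SPKI = bytes(294)

if __name__ == "__main__":
    print("bh =", body_hash(ORIGINAL_BODY))
    print("original verifies:", body_hash_matches(SAMPLE_SIGNATURE, ORIGINAL_BODY))
    print("tampered verifies:", body_hash_matches(SAMPLE_SIGNATURE, TAMPERED_BODY))
    name, value = dkim_txt_record("selector1", "yourdomain.com", PLACEHOLDER_2048_BIT_SPKI)
    print(name, "TXT", value)
```

Relaxed canonicalization is why a mailing list that re-wraps whitespace does not break the body hash while a single inserted line does; it is also why `c=relaxed/relaxed` is the common choice for outbound mail.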
DMARC: The Enforcer
DMARC tells receiving servers what to do when a message has neither an SPF pass nor a DKIM pass that aligns with the domain in the visible `From:` header: for SPF the MAIL FROM domain must match it, and for DKIM the `d=` domain must, either exactly (strict mode) or by sharing the same organizational domain (the default, relaxed mode). One aligned pass is enough. DMARC also asks receivers for aggregate reports (`rua=`, daily XML summaries of who sent as your domain and how they authenticated) and failure reports (`ruf=`), though few large receivers send the latter.
Start with a TXT record at `_dmarc.yourdomain.com`: `v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; pct=100`
`p=none` means do not reject or quarantine yet, just report. When the aggregate reports show every legitimate source (your mail provider, marketing platform, ticketing system, and so on) passing with alignment, typically after about 30 days, move to `p=quarantine`, then finally `p=reject`. `pct=` lets you apply the stricter policy to a fraction of messages first, and `sp=` sets a separate policy for subdomains, which otherwise inherit `p=`.
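Alignment is the part of DMARC that trips people up, so here is an added example (not code from the article or from Netcode) that parses a DMARC record, applies the strict and relaxed alignment rules to SPF and DKIM results, and picks the disposition from `p=` or, for subdomains, `sp=`. The organizational domain is simplified to the last two labels, where real verifiers consult the Public Suffix List; `pct=` sampling is not modelled; and the policy, sending sources, and authentication results are constructed for the demonstration.

```python
"""Added example, not code from the article: parse a DMARC record and apply the
identifier-alignment rule that decides whether an SPF or DKIM pass counts for
DMARC, then pick the disposition from p= (or sp= for subdomains). The
organizational domain is simplified to the last two labels (assumption; real
verifiers use the Public Suffix List). All domains, results and the policy are
constructed."""


def parse_dmarc(record: str) -> dict:
    """Tag=value parser with DMARC defaults (relaxed alignment, pct=100)."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Simplification (assumption): organizational domain = last two labels."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(policy: dict, from_domain: str, spf_result: str, spf_domain: str,
                 dkim_result: str, dkim_domain: str):
    """Return (passed, disposition).

    spf_domain is the envelope MAIL FROM (Return-Path) domain SPF was checked
    against; dkim_domain is the d= of a signature that verified. Only 'pass'
    counts: an SPF softfail from ~all is not a pass. pct= sampling is not modelled.
    """
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    disposition = policy["sp"] if is_subdomain and "sp" in policy else policy["p"]
    return False, disposition


# Constructed policy: reject at the apex, quarantine for subdomains, strict DKIM alignment.
POLICY = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                     "rua=mailto:dmarc@yourdomain.com")

# Constructed cases: (label, from_domain, spf_result, spf_domain, dkim_result, dkim_domain)
CASES = [
    ("provider, both aligned", "yourdomain.com", "pass", "yourdomain.com", "pass", "yourdomain.com"),
    ("sendgrid default return-path, DKIM carries it", "yourdomain.com", "pass", "sendgrid.net", "pass", "yourdomain.com"),
    ("spoof from unlisted IP, no signature", "yourdomain.com", "softfail", "yourdomain.com", "none", ""),
    ("forwarded: SPF broken, DKIM survives", "yourdomain.com", "fail", "yourdomain.com", "pass", "yourdomain.com"),
    ("subdomain, DKIM d= differs under adkim=s", "news.yourdomain.com", "pass", "bounces.sendgrid.net", "pass", "yourdomain.com"),
]


def evaluate_cases(policy=POLICY, cases=CASES) -> dict:
    """Run every constructed case against the policy; keyed by the case label."""
    return {label: dmarc_result(policy, *args) for label, *args in cases}


if __name__ == "__main__":
    for label, result in evaluate_cases().items():
        print(f"{label}: passed={result[0]} disposition={result[1]}")
```

The second case is the one that matters when you add a third-party sender: its SPF pass is for `sendgrid.net`, which does not align with your `From:` domain, so the message passes DMARC only because the provider signs with your DKIM key. The last case shows why `adkim=s` is risky when a subdomain sends: a signature from the apex no longer counts.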
Misconfigured DNS records are among the most common causes of deliverability issues. Test every change with `dig +short TXT` on the exact record name (the apex for SPF, `selector1._domainkey` for DKIM, `_dmarc` for DMARC) and with online validators before going live, and remember that a change can take as long as the record's TTL to reach every resolver.
Written by Irfan Naseem
Senior Software Engineer at Netcode. Building email infrastructure and scalable systems.