SPF, DKIM, and DMARC Explained: The Ultimate Guide for 2025
Everything you need to know about email authentication protocols and why they are critical for deliverability.
What Are Email Authentication Protocols?
Email authentication protocols are technical standards that verify the identity of the sender and protect against email spoofing. The three key protocols are SPF, DKIM, and DMARC.
SPF (Sender Policy Framework)
SPF tells receiving mail servers which IP addresses are authorized to send email on behalf of your domain. You publish an SPF record in DNS as a TXT record.
Example SPF record:
v=spf1 include:_spf.google.com include:sendgrid.net ~all
The ~all at the end is a "soft fail": mail from servers not listed in the record is still accepted but marked. Use -all for a hard fail.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every outgoing email. Receiving servers verify the signature using your public key published in DNS. If the email was modified in transit, the signature breaks.
DMARC (Domain-based Message Authentication, Reporting & Conformance)
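DMARC builds on SPF and DKIM. A message passes DMARC when SPF or DKIM passes for a domain that aligns with the domain in the visible From header. The policy (p=) tag tells receiving servers what to do when authentication fails: none, quarantine, or reject.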
Recommended DMARC record:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com; pct=100
Why This Matters
Without these records, anyone can spoof your domain and send emails pretending to be you. DMARC's aggregate reports, sent to the rua address, also give you visibility into who is sending email on your behalf.
Action Steps
- Check your current SPF, DKIM, and DMARC setup using our Domain Health Checker
- Use our SPF Generator to build the right record for your stack
- Generate a DMARC record with DMARC Generator
- Monitor your DMARC reports weekly and gradually move to p=reject