Email Security

DMARC, SPF, and DKIM Explained: Email Authentication for Small Businesses

By DoppelDown Team

Your customers trust emails that appear to come from your business. But without proper email authentication, anyone can send emails that look like they came from you. Cybercriminals know this, and they exploit it relentlessly.

SPF, DKIM, and DMARC are three protocols that work together to prevent email spoofing and protect your brand from being impersonated in phishing campaigns. This guide explains what each protocol does, why they matter for small businesses, and exactly how to implement them — no computer science degree required.

The Problem: Email Was Not Built for Security

Email was invented in 1971, long before security was a major concern. The protocol was designed to be open and decentralized, which worked great for connectivity but created a massive vulnerability: there is no built-in way to verify that an email actually came from the address in the "From" field.

This is why phishing works so well. An attacker can set up a mail server and send emails claiming to be from support@yourcompany.com. Without authentication protocols, receiving email servers have no reliable way to know these messages are fake.

SPF, DKIM, and DMARC close this gap, each in a different way. SPF lets receivers check whether the server that delivered a message is one you have authorized; DKIM lets them verify a cryptographic signature that your mail server attaches; and DMARC ties both checks to the From address your customers actually see and tells receivers what to do when they fail. Together they let receiving servers identify legitimate mail from your domain and refuse imposters.

SPF: The First Line of Defense

SPF (Sender Policy Framework) is the simplest of the three protocols. It is a DNS record that lists which mail servers are authorized to send email on behalf of your domain.

Think of SPF like a guest list for a party. Your DNS record says: "These specific servers are allowed to send email as me." When a message arrives, the receiving server takes the domain from the envelope sender (the MAIL FROM address, which you can see in the Return-Path header), looks up that domain's SPF record, and checks whether the connecting server's IP address is on the list. If not, the message fails SPF. Note that SPF checks the envelope sender, not the From address shown to the reader; linking the two is DMARC's job, described below.

How SPF Works

  1. You create an SPF record in your DNS settings listing authorized mail servers
  2. A receiving server gets an email whose envelope sender (Return-Path) is your domain
  3. The server looks up the SPF record for that domain
  4. It checks whether the IP address of the connecting mail server matches an entry in the record
  5. If yes, SPF passes. If no, SPF fails.

Setting Up SPF

SPF records are TXT records in your DNS. Here is a basic example:

v=spf1 include:_spf.google.com include:sendgrid.net -all

Let us break this down:

  • v=spf1 — The SPF version
  • include:_spf.google.com — Authorizes Google's mail servers (for Gmail/Google Workspace)
  • include:sendgrid.net — Authorizes SendGrid (if you use them for transactional emails)
  • -all — Fail any emails not from authorized servers (the strictest policy)

Common SPF mechanisms:

  • ip4:203.0.113.10 — Authorize a specific IPv4 address (ip6: does the same for IPv6). The addresses shown here are reserved example addresses; use your sender's real public IPs, never private ones such as 192.168.x.x, which no receiver will ever see as a source
  • ip4:203.0.113.0/24 — Authorize an IP range in CIDR notation
  • a — Authorize the IP addresses in the domain's A/AAAA records
  • mx — Authorize the hosts listed in the domain's MX records
  • include:example.com — Evaluate another domain's SPF record and treat a pass there as a pass for you

SPF qualifiers:

  • + (pass) — Allow (the default when no qualifier is given)
  • - (fail) — Hard fail; the receiver should treat the message as unauthorized
  • ~ (softfail) — Accept but treat as suspicious; most receivers mark rather than reject
  • ? (neutral) — No assertion; treated the same as having no record at all

DMARC only counts an SPF pass: fail, softfail, and neutral all look the same to it. The choice between -all and ~all therefore mostly matters to receivers that act on SPF alone, without DMARC.
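To make the evaluation steps and the record syntax above concrete, here is a small SPF evaluator written for this article (it is not code from the page's author or from DoppelDown). It resolves names against a constructed in-memory table rather than live DNS, so it runs offline; example.com, _spf.mailer.example, loop.example and the addresses used are assumptions drawn from the reserved documentation ranges. It also enforces the ten-DNS-lookup limit discussed under "Common Setup Mistakes" and returns permerror when a record exceeds it.

```python
import ipaddress

# Constructed DNS data standing in for live lookups (assumption: these zones and
# the RFC 5737/3849 documentation addresses are illustrative, not real senders).
TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example mx -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # self-include: never terminates
}
MX = {"example.com": ["mail.example.com"]}
A = {"mail.example.com": ["192.0.2.7"]}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # each costs one lookup


class SpfPermError(Exception):
    """The record cannot be evaluated: too many lookups, bad syntax, missing include."""


def _charge(budget):
    budget[0] -= 1
    if budget[0] < 0:
        raise SpfPermError("more than %d DNS lookups" % MAX_LOOKUPS)


def _evaluate(ip, domain, budget):
    record = TXT.get(domain)
    if record is None or record.split()[0].lower() != "v=spf1":
        return "none"
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:  # modifier such as redirect= or exp=, evaluated after mechanisms
            mod, _, arg = term.partition("=")
            if mod.lower() == "redirect":
                redirect = arg
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name in LOOKUP_MECHANISMS:
            _charge(budget)
        if name in ("ip4", "ip6"):
            # A v4 address is never inside a v6 network and vice versa.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(ip) in A.get(arg or domain, [])
        elif name == "mx":
            matched = any(str(ip) in A.get(h, []) for h in MX.get(arg or domain, []))
        elif name == "include":
            inner = _evaluate(ip, arg, budget)
            if inner == "none":
                raise SpfPermError("include of %s has no SPF record" % arg)
            matched = inner == "pass"  # include matches only on an inner pass
        elif name == "all":
            matched = True
        else:
            raise SpfPermError("%s is not implemented in this example" % name)
        if matched:
            return QUALIFIERS[qualifier]
    if redirect is not None:
        _charge(budget)
        return _evaluate(ip, redirect, budget)
    return "neutral"  # nothing matched and there was no "all" term


def spf_result(sender_ip, mail_from_domain):
    """SPF result for a connection from sender_ip whose MAIL FROM uses mail_from_domain."""
    try:
        return _evaluate(ipaddress.ip_address(sender_ip), mail_from_domain, [MAX_LOOKUPS])
    except (SpfPermError, ValueError):
        return "permerror"


if __name__ == "__main__":
    for ip, dom in [("203.0.113.10", "example.com"), ("198.51.100.5", "example.com"),
                    ("192.0.2.7", "example.com"), ("192.0.2.200", "example.com"),
                    ("192.0.2.200", "loop.example")]:
        print("%-16s %-22s %s" % (ip, dom, spf_result(ip, dom)))
```

Swap the TXT, MX and A tables for real DNS answers (for example from dnspython) and spf_result becomes a usable checker; the lookup budget is shared across includes and redirects on purpose, because that is how receivers count it.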

DKIM: Cryptographic Proof of Authenticity

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to your emails. This signature proves two things: the email was not altered in transit, and it was sent by someone with access to your domain's private key.

Think of DKIM like a wax seal on a letter. The seal proves the letter has not been opened or modified, and the unique design proves it came from the sender who owns that seal.

How DKIM Works

  1. Your mail server adds a DKIM signature to every outgoing email (in the email headers)
  2. This signature is created using a private key that only your servers possess
  3. The receiving server sees the DKIM signature and looks up your public key in DNS
  4. It uses the public key to verify the signature
  5. If verification succeeds, the signed headers and body arrived unmodified, and they were signed by whoever holds the private key for that selector
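The part of that verification that needs no key at all is worth seeing in code: the signature carries a bh= tag committing to a hash of the canonicalized body, so a verifier can tell whether the body changed in transit before it touches the public key. The following example was written for this article (it is not the page's or DoppelDown's code); it implements the "relaxed" body canonicalization from RFC 6376, checks bh=, parses the signature tags, and derives the DNS name the public key is fetched from. The message, the selector "google", d=example.com and the truncated key record are constructed assumptions. Verifying the b= tag over the signed headers requires RSA, which the standard library does not provide, so that step is not shown.

```python
import base64
import hashlib
import re


def relaxed_body(body: bytes) -> bytes:
    """RFC 6376 section 3.4.4 'relaxed' body canonicalization: strip trailing
    whitespace on each line, collapse runs of spaces/tabs to one space, drop
    empty lines at the end of the body, and end a non-empty body with CRLF."""
    lines = [re.sub(rb"[ \t]+", b" ", ln.rstrip(b" \t")) for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    return b"\r\n".join(lines) + b"\r\n" if lines else b""


def body_hash(body: bytes) -> str:
    """The bh= value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(relaxed_body(body)).digest()).decode()


def parse_tags(value: str) -> dict:
    """Split a DKIM-Signature header or a DKIM key TXT record into tag=value pairs."""
    tags = {}
    for part in value.split(";"):
        name, sep, val = part.partition("=")  # split on the first '=' only: base64 contains '='
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)  # folding whitespace is not significant
    return tags


def key_record_name(tags: dict) -> str:
    """Where a verifier fetches the public key: <selector>._domainkey.<domain>."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def verify_body_hash(signature_header: str, body: bytes) -> bool:
    """True if the body still matches the bh= the signer committed to."""
    tags = parse_tags(signature_header)
    canon = tags.get("c", "simple/simple")  # header/body canonicalization
    body_canon = canon.split("/")[1] if "/" in canon else "simple"
    if tags.get("a") != "rsa-sha256" or body_canon != "relaxed":
        raise ValueError("this example handles only a=rsa-sha256 with a relaxed body")
    return hashlib.sha256(relaxed_body(body)).digest() == base64.b64decode(tags["bh"])


# Constructed sample message. A real signer would fill b= by RSA-signing the
# canonicalized headers listed in h= plus this header itself.
SAMPLE_BODY = b"Hi there,\r\n\r\nYour invoice is attached.\r\n\r\n"
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=google; "
    "h=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) + "; b="
)
# Constructed, truncated key record as it would be published at google._domainkey.example.com
SAMPLE_KEY_RECORD = "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"

if __name__ == "__main__":
    print("fetch key from:", key_record_name(parse_tags(SAMPLE_SIGNATURE)))
    print("key type:", parse_tags(SAMPLE_KEY_RECORD)["k"])
    print("intact body:", verify_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY))
    rewrapped = SAMPLE_BODY.replace(b"is attached.", b"is  \tattached.  ")
    print("whitespace changed by a relay:", verify_body_hash(SAMPLE_SIGNATURE, rewrapped))
    tampered = SAMPLE_BODY.replace(b"attached", b"overdue")
    print("body text changed:", verify_body_hash(SAMPLE_SIGNATURE, tampered))
```

The whitespace case is why relaxed canonicalization exists: mailing lists and relays routinely re-wrap or re-space bodies, and a signature that broke on that would fail for most legitimate mail.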

Setting Up DKIM

DKIM setup varies depending on your email provider:

Google Workspace:

  1. Go to Admin console > Apps > Google Workspace > Gmail > Authenticate email
  2. Click "Generate new record"
  3. Choose 2048-bit key length
  4. Copy the DNS TXT record provided
  5. Add it to your DNS with the selector prefix (usually google._domainkey)
  6. Return to Google Admin and click "Start authentication"

Microsoft 365:

  1. Go to Microsoft Defender portal > Email & collaboration > DKIM
  2. Select your domain
  3. Click "Create DKIM keys"
  4. Add the provided CNAME records to your DNS
  5. Return to Defender and enable DKIM signing

Other providers: Most email services (SendGrid, Mailgun, AWS SES) provide DKIM setup in their dashboards. Look for "Domain Authentication" or "DKIM" in your settings.

DMARC: The Enforcement Layer

DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together and tells receiving servers what to do when authentication fails. It also provides reports so you can monitor authentication activity.

If SPF and DKIM are security guards checking IDs, DMARC is the security policy that tells them when to refuse entry and how to report incidents.

How DMARC Works

  1. You publish a DMARC policy in your DNS
  2. Receiving servers check SPF and DKIM for incoming emails
  3. If neither check produces a pass that aligns with the From domain (see alignment below), the server consults your DMARC policy
  4. Your policy tells it to monitor, quarantine, or reject the message
  5. If your record names a reporting address, the server sends you aggregate reports about authentication results

DMARC Policy Options

DMARC policies have three levels:

  • p=none — Monitor only. Receivers take no action but still send reports. Good for initial setup and testing.
  • p=quarantine — Messages that fail DMARC go to spam/junk folders. Good intermediate step before full rejection.
  • p=reject — Messages that fail DMARC are refused outright. The strongest protection.

Setting Up DMARC

A basic DMARC record is a TXT record at _dmarc.yourdomain.com:

v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com; ruf=mailto:dmarc@yourdomain.com; sp=none; adkim=r; aspf=r;

Breaking down the tags:

  • v=DMARC1 — DMARC version
  • p=none — Policy (none/quarantine/reject)
  • rua=mailto:... — Where to send aggregate reports (XML summaries, usually daily, of who sent mail as your domain and whether it passed)
  • ruf=mailto:... — Where to send failure reports (per-message details; most large receivers no longer send these, so do not depend on them)
  • sp=none — Policy for subdomains (defaults to the p= value if omitted)
  • adkim=r — DKIM alignment (r=relaxed, s=strict)
  • aspf=r — SPF alignment (r=relaxed, s=strict)
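Here is the decision a receiver makes once it has the SPF and DKIM results and your DMARC record, written as an example for this article (not the page's or DoppelDown's code). It parses the record with the RFC 7489 defaults, applies relaxed or strict alignment, falls back to sp= for subdomains, and applies pct= sampling. It also covers the alignment failures listed under "Common Setup Mistakes". Assumptions: example.com, vendor.example and the record are illustrative; the organizational domain is approximated as the last two labels (real receivers use the Public Suffix List); and the receiver's random draw for pct= is passed in as a number so the result is reproducible.

```python
# Constructed DMARC record for example.com (assumption: illustrative domain and address).
EXAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com; adkim=r; aspf=r"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tags and fill in the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record: %r" % record)
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    tags.setdefault("sp", tags["p"])  # subdomain policy defaults to p=
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification (assumption): the last two labels.
    Real receivers consult the Public Suffix List so that names under co.uk and
    similar suffixes are handled correctly."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Relaxed ('r') alignment accepts any domain in the same organization;
    strict ('s') alignment requires an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(record, from_domain, spf_result, spf_domain,
                      dkim_result, dkim_domain, sample=1):
    """Outcome for one message: 'pass', or the policy action the receiver applies.

    spf_domain is the envelope (Return-Path) domain SPF was evaluated for and
    dkim_domain the d= tag of a signature that verified. `sample` stands in for
    the receiver's random draw in 1..100 used with pct= (assumption: fixed here)."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"  # one aligned pass is enough
    # This record belongs to the organizational domain, so sp= governs its subdomains.
    is_subdomain = from_domain.lower() != org_domain(from_domain)
    policy = tags["sp"] if is_subdomain else tags["p"]
    if sample > int(tags["pct"]):  # outside the sampled share: step the action down one level
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return policy


if __name__ == "__main__":
    cases = [
        ("Google Workspace, signed with your key", "example.com", "pass", "example.com", "pass", "example.com"),
        ("vendor passes SPF/DKIM for its own domain", "example.com", "pass", "bounces.vendor.example", "pass", "vendor.example"),
        ("newsletter subdomain as envelope sender", "example.com", "pass", "newsletter.example.com", "fail", ""),
        ("spoofed message, nothing passes", "example.com", "fail", "", "fail", ""),
    ]
    for label, *args in cases:
        print("%-45s -> %s" % (label, dmarc_disposition(EXAMPLE_RECORD, *args)))
```

The second case is the one that surprises people: the vendor's own SPF and DKIM both pass, but for the vendor's domain, so the message is rejected. The fix is on the sending side, not in your DMARC record.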

The Gradual Rollout Strategy

Do not jump straight to p=reject. You might accidentally block legitimate emails. Follow this progression:

  1. Week 1-2: Set p=none and review daily reports. Identify all legitimate sending sources you might have missed.
  2. Week 3-4: Update SPF to include any missing legitimate services. Ensure all mail is DKIM-signed.
  3. Month 2: Move to p=quarantine at 10% (add pct=10 to your record). pct only samples messages that already fail DMARC; legitimate, aligned mail is never affected by it. Monitor for any complaints about missing emails.
  4. Month 3: Increase to pct=50, then pct=100.
  5. Month 4+: Move to p=reject once confident no legitimate email is failing authentication.

Common Setup Mistakes to Avoid

Even with the best intentions, businesses often make these errors:

1. Multiple SPF Records

You can only have one SPF record per domain. If you need to authorize multiple services, combine them into a single record:

Wrong: Two separate TXT records
Right: v=spf1 include:_spf.google.com include:sendgrid.net -all

2. Exceeding SPF Lookup Limits

SPF has a hard limit of 10 DNS lookups per evaluation. Each include, a, mx, ptr, and exists mechanism, and the redirect modifier, counts toward this limit, including the ones inside records you include; ip4 and ip6 entries are free. Exceed it and receivers return permerror (permanent error), which DMARC treats as an SPF failure, so an over-long record protects nothing.

3. Not Monitoring DMARC Reports

Setting p=none and forgetting about it provides no protection. You must review reports to identify configuration issues and detect spoofing attempts.
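Aggregate reports arrive as XML in the format from RFC 7489 Appendix C, and the useful work is sorting each source into "ours and aligned", "a third party sending as us without alignment", and "nothing passed". The following parser was written for this article (it is not the page's or DoppelDown's code) and runs over a constructed report; the reporter name, IPs, counts and selectors are assumptions. Real reports come as zip or gzip attachments from mailbox providers and are untrusted input, so parse them with defusedxml rather than the standard-library parser used here for brevity.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report in the RFC 7489 Appendix C layout (assumption:
# the reporter, addresses, selectors and counts are illustrative).
SAMPLE_REPORT = b"""<?xml version="1.0"?>
<feedback>
  <report_metadata><org_name>receiver.example</org_name><report_id>1234</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
  <policy_published><domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct></policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>example.com</domain><selector>google</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>198.51.100.20</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><dkim><domain>vendor.example</domain><selector>k1</selector><result>pass</result></dkim>
      <spf><domain>bounces.vendor.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.66</source_ip><count>119</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>example.com</domain><result>fail</result></spf></auth_results>
  </record>
</feedback>
"""


def _text(node, path, default=""):
    found = node.find(path)
    return found.text.strip() if found is not None and found.text else default


def parse_report(xml_bytes: bytes) -> dict:
    """Flatten one aggregate report into per-source rows."""
    root = ET.fromstring(xml_bytes)
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "ip": _text(rec, "row/source_ip"),
            "count": int(_text(rec, "row/count", "0")),
            "disposition": _text(rec, "row/policy_evaluated/disposition"),
            "spf": _text(rec, "row/policy_evaluated/spf"),    # aligned SPF result
            "dkim": _text(rec, "row/policy_evaluated/dkim"),  # aligned DKIM result
            "spf_domain": _text(rec, "auth_results/spf/domain"),
            "dkim_domain": _text(rec, "auth_results/dkim/domain"),
            "raw_spf": _text(rec, "auth_results/spf/result"),    # SPF for the envelope domain
            "raw_dkim": _text(rec, "auth_results/dkim/result"),  # DKIM for the d= domain
        })
    return {"reporter": _text(root, "report_metadata/org_name"),
            "domain": _text(root, "policy_published/domain"),
            "policy": _text(root, "policy_published/p"), "rows": rows}


def classify(row: dict) -> str:
    """What a row means for the domain owner."""
    if row["spf"] == "pass" or row["dkim"] == "pass":
        return "authenticated"
    if row["raw_spf"] == "pass" or row["raw_dkim"] == "pass":
        return "unaligned third party"  # passes for someone else's domain: fix SPF/DKIM with yours
    return "unauthenticated"            # nothing passed: spoofing, or a sender you forgot


def summarize(xml_bytes: bytes) -> dict:
    report = parse_report(xml_bytes)
    out = {"domain": report["domain"], "policy": report["policy"], "total": 0, "failing": 0, "by_class": {}}
    for row in report["rows"]:
        kind = classify(row)
        out["total"] += row["count"]
        if kind != "authenticated":
            out["failing"] += row["count"]
        out["by_class"].setdefault(kind, []).append(
            (row["ip"], row["count"], row["spf_domain"] or row["dkim_domain"]))
    return out


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print("%s (p=%s): %d messages, %d failed DMARC" % (s["domain"], s["policy"], s["total"], s["failing"]))
    for kind, sources in s["by_class"].items():
        for ip, count, domain in sources:
            print("  %-24s %-16s %5d  (%s)" % (kind, ip, count, domain))
```

Run this against a week of reports and the "unaligned third party" rows are your to-do list before moving off p=none; the "unauthenticated" rows with large counts from addresses you do not recognize are the spoofing you set DMARC up to see.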

4. Missing Third-Party Senders

Marketing platforms, support ticketing systems, HR tools, and CRMs often send email on your behalf. If the envelope domain they use is not covered by an SPF record of yours, or they do not DKIM-sign with a key published under your domain, their messages fail DMARC even though the vendor's own SPF and DKIM may pass.

5. Alignment Failures

DMARC does not just ask whether SPF or DKIM passed; it asks whether the domain that passed matches the domain in the From header. SPF is checked against the envelope sender (Return-Path) domain, and DKIM against the d= tag of the signature. With relaxed alignment (the default), a subdomain is good enough: a message From: mail@yourdomain.com with a Return-Path at newsletter.yourdomain.com aligns, provided newsletter.yourdomain.com has its own SPF record, because SPF is looked up for the envelope domain, not its parent. With strict alignment (adkim=s or aspf=s) the domains must match exactly. The most common failure is a third-party service that passes SPF for its own envelope domain and DKIM-signs with its own d= domain: both checks pass, neither aligns, and the message fails DMARC. The fix is to have the service use your domain as the envelope sender (often called a custom return path) or sign with a DKIM key you publish under your domain.

Why Email Authentication Matters for Brand Protection

Implementing SPF, DKIM, and DMARC is not just about deliverability — it is a critical brand protection measure:

Prevents Direct Domain Spoofing

With a p=reject DMARC policy, receivers that enforce DMARC (the major mailbox providers all do) refuse messages that claim to come directly from your domain and fail authentication. This removes the most convincing form of phishing: exact domain spoofing.

Provides Visibility Through Reporting

DMARC reports show you who is sending email claiming to be from your domain. This visibility helps identify compromised accounts, unauthorized services, and ongoing spoofing campaigns.

Builds Trust with Customers

When customers see the BIMI (Brand Indicators for Message Identification) logo next to your messages, which itself requires an enforcing DMARC policy, or simply know your emails are authenticated, trust increases. Some mail clients also warn users when a message could not be authenticated.

Email Authentication + Domain Monitoring: Complete Protection

Email authentication protects against direct domain spoofing, but it does not stop lookalike domain attacks. Attackers can still register yourcornpany.com or yourcompany-support.com and send emails from those domains. DMARC only protects your exact domain.

This is where DoppelDown complements your email security. While you lock down your domain with SPF, DKIM, and DMARC, DoppelDown continuously monitors for lookalike domains that could be used to impersonate your brand.

Our platform detects typosquats, homoglyph attacks, and combosquats the moment they are registered — often before they are used in phishing campaigns. You get immediate alerts with risk scoring, automated evidence collection, and streamlined takedown workflows.

Together, email authentication and domain monitoring provide comprehensive protection: DMARC prevents spoofing of your actual domain, while DoppelDown catches the lookalike domains that DMARC was never designed to cover.

Start protecting your brand with DoppelDown today — it is free to start, requires no credit card, and complements your email authentication setup perfectly. Do not let attackers hide in the gaps between your defenses.

SPF, DKIM, and DMARC form the foundation of email security for small businesses. They are not optional extras — they are essential protections that every business should implement. Set them up correctly, monitor your reports, and pair them with domain monitoring for complete brand protection.
