SPF, DKIM, and DMARC
SPF (Sender Policy Framework)
- SPF functions as an authorization list for email senders. The SPF record lists the servers authorized to send mail for the domain, and a receiving server checks the IP address of the connecting server against it. Emails claiming to be from your domain but sent from unauthorized servers are likely fraudulent.
- Domain owners create the SPF record as a DNS TXT record on the domain itself. Note that SPF is evaluated against the envelope sender (the SMTP MAIL FROM domain, or the HELO name when MAIL FROM is empty), not against the From: header the user sees. This is why DMARC alignment (below) is needed to stop header spoofing.
- A typical DNS TXT record for SPF looks like:
v=spf1 ip4:123.123.123.123 ~all
- Here ip4: authorizes a single address (a CIDR range such as ip4:192.0.2.0/24 is also valid) and ~all is "softfail": receivers should accept but may mark mail from any other source. -all ("fail") is the stricter choice once every legitimate sender is listed. A record may contain at most 10 mechanisms that need DNS lookups (include:, a, mx, ptr, exists and redirect=); exceeding that limit turns the record into a permanent error, so even legitimate mail no longer passes SPF.
- You can verify an SPF record with this command:
dig TXT example.com
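The evaluation a receiving server performs is easier to see in code. The following is an added example, not code from the original page: it parses a v=spf1 record, matches the connecting IP against ip4:/ip6: terms, follows include: recursively with the 10-lookup limit, and returns the qualifier's result. DNS is replaced by the constructed SPF_RECORDS dict, and the a, mx, ptr and exists mechanisms (which need live DNS) are counted against the limit but never match; the domain names and addresses are made up.

```python
"""SPF evaluator for ip4/ip6/include/all, with the RFC 7208 DNS lookup limit.

Added example (not from the original page). DNS is replaced by the
constructed SPF_RECORDS dict so it runs offline; the a, mx, ptr and exists
mechanisms, which need live DNS, are counted against the lookup limit but
treated as non-matching. Use a full library such as pyspf in production.
"""
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
LOOKUP_MECHANISMS = {"a", "mx", "ptr", "exists", "include"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

# Constructed stand-in for DNS TXT lookups: domain -> SPF record.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:123.123.123.123 include:_spf.mailer.example ~all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 -all",
}


def parse_spf(record: str) -> list[tuple[str, str, str]]:
    """Split a record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "+" (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term.split(":", 1)[0]:
            continue  # modifier such as redirect= or exp=; not handled here
        mechanism, _, argument = term.partition(":")
        mechanism = mechanism.split("/", 1)[0].lower()  # "a/24" -> "a"
        parsed.append((qualifier, mechanism, argument))
    return parsed


def check_host(ip: str, domain: str, records=SPF_RECORDS, lookups=None) -> str:
    """Return the SPF result for a connection from `ip` sending as `domain`."""
    lookups = [0] if lookups is None else lookups  # counter shared across includes
    record = records.get(domain.lower())
    if record is None:
        return "none"
    address = ipaddress.ip_address(ip)
    for qualifier, mechanism, argument in parse_spf(record):
        if mechanism in LOOKUP_MECHANISMS:
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                return "permerror"  # malformed address in the record
            # `in` is False across address families, so ip4 never matches an IPv6 client
            if address in network:
                return QUALIFIERS[qualifier]
        elif mechanism == "include":
            sub = check_host(ip, argument, records, lookups)
            if sub == "pass":
                return QUALIFIERS[qualifier]
            if sub in ("none", "permerror"):
                return "permerror"  # included domain has no or a broken record
        elif mechanism == "all":
            return QUALIFIERS[qualifier]
    return "neutral"  # reached the end of the record without a match


if __name__ == "__main__":
    for client in ("123.123.123.123", "198.51.100.7", "2001:db8::1", "203.0.113.9"):
        print(client, "->", check_host(client, "example.com"))
```

The shared lookup counter is what makes a deep chain of include: records fail with permerror, the same behaviour you see in practice when a domain accumulates too many third-party senders.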
DKIM (DomainKeys Identified Mail)
- DKIM functions as an authentication mechanism for email verification. When an email is sent, the sending server signs selected headers (always including From:) and a hash of the body with a private key and adds the result as a DKIM-Signature header. That header names the signing domain (d=) and a selector (s=); the recipient server fetches the matching public key from DNS and verifies the signature.
- This public key is stored in a DNS TXT record (the DKIM record) at <selector>._domainkey.<domain>, which is publicly accessible. A valid signature confirms that the domain in d= took responsibility for the message and that the signed headers and body have not been altered in transit. Selectors allow several keys to be published at once, so a domain can rotate keys or give each sending service its own key. Use 2048-bit RSA keys; 1024 bits is the minimum verifiers still accept, and shorter keys are rejected.
- A typical DNS TXT record for DKIM looks like (p= holds the base64-encoded public key; an empty p= means the key has been revoked):
v=DKIM1; k=rsa; p=NICfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDBolTXCqbxwoRBffyg2efs+Dtlc+CjxKz9grZGBaISRvN7EOZNoGDTyjbDIG8CnEK479niIL4rPAVriT54MhUZfC5UU4OFXTvOW8FWzk6++a0JzYu+FAwYnOQE9R8npKNOl2iDK/kheneVcD4IKCK7IhuWf8w4lnR6QEW3hpTsawIDAQ0B
- You can verify a DKIM record with this command:
dig TXT selector1._domainkey.yourdomain.com
- Note: Replace "selector1" with your actual selector (the s= value in the DKIM-Signature header of a message your domain sent), and "yourdomain.com" with your actual domain.
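The parts of DKIM verification that need no key material can be shown directly. The following is an added example, not code from the original page: it parses the tag=value syntax shared by the DKIM record and the DKIM-Signature header, sanity-checks a record the way a verifier does before trusting its key, and recomputes the body hash (bh=) with the simple or relaxed body canonicalization so that a tampered body is detected. The signature value b= is deliberately not verified; that step needs RSA or Ed25519 with the key from p=, which the standard library does not provide (dkimpy or the mail server does it). The message body and signature header are constructed for the example.

```python
"""DKIM record checks and body-hash (bh=) verification.

Added example (not from the original page). It parses the tag=value syntax
shared by the DKIM DNS record and the DKIM-Signature header, sanity-checks a
record, and recomputes the body hash with the simple or relaxed body
canonicalization of RFC 6376 section 3.4. Verifying the signature itself
(b=) additionally needs RSA or Ed25519 with the key from p=, which the
standard library does not provide. The message and signature are constructed.
"""
import base64
import hashlib
import hmac
import re


def parse_tags(value: str) -> dict[str, str]:
    """Parse 'k=v; k2=v2' tag lists; folding whitespace inside values is not significant."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def check_dkim_record(record: str) -> dict[str, str]:
    """Validate a DKIM TXT record as a verifier would before using its key."""
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional but must be DKIM1 if present
        raise ValueError("unsupported DKIM record version")
    if tags.get("k", "rsa") not in ("rsa", "ed25519"):
        raise ValueError("unknown key type %r" % tags["k"])
    if tags.get("p", "") == "":
        raise ValueError("empty p= means the key has been revoked")  # RFC 6376 section 3.6.1
    try:
        base64.b64decode(tags["p"], validate=True)
    except ValueError as exc:
        raise ValueError("p= is not valid base64") from exc
    return tags


def canonicalize_body(body: bytes, mode: str) -> bytes:
    """Body canonicalization: 'simple' or 'relaxed' (RFC 6376 sections 3.4.3 and 3.4.4)."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # collapse runs of WSP to one space and drop trailing WSP on every line
        lines = [re.sub(rb"[ \t]+", b" ", line).rstrip(b" ") for line in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # both modes ignore empty lines at the end of the body
    if not lines:
        return b"" if mode == "relaxed" else b"\r\n"
    return b"\r\n".join(lines) + b"\r\n"


def body_hash(body: bytes, mode: str = "relaxed") -> str:
    """bh= value: base64(sha256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body_hash(signature_header: str, body: bytes) -> bool:
    """Recompute bh= from the received body; False means the body was altered."""
    tags = parse_tags(signature_header)
    if tags.get("v") != "1" or tags.get("a") not in ("rsa-sha256", "ed25519-sha256"):
        raise ValueError("unsupported DKIM-Signature version or algorithm")
    if "l" in tags:
        raise ValueError("l= (signing only part of the body) is not handled here")
    # c=header/body; a single value means the body uses simple canonicalization
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return hmac.compare_digest(body_hash(body, body_mode), tags.get("bh", ""))


# Constructed message body and a DKIM-Signature header for it. The signer
# computes bh= exactly as the verifier will; b= is left empty because
# producing it needs the private key.
BODY = b"Hi,\r\n\r\nYour workout summary is attached.\r\n\r\n"
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=selector1; "
    "h=from:to:subject:date; bh=" + body_hash(BODY) + "; b="
)

if __name__ == "__main__":
    key = check_dkim_record("v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEB")  # shortened key, constructed
    print("record key type:", key.get("k", "rsa"))
    print("body hash verifies:", verify_body_hash(SIGNATURE, BODY))
    print("after tampering:", verify_body_hash(SIGNATURE, BODY.replace(b"attached", b"late")))
```

Relaxed canonicalization is why a mailing list that adds trailing whitespace does not break the body hash, while any change to the words does; a real verifier then hashes the canonicalized headers named in h= together with the signature header itself (with b= emptied) and checks b= against p=.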
DMARC (Domain-based Message Authentication, Reporting & Conformance)
- DMARC builds on SPF and DKIM. It ties their results to the domain in the From: header (identifier alignment): an SPF pass counts only if the MAIL FROM domain aligns with the From: domain, and a DKIM pass counts only if the d= domain aligns. It then tells receivers what to do with messages that fail (p=none, p=quarantine or p=reject) and where to send aggregate (rua=) and failure (ruf=) reports. Reporting is separate from the policy: reports are sent whatever the policy says, as long as a report address is published.
- A message passes DMARC if either aligned SPF or aligned DKIM passes; it does not need both. Passing both checks without alignment (for example, a phishing message that passes SPF and DKIM for the attacker's own domain while the From: header shows yours) still fails DMARC, and the receiving server then applies the published policy.
- A typical DNS TXT record for DMARC looks like:
v=DMARC1; p=none; rua=mailto:postmaster@example.com
- p=none is monitoring only: nothing is blocked, but aggregate reports go to the rua= address so you can find legitimate senders that are not yet authenticated before moving to p=quarantine and finally p=reject. Alignment is relaxed by default (same organizational domain); aspf=s and adkim=s require an exact domain match, and sp= sets a separate policy for subdomains.
- You can verify a DMARC record with this command:
dig _dmarc.example.com TXT
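The alignment rule is where most misunderstandings about DMARC come from, so here it is as an added example, not code from the original page. A receiver feeds in the SPF and DKIM results it already computed; the function looks up the policy (the From: domain first, then its organizational domain), checks alignment under aspf=/adkim=, and returns the DMARC result and the disposition the domain owner asked for. DNS is the constructed DMARC_RECORDS dict, and the organizational domain is approximated as the last two labels; a real receiver uses the Public Suffix List so that names like example.co.uk are handled correctly.

```python
"""DMARC evaluation: identifier alignment plus policy lookup and application.

Added example (not from the original page). Receivers feed it the SPF and
DKIM results they already computed; it decides DMARC pass/fail per RFC 7489
and returns the disposition the domain owner asked for. DNS is a constructed
dict, and the organizational domain is approximated as the last two labels;
real receivers use the Public Suffix List so that e.g. example.co.uk works.
"""
from dataclasses import dataclass, field

# Constructed stand-in for DNS: _dmarc.<domain> -> DMARC record.
DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; aspf=s; rua=mailto:postmaster@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:postmaster@example.net",
}


def org_domain(domain: str) -> str:
    """Organizational domain (simplified: public suffixes such as co.uk are not handled)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_dmarc(record: str) -> dict[str, str]:
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("invalid DMARC record: needs v=DMARC1 and p=none|quarantine|reject")
    return tags


def lookup_policy(from_domain: str, dns: dict[str, str]):
    """Policy discovery (RFC 7489 section 6.6.3): the From domain, then its organizational domain."""
    for candidate in (from_domain.lower(), org_domain(from_domain)):
        record = dns.get("_dmarc." + candidate)
        if record:
            return parse_dmarc(record), candidate
    return None, None


@dataclass
class AuthResults:
    from_domain: str        # domain of the RFC5322.From header, what the user sees
    spf_result: str         # pass / fail / softfail / neutral / none / ...
    spf_domain: str         # RFC5321.MailFrom domain that SPF was evaluated for
    dkim: list = field(default_factory=list)  # (result, d= domain) per DKIM-Signature


def evaluate_dmarc(auth: AuthResults, dns: dict[str, str]) -> dict:
    policy, policy_domain = lookup_policy(auth.from_domain, dns)
    if policy is None:
        return {"dmarc": "none", "disposition": "none", "report_to": None}
    spf_aligned = auth.spf_result == "pass" and aligned(
        auth.spf_domain, auth.from_domain, policy.get("aspf", "r"))
    dkim_aligned = any(
        result == "pass" and aligned(d, auth.from_domain, policy.get("adkim", "r"))
        for result, d in auth.dkim)
    report_to = policy.get("rua")
    if spf_aligned or dkim_aligned:  # either aligned identifier is enough
        return {"dmarc": "pass", "disposition": "none", "report_to": report_to}
    # Failure: a subdomain From: uses sp= when published, otherwise p=
    if policy_domain != auth.from_domain.lower():
        disposition = policy.get("sp", policy["p"])
    else:
        disposition = policy["p"]
    return {"dmarc": "fail", "disposition": disposition, "report_to": report_to}


if __name__ == "__main__":
    legit = AuthResults("example.com", "pass", "bounce.example.com", [("pass", "example.com")])
    spoof = AuthResults("example.net", "pass", "attacker.example", [("pass", "attacker.example")])
    print("legitimate:", evaluate_dmarc(legit, DMARC_RECORDS))
    print("spoofed From, attacker's own SPF/DKIM pass:", evaluate_dmarc(spoof, DMARC_RECORDS))
```

The spoof case is the one to study: SPF and DKIM both report pass, but for the attacker's domain, so nothing aligns with the From: header and DMARC fails; with p=none the message is still delivered, which is why p=none is a starting point rather than a destination.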
Real World Examples of SPF, DKIM, and DMARC
Mobile Apps
Mobile applications that send email do so through a backend mail service, and that service's sending domain is what needs SPF, DKIM and DMARC configured. When a fitness app sends a workout summary email, receiving servers check the sending server's IP against the SPF record, verify the DKIM signature, and apply the DMARC policy to decide whether to deliver, quarantine or reject the message.
Email Service Providers
Services like Gmail, Yahoo, and Outlook authenticate incoming email using these protocols, and since February 2024 Google and Yahoo require bulk senders to publish SPF, DKIM and at least a p=none DMARC record. When an email arrives, Gmail checks the connecting server's IP against the SPF record, validates the DKIM signature, and applies the sender domain's DMARC policy to determine proper handling.
Social Media Platforms
Social networks sending notification emails implement these protocols to ensure deliverability and protect their reputation. When users receive notifications, their email provider verifies the sending server's legitimacy through SPF, confirms the email's integrity via DKIM, and applies the appropriate DMARC policy.
Businesses
Organizations implement SPF, DKIM, and DMARC to protect their email communications and brand reputation. Correct authentication helps promotional email reach recipients' inboxes rather than spam folders, and a DMARC policy of quarantine or reject lets receivers drop phishing mail that spoofs the organization's domain.
Government Agencies
Government entities implement these protocols to secure official communications and resist phishing attacks; in the United States, for example, federal agencies have been required to publish a DMARC reject policy since DHS Binding Operational Directive 18-01. This helps legitimate notifications reach citizens' inboxes while making it much harder for criminals to impersonate official agencies.
Last Updated: 9/18/25