DMARC, DKIM, & SPF explained (email authentication 101)

DMARC, DKIM, and SPF are important for protecting your domain. Find out all you need to know about email authentication.

The FBI recently announced that BEC is a $50 billion scam. One thing you can do to protect against these bad actors is to implement email authentication protocols.

DMARC, DKIM, and SPF are three must-have email authentication methods every business should use. Collectively, they prevent phishers from harming your customers (and your brand’s reputation). 

Implemented correctly, they’ll boost your deliverability rate and customer experience. Left forgotten, your messages might end up in email purgatory: the spam folder (or not delivered at all).

In today’s interconnected digital landscape, email has become a primary communication tool for individuals and businesses. However, the rise of email-based threats such as phishing, spoofing, and email fraud has required the development of more robust security measures.

Enter SPF, DKIM, and DMARC.

Below, we’ll walk you through everything you need to know about DMARC, DKIM, and SPF—and how they work together to protect your brand.

What is SPF?

SPF (Sender Policy Framework) is an email validation protocol that enables domain owners to define a list of authorized email servers allowed to send emails on behalf of their domain. Domain owners publish SPF records in their Domain Name System (DNS) to specify which servers are legitimate senders of emails originating from their domain. 

When an email is received, the recipient’s email server can check the SPF record of the sender’s domain to ensure that the email comes from an authorized source. SPF helps mitigate email spoofing and ensures that only authorized servers can send emails using a specific domain.

SPF is the oldest email authentication protocol, and it’s not designed to be a catch-all security method. Instead, it’s a simple step (of many) to protect your domain.

SPF authentication relies on the domain displayed in a message’s Return-Path field rather than the easily visible “From:” address. While that’s handy-dandy, most people rely on the information in the “From:” field to determine the legitimacy of an email. In this case, SPF doesn’t help very much.

What is DKIM?

DomainKeys Identified Mail (DKIM) is an email authentication method that adds a digital signature to outgoing emails. 

It ensures the authenticity and integrity of the message by allowing the recipient to verify that the email originates from a legitimate sender and has not been tampered with during transit. DKIM employs cryptographic keys to sign outgoing emails, and the recipient’s email server can verify the signature using the corresponding public key published in the sender’s domain’s DNS records. 

DKIM provides an essential layer of trust, preventing email spoofing and guaranteeing message integrity. However, it has a few limitations that leave it vulnerable (when used alone) to phishing attacks:

  • Mismatched signatures
  • Lost DKIM private key
  • No connection to the mail servers required

What is DMARC?

Domain-based Message Authentication, Reporting, and Conformance (DMARC) empowers domain owners to instruct email receivers on how to handle unauthenticated emails sent from their domain. It combines the capabilities of DKIM and SPF and provides additional reporting mechanisms. 


With DMARC, domain owners can specify how to handle emails that fail authentication:

  • p=none: Take no action
  • p=quarantine: Deliver to the spam folder
  • p=reject: Don’t deliver the message at all

DMARC empowers organizations to gain greater control over their email domains and protect their brand reputation by reducing email fraud and phishing attacks.

DMARC reporting

DMARC has a reporting mechanism that allows email receivers to inform the domain owner whether the received email has passed or failed authentication. The domain owner’s DMARC record can indicate where the receivers should send the reports. 

These reports help the domain owner or their DMARC vendor identify who is using the domain to send emails. The valuable insights these reports provide enable domain owners to refine their email authentication policies, allowing them to authorize only trusted senders to send emails on behalf of the domain. 

By leveraging this information, domain owners can strengthen their email security measures and ensure that only legitimate sources can send emails under their domain.
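
To make the reporting step concrete, here is an added example (not Valimail's code) that tallies an aggregate report by sending IP. The XML is a constructed sample in the aggregate-report layout defined by RFC 7489, and all addresses and domains in it are placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report; real ones arrive as attachments at the rua= address.
SAMPLE_REPORT = """<feedback>
  <report_metadata><org_name>receiver.example</org_name></report_metadata>
  <policy_published><domain>example.com</domain><p>none</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>8</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>"""

def summarize(xml_text):
    """Return ({ip: messages passing DMARC}, {ip: messages failing DMARC})."""
    passing, failing = Counter(), Counter()
    # Reports come from third parties: use a hardened XML parser in production.
    for rec in ET.fromstring(xml_text).iter("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        ev = row.find("policy_evaluated")
        # policy_evaluated holds the aligned results; one "pass" is enough for DMARC.
        ok = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        (passing if ok else failing)[ip] += count
    return dict(passing), dict(failing)
```

The failing set is what a move to p=quarantine or p=reject would affect, so each IP in it is either a legitimate sender still to be authorized or someone spoofing the domain.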

DMARC enforcement

Loosey-goosey DMARC policies aren’t enough to protect your brand, though—you need DMARC enforcement. DMARC enforcement ensures only legitimate email (that you’ve authorized) gets sent from your domains. Everything else is deleted or sent to the spam folder.

This happens by evolving your email program from a p=none policy to a p=quarantine or p=reject. 

Internet Service Providers (ISPs) consider your sending domain’s reputation when making delivery decisions—and they take DMARC status into account. We have observed customers witnessing a remarkable increase in delivery rates for their marketing campaigns, ranging from 5 to 10%, upon transitioning to an enforcement policy.

Sadly, many companies that adopt DMARC fail to reach the enforcement stage. According to Valimail’s research, 75% to 80% of domains that have published a DMARC record face challenges in achieving enforcement. These challenges often arise from configuration errors or, more commonly, getting stuck at the p=none policy—sometimes for extended periods, spanning months or even years.

Operating in monitor mode, with a DMARC policy of p=none, does not protect your business. It simply tells you how your domain is sending emails without taking any action.

To see if your domain is at DMARC enforcement or not, use our free domain checker!

How do DMARC, DKIM, & SPF work together?

DKIM and SPF can each work alone, but DMARC brings all three together to protect your sending domain. Here’s how DMARC works:

  1. Domain owner publishes DMARC record: The domain owner (the organization that owns the sending domain) publishes a DMARC record in their DNS (Domain Name System) records. The DMARC record contains specific instructions for how receiving mail servers should handle emails that claim to originate from the domain.
  2. Incoming email arrives at recipient’s mail server: When an email is sent from a domain implementing DMARC, it reaches the recipient’s mail server.
  3. Mail server checks for DMARC record: The recipient’s mail server checks for the presence of a DMARC record in the sending domain’s DNS.
  4. SPF and DKIM authentication: The mail server then performs SPF and DKIM authentication checks on the incoming email. SPF verifies that the email comes from an authorized server, while DKIM verifies the email’s integrity and authenticity using digital signatures.
  5. DMARC policy check: If the email fails DMARC, the recipient’s mail server evaluates the policy specified in the DMARC record. The policy can be set to three possible values: “none,” “quarantine,” or “reject.”
    1. “None” policy: If the DMARC policy is set to “none,” the email is delivered as usual without additional action.
    2. “Quarantine” policy: If the DMARC policy is set to “quarantine,” the email is marked as potentially suspicious or sent to the recipient’s spam or junk folder.
    3. “Reject” policy: If the DMARC policy is set to “reject,” the email is rejected outright and not delivered to the recipient’s inbox.
  6. Reporting and feedback: DMARC includes reporting mechanisms where the recipient’s mail server sends feedback reports to the domain owner. These reports provide information about email authentication results, failed attempts, and other data that assists in monitoring and improving email security.
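
Steps 3 to 5 can be sketched as receiver-side logic. This is an added example, not Valimail's code or any mail server's implementation. It goes slightly beyond the text by including the alignment rule from RFC 7489 (the SPF or DKIM domain must match the "From:" domain), and it assumes a naive two-label organizational domain. All domains and records are constructed.

```python
# Added example: simplified receiver-side DMARC decision (after RFC 7489).
# All domains, records and results used with it are constructed samples.

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; None if it is not valid DMARC."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    if tags.get("p", "").lower() not in ("none", "quarantine", "reject"):
        return None
    return tags

def org_domain(domain):
    # Assumption: the organizational domain is the last two labels.
    # Real receivers consult the Public Suffix List instead.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def evaluate(from_domain, record, spf, return_path_domain, dkim, dkim_d):
    """Return 'pass', the policy for failing mail, or 'no-policy'."""
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "no-policy"
    spf_ok = spf == "pass" and aligned(
        return_path_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim == "pass" and aligned(
        dkim_d, from_domain, policy.get("adkim", "r"))
    # DMARC passes when one mechanism passes AND aligns with the From: domain.
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"].lower()

RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"  # constructed
```

A message whose Return-Path domain passes SPF but does not match the "From:" domain still fails DMARC here, which is the gap in SPF-only checking described earlier.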

Get started with DMARC enforcement

Stop phishing and impersonation attacks with continuous DMARC protection at scale. Valimail Enforce helps you reach DMARC enforcement without any manual DKIM or SPF configuration.

Want to see for yourself? Get started now, or schedule a quick call with one of our DMARC experts.
