Email Authentication in Practice: SPF, DKIM, and DMARC

Email spoofing is still one of the easiest ways to bypass defenses. SPF, DKIM, and DMARC are the baseline controls that let receivers verify who is allowed to send mail on behalf of your domain. The setup is not hard, but the order matters.

This post walks through a practical setup that works for small teams and home labs.

Start with SPF

SPF tells receivers which servers are allowed to send mail for your domain. Add a TXT record for your root domain.

v=spf1 ip4:203.0.113.10 include:_spf.google.com -all

Keep the record small and explicit. Use -all once you are confident you have included all senders.

Add DKIM signing

DKIM signs outgoing mail with a private key held by your mail server; receivers fetch the matching public key from DNS to verify that the message was signed by your domain and not altered in transit. Most providers give you a selector name and a TXT record value.

selector1._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqh..."

Rotate DKIM keys annually and keep old selectors around until all senders are updated.

Layer on DMARC

DMARC ties SPF and DKIM together and defines your policy. Start in monitoring mode, then move to quarantine or reject.

_dmarc.example.com TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com; pct=100; adkim=s; aspf=s"

After you review reports for a few weeks, move to p=quarantine, then p=reject when you are confident.

Verify your records

Use dig to confirm what the world sees.

dig txt example.com +short
dig txt selector1._domainkey.example.com +short
dig txt _dmarc.example.com +short

If you see more than one SPF record, combine them into a single record. Receivers treat multiple SPF records as an error, which fails SPF for all of your mail.

Monitor DMARC reports

DMARC aggregate reports (the rua address in your record) are XML files that show which sources are sending on your behalf and whether they passed aligned SPF and DKIM. Set up a mailbox to collect them, or use a free DMARC report parser. This is where you find forgotten senders like monitoring tools, ticketing systems, or marketing platforms.
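As an added example (not code from the post), here is a minimal parser for the aggregate report format described above. It reads a constructed sample report, pulls out each source IP with its aligned DKIM/SPF verdicts, and lists the sources that passed neither, which is the list of forgotten senders or spoofers you would review before moving to p=quarantine. The tag names follow the RFC 7489 aggregate-report schema; the IPs and counts are made up.

```python
# Added example, not from the post: summarise a DMARC aggregate (rua)
# report to find sources that fail both aligned DKIM and aligned SPF.
# SAMPLE_REPORT is a constructed sample; IPs and counts are made up.
import xml.etree.ElementTree as ET

SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <policy_published>
    <domain>example.com</domain><adkim>s</adkim><aspf>s</aspf><p>none</p>
  </policy_published>
  <record>
    <row><source_ip>203.0.113.10</source_ip><count>42</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row><source_ip>198.51.100.77</source_ip><count>7</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""

def parse_aggregate_report(xml_text):
    """One dict per <record>: source IP, count, and aligned DKIM/SPF verdicts."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        # policy_evaluated holds the DMARC-aligned results, not raw auth results
        pe = row.find("policy_evaluated")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "dkim": pe.findtext("dkim"),
            "spf": pe.findtext("spf"),
        })
    return rows

def unauthenticated_sources(rows):
    """Sources where neither aligned DKIM nor aligned SPF passed, noisiest first:
    either a forgotten legitimate sender to authorise, or spoofing to block."""
    bad = [r for r in rows if r["dkim"] != "pass" and r["spf"] != "pass"]
    return sorted(bad, key=lambda r: r["count"], reverse=True)

if __name__ == "__main__":
    for r in unauthenticated_sources(parse_aggregate_report(SAMPLE_REPORT)):
        print(f"{r['source_ip']}: {r['count']} msgs, dkim={r['dkim']}, spf={r['spf']}")
```

Real reports arrive as gzip or zip attachments, so unpack them before feeding the XML to the parser.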

Hardening tips

  • Use strict alignment (adkim=s, aspf=s) once you are stable.
  • Keep SPF within the limit of 10 DNS lookups, or receivers will reject the record.
  • Document every authorized sender so future changes do not break mail flow.

Takeaways

SPF, DKIM, and DMARC are simple controls with a large security payoff. Start with SPF, add DKIM, then enforce DMARC in stages. The monitoring data is as valuable as the enforcement.

This post is licensed under CC BY 4.0 by the author.