Understanding DKIM, DMARC, and SPF: What They Are and Why They Matter

Email authentication protocols—SPF, DKIM, and DMARC—are fundamental to securing domain-based email systems against spoofing, phishing, and unauthorised use. These technologies work together to ensure that email claiming to come from a specific domain is actually authorised by that domain’s owner.

This post explains what each protocol does and how the three interact, and provides DNS record examples to assist with accurate implementation.

Protocol Overview and Purpose

  • SPF (Sender Policy Framework) allows a domain to list authorised mail servers via DNS.
  • DKIM (DomainKeys Identified Mail) adds a cryptographic signature to emails, verifying integrity and legitimacy.
  • DMARC (Domain-based Message Authentication, Reporting & Conformance) enforces alignment between SPF/DKIM and the visible “From” header, while also enabling detailed feedback through reporting.

Together, these protocols create a layered authentication strategy that helps protect your domain’s reputation and improves deliverability.

SPF: Authorise Sending Servers

SPF works by looking up a TXT record in DNS for the domain of the envelope sender (the Return-Path) and checking whether the connecting mail server’s IP address is listed in it. If the sending IP is not listed, the message fails SPF validation.

Example DNS record for SPF:

yourdomain.com.  IN  TXT  "v=spf1 ip4:203.0.113.5 include:spf.protection.outlook.com -all"
  • ip4:203.0.113.5 allows a specific mail server IP
  • include:spf.protection.outlook.com includes Microsoft 365 servers
  • -all indicates hard fail for unauthorised sources

Best practices:

  • Avoid using +all, which defeats SPF’s purpose.
  • Don’t exceed 10 DNS lookups (include: and redirect= count).
  • Only publish one SPF record per domain.
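As an added example (not code from the original post), the following Python script audits an SPF record the way the best practices above describe: it follows include: and redirect= into other records, counts the DNS-querying terms against the limit of 10, and flags +all, a permanent ~all, and domains that publish more than one SPF record. DNS is replaced by a constructed in-memory table so it runs offline; the domains other than the post’s own example record are made up for this illustration.

```python
import re

# Constructed stand-in for DNS (domain -> TXT records); built for this example, not live lookups.
FAKE_DNS = {
    "yourdomain.com": ["v=spf1 ip4:203.0.113.5 include:spf.protection.outlook.com -all"],
    "spf.protection.outlook.com": [
        "v=spf1 ip4:198.51.100.0/24 include:spfd.protection.outlook.com -all"],
    "spfd.protection.outlook.com": ["v=spf1 ip6:2001:db8::/32 -all"],
    "lax.example": ["v=spf1 a mx +all"],                        # +all defeats SPF
    "broken.example": ["v=spf1 ip4:192.0.2.1 -all",             # two SPF records: PermError
                       "v=spf1 include:spf.protection.outlook.com ~all"],
}

# Terms that each cost one DNS lookup under RFC 7208 (limit 10); ip4/ip6 cost none.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def spf_records(domain):
    return [r for r in FAKE_DNS.get(domain, []) if r.lower().startswith("v=spf1")]

def audit_spf(domain, _depth=0):
    """Return (dns_lookups, problems) for a domain's SPF record, following include:/redirect=."""
    if _depth > MAX_LOOKUPS:
        return 0, [f"{domain}: include/redirect nesting too deep (loop?)"]
    records = spf_records(domain)
    if len(records) != 1:
        return 0, [f"{domain}: expected exactly one SPF record, found {len(records)}"]
    lookups, problems = 0, []
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        m = re.match(r"([a-z0-9]+)(?:[:=]([^/]*))?(?:/.*)?$", term.lstrip("+-~?").lower())
        if not m:
            problems.append(f"{domain}: unparseable term {term!r}")
            continue
        name, arg = m.group(1), m.group(2) or domain    # a/mx default to the current domain
        if name == "all":
            if qualifier == "+":
                problems.append(f"{domain}: +all authorises any sender")
            elif qualifier == "~":
                problems.append(f"{domain}: ~all soft fail should only be temporary")
            continue
        if name in LOOKUP_TERMS:
            lookups += 1
            if name in ("include", "redirect"):         # these expand to another record
                sub_lookups, sub_problems = audit_spf(arg, _depth + 1)
                lookups += sub_lookups
                problems += sub_problems
    if _depth == 0 and lookups > MAX_LOOKUPS:
        problems.append(f"{domain}: {lookups} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    return lookups, problems
```

Running audit_spf("yourdomain.com") on the post’s record costs two lookups (the include and the include nested inside it) and reports no problems, while the constructed lax.example and broken.example domains are flagged.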

DKIM: Sign Outbound Mail with a Private Key

DKIM validates that a message’s content was not modified and that it originated from the stated domain. It does this via a cryptographic signature added to the email headers.

Example DNS record for DKIM:

selector1._domainkey.yourdomain.com.  IN  TXT  "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3..."
  • selector1 refers to a key selector used by the signing mail server.
  • The p= value contains the RSA public key.

Best practices:

  • Use 2048-bit keys where supported.
  • Rotate keys periodically.
  • Ensure your MTA (Mail Transfer Agent) is correctly signing outbound email.

DMARC: Align, Enforce, and Monitor

DMARC ensures that either SPF or DKIM (or both) pass and are aligned with the domain in the “From” header. It also tells recipient servers what to do with messages that fail, and where to send reports.

Example DNS record for DMARC:

_dmarc.yourdomain.com.  IN  TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; sp=none; adkim=s; aspf=s"
  • p=quarantine tells the recipient to quarantine messages that fail DMARC
  • rua= defines the address to receive aggregate reports
  • sp=none sets a separate policy (here, none) for subdomains
  • adkim=s and aspf=s enable strict alignment

Best practices:

  • Start with p=none to gather reports before enforcing policies.
  • Regularly review and analyse DMARC reports.
  • Use tools to parse and visualise report data.

Protocol Interoperability and Domain Alignment

These three protocols work together:

  • SPF validates the mail server sending the email.
  • DKIM verifies message integrity and authenticity.
  • DMARC ensures the “From” header aligns with SPF or DKIM domains and applies policy accordingly.

This alignment is critical because SPF and DKIM alone do not cover the “From” header—the most visible part of an email to users.

Example alignment failure:

  • Email claims to be from accounts@yourdomain.com
  • SPF passes for mail.vendor.com (used in Return-Path)
  • But the “From” is yourdomain.com, and they don’t match → DMARC fails

Implementation Considerations and Common Pitfalls

  • Publishing multiple SPF records—merge them into one
  • Using soft fail ~all permanently (should only be used during testing)
  • Misconfigured DKIM selectors or missing DNS records
  • Not enabling DMARC reports (rua=), which limits visibility
  • Assuming third-party services automatically support these protocols—many require manual setup

Subdomain note: Use the sp= tag in DMARC to control policies for subdomains explicitly. For example:

sp=reject

enforces rejection on subdomains too.
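As an added example (not code from the original post), the following Python script parses the DMARC record shown above and applies the alignment rules the way a receiving server would, using the post’s alignment-failure scenario and the sp= subdomain note. The inputs are constructed; org_domain() is a deliberate simplification (last two labels) where a real verifier consults the Public Suffix List, and policy_domain is an assumed parameter naming where the _dmarc record was found.

```python
def parse_dmarc(record):
    """Parse 'v=DMARC1; tag=value; ...' into a dict, filling RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}        # relaxed alignment unless the record says otherwise
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])          # subdomain policy defaults to p=
    return tags

def org_domain(domain):
    """Organisational domain. Assumption: last two labels; real verifiers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """True if an authenticated domain aligns with the From: domain ('s' strict, 'r' relaxed)."""
    if not auth_domain:
        return False                           # that mechanism did not pass at all
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_evaluate(record, policy_domain, from_domain, spf_domain=None, dkim_domain=None):
    """spf_domain: Return-Path domain if SPF passed, else None.
    dkim_domain: d= of a passing DKIM signature, else None.
    policy_domain: domain whose _dmarc record this is. Returns (dmarc_pass, disposition)."""
    tags = parse_dmarc(record)
    passed = (aligned(from_domain, spf_domain, tags["aspf"])
              or aligned(from_domain, dkim_domain, tags["adkim"]))
    policy = tags["p"] if from_domain.lower() == policy_domain.lower() else tags["sp"]
    return passed, ("none" if passed else policy)

# The record from this post; a relaxed variant is constructed to show adkim/aspf defaults.
STRICT_RECORD = ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com; "
                 "sp=none; adkim=s; aspf=s")
RELAXED_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@yourdomain.com"

if __name__ == "__main__":
    # The post's failure case: From accounts@yourdomain.com, SPF passes only for mail.vendor.com.
    print(dmarc_evaluate(STRICT_RECORD, "yourdomain.com", "yourdomain.com",
                         spf_domain="mail.vendor.com"))
```

Under strict alignment even a Return-Path of mail.yourdomain.com fails, whereas the relaxed record accepts it because both share the organisational domain; a From: subdomain falls under sp= rather than p=.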

How CK Computer Solutions – Managed IT Services Dublin Can Help

While setting up SPF, DKIM, and DMARC is technically straightforward for experienced admins, ongoing management and monitoring are where most businesses stumble.

CK Computer Solutions offers expert assistance to:

  • Implement correct DNS records across multiple domains and services
  • Coordinate with third-party senders to align email sources
  • Parse and act on DMARC reporting
  • Harden policies over time while maintaining deliverability
  • Keep your systems compliant as standards evolve

We work with both cloud-based systems like Microsoft 365 and Google Workspace, and hybrid/on-prem environments. As your Managed IT Services provider in Dublin, we’ll secure your domain at the DNS, mail server, and policy levels—ensuring that your email reputation is protected and your communications stay trusted.
