SPF, DKIM & DMARC: the email authentication guide

Last updated: 2026-06-26

Why email authentication matters

Without authentication, anyone can send email that looks like it came from your domain — the basis of phishing and business email compromise. SPF, DKIM and DMARC let receiving servers verify that mail claiming to be from you really is, and tell them what to do when it isn’t.

SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists which servers are allowed to send mail for your domain. Receivers reject or flag mail from servers not on the list. A strong SPF record ends with “-all” (hard fail) or “~all” (soft fail).

v=spf1 include:_spf.google.com -all

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every message, published as a public key in DNS. The receiver verifies the signature to confirm the message wasn’t altered in transit and really came from your domain. Your mail provider generates the key and a “selector”.

DMARC

DMARC ties SPF and DKIM together and tells receivers what to do with mail that fails: nothing (p=none, monitoring only), quarantine (p=quarantine), or reject (p=reject). It also sends you reports. Start at p=none to observe, then move to quarantine and reject.

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

MTA-STS (transport security)

MTA-STS forces inbound mail to your domain to be delivered over TLS, preventing downgrade attacks where an attacker strips encryption. It’s a DNS record plus a policy file served over HTTPS.

Check your domain now

Not sure where your domain stands? Run our free checker — it grades your SPF, DMARC and MTA-STS in seconds, with no signup: spamless.dev/check.

How Spamless helps

Spamless is an MX-gateway that filters spam, phishing and malware before it reaches your inbox, and checks SPF/DKIM/DMARC on every inbound message as part of a 7-layer pipeline. Point your MX to us in 5 minutes — Basic is free.