What Is the Difference Between SPF, DKIM, and DMARC?

Quick Answer

SPF lists who can send email for you. DKIM adds a digital signature proving emails are genuine. DMARC tells receivers what to do when SPF or DKIM fail. You need all three working together for proper email authentication.

The Three Standards

SPF (Sender Policy Framework)

What it does: Publishes a list of servers authorised to send email for your domain.

How it works:

  1. You create a DNS TXT record listing your mail servers
  2. Receiving server checks if sending server is on your list
  3. If not listed → SPF fails

Example record:

```
v=spf1 include:spf.protection.outlook.com -all
```

This says: "Only Microsoft 365 can send mail for us. Reject everything else."

Limitations:

  • Doesn't survive forwarding (forwarding server isn't on your SPF)
  • Only checks envelope sender, not visible "From" address
  • Easy to misconfigure

DKIM (DomainKeys Identified Mail)

What it does: Adds a cryptographic signature to emails proving they haven't been tampered with.

How it works:

  1. Your mail server signs outgoing emails with a private key
  2. Public key is published in DNS
  3. Receiving server verifies signature with public key
  4. Invalid signature → DKIM fails

What it proves:

  • Email genuinely came from the claimed domain
  • Email wasn't modified in transit

Advantages over SPF:

  • Survives forwarding (signature travels with the message)
  • Verifies message integrity

Limitations:

  • Requires mail server configuration
  • Doesn't specify what to do on failure

DMARC (Domain-based Message Authentication, Reporting & Conformance)

What it does: Tells receiving servers how to handle failed SPF/DKIM, and sends you reports.

How it works:

  1. You publish a DMARC policy in DNS
  2. Receiving server checks SPF and DKIM
  3. If both fail, DMARC policy determines action
  4. Reports sent to you about authentication results

Policy options:

  • `p=none` - Monitor only, deliver anyway
  • `p=quarantine` - Send failures to spam
  • `p=reject` - Block failures completely

Example record:

```
v=DMARC1; p=reject; rua=mailto:[email protected]
```

How They Work Together

```
Email arrives claiming to be from yourdomain.com
        ↓
SPF check: Is the sending server authorised?
        ↓
DKIM check: Is the signature valid?
        ↓
DMARC check: Does SPF or DKIM pass AND align with the From domain?
        ↓
DMARC policy: What to do if it failed?
        ↓
Deliver / Quarantine / Reject
```

DMARC requires at least one of SPF or DKIM to pass AND align with the visible From domain.
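The alignment rule above, worked through in code. This is an added example written for this article, not the provider's tooling: it parses a DMARC record like the one shown earlier, applies relaxed or strict alignment, and maps the outcome to the `p=` policy. The SPF and DKIM results are assumed to come from an earlier check, and the organisational-domain helper is a simplification (real DMARC uses the Public Suffix List).

```python
# Added example: DMARC alignment and policy evaluation (not from the article).
# Assumes SPF/DKIM pass/fail results were already computed by the receiver.

def parse_dmarc(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=mailto:...' into a tag/value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Organisational domain, simplified to the last two labels (assumption;
    a real implementation consults the Public Suffix List for e.g. co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str = "r") -> bool:
    """Relaxed ('r') alignment: same organisational domain.
    Strict ('s') alignment: exact match."""
    a, f = auth_domain.lower().rstrip("."), from_domain.lower().rstrip(".")
    return a == f if mode == "s" else org_domain(a) == org_domain(f)

def dmarc_result(record: str, from_domain: str,
                 spf_result: str, spf_domain: str,
                 dkim_result: str, dkim_domain: str) -> tuple:
    """Return (dmarc_pass, action).

    spf_domain is the envelope (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= tag of the verified DKIM signature.
    DMARC passes if SPF passes AND aligns, or DKIM passes AND aligns.
    Otherwise the p= policy decides what happens to the message."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "deliver"
    actions = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return False, actions[tags["p"]]

# Constructed sample: a forwarded message where SPF fails but DKIM survives.
FORWARDED = dmarc_result("v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
                         "example.com", "fail", "forwarder.example.net",
                         "pass", "example.com")
```

The forwarded-mail case returns `(True, "deliver")`, which is exactly why DKIM is needed alongside SPF: without the aligned DKIM pass, the same message under `p=reject` would be rejected.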

Why You Need All Three

| | SPF alone | DKIM alone | SPF + DKIM | Full DMARC |
|---|---|---|---|---|
| Prevents basic spoofing | Partial | Partial | Better | Best |
| Survives forwarding | No | Yes | Partial | Yes |
| Verifies integrity | No | Yes | Yes | Yes |
| Specifies failure action | No | No | No | Yes |
| Provides reporting | No | No | No | Yes |

With only SPF: Forwarded emails fail. No policy on failures.

With only DKIM: No enforcement policy. Receivers decide what to do.

With all three: Legitimate email passes. Spoofed email is rejected. You know what's happening via reports.

Implementation Order

1. SPF first

  • Audit all legitimate sending sources
  • Create SPF record including all of them
  • Test before publishing

2. DKIM second

  • Enable in your email provider
  • Publish DKIM records in DNS
  • Verify signing is working

3. DMARC last

  • Start with `p=none` (monitor only)
  • Review reports for problems
  • Fix any legitimate email failing authentication
  • Move to `p=quarantine`
  • Eventually `p=reject`

Common Mistakes

SPF too long: SPF has length limits. Too many includes = broken SPF.
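One concrete form of "too long" is the RFC 7208 cap of 10 DNS-querying mechanisms per SPF evaluation; exceeding it yields a permerror, so receivers treat the record as broken. This added checker (written for this article, not a provider tool) counts those mechanisms in a record's own text. It does not follow `include:` targets, which also count towards the same limit, so the result is a lower bound.

```python
# Added example: count DNS-lookup mechanisms in an SPF record (not from the article).
# Mechanisms/modifiers that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_LOOKUPS = 10  # RFC 7208 limit; more than this is a permanent error

def count_spf_lookups(record: str) -> int:
    """Count lookup-requiring terms in the top-level record only.
    ip4:, ip6: and all never need a lookup; a/mx count even without a domain."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    count = 0
    for term in terms[1:]:
        term = term.lstrip("+-~?")                      # drop qualifier
        name = term.split(":", 1)[0].split("/", 1)[0]   # 'a/24', 'include:x'
        name = name.split("=", 1)[0].lower()            # 'redirect=x'
        if name in LOOKUP_MECHANISMS:
            count += 1
    return count

def spf_lookup_status(record: str) -> str:
    """'ok' when within the limit, 'permerror' when the record is broken."""
    return "ok" if count_spf_lookups(record) <= MAX_LOOKUPS else "permerror"

# Constructed samples: the record from this article, and an overgrown one.
ARTICLE_RECORD = "v=spf1 include:spf.protection.outlook.com -all"
TOO_MANY = "v=spf1 " + " ".join(f"include:svc{i}.example" for i in range(11)) + " -all"
```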

Forgetting sending services: marketing platforms, CRM, helpdesk, transactional email services all need including.

Jumping to DMARC reject: enforcement before you've fixed legitimate email = broken email.

Never moving beyond p=none: monitoring without enforcement doesn't protect you.

Not reviewing reports: DMARC reports tell you what's happening. Ignoring them defeats the purpose.

Checking Your Setup

Use our Domain Health Check or tools like:

  • mxtoolbox.com
  • dmarcanalyzer.com
  • mail-tester.com

These show whether SPF, DKIM, and DMARC are configured correctly.

What We Configure

For managed clients, we implement full email authentication:

  • SPF covering all legitimate senders
  • DKIM enabled and verified
  • DMARC with a path to enforcement
  • Monitoring of authentication results

Proper email authentication stops spoofing. We set it up right.

---

Want to check your email security? Use our free Domain Health Check or talk to us.

---