Email Authentication Explained: SPF, DKIM, and DMARC
SPF, DKIM, and DMARC are three standards that together prove an email actually came from your domain and decide what happens when one does not. They exist because plain email has no built-in way to verify the sender, which is exactly what spammers and phishers exploit. Publish all three correctly and you make your domain far harder to spoof while improving the odds your real mail reaches the inbox.
All three are published as DNS TXT records, so they sit right alongside the rest of your DNS records. A DNS lookup is all it takes to see whether a domain has them. You can check any domain's SPF and DMARC status with our DNS tool.
What each one does
| Standard | Job | Lives in | Defined by |
|---|---|---|---|
| SPF | Lists which servers may send mail for your domain | TXT record | RFC 7208 |
| DKIM | Adds a tamper-evident cryptographic signature to each message | TXT record (selector) | RFC 6376 |
| DMARC | Sets the policy for failures and requests reports | TXT record (_dmarc) | RFC 7489 |
SPF: who is allowed to send
An SPF record names the mail servers permitted to send on behalf of your domain. A receiver checks the sending server against that list. Full detail in SPF records explained.
DKIM: a signature that proves nothing changed
DKIM attaches a digital signature to each message using a private key, and publishes the matching public key in DNS. Receivers verify the signature to confirm the message is genuine and unaltered. See DKIM explained.
DMARC: the policy and the reports
DMARC ties SPF and DKIM to your visible From address and tells receivers what to do with failures: monitor, quarantine, or reject. It also sends you reports showing who is mailing as your domain. See DMARC explained and the breakdown of DMARC policies.
Why all three, and why now
Each standard covers a gap the others leave open, which is why they are designed to work as a set. SPF alone breaks when mail is forwarded; DKIM alone does not say what to do on failure; DMARC ties them to the address users actually see and adds enforcement and reporting. We walk through the interplay in SPF vs DKIM vs DMARC.
Since 2024, the large mailbox providers require authentication for bulk senders, so this is no longer optional if you send marketing or transactional mail. Missing or broken authentication is one of the most common reasons legitimate mail lands in spam, covered in why your email goes to spam.
How to check a domain
You do not need to read raw DNS to audit a domain's email security. Our DNS tool reports whether SPF and DMARC are present, and our guide how to check SPF, DKIM, and DMARC shows how to verify all three by hand. Once DMARC is enforcing, you can even add a brand logo to your messages with BIMI.
Get these three right and you have closed the easiest door an attacker can use against your brand, and given your real mail its best shot at the inbox. Check any domain with our DNS tool, or have an agent pull the records through the dns_records tool in our MCP server.
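Once the TXT strings are in hand, the audit described above comes down to a few rules. The Python below is an added example, not code from this site or its DNS tool: it classifies the SPF record at the domain apex by its terminal `all` qualifier and summarises the DMARC record at `_dmarc`. The function names and the sample records for example.com and example.org are constructed for illustration.

```python
# Added example: every record below is constructed, not the result of a real lookup.

def parse_tags(record):
    """Split a 'tag=value; tag=value' record (the DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(apex_txt):
    """Classify the SPF posture from the TXT strings at the domain apex."""
    spf = [r for r in apex_txt if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid: multiple SPF records"  # RFC 7208 treats this as permerror
    terms = [t.lower() for t in spf[0].split()[1:]]
    final = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if final is None:
        has_redirect = any(t.startswith("redirect=") for t in terms)
        return "redirect" if has_redirect else "neutral (no all)"
    # A bare "all" or "+all" lets any server pass, which defeats the record.
    return {"-": "hardfail", "~": "softfail", "?": "neutral"}.get(final[0], "pass-all")

def audit_dmarc(dmarc_txt):
    """Summarise the TXT strings found at _dmarc.<domain>."""
    recs = [r for r in dmarc_txt if r.replace(" ", "").startswith("v=DMARC1")]
    if len(recs) != 1:  # RFC 7489: zero or several records means DMARC is not applied
        return {"status": "invalid" if recs else "missing", "enforcing": False}
    tags = parse_tags(recs[0])
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"status": "invalid", "enforcing": False}
    return {"status": "ok", "policy": policy,
            "enforcing": policy in ("quarantine", "reject"),
            "reports": "rua" in tags}

# Constructed sample data: (TXT at the apex, TXT at _dmarc).
SAMPLES = {
    "example.com": (["v=spf1 include:_spf.example.net -all", "site-verify=abc"],
                    ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]),
    "example.org": (["v=spf1 a mx ~all", "v=spf1 ip4:192.0.2.0/24 -all"],
                    ["v=DMARC1; p=none"]),
}

if __name__ == "__main__":
    for domain, (apex, dmarc) in SAMPLES.items():
        print(domain, "| SPF:", audit_spf(apex), "| DMARC:", audit_dmarc(dmarc))
```

The example.org sample shows two common findings: a second SPF record invalidates both, and `p=none` with no `rua` tag neither enforces nor reports.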
Frequently asked questions
What are SPF, DKIM, and DMARC?
They are three DNS-based standards that prove an email really came from your domain. SPF lists the servers allowed to send for you, DKIM cryptographically signs your messages, and DMARC tells receivers what to do when a message fails and where to send reports. Used together they stop attackers from spoofing your domain.
Do I need all three?
For reliable delivery in 2024 and later, yes. Major mailbox providers now expect SPF, DKIM, and a DMARC policy for bulk senders, and DMARC only works when it can rely on SPF and DKIM underneath it.
Where do these records live?
All three are published as DNS TXT records on your domain, which is why a DNS lookup can confirm whether they exist and are valid.