What Are SPF, DKIM and DMARC? An Email Security Guide
Configure SPF, DKIM, and DMARC records correctly to prevent email spoofing, boost deliverability rates, and confidently protect your brand reputation.
Email authentication is the invisible shield of business communication. Three DNS records, SPF, DKIM, and DMARC, block spoofing, increase deliverability, and protect your brand reputation when they are configured correctly. Starting in 2024, Gmail and Yahoo made these records mandatory for domains sending bulk email; with records missing, your emails may be rejected outright.
What Is an SPF Record and How Does It Work?
SPF (Sender Policy Framework) is a DNS TXT record that lists the servers and IP addresses authorized to send email on behalf of a domain. The receiving server compares the source of an incoming email against this list.
Example SPF record:
v=spf1 include:_spf.ulakmail.com ~all
| Parameter | Meaning |
|---|---|
| v=spf1 | SPF version |
| include: | Include another domain’s SPF list |
| ~all | Anything not on the list → SoftFail (suspicious) |
| -all | Anything not on the list → HardFail (reject) |
Important note: A domain cannot have more than one SPF record. Merge them, otherwise both will be considered invalid.
What Is a DKIM Record and How Does It Work?
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails. It proves that the email has not been altered along its journey and that it genuinely came from you.
How it works:
- The sending server signs the email with a private key
- The public key is published in DNS
- The receiving server verifies the signature with the public key
You can use our DKIM lookup tool to inspect your DKIM record.
What Is a DMARC Record and How Does It Work?
DMARC (Domain-based Message Authentication, Reporting and Conformance) decides what to do based on the SPF and DKIM results and provides reporting.
Example DMARC record:
v=DMARC1; p=quarantine; rua=mailto:dmarc@yourcompany.com; pct=100
| Policy (p=) | What Happens |
|---|---|
| none | Monitor only, no action |
| quarantine | Send to spam/junk folder |
| reject | Reject the email entirely |
DMARC passes when an email passes at least one of SPF or DKIM and that passing check is aligned, meaning the domain it authenticated matches the domain in the visible From address.
How Do the Three Work Together?
Sending server → Sends the email
↓
Receiving server checks:
1. SPF: Is this IP authorized?
2. DKIM: Is the signature valid?
3. DMARC: Is there SPF/DKIM alignment? What is the policy?
↓
Based on the result: Inbox / Spam / Reject
SPF and DKIM are not enough on their own. Without DMARC, spoofed emails are still delivered; only a note is logged.
Step-by-Step Setup Guide
Step 1 — Add an SPF record
Create a TXT record in your DNS management panel:
v=spf1 include:[your-mail-provider] -all
Step 2 — Generate a DKIM key
Your mail provider gives you a selector and a public key. Add it to DNS in this format:
selector._domainkey.yourdomain.com → TXT → "v=DKIM1; k=rsa; p=[public-key]"
Step 3 — Begin monitoring with a DMARC record
Start with p=none and review the reports:
_dmarc.yourdomain.com → TXT → "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com"
Step 4 — Tighten the policy
Watch reports for 2–4 weeks; if there are no issues, switch to p=quarantine, then p=reject.
Common Mistakes
- Multiple SPF records: There must be only one SPF in DNS; delete the old one when you add a new one
- DKIM without DMARC: Authentication remains incomplete and spoofed emails get through
- Jumping straight to p=reject: Monitor with none first, otherwise your own emails will be blocked
- Not rotating the DKIM key: 1024-bit legacy keys are insecure; use 2048-bit and rotate annually
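The setup steps and the mistakes listed above can be checked mechanically. The following Python linter is an added example, not code from the original article or from Ulakmail; the domain, selector and TXT strings are constructed, and the DKIM size check is a length heuristic on the decoded key rather than a full key parse.

```python
import base64

def parse_tags(record):
    """Split a 'tag=value; tag=value' TXT record (DKIM/DMARC syntax) into a dict."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def lint(domain, selector, txt):
    """txt maps DNS name -> list of TXT strings; returns a list of findings."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().split()[:1] == ["v=spf1"]]
    if len(spf) != 1:
        findings.append(f"SPF: expected exactly 1 record, found {len(spf)}")
    else:
        last = spf[0].split()[-1].lower()
        if last in ("all", "+all"):
            findings.append("SPF: +all authorizes every sender")
        elif last == "~all":
            findings.append("SPF: ~all is SoftFail; move to -all once senders are listed")
        elif last != "-all" and "redirect=" not in spf[0].lower():
            findings.append(f"SPF: record ends in '{last}', not -all")
    name = f"{selector}._domainkey.{domain}"
    dkim = [t for t in map(parse_tags, txt.get(name, [])) if t.get("p")]
    if not dkim:
        findings.append("DKIM: no public key published for selector")
    else:
        der = base64.b64decode("".join(dkim[0]["p"].split()))
        # Heuristic: an RSA SubjectPublicKeyInfo is 162 bytes at 1024 bits, 294 at 2048.
        if dkim[0].get("k", "rsa").lower() == "rsa" and len(der) < 294:
            findings.append("DKIM: RSA key shorter than 2048 bits")
    dmarc = [parse_tags(r) for r in txt.get(f"_dmarc.{domain}", [])
             if r.strip().lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        findings.append(f"DMARC: expected exactly 1 record, found {len(dmarc)}")
    else:
        if dmarc[0].get("p", "").lower() == "none":
            findings.append("DMARC: p=none only monitors; no action on failures")
        if "rua" not in dmarc[0]:
            findings.append("DMARC: no rua= address, so no aggregate reports arrive")
    return findings

# Constructed sample zone (not real DNS data); the DKIM blob is filler of 1024-bit size.
SAMPLE = {
    "example.com": ["v=spf1 include:_spf.example.net ~all", "v=spf1 ip4:192.0.2.10 -all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=" + base64.b64encode(bytes(162)).decode()],
    "_dmarc.example.com": ["v=DMARC1; p=none"],
}

if __name__ == "__main__":
    print("\n".join(lint("example.com", "s1", SAMPLE)))
```

To run it against a live domain, fill the `txt` dictionary from the output of your DNS query tool instead of `SAMPLE`.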
Frequently Asked Questions
I have an SPF record but my emails still land in spam, why? DKIM or DMARC is probably missing. Sometimes the sending IP isn’t in the SPF list. Check the situation with our SPF lookup tool.
How do I read a DMARC report? DMARC reports come in XML format. You can easily visualize them with Google Postmaster Tools or free DMARC analysis tools.
Why did Google and Yahoo make SPF/DKIM/DMARC mandatory? Starting in 2024, Gmail and Yahoo required these records for domains sending bulk email. If you don’t set up all three, your emails may be rejected outright.
Does my business provider configure these records automatically? Ulakmail provides SPF records as part of the plan. DKIM and DMARC require access to your domain’s DNS. Get in touch for free setup support.