If you’ve never heard of SPF, DKIM, or DMARC — you’re not alone. Most business owners haven’t. But if your business uses email, these three records are the difference between your domain being protected and it being wide open for hackers to exploit.
Why this matters for your business
Here’s a scenario that plays out in businesses across Philadelphia every week: A vendor receives an email that appears to come from your company’s email address. The email contains updated payment instructions — a new bank account number for future invoices. The vendor pays. You find out when your real invoice goes unpaid.
The attacker never had access to your email account. They didn’t need it. They simply forged the sender address — a technique called email spoofing — and your domain had nothing in place to stop them.
$2.77B: Lost to business email compromise in 2024 (FBI)
82%: Of business domains have no DMARC protection
94%: Of cyberattacks are delivered via email
SPF, DKIM, and DMARC are the three DNS records that close this gap. They’re not new technology — they’ve existed for years — but most small businesses either don’t have them set up at all, or have them misconfigured in ways that leave them exposed.
This guide will explain what each one does, why all three are necessary, and what you should do next.
What is email spoofing — and why is it so easy?
Email was invented in the 1970s — long before cybersecurity was a concern. The original protocol (SMTP) was designed purely to deliver messages, with no built‑in mechanism to verify that the person sending an email is actually who they claim to be.
Think of it like sending a letter through the postal service. Anyone can write any return address they want on the envelope. The post office has no way to verify that the return address is real — it just delivers the letter. Email works the same way. Anyone with basic technical knowledge can send an email that appears to come from any address they choose, including yours.
⚠️ The key point
An attacker doesn’t need access to your email account to send emails that look like they came from you. They just need to know your email address — which is usually publicly available on your website.
SPF, DKIM, and DMARC are the modern fixes that were built on top of email’s original design to address this vulnerability. Together they answer the question that email’s original protocol couldn’t: Is this email actually from who it claims to be from?
📧 Real scenario: Business Email Compromise
A Chester County accounting firm received a call from a panicked client. The client had wired $47,000 to a new bank account after receiving what appeared to be an email from the firm’s managing partner requesting an urgent fund transfer for a client matter.
The firm’s email had never been hacked. Their managing partner had never sent the email. But because the firm had no DMARC record on their domain, the spoofed email passed right through the client’s email filters and landed in their inbox looking completely legitimate.
The money was never recovered.
What is SPF? (The Guest List)
SPF stands for Sender Policy Framework. It’s a DNS record — a small piece of text published in your domain’s settings — that tells the world which mail servers are authorized to send email on behalf of your domain.
When someone receives an email claiming to be from your domain, their email server looks up your SPF record and checks: was this email sent from a server on your authorized list? If yes, it passes. If no, it’s flagged as suspicious.
💡 The plain‑English analogy
SPF is like a guest list at a venue. The venue (the recipient’s email server) checks the list before letting anyone in. If your name’s not on the list, you don’t get in — or at least you get flagged as suspicious.
Your SPF record is your guest list. It says: “Only these specific mail servers (Microsoft 365, Mailchimp, QuickBooks, etc.) are allowed to send email from our domain. If you receive an email from our domain but it came from a different server — it’s not from us.”
What an SPF record looks like
An SPF record is published as a TXT record in your domain’s DNS. For a business using only Microsoft 365 for email, it looks something like this:
v=spf1 include:spf.protection.outlook.com -all
This record says: “Emails from our domain should only come from Microsoft 365’s mail servers. Reject everything else.”
The SPF limitation
SPF has one important limitation: it checks the sending server against the domain in the message’s envelope sender (the bounce address the mail servers exchange), not the “From” address that you actually see in your inbox. Because those two addresses can differ, an attacker can sometimes get past SPF alone, which is why DKIM and DMARC are also needed.
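As an added illustration (not code from the article), the following Python function evaluates an SPF record the way a receiving mail server does, against a small constructed DNS table: it walks the mechanisms in order, follows include: references, and counts DNS lookups against the ten-lookup limit from RFC 7208 that an overgrown list of third-party senders can hit. The domain names are hypothetical. Note that the function is given the envelope-sender domain, not the visible From address, which is exactly the gap described above.

```python
import ipaddress

# Constructed stand-in for DNS: the TXT record a resolver would return for each name.
# Domains are hypothetical; the include name mirrors the Microsoft 365 record in the article.
FAKE_DNS_TXT = {
    "example-business.test": "v=spf1 ip4:203.0.113.10 include:spf.protection.outlook.test -all",
    "spf.protection.outlook.test": "v=spf1 ip4:198.51.100.0/24 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 s.4.6.4: more than ten DNS-querying mechanisms is a permerror


def spf_check(ip, domain, dns=FAKE_DNS_TXT, _lookups=None):
    """Evaluate SPF for a message sent from `ip` whose envelope-sender domain is `domain`.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    if _lookups is None:
        _lookups = [0]  # shared counter across nested include: evaluations
    record = dns.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF record published: nothing to check against
    sender = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower().split("/")[0]
        if mech == "all":
            return QUALIFIERS[qualifier]  # the catch-all decides everyone not matched above
        if mech in ("ip4", "ip6"):
            if sender in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            _lookups[0] += 1
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
            inner = spf_check(ip, value, dns, _lookups)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"  # an include that points at a missing record is an error
            # fail/softfail/neutral inside the include: not a match, keep evaluating
        elif mech in ("a", "mx", "ptr", "exists"):
            _lookups[0] += 1  # these also cost a lookup; the stub has no A/MX data, so no match
            if _lookups[0] > MAX_LOOKUPS:
                return "permerror"
    return "neutral"  # fell off the end of the record without a match


if __name__ == "__main__":
    for ip in ("198.51.100.5", "203.0.113.10", "192.0.2.77"):
        print(ip, "->", spf_check(ip, "example-business.test"))
```

The lookup counter matters in practice: every include: you add for a marketing tool, CRM or accounting package costs one of the ten lookups, and the services’ own records often nest further includes, so a record that authorizes everything you use can still fail with a permanent error.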
What is DKIM? (The Wax Seal)
DKIM stands for DomainKeys Identified Mail. Where SPF checks where an email came from, DKIM verifies that the email itself hasn’t been tampered with in transit and that it was genuinely sent by your organization.
DKIM works by adding an invisible digital signature to every email your organization sends. This signature is generated using a private key that only you have. When a recipient’s email server receives your message, it looks up your DKIM public key (published in your DNS) and uses it to verify the signature. If the signature is valid, the email is authentic. If it’s been tampered with or forged, the signature won’t match.
💡 The plain‑English analogy
DKIM is like a wax seal on a letter. When you seal a letter with your personal wax stamp, the recipient can verify two things: the letter came from you (because only you have that stamp), and the letter hasn’t been opened or altered since you sent it (because the seal would be broken).
DKIM works the same way. Every email your business sends gets your digital seal. If the seal is intact when the recipient gets it — the email is authentic and unmodified.
Why DKIM matters beyond spoofing
DKIM also protects against a more sophisticated attack called a “man‑in‑the‑middle” attack, where an attacker intercepts an email in transit and modifies it before it reaches the recipient. Because the DKIM signature covers the email’s body and its key headers (such as From and Subject), any modification to them would break the signature and alert the recipient’s mail server.
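Added example, not from the article: DKIM’s seal is really two values, a hash over the body (the bh= tag) and a signature over that hash plus the listed headers (the b= tag). The body-hash part needs no key, so this Python snippet computes and re-checks it the way a verifier does, showing that changing a single digit in the invoice body breaks the check while harmless trailing blank lines (which mail servers often add) do not. The message, domain and selector are constructed; b=PLACEHOLDER stands in for the RSA signature, which a library such as dkimpy produces and verifies with the actual key pair.

```python
import base64
import hashlib
import re

# Constructed sample message parts (hypothetical domains). Only the body hash (bh=) is
# produced and checked here; b=PLACEHOLDER stands in for the signature a real signer adds.
SAMPLE_HEADERS = (
    "From: Accounts Payable <ap@example-business.test>\r\n"
    "To: billing@example-vendor.test\r\n"
    "Subject: Invoice 1042"
)
SAMPLE_BODY = (
    "Please pay invoice 1042 to account 12345678 as usual.\r\n"
    "\r\n"
    "Thanks,\r\n"
    "Accounts Payable\r\n"
)


def canonicalize_body_simple(body):
    """'simple' body canonicalization (RFC 6376 s.3.4.3): CRLF line endings,
    drop trailing empty lines, keep exactly one final CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n")
    while body.endswith("\r\n\r\n"):
        body = body[:-2]
    if not body.endswith("\r\n"):
        body += "\r\n"
    return body


def body_hash(body):
    """The bh= value: base64(SHA-256(canonicalized body))."""
    digest = hashlib.sha256(canonicalize_body_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_signed_message(headers, body, domain="example-business.test", selector="selector1"):
    """Add a DKIM-Signature header carrying the computed body hash (signature value is a placeholder)."""
    sig = (
        f"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d={domain}; s={selector};"
        f" h=from:to:subject; bh={body_hash(body)}; b=PLACEHOLDER"
    )
    return headers + "\r\n" + sig + "\r\n\r\n" + body


def verify_body_hash(raw_message):
    """Recompute bh= from the received body and compare it with the value in the header."""
    head, _, body = raw_message.partition("\r\n\r\n")
    match = re.search(r"\bbh=([A-Za-z0-9+/=]+)", head)
    if not match:
        return False  # no DKIM-Signature header at all
    return match.group(1) == body_hash(body)


if __name__ == "__main__":
    signed = build_signed_message(SAMPLE_HEADERS, SAMPLE_BODY)
    print("original:", verify_body_hash(signed))
    print("account changed:", verify_body_hash(signed.replace("12345678", "99999999")))
```

A full verifier goes one step further: it fetches the public key from the selector1._domainkey TXT record named by the s= and d= tags and checks that b= is a valid signature over the bh= value and the headers in h=, so a forger cannot simply recompute bh= for their altered body.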
What is DMARC? (The Bouncer)
DMARC stands for Domain‑based Message Authentication, Reporting, and Conformance. If SPF is the guest list and DKIM is the wax seal, DMARC is the bouncer who checks both and decides what to do with anyone who fails either test.
DMARC is the most powerful of the three records because it does three things that SPF and DKIM alone cannot:
- It ties SPF and DKIM together — requiring alignment between the authenticated domain and the visible “From” address.
- It tells receiving mail servers what to do when an email fails authentication — reject it, quarantine it (send to spam), or just monitor.
- It sends you reports showing who is sending email from your domain — including unauthorized senders.
💡 The plain‑English analogy
DMARC is the bouncer at the door. The bouncer checks the guest list (SPF) and the wax seal (DKIM). If either fails, the bouncer decides what to do — turn the person away entirely (reject), send them to a waiting area (quarantine), or just make a note of it (monitor).
Without a bouncer, even if you have a guest list and a seal, anyone who fails those checks might still get through. DMARC is what closes that gap.
DMARC policies explained
A DMARC record includes a policy that tells receiving servers what to do with emails that fail authentication. There are three policy levels:
- p=none — Monitor mode. Failed emails are delivered but you receive reports about them. Use this when first setting up DMARC to understand your email traffic before enforcing anything.
- p=quarantine — Failed emails go to the spam/junk folder. A good middle step that reduces spoofing risk while minimizing the chance of blocking legitimate email.
- p=reject — Failed emails are rejected entirely and never reach the inbox. This is the strongest protection — the goal for most businesses once DMARC is properly configured.
⚠️ Don’t rush straight to p=reject
Many businesses set up DMARC and immediately jump to a reject policy — and then discover that some of their legitimate email (from Mailchimp, QuickBooks, their CRM, etc.) wasn’t included in their SPF record. Those emails get rejected along with the spoofed ones.
Always start with p=none, review the reports for 2–4 weeks to identify all legitimate senders, update your SPF record to include them, then move to quarantine and finally reject. Rushing this step is the most common DMARC mistake.
The DMARC reporting benefit
One of DMARC’s most underappreciated features is its reporting. When DMARC is active, you receive daily XML reports from every major email provider showing every email sent from your domain — including emails you didn’t send. This is invaluable intelligence: you’ll know immediately if someone is actively trying to spoof your domain, and you can see exactly how much of that traffic is being blocked.
How SPF, DKIM, and DMARC work together
It’s important to understand that SPF, DKIM, and DMARC are not alternatives — they’re layers. Each one addresses a different part of the email authentication problem, and having one or two without the third leaves meaningful gaps.
01 SPF — Sender Policy Framework
Verifies that the email came from an authorized server for your domain.
What it stops: Emails sent from unauthorized servers claiming to be from your domain.
02 DKIM — DomainKeys Identified Mail
Verifies the email was genuinely sent by your organization and wasn’t altered in transit.
What it stops: Forged emails and emails tampered with during delivery.
03 DMARC — Domain‑Based Message Authentication
Ties SPF and DKIM together, enforces a policy for failures, and reports on unauthorized use.
What it stops: Spoofed emails that might slip past SPF or DKIM alone.
Here’s a simple way to think about it: SPF and DKIM are the locks on your door. DMARC is the alarm system that sounds when someone tries to pick either lock — and the policy is what calls the police (or in this case, rejects the email).
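To make the bouncer’s decision concrete, here is an added Python example (not part of the original article) that evaluates a DMARC record the way a receiving server does: it checks that the domain SPF or DKIM authenticated is aligned with the visible From domain, then applies the p=, sp= and pct= tags to anything that fails. It also shows the SPF limitation from earlier: an SPF pass for a different envelope domain does not count. The domains and the DNS stand-in dictionary are constructed, and the organizational-domain shortcut (last two labels) is a simplification; real receivers use the Public Suffix List so that names like co.uk are handled correctly.

```python
# Constructed DNS stand-in (hypothetical domain): the record the "bouncer" consults.
FAKE_DNS_TXT = {
    "_dmarc.example-business.test": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; pct=100; "
        "rua=mailto:dmarc-reports@example-business.test"
    ),
}


def parse_tags(record):
    """Turn 'k=v; k=v' into a dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def organizational_domain(domain):
    """Simplification: last two labels. Real DMARC uses the Public Suffix List (e.g. co.uk)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Relaxed (r) alignment: same organizational domain. Strict (s): exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_evaluate(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   dns=FAKE_DNS_TXT, sample=0):
    """Return the DMARC verdict and the disposition a receiver should apply.

    from_domain: domain of the visible From: header
    spf_domain:  envelope-sender domain that SPF was evaluated for
    dkim_domain: d= tag of a DKIM signature that verified
    sample:      0-99, the receiver's random draw used against the pct= tag
    """
    from_domain = from_domain.lower()
    org = organizational_domain(from_domain)
    record = dns.get("_dmarc." + from_domain)
    use_subdomain_policy = False
    if record is None and from_domain != org:
        record = dns.get("_dmarc." + org)  # fall back to the organizational domain's record
        use_subdomain_policy = True
    if record is None or not record.lower().startswith("v=dmarc1"):
        return {"result": "none", "disposition": "none"}
    tags = parse_tags(record)
    # A pass needs an authenticated identifier that is ALIGNED with the visible From domain
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return {"result": "pass", "disposition": "none"}
    policy = tags.get("p", "none")
    if use_subdomain_policy:
        policy = tags.get("sp", policy)
    if sample >= int(tags.get("pct", "100")):
        # Outside the sampled percentage: step the policy down one level (RFC 7489 s.6.6.4)
        policy = "quarantine" if policy == "reject" else "none"
    return {"result": "fail", "disposition": policy}


if __name__ == "__main__":
    legit = dmarc_evaluate("example-business.test", "pass", "example-business.test", "none", None)
    spoof = dmarc_evaluate("example-business.test", "pass", "attacker.test", "none", None)
    print("legitimate mail:", legit)
    print("spoof with SPF pass for another domain:", spoof)
```

The second scenario in the demo is the one SPF alone misses: the message passed SPF, but for the sender’s own envelope domain, so DMARC finds no aligned identifier and applies the reject policy. The forwarding case (SPF fails at the forwarder, DKIM still verifies) is why having both records makes enforcement safe.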
What happens if your business doesn’t have them?
Without SPF, DKIM, and DMARC in place, your domain is unprotected. Here’s what that means in practice:
- ✕ Anyone can send email pretending to be you. Attackers can forge your email address and send messages to your clients, vendors, and employees — and most email filters won’t catch it because your domain has no authentication to check against.
- ✕ Your legitimate emails may go to spam. Google and Microsoft now heavily penalize domains without proper authentication. Your proposals, invoices, and client communications may be silently landing in junk folders.
- ✕ You won’t know if you’re being spoofed. Without DMARC reporting, you have no visibility into whether attackers are actively abusing your domain. Many businesses only find out when a client calls to report a suspicious email.
- ✕ You may fail compliance requirements. HIPAA, PCI DSS, and most cyber insurance policies now expect basic email authentication controls to be in place. An absence of SPF, DKIM, and DMARC can be cited in an audit or used to deny a claim.
- ✕ Your domain reputation suffers. If your domain is used for spam or phishing campaigns — even ones you didn’t send — email providers may blacklist your domain, causing all your emails to be blocked until the issue is resolved.
Not sure if your domain is protected? SkyViewTek offers a free email security audit — we’ll check your SPF, DKIM, and DMARC records and tell you exactly where you stand.
How to check if your domain has SPF, DKIM, and DMARC
You can check your domain’s email authentication status using free online tools. Here’s how:
- Check your SPF record: Go to mxtoolbox.com/spf.aspx and enter your domain name (e.g., skyviewtek.com). If you have an SPF record, it will display it. If the result is blank or shows an error, you have no SPF record.
- Check your DMARC record: Go to mxtoolbox.com/dmarc.aspx and enter your domain. A result showing v=DMARC1 means you have a DMARC record. Pay attention to the policy — if it shows p=none, you’re in monitoring mode only, not enforcing protection.
- Check your DKIM record: DKIM is slightly harder to check because you need to know your DKIM selector (usually provided by your email host). For Microsoft 365, common selectors are selector1 and selector2. Use mxtoolbox.com/dkim.aspx and enter your domain and selector.
- Interpret what you find: If any of the three records are missing, or if your DMARC policy is set to p=none with no plan to move to enforcement, your domain is not fully protected. The next step is to get them configured correctly.
⚠️ A word of caution about DIY configuration
SPF, DKIM, and DMARC records are DNS records — and incorrect DNS configuration can break your email entirely. A wrong SPF record can cause your legitimate emails to be rejected by every major email provider. We strongly recommend having an IT professional configure these records, especially if your business uses multiple services that send email on your behalf (Mailchimp, QuickBooks, Salesforce, DocuSign, etc.) — each one needs to be accounted for in your SPF record.
Next steps for your Philadelphia‑area business
If you’ve read this far, you now understand more about email authentication than most business owners — and almost certainly more than whoever set up your current email system. Here’s what we recommend:
- Check your current status: Use the MXToolbox links above to see what records you currently have. Even partial protection is better than none — but you need to know where the gaps are.
- Inventory all your email senders: Make a list of every service that sends email on behalf of your domain — your email host (Microsoft 365, Google Workspace), your email marketing tool (Mailchimp, Constant Contact), your accounting software (QuickBooks), your CRM, your e‑signature tool (DocuSign, Adobe Sign), and any others. Every one of these needs to be authorized in your SPF record.
- Configure SPF and DKIM first: Get SPF and DKIM correctly configured before adding DMARC. DMARC relies on both of them — if either is misconfigured when you add a DMARC enforcement policy, you’ll start blocking your own legitimate email.
- Add DMARC starting at p=none: Start with a monitoring policy, review the daily reports for 2–4 weeks, fix any legitimate senders that aren’t covered by your SPF record, then move to p=quarantine and eventually p=reject.
- Monitor DMARC reports ongoing: DMARC reporting is an ongoing intelligence feed — not a one‑time setup. Set up regular review of your DMARC reports or use a tool that aggregates and summarizes them for you. SkyViewTek monitors DMARC reports as part of our managed email security service.