SPF vs DKIM vs DMARC: The Complete 2025 Email Authentication Guide

SPF (Sender Policy Framework)

What it is:

SPF is a DNS TXT record that specifies which servers are allowed to send emails on behalf of your domain. Think of it as a VIP guest list for your email: only the servers listed are permitted to deliver messages. If an email comes from an unlisted server, recipient mail servers can mark it as suspicious or reject it altogether.

Why it matters:

Without SPF, malicious actors can easily impersonate your domain and send phishing or spam emails. Proper SPF setup prevents unauthorized servers from sending emails, protecting both your brand reputation and your customers.

Real-world example:

If your marketing team uses a platform like Mailchimp, and your SPF record doesn’t include Mailchimp’s sending servers, emails may land in spam or fail authentication checks.

Prerequisites:

• Access to your DNS provider to create or modify TXT records.
• A complete list of all third-party email services (e.g., ESPs, CRM platforms, automated tools) sending emails on your behalf.

Pro Tip:

Keep the number of DNS lookups under 10 to avoid SPF failures, and consolidate multiple includes when possible.

DKIM (DomainKeys Identified Mail)

What it is:

DKIM adds a cryptographic signature to every outgoing email. This signature is generated using a private key and verified by the recipient server using a public key published in your DNS. DKIM ensures two things: the email truly came from your domain, and it hasn’t been altered in transit.

Why it matters:

Even if an email comes from a legitimate server, it could be intercepted or tampered with during delivery. DKIM prevents such tampering and provides proof of authenticity, which builds trust with recipients and improves deliverability.

Real-world example:

An invoice sent from your accounting software can include a DKIM signature. If someone tries to modify the attachment, the recipient server will detect the tampering and flag the email as suspicious.

Prerequisites:

• Access to your email service provider (ESP) to generate DKIM key pairs (selector + private key).
• Access to your DNS provider to publish the public key as a TXT record.

Pro Tip:

Rotate DKIM keys periodically (e.g., annually) to maintain security and prevent key compromise.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

What it is:

DMARC is the protocol that enforces email authentication policies. It checks if incoming emails pass SPF or DKIM and tells receiving servers what to do with emails that fail (none, quarantine, or reject). DMARC also provides detailed reports about all emails sent from your domain, giving you visibility into legitimate and fraudulent activity.

Why it matters:

DMARC gives you control over how unauthenticated messages are handled and provides insight into potential abuse of your domain. Without DMARC, SPF and DKIM alone are less effective because recipient servers may ignore failures.

Real-world example:

A company receives daily DMARC reports showing several failed attempts from unknown IPs trying to spoof their domain. Using this data, they can adjust SPF/DKIM and block malicious senders.

Prerequisites:

• SPF and DKIM must already be configured and verified.
• Access to an email inbox to receive DMARC aggregate (rua) and forensic (ruf) reports.

Pro Tip:

Start with a p=none DMARC policy to monitor your email traffic without affecting deliverability, then gradually move to stricter policies (p=quarantine → p=reject) once you’ve verified all legitimate sources.

Step-by-Step Framework

Setting up SPF, DKIM, and DMARC may seem technical, but breaking it into structured steps makes the process manageable. Below is a comprehensive guide with checklists, practical tips, and 2025-specific best practices.

Step 1: Configure SPF

1. Check Existing Records

Before creating a new SPF record, verify if your domain already has one. Use tools like MXToolbox, DMARC Analyzer, or your DNS provider’s lookup tool. Multiple SPF records for the same domain can cause failures, so consolidate if needed.

2. Create/Update TXT Record

Access your DNS provider and either edit the existing TXT record or create a new one. Example:

Host: @ 

Value: v=spf1 include:_spf.google.com include:sendgrid.net -all

3. Verify SPF Record

After publishing, validate your SPF record using tools like MXToolbox SPF Checker or Kitterman SPF validator. Ensure no errors, all intended sending services are included, and DNS lookups remain under the 10-lookup limit.

Checklist for SPF Setup:

• Include all Email Service Providers (ESPs) and third-party senders (e.g., Mailchimp, HubSpot, SendGrid).
• Keep DNS lookups under 10; consolidate includes if necessary.
• Test emails from all sending sources to verify SPF passes.
• Document the SPF record and update whenever new email services are added.

Pro Tip (2025):

Use SPF “flattening” tools if you have multiple includes to avoid lookup limit failures.

Step 2: Add DKIM Signature

1. Generate Key Pair

Log into your ESP or email platform to generate a DKIM key pair. The platform will provide a selector and the corresponding public/private keys.

2. Publish Public Key in DNS

Create a TXT record in your DNS provider for the DKIM selector provided by your ESP:

Host: selector._domainkey 

Value: <public key

3. Validate DKIM

Send test emails to yourself or use DKIM testing tools to confirm that the DKIM-Signature appears in the email headers and validates correctly.

Checklist for DKIM Setup:

• Rotate DKIM keys annually to maintain security.
• Ensure the DKIM domain aligns with your sending domain (alignment is crucial for DMARC).
• Include all subdomains if they send emails (e.g., marketing.yourdomain.com).
• Test email deliverability with DKIM enabled to confirm successful signing.

Pro Tip (2025):

Use your ESP’s reporting tools to monitor DKIM pass/fail rates over time. This helps catch misconfigurations early.

Step 3: Implement DMARC Policy

1. Create TXT Record

Add a DMARC record to your DNS. Start with monitoring mode (p=none) to avoid blocking legitimate emails:

Host: _dmarc   
Value: v=DMARC1; p=none; rua=mailto:reports@yourdomain.com; 
ruf=mailto:forensics@yourdomain.com; fo=1

2. Monitor Reports

DMARC aggregate reports (rua) show summary data for all emails sent from your domain, while forensic reports (ruf) provide detailed info about specific failures. Analyze these reports to detect unauthorized senders, misaligned SPF/DKIM, and deliverability issues.

3. Enforce Gradually

Once you’ve confirmed that all legitimate emails pass SPF and DKIM, gradually tighten your policy:

• p=quarantine: Sends failing emails to spam.
• p=reject: Blocks failing emails entirely.

Checklist for DMARC Setup:

• Review all sending sources before enforcing strict policies.
• Confirm SPF and DKIM alignment for all legitimate senders.
• Use DMARC dashboards/tools (e.g., DMARCian, Valimail) for monitoring and analysis.
• Document your policy changes for internal auditing.

Pro Tip (2025):

Start with a monitoring-only policy for at least 2–4 weeks before enforcing stricter actions to avoid accidentally blocking legitimate emails.

Step 4: Monitor & Maintain (2025 Additions)

1. Automate Reporting

Leverage tools like DMARCian, Valimail, or EasyDMARC to automate report parsing, visualize trends, and detect anomalies.

2. Detect Spoofing Attempts

Regularly review DMARC reports to identify rogue IPs or unauthorized sources attempting to send emails from your domain.

3. Subdomain Policies

Apply DMARC policies to subdomains to prevent “shadow domain” abuse, which scammers can exploit to bypass SPF/DKIM.

4. BIMI Integration

After DMARC enforcement, implement BIMI (Brand Indicators for Message Identification) to display your verified logo in supported inboxes, increasing brand recognition and trust.

Pro Tip (2025):

Schedule quarterly reviews of SPF, DKIM, and DMARC configurations to ensure compliance and adapt to new third-party email services.

1. SPF Lookups Exceed 10

Pitfall: SPF records can fail if they contain more than 10 DNS lookups due to multiple include statements for third-party services.

Fix:

• Flatten your SPF record using tools provided by your ESP or third-party services.
• Consolidate multiple includes into a single include where possible.
• Regularly audit your SPF record whenever adding new email services.

Example:

Instead of having include:mailchimp.com include:sendgrid.net include:hubspot.com separately, consolidate or use a service that flattens them into one effective IP list.

2. Premature DMARC Enforcement

Pitfall: Setting DMARC to p=quarantine or p=reject too soon can accidentally block legitimate emails, causing deliverability issues.

Fix:

• Always start with p=none to monitor email traffic.
• Review DMARC reports for at least 2–4 weeks to confirm all legitimate senders pass SPF and DKIM.
• Gradually move to stricter policies (quarantine → reject) once confident.

Example:

A company enforcing p=reject immediately blocked its marketing emails because a new ESP was not included in SPF, resulting in lost communications.

3. Missing Third-Party Senders

Pitfall: Forgetting to include all external email services (CRMs, marketing platforms, transactional email providers) in SPF or DKIM can lead to failures and undelivered emails.

Fix:

• Maintain a centralized ESP checklist documenting every service that sends email on your behalf.
• Update SPF and DKIM records whenever a new service is added
• Test each service after updates to confirm email passes authentication checks.

Example:

An e-commerce brand missed adding SendGrid to SPF, causing transactional order confirmations to land in spam. Updating the SPF record resolved the issue.

4. Unmonitored DMARC Reports

Pitfall: DMARC reports are only useful if actively reviewed. Ignoring reports can allow spoofing attempts or misaligned emails to continue unnoticed.

Fix:

• Use DMARC dashboards or reporting tools (e.g., DMARCian, Valimail, EasyDMARC) to parse aggregate and forensic reports.
• Set up alerts for repeated authentication failures or suspicious IPs.
• Schedule monthly audits to identify trends and potential threats.

Example:

A business discovered repeated failed DKIM signatures from an unauthorized IP using DMARC reports, preventing a possible phishing attack before it reached customers.

5. Outdated DKIM Keys

Pitfall: Using the same DKIM keys for long periods increases the risk of key compromise and weakens security.

Fix:

• Rotate DKIM keys annually or sooner if there’s a suspected breach.
• Update DNS with new public keys and ensure ESPs are configured with the matching private key.
• Test signed emails after rotation to ensure validation passes.

Example:

Rotating DKIM keys helped a SaaS company eliminate false-positive failures caused by an old, compromised key.