DKIM, SPF, and DMARC are the core controls that protect your domain from spoofing and improve trust in mailbox filtering systems.
You need all three configured correctly for a durable email security posture.
What each control does
| Control | Primary purpose |
|---|---|
| SPF | Declares which sending hosts are allowed for your domain |
| DKIM | Adds cryptographic signatures to prove message integrity and domain association |
| DMARC | Defines policy and reporting based on SPF/DKIM alignment outcomes |
How they work together
- Receiver checks SPF host authorization.
- Receiver validates DKIM signatures.
- Receiver applies DMARC policy based on alignment/pass results.
- Receiver may send aggregate/forensic reports (where configured).
DMARC is the policy layer; SPF and DKIM are the underlying signals.
Rollout strategy that reduces risk
Phase 1: Visibility
- Publish SPF and DKIM for all sending systems.
- Publish DMARC with .
- Collect and review DMARC aggregate reports.
Phase 2: Tightening
- Fix unknown senders and alignment issues.
- Remove stale SPF includes and rotate weak DKIM keys.
- Increase policy confidence using report data.
Phase 3: Enforcement
- Move DMARC to , then when stable.
- Keep monitoring and change control in place.
Example DNS records
SPF:
DKIM (selector example):
DMARC:
Common misconfigurations
- multiple conflicting SPF records,
- SPF include chains exceeding DNS lookup limits,
- DKIM selectors not rotated or missing for one sender path,
- DMARC enforcement before all send streams are aligned.
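
The first three misconfigurations above can be checked mechanically from TXT data. The following Python audit is an added example, not code from the original page; the zone contents, the `.example` names, the key value, the selector list and all function names are constructed for illustration.

```python
import re

# RFC 7208 section 4.6.4: these terms each cost one DNS lookup (limit: 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample TXT data (placeholder names and values, not real DNS).
ZONE = {
    "example.com": ["v=spf1 mx a include:_spf.mail.example include:_spf.crm.example -all",
                    "v=spf1 ip4:192.0.2.0/24 ~all"],
    "_spf.mail.example": ["v=spf1 include:m1.example include:m2.example "
                          "include:m3.example include:m4.example ~all"],
    "_spf.crm.example": ["v=spf1 a mx exists:%{i}.bl.example ip4:198.51.100.0/24 ~all"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
}

def spf_records(name, zone):
    """Return every TXT string at this name that is an SPF record."""
    return [t for t in zone.get(name, []) if t.lower().split()[:1] == ["v=spf1"]]

def count_lookups(name, zone, path=()):
    """Count DNS-querying SPF terms, following include/redirect targets."""
    if name in path:  # include loop: stop instead of recursing forever
        return 0
    total = 0
    for rec in spf_records(name, zone)[:1]:
        for term in rec.lower().split()[1:]:
            m = re.match(r"[+\-~?]?(\w+)(?:[:=]([^/\s]+))?", term)
            if not m or m.group(1) not in LOOKUP_TERMS:
                continue
            total += 1
            if m.group(1) in ("include", "redirect") and m.group(2):
                total += count_lookups(m.group(2), zone, path + (name,))
    return total

def audit(domain, zone, selectors):
    """Return findings for one domain; selectors come from the sender inventory."""
    findings = []
    n = len(spf_records(domain, zone))
    if n != 1:
        findings.append(f"SPF: {n} records published, exactly one is required")
    lookups = count_lookups(domain, zone)
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups, limit is 10")
    for s in selectors:
        if not any("p=" in t for t in zone.get(f"{s}._domainkey.{domain}", [])):
            findings.append(f"DKIM: selector {s} has no key record")
    return findings

print(audit("example.com", ZONE, ["s1", "s2"]))
```

In practice the zone dictionary would be filled from live TXT lookups for the domain and every include target, and the selector list from the sender inventory.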
Monitoring checklist
- Track DMARC pass/fail rates by source.
- Alert on new unrecognized sender infrastructure.
- Review DKIM key age and rotation cadence.
- Audit SPF records after provider or infra changes.
- Re-test after domain onboarding/migration events.
Final take
Email authentication is an operational discipline, not a one-time DNS task. The teams that win keep sender inventory, policy rollout, and report analysis in one repeatable workflow.