Outbound email authentication is critical for protecting your domain from spoofing, phishing, and deliverability issues. The three core standards are:
SPF — Sender authorization
DKIM — Message integrity & domain verification
DMARC — Policy enforcement & reporting
These standards work together to protect your organization’s email reputation and improve inbox placement.
🛡️ SPF (Sender Policy Framework)
Purpose:
SPF defines which mail servers are authorized to send email on behalf of your domain.
How it works:
You publish a TXT record in DNS listing approved IP addresses or services.
Receiving mail servers compare the sending IP against this record.
Example SPF record:
v=spf1 ip4:203.0.113.10 a mx include:_spf.google.com include:spf.protection.outlook.com -all
Key Elements
ip4:/ip6:— Authorize specific IP addressesa/mx— Authorize your domain’s A or MX recordsinclude:— Authorize third-party services (Google, Microsoft, CRM platforms)-all— Hard fail (recommended after testing)~all— Soft fail (good for initial deployment)
Important Limitation
SPF allows maximum 10 DNS lookups.
Too many include, a, or mx mechanisms can cause SPF to fail.
Best Practices
Inventory all legitimate senders (M365, Google Workspace, CRM, ticketing systems, marketing platforms).
Use
~allduring rollout, move to-allonce confirmed.Regularly audit unused services.
Avoid nested includes that increase DNS lookups.
🔐 DKIM (DomainKeys Identified Mail)
Purpose:
DKIM adds a cryptographic signature to each outgoing email, proving:
The message was authorized by your domain.
The content was not altered in transit.
How it works:
A private key signs outgoing messages.
A public key is published in DNS.
The receiving server verifies the signature.
DNS location format:
selector._domainkey.example.com
Example:
s1._domainkey.example.com
Key Points
Recommended key size: 2048-bit RSA
Each sending platform may use its own selector.
Keys should be rotated periodically.
Hosted Providers
Platforms like:
Google Workspace
Microsoft 365
provide DKIM setup tools and generate keys automatically.
Testing
Check email headers for:
DKIM=pass
🧭 DMARC (Domain-based Message Authentication, Reporting & Conformance)
Purpose:
DMARC builds on SPF and DKIM to:
Enforce policy when authentication fails
Provide reporting visibility
Prevent domain spoofing
DNS Record Location:
_dmarc.example.com
Example DMARC record:
v=DMARC1; p=none; rua=mailto:dmarc-agg@example.com; ruf=mailto:dmarc-forensic@example.com; adkim=r; aspf=r; pct=100
Policy Options
p=none→ Monitor onlyp=quarantine→ Send failing mail to spamp=reject→ Block failing mail entirely
Alignment
DMARC requires alignment between:
Visible "From:" domain
SPF domain
DKIM signing domain
Alignment modes:
r= relaxeds= strict
Recommended Deployment Approach
Start with
p=noneReview aggregate reports (rua)
Fix misconfigured senders
Move to
p=quarantineFinally enforce
p=reject
🖼️ BIMI (Optional Branding Layer)
BIMI (Brand Indicators for Message Identification) displays your brand logo in supported inboxes.
Requirements:
DMARC set to
p=quarantineorp=rejectConsistent authentication pass
SVG logo
Often a Verified Mark Certificate (VMC)
Supported by providers like Gmail and Yahoo (not universal).
🔄 How They Work Together
Standard | Protects Against | Provides |
|---|---|---|
SPF | Unauthorized sending servers | IP validation |
DKIM | Message tampering | Cryptographic integrity |
DMARC | Spoofing & phishing | Policy enforcement + reporting |
If SPF or DKIM fails and alignment fails → DMARC policy applies.
🛠 Practical Implementation Workflow
Inventory all outbound email systems.
Publish SPF (keep lookups ≤ 10).
Enable DKIM for every sending platform.
Publish DMARC with
p=none.Monitor reports for 30–60 days.
Move to
p=quarantine.Enforce with
p=reject.Optionally deploy BIMI.
⚠️ Common Pitfalls
Exceeding SPF’s 10-lookup limit.
Misaligned subdomains breaking DMARC.
Expired or missing DKIM selectors.
Not monitoring DMARC reports.
DNS propagation delays.
Assuming SPF alone prevents spoofing (it does not).
🎯 Key Takeaways
SPF authorizes senders.
DKIM protects message integrity.
DMARC enforces policy and provides visibility.
Together, they protect your domain reputation and improve deliverability.
Move gradually toward strict enforcement.
Good to consider:
A Microsoft 365–specific configuration guide
A Google Workspace deployment checklist
Or a DMARC enforcement roadmap template