SPF, DKIM, and DMARC Explained (Why Your Email Isn't Secure Without Them)
14 May 2026
Every day, people receive emails that appear to come from legitimate businesses but are actually sent by attackers. The sender name says "John from YourCompany." The email address looks right. The content is convincing. One click on the link inside and the recipient has handed over their credentials to someone who shouldn't have them.
This is called email spoofing, and it's embarrassingly easy if your domain doesn't have SPF, DKIM, and DMARC configured. These three protocols are your defence — and most small businesses don't have them set up properly, if at all.
Without SPF, DKIM, and DMARC, anyone in the world can send emails that appear to come from your domain — and receiving servers have no way to tell the difference.
SPF (Sender Policy Framework)
SPF is a DNS record that lists which mail servers are authorised to send email on behalf of your domain. When a receiving server gets an email from @yourcompany.co.uk, it checks the SPF record to see if the sending server is on the approved list. If it's not, the email can be flagged or rejected.
Without SPF, any server in the world can send an email claiming to be from your domain, and receiving servers have no way to know it's fake.
How to set it up: Add a TXT record to your domain's DNS. For Microsoft 365, the record typically looks like: v=spf1 include:spf.protection.outlook.com -all. The "-all" at the end means "reject anything not on this list." Some people use "~all" (soft fail), which flags but doesn't reject — "-all" is stricter and better.
DKIM (DomainKeys Identified Mail)
DKIM adds a cryptographic signature to every outgoing email. The receiving server checks this signature against a public key published in your DNS. If the signature matches, the email hasn't been tampered with in transit. If it doesn't match, something's wrong.
Think of it as a wax seal on a letter. It proves the email was sent by someone with your private key and hasn't been modified since.
How to set it up: In Microsoft 365, go to the Defender portal, find DKIM settings for your domain, and enable it. Microsoft will generate the keys and tell you which CNAME records to add to your DNS. Two records, copy and paste, done.
Think of DKIM as a wax seal on a letter. It proves the email was sent by someone with your private key and has not been modified since.
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC ties SPF and DKIM together and tells receiving servers what to do when an email fails both checks. Without DMARC, even if SPF and DKIM are configured, receiving servers might still deliver spoofed emails — they just note the failure.
DMARC gives you three policy options:
- None: Monitor only. Failed emails are delivered normally, but you get reports showing who's sending email as your domain. Start here.
- Quarantine: Failed emails go to the recipient's spam/junk folder.
- Reject: Failed emails are blocked entirely. This is the goal.
How to set it up: Add a TXT record to your DNS: v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.co.uk. Start with "p=none" to collect reports without blocking anything. Review the reports for a few weeks to make sure legitimate email sources are covered by your SPF record. Then tighten to "p=quarantine" and eventually "p=reject."
Why This Matters for Your Business
Without these three protocols:
- Anyone can send emails that appear to come from your domain.
- Your clients and suppliers might receive phishing emails that look like they're from you.
- Your own team might receive spoofed emails appearing to come from colleagues.
- Your domain reputation suffers, meaning your legitimate emails are more likely to end up in spam.
With them configured properly:
- Spoofed emails from your domain get blocked before they reach anyone.
- Your legitimate emails are more likely to be delivered to inboxes, not spam.
- You get visibility into who's sending email as your domain — legitimate services and attackers alike.
Setting up all three takes about an hour. The DNS changes propagate within a day. It's one of the highest-impact security improvements you can make for zero ongoing cost.
Want to talk about this?
Book a free 15-minute call and we'll discuss how this applies to your business.
Book a Free CallGet IT tips in your inbox
Practical advice for small businesses. No spam.
