Intermediate ⏱️ 25 min 📚 12 questions Updated Feb 7, 2026

SPF, DKIM & DMARC Basics

Email authentication is no longer optional. It is the flag your domain flies to prove it is a legitimate vessel in the inbox waters. SPF, DKIM, and DMARC work together to verify your identity and confirm your messages have not been tampered with during transit. Gmail and Yahoo now require proper authentication for bulk senders, and failing to comply means your messages may never reach the harbor. This guide charts the course through all three protocols, explaining what each does, how they work in concert, and exactly how to configure them.

1. What is SPF?

SPF (Sender Policy Framework) is a DNS-based authentication protocol that tells receiving servers which IP addresses are permitted to send mail for a domain. It validates the envelope-from address (the RFC 5321 MailFrom) during the SMTP conversation and helps mailbox providers decide whether the sending server is legitimate.

Think of SPF as the harbor’s official list of registered vessels. If a ship approaches flying a domain’s flag but is not on that list, the harbor master grows suspicious.

2. How does SPF work?

When a server receives a message, it checks the domain in the envelope from, then retrieves that domain’s SPF record from DNS. The SPF record states which IP addresses or systems are authorized to send.

If the connecting server’s IP matches one of the SPF mechanisms, the message passes. If not, the result (fail, softfail, neutral) is determined by the qualifier attached to the matching mechanism, usually the final all mechanism.

It functions like a port authority comparing the ship approaching the dock with the list of vessels that are allowed to carry that domain’s cargo.

3. What are SPF mechanisms (e.g., ip4, a, mx, include)?

Mechanisms define which servers are authorized. The main ones are:

ip4 authorizes a specific IPv4 address or range.

a authorizes the IPs of the domain’s A record.

mx authorizes the IPs of the domain’s MX records.

include imports the SPF policy of another domain.

Mechanisms are the items on the ship registry showing which vessels carry the domain’s colors.
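To make the evaluation in questions 2 and 3 concrete, here is an added example (not code from this guide) of a minimal SPF evaluator in Python. It resolves ip4, a, mx, include and all against a constructed in-memory DNS zone (the example.com, mailer.example and loop.example entries are sample data), honours the +, -, ~ and ? qualifiers, and enforces the RFC 7208 limit of 10 DNS-querying terms, which is the check that catches the self-including record.

```python
import ipaddress

# Constructed DNS zone standing in for live lookups (sample data, not real domains).
DNS = {
    "example.com": {"TXT": "v=spf1 ip4:192.0.2.0/24 a mx include:_spf.mailer.example -all",
                    "A": ["198.51.100.10"], "MX": ["mx1.example.com"]},
    "mx1.example.com": {"A": ["198.51.100.20"]},
    "_spf.mailer.example": {"TXT": "v=spf1 ip4:203.0.113.0/24 ~all"},
    "loop.example": {"TXT": "v=spf1 include:loop.example -all"},  # misconfigured: includes itself
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(ip, domain, lookups=None):
    """Evaluate the domain's SPF record against the connecting IP.
    Supports ip4, a, mx, include and all with their qualifiers; returns (result, lookups_used).
    The 'a', 'mx' and 'include' terms need DNS queries, which RFC 7208 caps at 10."""
    lookups = lookups if lookups is not None else [0]
    record = DNS.get(domain, {}).get("TXT", "")
    if not record.startswith("v=spf1"):
        return "none", lookups[0]
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name in ("a", "mx", "include"):
            lookups[0] += 1
            if lookups[0] > 10:
                return "permerror", lookups[0]
        matched = False
        if name == "ip4":
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = ip in DNS.get(arg or domain, {}).get("A", [])
        elif name == "mx":
            hosts = DNS.get(arg or domain, {}).get("MX", [])
            matched = any(ip in DNS.get(h, {}).get("A", []) for h in hosts)
        elif name == "include":
            sub_result, _ = check_spf(ip, arg, lookups)
            if sub_result == "permerror":
                return sub_result, lookups[0]
            matched = sub_result == "pass"
        elif name == "all":
            matched = True
        if matched:
            return QUALIFIERS[qual], lookups[0]
    return "neutral", lookups[0]  # no term matched and no 'all' was present
```

Note that an include only counts as a match when the included record returns pass; the softfail from the mailer’s ~all does not leak through, so the outer -all still decides.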

4. What is DKIM?

DKIM (DomainKeys Identified Mail) is an authentication protocol defined in RFC 6376 that proves a message really came from the domain it claims to come from and that its content was not altered along the way.

It works by attaching a cryptographic signature to the message headers. Receiving servers fetch the sender’s public key from DNS and verify the signature. If everything matches they know the message is authentic.

Think of DKIM as the wax seal of the email world. When the ship arrives at the harbor the seal tells the inspector that the letter has not been opened or tampered with during the journey.

5. How does DKIM work?

DKIM works by signing selected headers, together with a hash of the message body, using a private key held by your mail system. The recipient retrieves the matching public key from DNS and verifies the signature.

If the signature is valid, it confirms two things:

The domain authorized the message.

The content was not modified.

It is a two part system much like matching a captain’s signature against the official registry at the harbor.

6. What is a DKIM selector?

A DKIM selector is a label included in the DKIM signature that tells receiving servers where in DNS to find the public key.

A selector could be something like s1, mail, or octopus. It is chosen by the system that signs the message.
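The following added example (my code, not the guide’s) covers questions 5 and 6: it parses a DKIM-Signature header, derives the DNS name where the selector’s public key lives, and recomputes the body hash (bh=) with RFC 6376 simple or relaxed body canonicalization. The sample header and body are constructed, and the b= signature is a placeholder because verifying it needs the public key from DNS, which is not fetched here.

```python
import base64
import hashlib
import re

def parse_dkim_tags(header_value):
    """Split a DKIM-Signature value ('k=v; k=v') into a dict; folding whitespace is dropped."""
    tags = {}
    for part in header_value.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = re.sub(r"\s+", "", value)
    return tags

def dkim_key_dns_name(tags):
    """Where a verifier fetches the public key: <selector>._domainkey.<signing domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"

def canonicalize_body(body, algorithm="simple"):
    """RFC 6376 body canonicalization. 'relaxed' also collapses whitespace runs to one space
    and strips trailing whitespace per line; both drop trailing empty lines and end with CRLF."""
    lines = body.replace("\r\n", "\n").split("\n")
    if algorithm == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip() for ln in lines]
    while lines and lines[-1] == "":
        lines.pop()
    return "".join(ln + "\r\n" for ln in lines) or "\r\n"

def body_hash(body, algorithm="simple"):
    digest = hashlib.sha256(canonicalize_body(body, algorithm).encode()).digest()
    return base64.b64encode(digest).decode()

def body_hash_matches(dkim_header, body):
    """First half of DKIM verification: recompute bh= over the received body.
    The b= signature still needs the public key from DNS, so it is not checked here."""
    tags = parse_dkim_tags(dkim_header)
    canon = tags.get("c", "simple/simple").split("/")
    body_algorithm = canon[1] if len(canon) == 2 else "simple"
    return body_hash(body, body_algorithm) == tags["bh"]

# Constructed sample (not a real message); bh= is computed here so the header matches the body.
SAMPLE_BODY = "Hello captain,\r\n\r\nYour  manifest is attached.\r\n\r\n\r\n"
SAMPLE_HEADER = ("v=1; a=rsa-sha256; c=relaxed/simple; d=example.com; s=octopus;\r\n"
                 "\th=from:to:subject:date; bh=" + body_hash(SAMPLE_BODY) +
                 ";\r\n\tb=PLACEHOLDER_SIGNATURE_NOT_VERIFIED_HERE")
```

Trailing empty lines added in transit do not change the hash, but any edit to the text does, which is the tamper check the wax-seal metaphor describes.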

7. What is DMARC?

DMARC (Domain-based Message Authentication, Reporting and Conformance) is defined in RFC 7489. It is a policy layer that sits on top of SPF and DKIM. It tells mailbox providers how to handle messages that fail authentication and provides visibility into who is sending on behalf of your domain.

It is the Reporting and Conformance parts that make DMARC unique. It transforms authentication signals into actionable policy and returns feedback that shows exactly how your domain is being used.

DMARC gives domain owners the power to say “this is how my domain should behave, and this is what to do when something does not match.” It is the navigation chart that keeps your domain’s identity from drifting into dangerous waters.

8. Why is DMARC important for email security and deliverability?

DMARC protects recipients from impersonation and protects senders from brand abuse. Mailbox providers reward authenticated and aligned traffic with stronger domain reputation.

A strong DMARC policy is also required for BIMI, which allows approved senders to display their logo directly in the inbox, strengthening trust and recognition.

A domain with DMARC is treated as a vessel flying an official flag. It signals trustworthiness and authority in the open sea of email.

9. Where do I publish a DMARC record?

DMARC records are published as TXT records under:

_dmarc.yourdomain.com

Mailbox providers look in that exact location.

10. What is identifier alignment in DMARC?

Identifier alignment is the rule that the domain visible to the user in the From header (defined in RFC 5322) must match the domain that was authenticated: for SPF that is the RFC 5321 MailFrom (Return-Path) domain, and for DKIM it is the domain in the signature’s d= tag. DMARC only passes when at least one of the two methods both passes and aligns. Alignment is the anchor point that prevents impersonation.

11. Does SPF improve deliverability by itself?

No. SPF is a foundational requirement, not a performance booster. Not having SPF, or failing SPF, harms deliverability and can cause rejections. Passing SPF simply meets the minimum bar for trust. Reputation and engagement are what actually improve inbox placement.

12. Can you have SPF and DKIM pass but DMARC fail?

Yes. SPF and DKIM each report a pass for their own identifier (the MailFrom domain and the d= domain), but DMARC fails if neither of those identifiers is aligned with the visible From domain. Passing is not enough. Alignment is required.
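As an added example for questions 10 and 12 (not code from this guide), the Python below evaluates a DMARC record against the SPF and DKIM results of a message, applying the aspf and adkim alignment modes (r for relaxed, s for strict). The record and domains are constructed; the organizational-domain helper is deliberately simplified to the last two labels, whereas a real verifier consults the Public Suffix List.

```python
def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; adkim=s; aspf=r' into tags, applying RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed alignment is the default for both
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def organizational_domain(domain):
    """Simplified stand-in: last two labels. Real verifiers use the Public Suffix List so that
    'mail.example.co.uk' maps to 'example.co.uk' rather than 'co.uk'."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict ('s') requires an exact match; relaxed ('r') accepts the same organizational domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return organizational_domain(from_domain) == organizational_domain(auth_domain)

def evaluate_dmarc(record_txt, from_domain, spf_result, spf_domain, dkim_results):
    """from_domain is the RFC 5322 From domain, spf_domain the RFC 5321 MailFrom domain,
    dkim_results a list of (result, d=) pairs. Returns (dmarc_result, policy_to_apply)."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = any(r == "pass" and aligned(from_domain, d, tags["adkim"])
                  for r, d in dkim_results)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")

# Constructed record for the examples; example.com is a reserved documentation name.
RECORD = "v=DMARC1; p=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
```

The second assertion in the test is the question 12 case: a third-party mailer passes SPF and DKIM on its own domain, yet the message is quarantined because neither identifier aligns with example.com.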