What is an SPF record and how does it prevent email spoofing?

A Sender Policy Framework (SPF) record is a DNS TXT record that lists every mail server authorised to send email on behalf of your domain. When a receiving mail server gets a message claiming to be from your domain, it checks the sending IP against your SPF record. If the IP is not listed, the message can be marked as spam or rejected — preventing attackers from spoofing your domain in the From address.

What does DMARC p=none mean?

DMARC p=none is a monitoring-only policy. It collects and reports authentication failures but takes no action — spoofed emails still reach recipients' inboxes. It is a safe starting point for understanding your email flows before moving to p=quarantine (moves failures to spam) or p=reject (blocks delivery entirely). Staying on p=none long-term provides no real protection against domain spoofing.

How do I check if my domain has SPF, DKIM, and DMARC configured?

Run a free scan at webaudit.in — paste your domain URL and WebAudit will query your DNS for SPF, DMARC, DKIM (testing 12 common selectors), CAA records, and DNSSEC. Results appear in the DNS Security section with a score impact and specific fix instructions for anything missing or misconfigured.

Important DNS 8 min read

SPF, DKIM & DMARC: Complete Email Security Guide

Q: What is the difference between DKIM and DMARC?

DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails. Receiving servers verify the signature against a public key in your DNS, proving the message was not altered in transit. DMARC (Domain-based Message Authentication, Reporting and Conformance) builds on SPF and DKIM: it tells receiving servers what to do when authentication fails (none, quarantine, or reject) and where to send aggregate reports. DKIM proves integrity; DMARC enforces policy.

Without SPF, DKIM, and DMARC, anyone on the internet can send email that appears to come from your domain. Attackers exploit this to run phishing campaigns that impersonate your brand. All three records work together — individually they're partial, together they're powerful.

How Email Spoofing Works

The Simple Mail Transfer Protocol (SMTP) was designed in 1982 and has essentially no built-in authentication. Any mail server can claim to be sending on behalf of any domain. The "From" address a user sees in their email client is completely untrusted unless the receiving server has a way to verify it.

Email spoofing is used in phishing attacks ("Your bank account has been locked — click here"), business email compromise ("Please wire $50,000 to this account — CEO"), and spam campaigns that damage your domain's reputation. Even if you never send marketing email, attackers can send phishing mail from your domain to your customers' inboxes.

SPF, DKIM, and DMARC are DNS-based standards that let receiving mail servers verify whether a message claiming to come from your domain actually did. Without them, there's nothing to verify.

SPF — Sender Policy Framework

SPF is a DNS TXT record that lists all the IP addresses and hostnames that are authorised to send email on behalf of your domain. When a receiving mail server gets a message claiming to be from @yourdomain.com, it looks up your SPF record and checks whether the sending server's IP is on the list. If it's not, the receiving server knows the email is suspicious.

SPF record syntax

v=spf1 include:_spf.google.com include:sendgrid.net ip4:203.0.113.5 ~all

v=spf1 — identifies this as an SPF record
include: — imports another domain's SPF record (your email provider's)
ip4: — explicitly authorises an IPv4 address or range
~all — soft fail: mark unauthorised sources as suspicious but still deliver them
-all — hard fail: reject unauthorised sources entirely (use this once you're confident)
+all — allow all (never use this — it negates SPF entirely)

SPF has a 10-DNS-lookup limit. Each include: and a: mechanism counts against this limit. Chains of includes can push you over. Use an SPF flattening tool to consolidate IPs if needed.

Where to add it

Add a TXT record to your domain's DNS for the root domain (@ or yourdomain.com). Only one SPF record per domain is allowed — if you have multiple, merge them into one.

DKIM — DomainKeys Identified Mail

DKIM adds a cryptographic signature to every outgoing email. Your mail server signs each message with a private key. The receiving server looks up your public key in DNS and verifies the signature. If the signature matches, the email hasn't been tampered with and genuinely came from a server that holds your private key.

Unlike SPF (which checks the sending server's IP), DKIM survives email forwarding — the signature travels with the message and remains verifiable even after the email has been relayed through other servers.

DKIM DNS record

DKIM records are published as TXT records at a specific "selector" subdomain. Your email provider will tell you which selector to use (commonly google, s1, k1, or a custom value). The record name looks like:

selector._domainkey.yourdomain.com

The value contains the public key in a specific format provided by your email service. You don't generate this manually — your email provider (Google Workspace, Microsoft 365, SendGrid, Mailgun etc.) gives you the exact record to add.

Multiple selectors

You can have multiple DKIM selectors — one per email sending service. If you send via Google Workspace and SendGrid, you'll have two separate DKIM records, each with a different selector name. This is normal and intentional.

DMARC — Domain-based Message Authentication Reporting and Conformance

DMARC ties SPF and DKIM together and tells receiving servers what to do when a message fails both checks. It also enables reporting — you receive daily XML reports from major mail providers showing who is sending email from your domain.

DMARC alignment requires that the "From" domain in the email header matches the domain that passed SPF or DKIM. This closes a bypass where an attacker could pass SPF using their own domain but display your domain in the visible From header.

DMARC record

v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com; pct=100

DMARC policies (p=)

Policy	Action	When to use
`p=none`	Take no action — monitor only. Emails still get delivered.	Starting out. Collect reports, fix SPF/DKIM issues before enforcing.
`p=quarantine`	Mark failing emails as spam.	Intermediate stage after fixing obvious issues.
`p=reject`	Reject failing emails at the server level. They never reach the inbox.	Final goal once you're confident all legitimate mail passes SPF or DKIM.

Don't jump straight to p=reject. If you have misconfigured SPF or are missing DKIM for a sending service, p=reject will cause your legitimate emails to bounce. Start with p=none, monitor reports for 2–4 weeks, fix issues, then escalate to quarantine, then reject.

Recommended Setup Order

Set up SPF — list all your email sending services. Use ~all (soft fail) initially.
Set up DKIM — generate or obtain keys from each email service you use and add the DNS records.
Deploy DMARC with p=none and a reporting address. Wait 2–4 weeks and review reports.
Fix any legitimate sources not covered by SPF or not signing with DKIM.
Change SPF to -all (hard fail) once you're confident in your source list.
Escalate DMARC to p=quarantine, monitor for a week, then p=reject.

Testing Tools

WebAudit — scans SPF, DMARC, and attempts to detect DKIM selectors automatically.
dig TXT yourdomain.com — check your SPF record from the command line.
dig TXT _dmarc.yourdomain.com — check your DMARC record.
Send a test email to mail-tester.com — gives a 10/10 score report for SPF, DKIM, DMARC, and spam checks.
MXToolbox — SPF/DMARC record validator with human-readable output.

Domains that never send email still need DMARC. Attackers love to spoof parked and inactive domains because they have no SPF or DMARC. Add v=spf1 -all and v=DMARC1; p=reject to any domain that doesn't send email.

Check your domain's email security

WebAudit scans your SPF, DMARC, and DKIM records and flags weak policies or missing records with specific fix recommendations.

Check your site's security now →