What is DMARC, SPF, and DKIM? A Plain-Language Guide for Business Owners

Email authentication explained in plain language. What each record does, how to check yours, and what to fix first.

DMARC, SPF, and DKIM are three DNS records that together prevent attackers from sending email that appears to come from your domain. SPF lists which mail servers are authorised to send email from your domain. DKIM cryptographically signs outgoing email so recipients can verify it hasn't been tampered with. DMARC tells receiving mail servers what to do with email that fails SPF or DKIM checks. Missing DMARC is the single most common email security finding in UK SME exposure scans.
  • 84% of domains lack DMARC (Validity)
  • 91% of cyber attacks start with email (Deloitte)
  • $55B in global BEC losses over the past decade (FBI IC3)
  • 5 min to check all three records

SPF (Sender Policy Framework)

SPF is a DNS TXT record that lists which mail servers are allowed to send email on behalf of your domain. When someone receives an email "from" your domain, their mail server checks your SPF record to verify the sending server is authorised.

How to check: look up your domain on MXToolbox or run a Governably scan. Your SPF record should start with v=spf1 and end with -all (hard fail) or ~all (soft fail).

DKIM (DomainKeys Identified Mail)

DKIM adds a cryptographic signature to every outgoing email. The recipient's server uses your public key (published in DNS) to verify the signature matches — proving the email hasn't been altered in transit.

How to enable: in Google Workspace, go to Admin → Apps → Google Workspace → Gmail → Authenticate email. In Microsoft 365, go to Microsoft 365 Defender → Policies → Email authentication → DKIM.

DMARC (Domain-based Message Authentication, Reporting, and Conformance)

DMARC tells receiving servers what to do with email that fails SPF or DKIM. Three policy levels:

  • p=none: monitor only — receive reports but don't block anything
  • p=quarantine: send failing emails to spam
  • p=reject: block failing emails entirely

Start with p=none to see who is sending email as your domain. After reviewing reports for 2-4 weeks, move to p=quarantine, then p=reject.

Priority order: what to fix first

  1. Add DMARC (even with p=none) — this gives you visibility
  2. Fix SPF — ensure all legitimate senders are listed
  3. Enable DKIM — add cryptographic signing
  4. Tighten DMARC — move from none → quarantine → reject
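An added example (not code from this article or from Governably) that parses an SPF record and a DMARC record and reports findings numbered by the priority order above. The two TXT values are constructed samples; DKIM is not checked because that needs the selector name.

```python
import re

ALL_RE = re.compile(r"([-~+?]?)all", re.I)

# Constructed sample TXT records; a real check fetches these from DNS
# (the domain's own TXT record and the one at _dmarc.<domain>).
SAMPLE_SPF = "v=spf1 include:_spf.google.com ip4:203.0.113.10 ~all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

def parse_spf(txt):
    """Return (mechanisms, final 'all' term) for a v=spf1 record, else None."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms = [t for t in terms[1:] if not ALL_RE.fullmatch(t)]
    final = next((t for t in reversed(terms) if ALL_RE.fullmatch(t)), None)
    return mechanisms, final

def parse_dmarc(txt):
    """Return the tag=value pairs of a v=DMARC1 record, else None."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def findings(spf_txt, dmarc_txt):
    """Findings in priority order; a missing p= tag is treated like p=none."""
    out = []
    dmarc = parse_dmarc(dmarc_txt) if dmarc_txt else None
    if dmarc is None:
        out.append("1. No DMARC record: publish v=DMARC1; p=none with a rua= address for visibility")
    spf = parse_spf(spf_txt) if spf_txt else None
    if spf is None:
        out.append("2. No SPF record: list every legitimate sender and end with -all or ~all")
    elif spf[1] is None or ALL_RE.fullmatch(spf[1]).group(1) in ("", "+", "?"):
        out.append("2. SPF does not end with -all or ~all: any server passes the check")
    elif spf[1].startswith("~"):
        out.append("2. SPF uses ~all (soft fail): tighten to -all once all senders are listed")
    if dmarc is not None:
        policy = dmarc.get("p", "").lower()
        if policy in ("none", ""):
            out.append("4. DMARC is p=none: after 2-4 weeks of reports move to quarantine, then reject")
        elif policy == "quarantine":
            out.append("4. DMARC is p=quarantine: move to p=reject once reports are clean")
        if "rua" not in dmarc:
            out.append("4. DMARC has no rua= address: aggregate reports will not be sent")
    return out
```

Replace the two sample strings with the TXT values returned by a DNS lookup of your domain and of _dmarc.<your domain>, then call findings() on them.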

What is DMARC in simple terms?

A DNS record that tells email providers what to do when someone tries to send email pretending to be from your domain.

Do I need all three?

Yes. SPF and DKIM authenticate your outgoing email; DMARC tells receivers what to do with failures.

How do I check my DMARC?

Use MXToolbox or a Governably scan.

What policy should I start with?

Start with p=none, then quarantine, then reject.