
Email Authentication: SPF, DKIM, and DMARC Explained

By Admin · Feb 21, 2026 · Updated Apr 23, 2026

Why Email Authentication?

Without authentication, anyone can send email claiming to be from your domain. SPF, DKIM, and DMARC work together to let receiving servers detect such forgeries and act on them.

SPF (Sender Policy Framework)

SPF declares which servers are allowed to send email for your domain.

DNS Record

v=spf1 ip4:198.51.100.10 include:_spf.google.com -all

Mechanism                  Meaning
ip4:198.51.100.10          Allow this IP
include:_spf.google.com    Allow Google's servers (Gmail/Workspace)
-all                       Reject all others (hard fail)
~all                       Soft fail (deliver but mark suspicious)

Checking SPF

dig TXT example.com | grep spf
nslookup -type=txt example.com
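To show how a receiving server actually applies the record above, here is a simplified SPF evaluator written as an added example for this article (not code from the article or from any SPF library). It implements the check_host() logic of RFC 7208 for the ip4, ip6, include and all mechanisms and enforces the 10-lookup limit; a, mx, ptr and exists are not implemented. DNS is replaced by a constructed in-memory table: the example.com record is the one from the article, while the contents shown for _spf.google.com and the looping loop.example record are made up for the demonstration.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; a real checker would query a resolver.
# example.com is the article's record; the other two entries are invented here.
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:198.51.100.10 include:_spf.google.com -all",
    "_spf.google.com": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all",
    "loop.example": "v=spf1 include:loop.example -all",  # deliberately broken record
}

MAX_DNS_MECHANISMS = 10  # RFC 7208 section 4.6.4: limit on DNS-querying terms

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, records=TXT_RECORDS):
    """Return the domain's SPF record, or None if it publishes none."""
    record = records.get(domain.lower().rstrip("."))
    if record is None or record.split()[0].lower() != "v=spf1":
        return None
    return record


def check_host(ip, domain, records=TXT_RECORDS, budget=None):
    """Simplified RFC 7208 check_host(): evaluate `domain`'s SPF record for the
    connecting IP. Supports ip4, ip6, include and all; any other mechanism
    yields permerror. Returns pass, fail, softfail, neutral, none or permerror."""
    if budget is None:
        budget = [MAX_DNS_MECHANISMS]  # one counter shared across include recursion
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term.split(":", 1)[0]:
            continue  # modifier such as redirect= or exp=; not handled in this example
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            matched = addr in network  # False when the address families differ
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"  # too many DNS-querying mechanisms
            sub = check_host(ip, arg, records, budget)
            if sub in ("none", "permerror"):
                return "permerror"  # include of a missing or broken record
            matched = sub == "pass"
        else:
            return "permerror"  # a, mx, ptr, exists: not implemented here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # nothing matched and there was no "all" term


if __name__ == "__main__":
    for ip in ("198.51.100.10", "203.0.113.77", "2001:db8::1", "192.0.2.5"):
        print(ip, "->", check_host(ip, "example.com"))
```

Note that the include of a domain with no record turns into permerror rather than a silent non-match, and that a record which includes itself exhausts the lookup budget: both are conditions DMARC reports will surface as persistent failures rather than as spoofing.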

DKIM (DomainKeys Identified Mail)

DKIM attaches a digital signature to each outgoing email so receivers can verify that it was signed by a server holding your domain's private key and that the signed headers and body were not altered in transit.

How It Works

  1. Your mail server signs each email with a private key
  2. The signature is added as a header
  3. Receiving servers verify using your public key (published in DNS)

DNS Record

selector._domainkey.example.com TXT "v=DKIM1; k=rsa; p=MIIBIjANBgkqhki..."

Generating DKIM Keys

# Using OpenDKIM
sudo apt install -y opendkim opendkim-tools
opendkim-genkey -s mail -d example.com
# Creates mail.txt (DNS record) and mail.private (private key)
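The verification step in the list above has two halves: the receiver first recomputes the body hash carried in the signature's bh= tag, then checks the b= signature with the public key fetched from selector._domainkey.domain. The following added example (written for this article, not taken from it or from OpenDKIM) implements the first half in Python: parsing DKIM tag lists, RFC 6376 simple and relaxed body canonicalization, the bh= computation, and the DNS name a verifier queries. The RSA signature check over the headers needs a cryptography library and is not shown. The sample message body and DKIM-Signature header are constructed here, and the b= value in them is a placeholder, not a real signature.

```python
import base64
import hashlib
import hmac
import re


def parse_tags(value):
    """Parse a DKIM tag=value list (DKIM-Signature header or _domainkey TXT record).
    Whitespace inside values (from header folding) is removed, as RFC 6376 allows."""
    tags = {}
    for item in value.split(";"):
        name, sep, val = item.partition("=")
        if sep:
            tags[name.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body, mode="simple"):
    """RFC 6376 body canonicalization. 'simple' only drops trailing empty lines;
    'relaxed' also strips trailing whitespace and collapses runs of spaces/tabs."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", line.rstrip(" \t")) for line in lines]
    elif mode != "simple":
        raise ValueError("unknown body canonicalization: %s" % mode)
    while lines and lines[-1] == "":
        lines.pop()
    if not lines:
        return "\r\n" if mode == "simple" else ""  # empty-body rules differ per mode
    return "\r\n".join(lines) + "\r\n"


def body_hash(body, mode="simple", algorithm="rsa-sha256"):
    """The base64 digest that goes into the bh= tag."""
    if algorithm != "rsa-sha256":
        raise ValueError("only rsa-sha256 is supported; rsa-sha1 is obsolete (RFC 8301)")
    digest = hashlib.sha256(canonicalize_body(body, mode).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def dns_name(tags):
    """Where a verifier fetches the public key: <selector>._domainkey.<domain>."""
    return "%s._domainkey.%s" % (tags["s"], tags["d"])


def verify_body_hash(dkim_signature, body):
    """Step one of DKIM verification: recompute bh= over the received body.
    Step two (checking b= with the RSA key from DNS) is not implemented here."""
    tags = parse_tags(dkim_signature)
    canon = tags.get("c", "simple/simple").split("/")
    body_mode = canon[1] if len(canon) > 1 else "simple"  # c=header/body
    expected = body_hash(body, body_mode, tags.get("a", "rsa-sha256"))
    return hmac.compare_digest(expected, tags["bh"])  # constant-time compare


# Constructed sample: the body a signer saw, the header it would emit, and a
# tampered copy of the body as a receiver might get it.
SAMPLE_BODY = "Hello,\r\n\r\nYour invoice is   attached.\r\n\r\n\r\n"
SAMPLE_BH = body_hash(SAMPLE_BODY, "relaxed")
SAMPLE_SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=mail;\r\n"
    "\th=from:to:subject:date; bh=" + SAMPLE_BH + ";\r\n"
    "\tb=<placeholder-not-a-real-signature>"
)
TAMPERED_BODY = SAMPLE_BODY.replace("attached", "cancelled")


if __name__ == "__main__":
    print("key record at:", dns_name(parse_tags(SAMPLE_SIGNATURE)))
    print("original body hash ok:", verify_body_hash(SAMPLE_SIGNATURE, SAMPLE_BODY))
    print("tampered body hash ok:", verify_body_hash(SAMPLE_SIGNATURE, TAMPERED_BODY))
```

The relaxed canonicalization is why a mailing list that re-wraps whitespace can still leave the body hash intact, while any change to the words breaks it; the selector and domain from the header map directly onto the `mail._domainkey.example.com` name used in the Testing section.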

DMARC (Domain-based Message Authentication, Reporting & Conformance)

DMARC tells receiving servers what to do with a message that passes neither SPF nor DKIM for a domain aligned with its From: header, and where to send reports about those results.

DNS Record

_dmarc.example.com TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com; pct=100"

Tag   Value       Meaning
p     none        Monitor only (start here)
p     quarantine  Send failures to spam
p     reject      Block failures entirely
rua   email       Send aggregate reports to
ruf   email       Send forensic reports to
pct   100         Apply to 100% of messages

Recommended Rollout

  1. Week 1-2: p=none — monitor reports, fix SPF/DKIM issues
  2. Week 3-4: p=quarantine; pct=10 — quarantine 10% of failures
  3. Week 5-6: p=quarantine; pct=100 — quarantine all failures
  4. Week 7+: p=reject — block all failures
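The policy decision and the pct sampling used in the rollout above can be worked through in code. This added example (written for this article, not code from the article or from any DMARC implementation) takes the SPF and DKIM outcomes for one message, checks identifier alignment against the From: domain, and applies the published policy. Two simplifications are assumptions of the example: the organizational domain is taken as the last two labels instead of being derived from the Public Suffix List, and the pct roll can be passed in explicitly so the outcome is reproducible.

```python
import random


def parse_tags(record):
    """Minimal tag=value parser for a _dmarc TXT record."""
    tags = {}
    for item in record.split(";"):
        name, sep, value = item.partition("=")
        if sep:
            tags[name.strip()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels. Real DMARC uses
    the Public Suffix List; this assumption is wrong for names like example.co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict (s) needs an exact match, relaxed (r) the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


# RFC 7489 section 6.6.4: messages outside the pct sample get the next less strict policy
NEXT_LESS_STRICT = {"reject": "quarantine", "quarantine": "none", "none": "none"}


def evaluate_dmarc(record, from_domain, spf_result, spf_domain,
                   dkim_result, dkim_domain, sample=None):
    """Return (dmarc_result, action) for one message. spf_domain is the domain
    SPF was checked against (MAIL FROM), dkim_domain the d= of a passing signature.
    `sample` is the 0-99 roll used for pct; pass a fixed value for determinism."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ("none", "none")  # no usable policy published
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return ("pass", "none")  # one aligned pass is enough
    action = tags["p"]
    pct = int(tags.get("pct", "100"))
    roll = random.randrange(100) if sample is None else sample
    if roll >= pct:
        action = NEXT_LESS_STRICT.get(action, action)
    return ("fail", action)


# The article's record, plus the week 3-4 rollout record.
RECORD_REJECT = ("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; "
                 "ruf=mailto:dmarc@example.com; pct=100")
RECORD_ROLLOUT = "v=DMARC1; p=quarantine; pct=10"

if __name__ == "__main__":
    # Constructed scenarios: direct send, forwarded mail, unauthorized third-party service.
    print(evaluate_dmarc(RECORD_REJECT, "example.com", "pass", "example.com", "fail", ""))
    print(evaluate_dmarc(RECORD_REJECT, "example.com", "fail", "forwarder.example", "pass", "example.com"))
    print(evaluate_dmarc(RECORD_REJECT, "example.com", "pass", "bounce.mailer.example", "fail", ""))
    print(evaluate_dmarc(RECORD_ROLLOUT, "example.com", "fail", "", "fail", "", sample=50))
```

The third scenario is the case the tip at the end of the article warns about: a third-party service that sends with its own bounce domain and no DKIM signature for your domain passes SPF for itself but fails alignment, so under p=reject its mail is dropped. The forwarded-mail scenario shows why DKIM matters: SPF fails at the forwarder's IP, but the surviving DKIM signature keeps the message passing.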

Testing

# Send a test email to mail-tester.com, which scores your email authentication (free)

# Check all records at once
dig TXT example.com         # SPF
dig TXT mail._domainkey.example.com  # DKIM
dig TXT _dmarc.example.com  # DMARC

The Complete Picture

Sender → SPF check (is this server allowed?)
       → DKIM check (was the message altered?)
       → DMARC check (what's the policy if either fails?)
       → Inbox or Reject

Tip: Start with p=none and review reports for 2 weeks before enforcing. Moving to p=reject too quickly can block legitimate emails from third-party services you forgot to authorize.
