SPF, DKIM, DMARC: Email Authentication for Your Domain
Email authentication prevents attackers from sending emails that appear to come from your domain.
SPF (Sender Policy Framework)
SPF specifies which mail servers are authorized to send email for your domain.
Add a TXT record to your domain:
v=spf1 include:_spf.google.com -all
Ending the record with -all means "reject all other senders" (strict). Use ~all for a soft fail during testing.
DKIM (DomainKeys Identified Mail)
DKIM adds a digital signature to outgoing emails. Configure it through your email provider (Google Workspace, Microsoft 365, etc.).
DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC tells receiving servers what to do with mail claiming to be from your domain that fails the SPF and DKIM checks.
Add a TXT record at _dmarc.yourdomain.com:
v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.com
Start with p=none to monitor, then move to p=quarantine, then p=reject.
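An added example, not part of the original page: Python that audits SPF and DMARC TXT record strings for the settings discussed above. It works on the record text only (no DNS lookups); the function names and the sample records are constructed for illustration.

```python
# Added example: audits SPF/DMARC TXT record strings. No DNS lookups are made.

def audit_spf(record):
    """Return a list of findings for an SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    # The 'all' term and its qualifier decide what happens to every sender
    # that no earlier mechanism matched. A bare 'all' defaults to '+'.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        redirected = any(t.lower().startswith("redirect=") for t in terms)
        findings.append("redirect= present: audit the target record" if redirected
                        else "no 'all' term: unlisted senders are not rejected")
    else:
        first = all_terms[0]  # evaluation stops at the first 'all'
        qualifier = first[0] if first[0] in "+-~?" else "+"
        if qualifier == "~":
            findings.append("~all is a soft fail: fine for testing, move to -all")
        elif qualifier in "+?":
            findings.append(f"{qualifier}all does not reject unlisted senders")
    return findings

def audit_dmarc(record):
    """Return a list of findings for a DMARC TXT record string."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (v=DMARC1 missing)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= policy")
    elif policy == "none":
        findings.append("p=none only monitors: next step is p=quarantine")
    elif policy == "quarantine":
        findings.append("p=quarantine: next step is p=reject")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will not be sent")
    return findings

if __name__ == "__main__":  # constructed sample records
    print(audit_spf("v=spf1 include:_spf.google.com ~all"))
    print(audit_dmarc("v=DMARC1; p=none"))
```

An empty list means the record already matches the strict end state described above (-all for SPF, p=reject with a rua address for DMARC).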