SPF, DKIM & DMARC explained

Anyone can put your name on an envelope

Email was designed in a more trusting age. The protocols that carry it were written when the internet was a small club of universities, and they take the sender’s word for everything. The name on the From line is simply whatever the sender chose to type. Nothing in the original design checks it, which means anyone, anywhere, can send an email that claims to be from your company.

Spammers and fraudsters noticed decades ago, and the world’s inboxes have been dealing with the consequences ever since. Their answer was to stop trusting the From line altogether. Modern mail providers now look for proof that a message really came from the domain it claims, and they treat anything that arrives without it with suspicion. That proof lives in three small records that sit alongside the rest of your domain’s DNS, and most business owners have never seen any of them.

The three checks that vouch for you

Each record answers a different question, and they work best as a set:

  1. SPF is a published guest list. It names the servers that are allowed to send email on behalf of your domain, so a receiving inbox can check whether the message arrived from somewhere legitimate. The mechanics are set out in the standards, but the idea is just a list.
  2. DKIM is a wax seal. Your mail server signs each outgoing message with a cryptographic signature, and the receiving end checks the seal is intact. If anyone tampers with the message in transit, or forges one from scratch, the seal does not match.
  3. DMARC is the instruction card. It tells receiving inboxes what to do when the other two checks fail, quarantine the message, reject it outright, or let it through, and it sends you reports about who is sending mail in your name. The scheme exists precisely because SPF and DKIM alone were never quite enough.

A guest list, a seal and an instruction card. None of them is complicated on its own. Together they are how an inbox decides your email is honest.

The day inboxes stopped being polite

For years these checks were quietly encouraged rather than enforced, and plenty of businesses got away without them. That era ended in early 2024, when Google and Yahoo began requiring authentication from senders, rejecting or junking mail that could not prove where it came from. The rules bite hardest on bulk senders, but the direction of travel is clear for everyone: unauthenticated email is on borrowed time.

The uncomfortable part is who this catches. Not the spammers, who adapted immediately, but ordinary small businesses whose domains were set up years ago, before any of this mattered. Their email has not changed. The rules underneath it have.

Why it matters for your business

A missing record does not announce itself. Your emails still leave your outbox, no error comes back, and everything looks fine from your side. The damage happens silently at the other end: quotes that are never seen, invoices that are never paid, replies that never come. People rarely check their junk folder for something they were hoping to receive.

We were asked to dig into exactly this a while back by Electrician SEO Pro, a search marketing agency that gets electricians found on Google. One of their clients had healthy enquiry numbers but a strange silence afterwards: quotes were going out and nothing was coming back. The website and the marketing were doing their job. The domain, it turned out, had no SPF, DKIM or DMARC at all, and the quotes were landing in junk folders. Three DNS records later, the silence ended. The marketing was fine. The plumbing was not.

Looking after it

Like most of the infrastructure we write about, email authentication is something to set up carefully once, not to manage every day. Get all three records in place, and check them again whenever you adopt a new tool that sends email in your name, an invoicing system, a booking platform, a newsletter service, because each one needs adding to the guest list. Move to a strict DMARC policy deliberately, once the reports show only legitimate senders, rather than in a rush.

Done properly, the whole thing disappears from view. Your email simply arrives, the way everyone assumes it always does, and the only people who ever think about those three records are the ones pretending to be you, finding that nobody believes them any more.

Similar Posts

Leave a Reply