Three DNS records decide whether the world trusts email from your domain: SPF, DKIM and DMARC. Get them right and your mail reaches the inbox while impersonators get blocked. Get them wrong and your own messages land in spam. Here is what each one does and how they fit together.
Check where your domain stands as you read:
Reads public DNS only. Nothing is stored unless you save the domain to an account.
SPF: who is allowed to send
SPF (Sender Policy Framework) is a DNS record that lists the servers allowed to send mail for your domain. A receiver looks up your record and checks whether the sending server is on the list. If it is not, the message fails SPF. A record looks like this:
v=spf1 include:_spf.google.com -all
The -all at the end tells receivers to reject anything not listed. See how to set up SPF for the full walkthrough.
DKIM: proof the message was not tampered with
DKIM (DomainKeys Identified Mail) adds a cryptographic signature to every message you send. Your server signs outgoing mail with a private key, and receivers verify it against a public key in your DNS. A valid signature proves the message really came from you and was not altered on the way. See how to set up DKIM.
DMARC: tie it together and set the policy
DMARC (Domain-based Message Authentication, Reporting and Conformance) turns SPF and DKIM into a real defense. It does two things: it tells receivers what to do with mail that fails, and it requires alignment, meaning the domain in the visible From address must match the domain that passed SPF or DKIM. Alignment is what stops a spoofer who passes SPF for their own domain from impersonating yours. A basic record:
v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com
See how to set up DMARC and how to move to a reject policy safely.
How they work together
SPF proves the server is authorized. DKIM proves the message is intact. DMARC checks that at least one of them aligns with your visible domain and enforces a policy when they do not. You need all three. A domain with SPF and DKIM but no DMARC still has no policy, so receivers are left to guess.
Run a free scan to see your SPF, DKIM and DMARC in one grade, with the exact records to fix anything that is weak.