securityaudit.website
Fix guide

SPF, DKIM, and DMARC — Email DNS Records That Stop Spoofing

If your audit flagged a missing SPF or DMARC record, your domain is easier to spoof than it should be. These records don't protect your website directly — they protect your name, by letting receiving mail servers verify that email claiming to be from you really is. Here's how the three pieces fit together.

SPF — who is allowed to send

A Sender Policy Framework record lists the servers permitted to send mail for your domain. It's a single DNS TXT record at your apex:

v=spf1 include:_spf.google.com include:sendgrid.net -all
  • include: pulls in your mail providers' own SPF rules, so mail relayed through them passes as yours.
  • -all is a hard fail: receivers should treat mail from any source not listed as failing SPF. Prefer it to the soft fail ~all once you're confident the list is complete; ~all only asks receivers to treat unlisted senders as suspicious rather than unauthorized.

Keep it to exactly one SPF record: two records is a permanent error, and receivers then treat the domain as if it had no usable SPF at all. Watch the 10-DNS-lookup limit as well. include:, a, mx, ptr, exists and redirect= each cost one lookup, and an include: also inherits every lookup inside the record it references, so two or three large providers can exhaust the budget on their own. ip4: and ip6: entries cost nothing, so list your own servers by address where you can.
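To see how quickly the lookup budget goes, here is an added example (not code from the original guide) that walks a constructed zone of hypothetical .example records, counts lookups the way a receiver does, and flags the two failure modes above: more than ten lookups, and more than one SPF record. The zone data and domain names are invented for the example; it counts from in-memory records rather than querying DNS.

```python
"""SPF lookup-budget checker (added example, not from the original guide).

Walks an SPF record the way a receiver does, counting the mechanisms that
cost a DNS lookup under RFC 7208 (include:, a, mx, ptr, exists and the
redirect= modifier) and following include:/redirect= into the records they
reference. ip4:, ip6: and all cost nothing. The zone below is constructed
for the example; a real checker would query DNS instead.
"""

LOOKUP_LIMIT = 10                                   # RFC 7208 section 4.6.4
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
QUALIFIERS = "+-~?"

# Constructed zone data: domain -> TXT strings. Hypothetical names under
# .example; the provider records are invented, not any real provider's SPF.
ZONE = {
    "yourdomain.example": [
        "v=spf1 include:_spf.mailhost.example include:crm.example -all",
        "site-verification=0123456789",          # unrelated TXT record, ignored
    ],
    "_spf.mailhost.example": [
        "v=spf1 include:_netblocks1.mailhost.example include:_netblocks2.mailhost.example ~all"],
    "_netblocks1.mailhost.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "_netblocks2.mailhost.example": ["v=spf1 ip4:198.51.100.0/24 ip6:2001:db8::/32 ~all"],
    "crm.example": ["v=spf1 include:a.crm.example include:b.crm.example mx ~all"],
    "a.crm.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "b.crm.example": ["v=spf1 redirect=c.crm.example"],
    "c.crm.example": ["v=spf1 a/24 ~all"],
    "legacy.example": ["v=spf1 a mx ptr ~all"],   # ptr is deprecated but still costs a lookup
    "bloated.example": [
        "v=spf1 include:_spf.mailhost.example include:crm.example include:legacy.example mx -all"],
    "broken.example": ["v=spf1 mx -all", "v=spf1 include:crm.example -all"],  # two records: permerror
    "loop.example": ["v=spf1 include:loop.example -all"],
}


def spf_record(zone, domain):
    """Return the one SPF record for domain. Zero or several is a permerror:
    receivers then treat the domain as having no usable SPF at all."""
    found = [t for t in zone.get(domain, []) if t.lower().split(" ", 1)[0] == "v=spf1"]
    if len(found) != 1:
        raise ValueError(f"{domain}: {len(found)} SPF records found, exactly 1 required")
    return found[0]


def count_lookups(zone, domain, path=()):
    """Count DNS lookups needed to evaluate domain's SPF record, recursing into
    include: and redirect= targets. path holds the ancestors, to catch loops."""
    if domain in path:
        raise ValueError(f"{domain}: include/redirect loop via {' -> '.join(path)}")
    lookups = 0
    for term in spf_record(zone, domain).split()[1:]:
        lowered = term.lower()
        if lowered.startswith("redirect="):
            lookups += 1 + count_lookups(zone, term.split("=", 1)[1], path + (domain,))
            continue
        mech = lowered.lstrip(QUALIFIERS).split(":", 1)[0].split("/", 1)[0]
        if mech not in LOOKUP_MECHANISMS:
            continue                       # ip4:, ip6:, all and exp= are free
        lookups += 1                       # the mechanism's own lookup
        if mech == "include":              # plus everything the included record needs
            lookups += count_lookups(zone, term.split(":", 1)[1], path + (domain,))
    return lookups


def check_spf(zone, domain):
    """Summarise whether domain's SPF record can be evaluated within the limit."""
    try:
        n = count_lookups(zone, domain)
    except ValueError as err:
        return {"domain": domain, "lookups": None, "ok": False, "error": str(err)}
    return {"domain": domain, "lookups": n, "ok": n <= LOOKUP_LIMIT, "error": None}


if __name__ == "__main__":
    for name in ("yourdomain.example", "bloated.example", "broken.example", "loop.example"):
        print(check_spf(ZONE, name))
```

In this constructed zone yourdomain.example costs 9 lookups and is fine, while bloated.example, which differs only by one more provider and an mx, costs 14 and would return a permanent error at every receiver; broken.example fails for having two records before any counting happens.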

DKIM — proof the message wasn't forged

DKIM adds a cryptographic signature to outgoing mail. Your provider gives you a public key to publish as a DNS TXT record at a selector subdomain:

selector._domainkey.yourdomain.com  TXT  "v=DKIM1; k=rsa; p=MIGfMA0..."

Receiving servers fetch that key and verify the signature, which covers the body and the signed headers (including From), so any change made after signing makes the check fail. Because the signature travels with the message, it usually survives plain forwarding, which SPF does not. You enable DKIM in your email provider's dashboard and paste the record they give you; choose a 2048-bit key if the provider offers a choice.

DMARC — what to do when checks fail

DMARC ties SPF and DKIM together and tells receivers what to do with mail that fails — and, crucially, sends you reports so you can see who's sending as you. A message passes DMARC when SPF or DKIM passes and the domain that passed matches the domain in the From: header (this is called alignment). That is the catch with third-party senders: a provider that passes SPF for its own bounce domain and signs with its own DKIM key still fails DMARC for your domain unless you set it up to send with yours. Publish the record at _dmarc:

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

The p= policy is the part that matters:

  • p=none — monitor only. Nothing is blocked, but you get reports. Always start here.
  • p=quarantine — failing mail is treated as suspicious, which in practice means the spam folder.
  • p=reject — failing mail is refused at delivery, before it reaches any mailbox. This is the goal.
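The alignment rule is where third-party senders trip up, so here is an added example (not from the original guide) that evaluates DMARC the way a receiver does, over constructed scenarios under hypothetical .example domains. It takes the SPF and DKIM outcomes plus the domains they were checked against, applies relaxed or strict alignment (the aspf= and adkim= tags), and picks the disposition from p= or, when the From: address is on a subdomain, from sp=. Two simplifications are assumptions of the example: the organisational domain is approximated by the last two labels instead of the Public Suffix List, and pct= is ignored.

```python
"""DMARC evaluator (added example, not from the original guide).

A message passes DMARC when SPF or DKIM passes *and* the domain that passed
aligns with the From: header domain. Alignment is relaxed by default (same
organisational domain); aspf=s / adkim=s demand an exact match. On failure
the disposition comes from p=, or from sp= when the From: domain is a
subdomain of the domain that published the record.

Assumptions made here for brevity: the organisational domain is taken as the
last two labels (real receivers use the Public Suffix List, so something like
example.co.uk would be handled wrongly), and the pct= sampling tag is ignored.
"""

POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a tag dict, rejecting records a receiver would ignore."""
    tags = {}
    for part in txt.split(";"):
        if part.strip():
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    first = txt.split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1" or "p" not in tags:
        raise ValueError("invalid DMARC record: v=DMARC1 must come first and p= is required")
    if tags["p"] not in POLICIES or ("sp" in tags and tags["sp"] not in POLICIES):
        raise ValueError("invalid DMARC policy value")
    return tags


def org_domain(domain):
    """Organisational domain, simplified to the last two labels (assumption, see above)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Does the domain that passed SPF or DKIM align with the From: domain?"""
    if not auth_domain:
        return False
    if mode == "s":                                   # strict: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)   # relaxed


def evaluate(record, policy_domain, from_domain,
             spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return the DMARC result and the disposition a receiver would apply.

    spf_domain is the MAIL FROM (Return-Path) domain SPF was checked against;
    dkim_domain is the d= of a signature that verified, or None if none did."""
    tags = parse_dmarc(record)
    spf_aligned = spf_pass and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_aligned = dkim_pass and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_aligned or dkim_aligned:
        return {"result": "pass", "disposition": "none",
                "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}
    is_subdomain = from_domain.lower() != policy_domain.lower()
    policy = tags.get("sp", tags["p"]) if is_subdomain else tags["p"]
    return {"result": "fail", "disposition": policy,
            "spf_aligned": spf_aligned, "dkim_aligned": dkim_aligned}


# Constructed record and scenarios under hypothetical .example names.
RECORD = "v=DMARC1; p=quarantine; sp=reject; rua=mailto:dmarc@yourdomain.example"
POLICY_DOMAIN = "yourdomain.example"

SCENARIOS = {
    # label: (from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain)
    "own server":                ("yourdomain.example", True, "yourdomain.example", True, "yourdomain.example"),
    "CRM using its own domains": ("yourdomain.example", True, "bounce.crm.example", True, "crm.example"),
    "forwarded, SPF broken":     ("yourdomain.example", False, "yourdomain.example", True, "yourdomain.example"),
    "spoof":                     ("yourdomain.example", False, "attacker.example", False, None),
    "spoofed subdomain":         ("news.yourdomain.example", False, "attacker.example", False, None),
}


def run_scenarios(record=RECORD, policy_domain=POLICY_DOMAIN):
    """Evaluate every scenario; returns label -> (result, disposition)."""
    out = {}
    for label, args in SCENARIOS.items():
        verdict = evaluate(record, policy_domain, *args)
        out[label] = (verdict["result"], verdict["disposition"])
    return out


if __name__ == "__main__":
    for label, (result, disposition) in run_scenarios().items():
        print(f"{label:28} {result:5} -> {disposition}")
```

The second scenario is the one the rua reports will surface most often: the CRM's mail is fully authenticated, just not for your domain, so it fails DMARC until the provider is configured to sign with your DKIM key or use a bounce domain under your name. The third shows why DKIM matters for the rollout: forwarding breaks SPF but an intact signature still carries the message through.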

The rollout

  1. Publish SPF and enable DKIM with your provider.
  2. Publish DMARC at p=none and watch the rua reports for a couple of weeks. They are aggregate XML reports, sent daily by each receiver, listing every source seen sending as your domain and whether it passed; look for legitimate senders (ticketing, CRM, newsletters) that fail alignment and fix those first.
  3. Once legitimate mail is passing cleanly, move to p=quarantine, then p=reject. The pct= tag applies the stricter policy to only a percentage of failing mail, so you can step up gradually and back out cheaply.

Tightening DMARC before your reports are clean will send real email to spam, so don't rush the last step.

Verify

Re-run the audit. SPF should be present, and DMARC should ideally be enforced rather than left at p=none. Add a CAA record too while you're editing DNS — it restricts which certificate authorities can issue certificates for your domain.
